Similarity Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:59569
Start date:29.08.2018
Start time:13:27:26
Joe Sandbox Product:Cloud
Overall analysis duration:0h 6m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:csshead.exe
Cookbook file name:default.jbs
Analysis system description:W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.evad.winEXE@3/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 32.7% (good quality ratio 29.3%)
  • Quality average: 80.9%
  • Quality standard deviation: 32.2%
HCA Information:
  • Successful, ratio: 57%
  • Number of executed functions: 89
  • Number of non-executed functions: 244
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):7.868755127097456
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.39%
  • UPX compressed Win32 Executable (30571/9) 0.30%
  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:csshead.exe
File size:165888
MD5:f0309aa0519ee70c29bbb471352781e7
SHA1:c0c4dd4c997f2a590eb5d9947e2ba81e79ce3c13
SHA256:7c13b9ab1ce7fdeeb8fbb235ed593e4affdedf317a6b7eac06ca3a64ab62daba
SHA512:3e0f96ccc07b3ded937e7ec01a5f2a858ceb8b88db53ad5a289172ae7b9f5722de689f4a0ecc39275b4c8c1a0be32466d147187a2025911dfadd199af4302ada
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*I.dn(.7n(.7n(.7.^?7k(.7u..7J(.7gP.7i(.7gP.7I(.7n(.7.).7u.>7.(.7u.?7/(.7u..7o(.7u..7o(.7Richn(.7........PE..L...F.9[...........

Similarity Information

Algorithm:APISTRING
Total Signature IDs in Database:4108360
Total Processes Database:48855
Total similar Processes:5077
Total similar Functions:20318

Similar Processes

  • csshead.exe (MD5: F0309AA0519EE70C29BBB471352781E7, PID: 1288)
    • jAqtHkfbz6.exe (PID: 3856, MD5: 201218D74CB36FA3B507B52B3F542E31 AnalysisID: 63349 Similar Functions: 61)
    • paint.exe (PID: 3424, MD5: 9A1C6993B7571ED6460D06833B78966C AnalysisID: 71976 Similar Functions: 57)
    • file2.exe (PID: 3684, MD5: 2B6E31835DAF786F3E9DEEC103C208BB AnalysisID: 66847 Similar Functions: 54)
    • winsvc.exe (PID: 3644, MD5: F80376F6E67D79147715E70823DE3A00 AnalysisID: 65110 Similar Functions: 54)
    • winsvc.exe (PID: 3652, MD5: F80376F6E67D79147715E70823DE3A00 AnalysisID: 65102 Similar Functions: 54)
    • winsvc.exe (PID: 3648, MD5: F80376F6E67D79147715E70823DE3A00 AnalysisID: 65090 Similar Functions: 49)
    • splugin.exe (PID: 3252, MD5: C09F5356DE9941991CD3B3D6D67D9106 AnalysisID: 41148 Similar Functions: 48)
    • tr.exe (PID: 2832, MD5: B63A39FAD3EDC42EF9968A870BB5ED84 AnalysisID: 31223 Similar Functions: 46)
    • 6683962.exe (PID: 3736, MD5: 941FA30BE8DCFEF277CE62DE74FFBF99 AnalysisID: 56382 Similar Functions: 45)
    • mlsd.exe (PID: 3440, MD5: 6EED20CCE1D8877E9953E4375AC750CE AnalysisID: 59838 Similar Functions: 45)
    • 3666712.exe (PID: 3484, MD5: EFB98185CB4A95C8E3F209B05EB4AEBC AnalysisID: 50392 Similar Functions: 45)
    • TempcQb83.eXe (PID: 3620, MD5: F80376F6E67D79147715E70823DE3A00 AnalysisID: 65112 Similar Functions: 44)
    • mxdn.exe (PID: 3456, MD5: 00FE617BE3854F8B3EB373E8272148DD AnalysisID: 49462 Similar Functions: 44)
    • winsvc.exe (PID: 3640, MD5: F80376F6E67D79147715E70823DE3A00 AnalysisID: 65115 Similar Functions: 44)
    • 9669353.exe (PID: 2772, MD5: 37C2017497122FE4AFCAD7FF30A24EF8 AnalysisID: 53041 Similar Functions: 43)
    • IPCPlgSvr.exe (PID: 3252, MD5: 91C6DFDA8F1B59308B7554A5E5666045 AnalysisID: 36661 Similar Functions: 38)
    • winsvc.exe (PID: 3656, MD5: F80376F6E67D79147715E70823DE3A00 AnalysisID: 65079 Similar Functions: 37)
    • press.exe (PID: 3212, MD5: C58F5A736C6E80CF3C4426DA67540F95 AnalysisID: 47139 Similar Functions: 36)
    • hjEjEgfnS.exe (PID: 3644, MD5: EFDB6033DCCF27FE103B8FC13BC4F2D7 AnalysisID: 378142 Similar Functions: 36)
    • speakface.exe (PID: 3612, MD5: 59360C0B24903D470D51A3544258A763 AnalysisID: 52753 Similar Functions: 36)
    • vtype.exe (PID: 3244, MD5: 1B8683494257868642655C7842B39CAA AnalysisID: 47031 Similar Functions: 36)
    • speakface.exe (PID: 3928, MD5: 59360C0B24903D470D51A3544258A763 AnalysisID: 52739 Similar Functions: 36)
    • speakface.exe (PID: 3632, MD5: 59360C0B24903D470D51A3544258A763 AnalysisID: 52699 Similar Functions: 35)
    • pvideo.exe (PID: 3248, MD5: B01470F68E56B010951D66644DEE76F4 AnalysisID: 40334 Similar Functions: 35)
    • 855985.exe (PID: 3580, MD5: 57EE4F77C5D58591B70400C4B4860399 AnalysisID: 55567 Similar Functions: 32)
    • 181948.exe (PID: 3584, MD5: 57EE4F77C5D58591B70400C4B4860399 AnalysisID: 55567 Similar Functions: 32)
    • proshuto8.exe (PID: 2668, MD5: 6F2AA155D82BF38A17AE83131F1A152D AnalysisID: 296551 Similar Functions: 32)
    • java.exe (PID: 1208, MD5: 6F4EB294ACF731771AFE3EF6F7EE812D AnalysisID: 271850 Similar Functions: 30)
    • speakface.exe (PID: 3624, MD5: 59360C0B24903D470D51A3544258A763 AnalysisID: 52761 Similar Functions: 30)
    • speakface.exe (PID: 3608, MD5: 59360C0B24903D470D51A3544258A763 AnalysisID: 52658 Similar Functions: 30)
  • explorer.exe (MD5: FCBCED2A237DCD7EF86CED551B731742, PID: 340)
    • splugin.exe (PID: 3252, MD5: C09F5356DE9941991CD3B3D6D67D9106 AnalysisID: 41148 Similar Functions: 29)
    • pvideo.exe (PID: 3248, MD5: B01470F68E56B010951D66644DEE76F4 AnalysisID: 40334 Similar Functions: 29)
    • press.exe (PID: 3212, MD5: C58F5A736C6E80CF3C4426DA67540F95 AnalysisID: 47139 Similar Functions: 28)
    • paint.exe (PID: 3424, MD5: 9A1C6993B7571ED6460D06833B78966C AnalysisID: 71976 Similar Functions: 28)
    • vtype.exe (PID: 3244, MD5: 1B8683494257868642655C7842B39CAA AnalysisID: 47031 Similar Functions: 28)
    • 3666712.exe (PID: 3484, MD5: EFB98185CB4A95C8E3F209B05EB4AEBC AnalysisID: 50392 Similar Functions: 28)
    • 6683962.exe (PID: 3736, MD5: 941FA30BE8DCFEF277CE62DE74FFBF99 AnalysisID: 56382 Similar Functions: 28)
    • mxdn.exe (PID: 3456, MD5: 00FE617BE3854F8B3EB373E8272148DD AnalysisID: 49462 Similar Functions: 28)
    • mlsd.exe (PID: 3440, MD5: 6EED20CCE1D8877E9953E4375AC750CE AnalysisID: 59838 Similar Functions: 28)
    • tr.exe (PID: 2832, MD5: B63A39FAD3EDC42EF9968A870BB5ED84 AnalysisID: 31223 Similar Functions: 27)
    • 9669353.exe (PID: 2772, MD5: 37C2017497122FE4AFCAD7FF30A24EF8 AnalysisID: 53041 Similar Functions: 26)
    • jAqtHkfbz6.exe (PID: 3856, MD5: 201218D74CB36FA3B507B52B3F542E31 AnalysisID: 63349 Similar Functions: 23)
    • 2016080813380002,jpg.jpg.exe (PID: 2816, MD5: 26BFC108EC961EA10CA20AFCE4594D95 AnalysisID: 25668 Similar Functions: 14)
    • id654093871066.pdf.exe (PID: 3020, MD5: 69BE1E62B00BA27CC4AE0E3B41720D41 AnalysisID: 28881 Similar Functions: 14)
    • explorer.exe (PID: 3100, MD5: 8B88EBBB05A0E56B7DCC708498C02B3E AnalysisID: 28881 Similar Functions: 13)
    • dwm.exe (PID: 1420, MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D AnalysisID: 56574 Similar Functions: 7)
    • taskhost.exe (PID: 3424, MD5: 72E953215CADE1A726C04AAFDF6B463D AnalysisID: 355921 Similar Functions: 5)
    • dwm.exe (PID: 1704, MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D AnalysisID: 28958 Similar Functions: 4)
    • reader_sl.exe (PID: 1900, MD5: 505F022493D471025ADD399A4162208B AnalysisID: 24588 Similar Functions: 4)
    • taskhost.exe (PID: 2956, MD5: 72E953215CADE1A726C04AAFDF6B463D AnalysisID: 249130 Similar Functions: 3)
    • explorer.exe (PID: 1712, MD5: 8B88EBBB05A0E56B7DCC708498C02B3E AnalysisID: 28958 Similar Functions: 3)
    • taskhost.exe (PID: 1256, MD5: 72E953215CADE1A726C04AAFDF6B463D AnalysisID: 356353 Similar Functions: 3)
    • dwm.exe (PID: 3480, MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D AnalysisID: 355921 Similar Functions: 3)
    • taskhost.exe (PID: 2568, MD5: 72E953215CADE1A726C04AAFDF6B463D AnalysisID: 247333 Similar Functions: 3)
    • dwm.exe (PID: 1684, MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D AnalysisID: 24588 Similar Functions: 3)
    • hitmanpro.3.7.x-patch.exe (PID: 3256, MD5: 92018B6185D8822BF7194CAE21E5C7EB AnalysisID: 41260 Similar Functions: 3)
    • taskhost.exe (PID: 3100, MD5: 72E953215CADE1A726C04AAFDF6B463D AnalysisID: 258313 Similar Functions: 3)
    • poweriso.6.x.patch.exe (PID: 2816, MD5: 57F4BC6B07929B5C183D69EBAE904FDB AnalysisID: 30238 Similar Functions: 3)
    • etup.exe (PID: 3748, MD5: 8AD504D873DBA440325BDCE426FD2CE7 AnalysisID: 49904 Similar Functions: 2)
    • glasswire-patch[Settings-fixed].exe (PID: 2820, MD5: C8398C45B86F64452448F1360580C710 AnalysisID: 30860 Similar Functions: 2)

Similar Functions

  • Function_00014397 API ID: GetModuleHandleGetProcAddress, String ID: CorExitProcess$[FILE], Total Matches: 2031
  • Function_00014FEB API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter, String ID: , Total Matches: 1574
  • Function_0001CD2B API ID: _parse_cmdline$GetModuleFileName, String ID: [FILE], Total Matches: 1436
  • Function_0001D0C2 API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter, String ID: , Total Matches: 1399
  • Function_0001CDE6 API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings, String ID: , Total Matches: 1214
  • Function_000186E5 API ID: __cftof2_l__fltout2, String ID: -, Total Matches: 1199
  • Function_000187A6 API ID: __cftof2_l__fltout2, String ID: -, Total Matches: 1199
  • Function_0001580D API ID: InterlockedDecrementInterlockedIncrement$__getptd, String ID: , Total Matches: 1129
  • Function_0001826C API ID: __alldvrm$__cftoe_strrchr, String ID: 0, Total Matches: 1040
  • Function_0001A651 API ID: __getptd, String ID: csm, Total Matches: 945
  • Function_00015504 API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd, String ID: , Total Matches: 891
  • Function_00015DBE API ID: GetModuleHandleInterlockedIncrement, String ID: KERNEL32.DLL, Total Matches: 793
  • EntryPoint API ID: VirtualProtect$ExitProcessGetProcAddressLoadLibrary, String ID: , Total Matches: 529
  • Function_0001C6E0 API ID: LCMapString$MultiByteToWideChar$WideCharToMultiByte, String ID: , Total Matches: 514
  • Function_00018185 API ID: __fltout2, String ID: -$e+000, Total Matches: 485
  • Function_000042D4 API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken, String ID: , Total Matches: 383
  • Function_000042D4 API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken, String ID: , Total Matches: 383
  • Function_0001A8D8 API ID: _UnwindNestedFrames, String ID: csm$csm, Total Matches: 379
  • Function_0001A946 API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck, String ID: MOC$RCC$csm$csm$csm, Total Matches: 376
  • Function_0001CAB5 API ID: _strlen, String ID: , Total Matches: 365
  • Function_0000FC10 API ID: GetTopWindow$GetWindowSendMessage, String ID: , Total Matches: 248
  • Function_00015E72 API ID: GetCurrentThreadIdGetLastErrorRtlDecodePointerSetLastError, String ID: , Total Matches: 124
  • Function_00022A40 API ID: GetLastErrorMultiByteToWideChar$SysAllocStringlstrlen, String ID: , Total Matches: 119
  • Function_000139DD API ID: GetModuleHandleGetProcAddressGetSystemInfoVirtualAllocVirtualProtectVirtualQuery, String ID: SetThreadStackGuarantee$[FILE], Total Matches: 114
  • Function_000160A2 API ID: GetProcAddressRtlEncodePointer$RtlDecodePointer$GetCurrentThreadIdGetModuleHandleTlsAllocTlsSetValue, String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL, Total Matches: 92
  • Function_00001A50 API ID: CallWindowProcGetWindowLong$SetWindowLong, String ID: $, Total Matches: 77
  • Function_00010390 API ID: CallWindowProcGetWindowLong$SetWindowLong, String ID: $, Total Matches: 77
  • Function_000041C8 API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken, String ID: , Total Matches: 51
  • Function_000041CC API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken, String ID: , Total Matches: 51
  • Function_000041C8 API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken, String ID: , Total Matches: 51
  • Function_000041CC API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken, String ID: , Total Matches: 51
  • Function_00019A60 API ID: __FindPESection$_ValidateScopeTableHandlers$VirtualQuery, String ID: , Total Matches: 41
  • Function_0000485C API ID: CloseHandleCreateFileFlushFileBuffersWriteFile, String ID: , Total Matches: 39
  • Function_0000485C API ID: CloseHandleCreateFileFlushFileBuffersWriteFile, String ID: , Total Matches: 39
  • Function_00016034 API ID: TlsGetValue$RtlDecodePointerTlsSetValue, String ID: , Total Matches: 31
  • Function_00005026 API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory, String ID: D$_section, Total Matches: 30
  • Function_00005028 API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory, String ID: D$_section, Total Matches: 30
  • Function_00005028 API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory, String ID: D$_section, Total Matches: 30
  • Function_00005026 API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory, String ID: D$_section, Total Matches: 30
  • Function_000080C0 API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject, String ID: .lnk, Total Matches: 28
  • Function_000080BE API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject, String ID: .lnk, Total Matches: 28
  • Function_00007C4E API ID: CreateFileReadFile$CloseHandleSetFilePointer, String ID: , Total Matches: 27
  • Function_00007C50 API ID: CreateFileReadFile$CloseHandleSetFilePointer, String ID: , Total Matches: 27
  • Function_00007C4E API ID: CreateFileReadFile$CloseHandleSetFilePointer, String ID: , Total Matches: 27
  • Function_00007C50 API ID: CreateFileReadFile$CloseHandleSetFilePointer, String ID: , Total Matches: 27
  • Function_00010A00 API ID: CreateWindowExFlushInstructionCacheGetCurrentProcessSetLastError, String ID: , Total Matches: 23
  • Function_00004406 API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl, String ID: , Total Matches: 22
  • Function_00004408 API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl, String ID: , Total Matches: 22
  • Function_00004408 API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl, String ID: , Total Matches: 22
  • Function_00004406 API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl, String ID: , Total Matches: 22
  • Function_00008258 API ID: WSACleanupWSAStartupgethostbynamegethostnameinet_ntoa, String ID: , Total Matches: 16
  • Function_000047AC API ID: CreateFile$CloseHandleGetFileSizeReadFile, String ID: , Total Matches: 15
  • Function_0000660C API ID: Sleep$GetTickCount, String ID: d, Total Matches: 15
  • Function_00008AA4 API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage, String ID: 0, Total Matches: 15
  • Function_00008AA4 API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage, String ID: 0, Total Matches: 15
  • Function_000047AC API ID: CreateFile$CloseHandleGetFileSizeReadFile, String ID: , Total Matches: 15
  • Function_0000660C API ID: Sleep$GetTickCount, String ID: d, Total Matches: 15
  • Function_00004608 API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile, String ID: d, Total Matches: 14
  • Function_000082F4 API ID: CreateProcessGetTempPathSleepwsprintf, String ID: >UD $D, Total Matches: 14
  • Function_00004608 API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile, String ID: d, Total Matches: 14
  • Function_000082F4 API ID: CreateProcessGetTempPathSleepwsprintf, String ID: >UD $D, Total Matches: 14
  • Function_00001910 API ID: MonitorFromPoint$GetMonitorInfo, String ID: (, Total Matches: 13
  • Function_00009230 API ID: CloseHandleExitProcessOpenMutexSleep, String ID: -, Total Matches: 12
  • Function_00005640 API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath, String ID: ., Total Matches: 12
  • Function_00003C28 API ID: CloseHandleCreateFileWriteFile, String ID: P, Total Matches: 12
  • Function_000076A0 API ID: MoveFileEx, String ID: .lnk$.txt, Total Matches: 12
  • Function_00008D0C API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep, String ID: .lnk, Total Matches: 12
  • Function_00007D3C API ID: GetTempPathShellExecute, String ID: , Total Matches: 12
  • Function_00001440 API ID: SendMessage$GetClientRectGetMenuItemCount, String ID: , Total Matches: 12
  • Function_00001530 API ID: SendMessage$GetClientRectGetMenuItemCount, String ID: , Total Matches: 12
  • Function_00005640 API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath, String ID: ., Total Matches: 12
  • Function_00003C28 API ID: CloseHandleCreateFileWriteFile, String ID: P, Total Matches: 12
  • Function_00009230 API ID: CloseHandleExitProcessOpenMutexSleep, String ID: -, Total Matches: 12
  • Function_00007D3C API ID: GetTempPathShellExecute, String ID: , Total Matches: 12
  • Function_00002574 API ID: LoadLibrary, String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<, Total Matches: 11
  • Function_00002574 API ID: LoadLibrary, String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<, Total Matches: 11
  • Function_0000E750 API ID: SendMessage$GetClientRectSetWindowPos, String ID: , Total Matches: 10
  • Function_00008760 API ID: GetWindowLongGetWindowRectSendMessage$InvalidateRect, String ID: , Total Matches: 9
  • Function_00006430 API ID: GetClassNamelstrcmp$CallNextHookEx, String ID: #32768, Total Matches: 8
  • Function_00000EB0 API ID: SendMessage$GetActiveWindowGetCurrentProcessIdGetWindowThreadProcessIdIsWindowEnabled, String ID: , Total Matches: 8
  • Function_0000F120 API ID: RtlLeaveCriticalSection$RaiseExceptionRtlEnterCriticalSection, String ID: , Total Matches: 5
  • Function_00000AE0 API ID: FreeLibrary$GetProcAddressLoadLibrary, String ID: DllGetVersion, Total Matches: 5
  • Function_00013C45 API ID: GetLastError$CreateThreadGetCurrentThreadIdRtlExitUserThread___fls_getvalue@4___fls_setvalue@8__getptd, String ID: , Total Matches: 5
  • Function_00013C51 API ID: GetLastError$CreateThreadGetCurrentThreadIdRtlExitUserThread___fls_getvalue@4___fls_setvalue@8__getptd, String ID: , Total Matches: 5
  • Function_00000C00 API ID: GetProcAddress$FreeLibraryLoadLibrary, String ID: IsAppThemed$IsThemeActive$[FILE], Total Matches: 5
  • Function_00006ECE API ID: CharLowerBuffSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetClassDevsSetupDiGetDeviceRegistryProperty$LoadLibrary, String ID: n@, Total Matches: 4
  • Function_00006EEC API ID: CharLowerBuffSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetClassDevsSetupDiGetDeviceRegistryProperty$LoadLibrary, String ID: n@, Total Matches: 4
  • Function_00006900 API ID: GetComputerNameRegOpenKeyEx, String ID: t!@, Total Matches: 4
  • Function_00006904 API ID: GetComputerNameRegOpenKeyEx, String ID: t!@, Total Matches: 4
  • Function_00004B9B API ID: GetComputerNameGetVolumeInformationRegOpenKeyEx, String ID: t!@, Total Matches: 4
  • Function_00004BA0 API ID: GetComputerNameGetVolumeInformationRegOpenKeyEx, String ID: t!@, Total Matches: 4
  • Function_000040E0 API ID: IsWindow$SendMessageSetFocus, String ID: , Total Matches: 4
  • Function_00008ED0 API ID: PeekMessage$DestroyMenuGetMenuItemCountMapWindowPointsPtInRectRemoveMenu, String ID: , Total Matches: 4
  • Function_000017F0 API ID: GetWindowLong$SetWindowLong, String ID: $, Total Matches: 3
  • Function_00004A68 API ID: GetCurrentProcess$GetComputerNameRegOpenKeyEx, String ID: t!@, Total Matches: 2
  • Function_000090B8 API ID: VirtualProtect, String ID: !@, Total Matches: 2
  • Function_00006110 API ID: GetSysColorBrush$FillRect$FrameRect$DrawEdgeGetMenuItemInfoGetSysColorInflateRectOffsetRectSetBkMode, String ID: , Total Matches: 2
  • Function_00003E50 API ID: SelectObjectSendMessage$DrawTextSetBkModeSetTextColor, String ID: , Total Matches: 2
  • Function_00002A20 API ID: DrawText$SetTextColorlstrlen, String ID: , Total Matches: 1
  • Function_00003B70 API ID: RegisterClipboardFormatRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: WTL_CmdBar_InternalGetBarMsg, Total Matches: 1
  • Function_00003B20 API ID: RegisterClipboardFormatRtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: WTL_CmdBar_InternalAutoPopupMsg, Total Matches: 1
  • Function_0000F4A0 API ID: DeleteObject$FindResourceLoadBitmapLoadImageLoadResourceLockResource, String ID: , Total Matches: 1
  • Function_0000FD50 API ID: SetWindowTextlstrcpylstrlenwsprintf, String ID: :%d, Total Matches: 1
  • Function_0000FDD0 API ID: lstrcat$SetWindowTextlstrcpylstrlenwsprintf, String ID: - $:%d, Total Matches: 1
  • Function_00011E10 API ID: GetProcessHeap$HeapFreeInterlockedCompareExchangeIsProcessorFeaturePresentRtlAllocateHeap, String ID: , Total Matches: 1
  • Function_000056C0 API ID: PostMessageSendMessage$GetFocusIsWindow$RaiseException, String ID: , Total Matches: 1
  • Function_00001F60 API ID: GetMenuDefaultItemGetSystemMenuGetWindowRectPtInRectSendMessage, String ID: , Total Matches: 1
  • Function_00011F2E API ID: RtlInterlockedPopEntrySList$GetProcessHeapRtlAllocateHeapRtlInterlockedPushEntrySListVirtualAllocVirtualFree, String ID: , Total Matches: 1

General

Root Process Name:csshead.exe
Process MD5:201218D74CB36FA3B507B52B3F542E31
Total matches:61
Initial sample Analysis ID:63349
Initial sample SHA 256:78FBD18CC7DF53021F74B6879E254A605D866806BF22166F37628469347A6CF8
Initial sample name:jAqtHkfbz.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 124
  • API ID: GetCurrentThreadIdGetLastErrorRtlDecodePointerSetLastError
  • String ID:
  • API String ID: 2725908529-0
  • Opcode ID: caf53e39780e2f2e328ebb93a6b98db73a773a9d2c4d6a5da3a091a064053409
  • Instruction ID: ea82ca62171b5387ce5f4ab6297fb1d3040a41ceccf9fa6c9216793dde81d322
  • Opcode Fuzzy Hash: 0BD05E86272540946CB89143B04013112A26AD2B7081CB39203B8125B3CB90713DBE84
  • Instruction Fuzzy Hash: ea82ca62171b5387ce5f4ab6297fb1d3040a41ceccf9fa6c9216793dde81d322
APIs
  • GetLastError.KERNEL32(?,00000000,004251BD,00422AA1,?,?,00417F96,00000009), ref: 00425E76
    • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
    • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
    • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
  • SetLastError.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425EE0
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • RtlDecodePointer.NTDLL(00000000), ref: 00425EB2
  • GetCurrentThreadId.KERNEL32 ref: 00425EC8
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
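The entry above shows MoveFileExA called with 00000004, which the report decodes as MOVEFILE_DELAY_UNTIL_REBOOT, next to the strings .lnk and .txt. With that flag Windows does not move anything immediately; it appends a source/target pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and performs the operation during the next boot. The report does not resolve the destination argument (a pointer into the image, 0040B518), so it may be a fixed file name or an empty string, and an empty target in that value means "delete the source at reboot". On a suspect host that value is therefore where a responder recovers what the sample queued. The decoder below is an added example, not code from the report or from Joe Sandbox: it takes the raw REG_MULTI_SZ bytes (obtained from a registry export or an offline SYSTEM hive), splits them into pairs, interprets an empty target as a delete and the "!" prefix Windows uses to record MOVEFILE_REPLACE_EXISTING, and applies a few triage heuristics (the .lnk/.txt extensions come from the report's strings; the rest of the watch list and the path rules are this example's choice). The sample blob is constructed.

```python
"""Decode PendingFileRenameOperations, the registry value that
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends to.

Added example; SAMPLE_RAW below is a constructed REG_MULTI_SZ blob, not data
from the sandbox report. Value location (HKLM):
  SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"                            # NT object-manager path prefix the kernel stores
WATCH_EXT = (".exe", ".dll", ".lnk", ".txt")   # .lnk/.txt from the report's strings


@dataclass
class PendingOp:
    source: str
    target: Optional[str]     # None: the source is deleted at the next boot
    replace_existing: bool    # target carried the '!' prefix (MOVEFILE_REPLACE_EXISTING)

    @property
    def is_delete(self) -> bool:
        return self.target is None


def parse_multi_sz(raw: bytes) -> List[str]:
    """Split a raw REG_MULTI_SZ blob: UTF-16LE, NUL-separated, double-NUL terminated."""
    parts = raw.decode("utf-16-le").split("\x00")
    while parts and parts[-1] == "":   # drop the terminator(s)
        parts.pop()
    return parts


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries: List[str]) -> List[PendingOp]:
    """Entries come in (source, target) pairs; an empty target means delete."""
    items = list(entries)
    if len(items) % 2:     # a trailing delete loses its empty target when the
        items.append("")   # terminating NULs are trimmed; put it back
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if not src:
            continue
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(_strip_nt(src), _strip_nt(dst) or None, replace))
    return ops


def flag_ops(ops: List[PendingOp]) -> List[Tuple[PendingOp, List[str]]]:
    """Triage heuristics; the rules are this example's choice, not the report's."""
    findings = []
    for op in ops:
        paths = [op.source] + ([op.target] if op.target else [])
        reasons = []
        if op.is_delete:
            reasons.append("delete-at-reboot")
        if any(p.lower().endswith(WATCH_EXT) for p in paths):
            reasons.append("watched extension")
        if any("\\appdata\\" in p.lower() or "\\temp\\" in p.lower() for p in paths):
            reasons.append("temp/appdata path")
        if reasons:
            findings.append((op, reasons))
    return findings


# Constructed sample: one delete, one replace into the roaming profile, one
# benign rename under ProgramData.
SAMPLE_ENTRIES = [
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\upd.txt", "",
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\new.exe",
    "!\\??\\C:\\Users\\user\\AppData\\Roaming\\svc.exe",
    "\\??\\C:\\ProgramData\\Vendor\\setup.log",
    "\\??\\C:\\ProgramData\\Vendor\\setup.old",
]
SAMPLE_RAW = ("\x00".join(SAMPLE_ENTRIES) + "\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    for op, why in flag_ops(parse_pending_ops(parse_multi_sz(SAMPLE_RAW))):
        print(f"{op.source} -> {op.target or '<delete>'}  [{', '.join(why)}]")
```

The delete case is the one to watch for: a queued delete of a dropped .txt or .lnk is how a sample removes its own staging files without leaving a visible DeleteFile call, and the entry survives in the hive until the next boot, so an offline SYSTEM hive from a disk image still contains it.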
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:9A1C6993B7571ED6460D06833B78966C
Total matches:57
Initial Analysis Report:Open
Initial sample Analysis ID:71976
Initial sample SHA 256:81D016E80FDDB754B20702BE0218C8351CB040E0D3A108A1D972A68C86DE4CE9
Initial sample name:paint.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
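The entry above is the most security-relevant function in the report. CreateProcessA is called with 00000004 as its sixth argument (dwCreationFlags = CREATE_SUSPENDED), the suspended child's PEB and image are read in a sub-call (NtQueryInformationProcess followed by ReadProcessMemory), GetThreadContext is called with 00010007 (CONTEXT_FULL on x86, the register set that holds the child's entry point and PEB pointer), the target range is made writable and executable with VirtualProtectEx(..., 0000029B, 00000040 = PAGE_EXECUTE_READWRITE), 0x29B bytes are written with WriteProcessMemory, and ResumeThread starts the child, after which the parent waits on it and collects its exit code. CreateFileMappingA on INVALID_HANDLE_VALUE with PAGE_READWRITE plus MapViewOfFile with FILE_MAP_ALL_ACCESS (000F001F) creates a pagefile-backed section, which matches the "_section" string in the entry's String ID. No NtUnmapViewOfSection appears, so whether the child's image is replaced wholesale (strict process hollowing) or only patched is not established by these lines; what is established is code injection into a suspended child. The script below is an added example, not part of the report or of Joe Sandbox: it parses the "APIs" lines in the format this page uses (the grammar is inferred from the entries on this page) and flags a suspended-child injection chain by checking the creation flag and the call-site order of WriteProcessMemory and ResumeThread, treating sub-call lines only as corroboration. The sample input is the entry above, copied verbatim.

```python
"""Parse the "APIs" lines of a Joe Sandbox function entry and flag the
suspended-child injection chain. Added example; the line grammar is
inferred from the entries on this page, not from a Joe Sandbox schema."""
import re
from dataclasses import dataclass
from typing import List, Optional

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit (6th CreateProcess parameter)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address for "Part of subcall function" lines


_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue   # headings and anything that is not a call line
        # Annotations like 00000004(MOVEFILE_DELAY_UNTIL_REBOOT) carry no commas,
        # so a plain split is enough for these entries.
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Hex argument as int; None for '?', string literals and missing arguments."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index].split("(")[0], 16)
    except ValueError:
        return None


CORROBORATING = ("GetThreadContext", "SetThreadContext", "VirtualProtectEx",
                 "VirtualAllocEx", "NtQueryInformationProcess",
                 "ReadProcessMemory", "NtUnmapViewOfSection")


def detect_suspended_injection(calls: List[ApiCall]) -> Optional[dict]:
    """CreateProcess with CREATE_SUSPENDED, then WriteProcessMemory, then
    ResumeThread in call-site order; sub-call lines only corroborate."""
    direct = sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)
    create = next((c for c in direct if c.api.rstrip("AW") == "CreateProcess"), None)
    if create is None:
        return None
    flags = arg_int(create, 5)
    if flags is None or not flags & CREATE_SUSPENDED:
        return None
    want = ["WriteProcessMemory", "ResumeThread"]
    for c in direct:
        if want and c.ref > create.ref and c.api == want[0]:
            want.pop(0)
    if want:
        return None
    seen = {c.api for c in calls}
    return {"create_ref": create.ref, "creation_flags": flags,
            "corroborating": sorted(n for n in CORROBORATING if n in seen)}


# The "APIs" lines of the entry above, copied verbatim from the report.
HOLLOWING_ENTRY = """
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
"""
```

Sorting by the ref address rather than trusting the listing order matters: the report prints the CloseHandle at 004052C8 before VirtualProtectEx at 00405252, so a naive top-to-bottom sequence check would see the calls out of code order. The same parser can be pointed at any other entry on the page (for instance the file-read function or the token integrity-level probe) to confirm it does not fire there.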
Similarity
  • Total matches: 4
  • API ID: CharLowerBuffSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetClassDevsSetupDiGetDeviceRegistryProperty$LoadLibrary
  • String ID: n@
  • API String ID: 1856892526-3430618438
  • Opcode ID: f395957a129d18a7057bf5d2b46ad4e5b50706271406e1c0a15cd69007c876c7
  • Instruction ID: e1fe8120ec9eb699218d3ba7918ebdcf80a84b61bc84734396826ac2cb6ecfb7
  • Opcode Fuzzy Hash: 1A21680205998247D9A7260030B7F9741D0F352E31E4D33274EB2663DD1B1AA05DFE5F
  • Instruction Fuzzy Hash: e1fe8120ec9eb699218d3ba7918ebdcf80a84b61bc84734396826ac2cb6ecfb7
APIs
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • LoadLibraryA.KERNELBASE(?), ref: 00406F0B
  • SetupDiGetClassDevsA.SETUPAPI(0040A014,00000000,00000000,00000002), ref: 00406F79
  • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00406FA7
  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00406FCE
  • CharLowerBuffA.USER32(00000000,00000000), ref: 00406FE7
  • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00406FF1
  • SetupDiGetClassDevsA.SETUPAPI(0040A024,00000000,00000000,00000002), ref: 00407028
  • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00407056
  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0040707D
  • CharLowerBuffA.USER32(00000000,00000000), ref: 00407096
  • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004070A0
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 2
  • API ID: GetCurrentProcess$GetComputerNameRegOpenKeyEx
  • String ID: t!@
  • API String ID: 3309570369-1459244525
  • Opcode ID: 0f515d2ccba9fb09622a15f09a41a7b0691d431ab9b77dc0686a87efc184a67a
  • Instruction ID: f296bf137465afbf62ce5bf383cc4be3297ed09ac4068a95a9abc795b2b5319f
  • Opcode Fuzzy Hash: 67F044430BA8D603FA656A053823B2425E8FBA2639D8D67A11CF0332F28F4CA044F50B
  • Instruction Fuzzy Hash: f296bf137465afbf62ce5bf383cc4be3297ed09ac4068a95a9abc795b2b5319f
APIs
  • GetComputerNameA.KERNEL32(?,00000081), ref: 00404A8B
  • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00404AB9
    • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00404B17
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00404B41
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 529
  • API ID: VirtualProtect$ExitProcessGetProcAddressLoadLibrary
  • String ID:
  • API String ID: 3823878537-0
  • Opcode ID: d95e0b075cb19b401ad6c9f0b477e12b1d0310c4fb8863e63a70c8408a8bbf82
  • Instruction ID: 8e57f1b9a81fcd56b1470cbc81c8163520b0cb991b0639a9e32c723d180e0442
  • Opcode Fuzzy Hash: A8113D44941FADC3BC47A0C401D8719B2693F82551DD70B06A16A2C9D79927B7A75B3C
  • Instruction Fuzzy Hash: 8e57f1b9a81fcd56b1470cbc81c8163520b0cb991b0639a9e32c723d180e0442
APIs
  • LoadLibraryA.KERNEL32(?), ref: 0045515A
  • GetProcAddress.KERNEL32(?,00452FF9), ref: 00455178
  • ExitProcess.KERNEL32(?,00452FF9), ref: 00455189
  • VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,?), ref: 004551A6
  • VirtualProtect.KERNELBASE(00400000,00001000), ref: 004551BB
Memory Dump Source
  • Source File: 00000000.00000001.22650852242.0042E000.00000080.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000001.22650847650.00400000.00000002.sdmp
  • Associated: 00000000.00000001.22650875118.00456000.00000008.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 4
  • API ID: GetComputerNameRegOpenKeyEx
  • String ID: t!@
  • API String ID: 3881136468-1459244525
  • Opcode ID: b85cb74487aa6f988b72e9fa7186664ecde379de55712d535bfb4c8f26644669
  • Instruction ID: f2c03765e5d1ca2d3c39d2a8341eae070377902dc4b9c690e8b2d5eca6183eee
  • Opcode Fuzzy Hash: 5CE0924117A96547EEA569413CE3B2201E9F373A22E9EA3A15AF4535E58D04A080FD0F
  • Instruction Fuzzy Hash: f2c03765e5d1ca2d3c39d2a8341eae070377902dc4b9c690e8b2d5eca6183eee
APIs
  • GetComputerNameA.KERNEL32(?,?), ref: 00406927
  • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
    • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 2
  • API ID: VirtualProtect
  • String ID: !@
  • API String ID: 268857135-3147449996
  • Opcode ID: a865e2df332133ea9193b9e3bdb4a5adb05490316c00832a622abb0dfb0e8a2a
  • Instruction ID: c5daa1bd82e8a6898d62e5f923d9e7b3f0e6c71b3c0cc13f266b0d98df876758
  • Opcode Fuzzy Hash: 62D0A7E409A8A1531539680434795092F007BE0B5D8FC22400DC7378926B4C3190B748
  • Instruction Fuzzy Hash: c5daa1bd82e8a6898d62e5f923d9e7b3f0e6c71b3c0cc13f266b0d98df876758
APIs
  • VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 114
  • API ID: GetModuleHandleGetProcAddressGetSystemInfoVirtualAllocVirtualProtectVirtualQuery
  • String ID: SetThreadStackGuarantee$[FILE]
  • API String ID: 680167281-1579773211
  • Opcode ID: 168240ab15ce24652e769bfb5492d562a5f91951bd35543584bc6f19a768c252
  • Instruction ID: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
  • Opcode Fuzzy Hash: 30F0DC5592AF88CFCAB28083370134C9074FB14A8FC8D3F8136A1A5959DF0171B91F05
  • Instruction Fuzzy Hash: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
APIs
  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00423A06
  • GetSystemInfo.KERNEL32(?), ref: 00423A1E
  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00423A2E
  • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00423A3E
  • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00423A90
  • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 00423AA5
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
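Reading the call sequences in these function entries by hand is error-prone: 0x3A98 is a Sleep of 15 s, 0x20119 is KEY_READ with KEY_WOW64_64KEY, and the AllocateAndInitializeSid call at 00404278 builds a SID from two sub-authorities, 0x20 and 0x220 (BUILTIN, Administrators). The script below is an added example, not Joe Sandbox tooling or code from the sample, that parses lines in the "APIs" format used on this page, decodes the common constants into their Win32 names, and flags call orderings that the traces above exhibit: OpenMutex followed by ExitProcess (the ordering at 00409292, typical of a single-instance check), WriteFile, FlushFileBuffers and DeleteFile in sequence (the overwrite-before-delete at 004046A4), GetTempPath followed by CreateProcess (the drop-and-execute at 00408364), and a TokenGroups query paired with the S-1-5-32-544 SID (the membership check at 00404241). The sample lines embedded in the block are copied from the report above; the identifier authority behind the pointer 0040A2A4 is not visible in the trace, so SECURITY_NT_AUTHORITY (S-1-5) is an assumption, and the behaviour labels are interpretations of call order, not facts the report states.

```python
"""Decode Joe Sandbox 'APIs' trace lines (the format used above) into named
Win32 constants and coarse behaviour hints. Added example for this page, not
Joe Sandbox tooling. Sample lines are copied from the report above; the
identifier authority behind pointer 0040A2A4 is assumed to be S-1-5."""
import re

# Constructed sample: 'APIs' lines copied from the functions listed above.
SAMPLE = """
OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
ExitProcess.KERNEL32 ref: 004092AD
GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
DeleteFileA.KERNEL32(?), ref: 004046CA
GetTempPathA.KERNEL32(00000201,?), ref: 00408364
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
"""

LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
ARG_RE = re.compile(r"^(-?)([0-9A-Fa-f]+)(?:\(.*\))?$")  # '00000019(TokenIntegrityLevel)' is hex too

ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"), (0x20000000, "GENERIC_EXECUTE")]
FILE_FLAGS = [(0x80000000, "FILE_FLAG_WRITE_THROUGH"), (0x20000000, "FILE_FLAG_NO_BUFFERING"), (0x80, "FILE_ATTRIBUTE_NORMAL")]
REG_ACCESS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x100, "KEY_WOW64_64KEY")]  # composites first
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 8: "TokenType", 25: "TokenIntegrityLevel"}
INTEGRITY = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}
SID_AUTHORITY = "S-1-5"  # ASSUMPTION: SECURITY_NT_AUTHORITY; the trace shows only its address

def parse_arg(tok):
    """'00003A98' -> 15000, '-00007E8C' -> -32396, '?' or a string literal -> None."""
    m = ARG_RE.match(tok.strip())
    return None if not m else int(m.group(2), 16) * (-1 if m.group(1) else 1)

def bits(value, table):
    """Greedily expand a bitmask into flag names; unknown leftover bits stay hex."""
    if value is None: return "?"
    names, rest = [], value
    for mask, label in table:
        if rest & mask == mask:
            names, rest = names + [label], rest & ~mask
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def sid_from_args(a):
    """AllocateAndInitializeSid(auth, count, sub0..sub7, &sid) -> 'S-1-5-32-544'."""
    return "-".join([SID_AUTHORITY] + [str(s) for s in a[2:2 + (a[1] or 0)]])

def integrity_level(rid):
    """Label the RID that GetSidSubAuthority returns for a TokenIntegrityLevel SID."""
    return INTEGRITY.get(rid & 0xF000, "Unknown")

DECODERS = {
    "CreateFile": lambda a: "access=%s disposition=%s flags=%s" % (
        bits(a[1], ACCESS), DISPOSITION.get(a[4], "?"), bits(a[5], FILE_FLAGS)),
    "RegOpenKeyEx": lambda a: "hive=%s access=%s" % (HIVES.get(a[0], "?"), bits(a[3], REG_ACCESS)),
    "GetTokenInformation": lambda a: "class=%s" % TOKEN_CLASS.get(a[1], "?"),
    "AllocateAndInitializeSid": lambda a: "sid=%s" % sid_from_args(a),
    "Sleep": lambda a: "%s ms" % ("?" if a[0] is None else a[0]),
}

def decode_line(line):
    """Parse one trace line; returns None for non-API lines (headers, hashes, dumps)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
    a = args + [None] * max(0, 12 - len(args))        # pad so decoders may index freely
    base = re.sub(r"(?<=[a-z])[AW]$", "", m["api"])    # CreateFileA / CreateFileW -> CreateFile
    return {"api": m["api"], "base": base, "module": m["mod"], "ref": m["ref"],
            "args": args, "detail": DECODERS.get(base, lambda _: "")(a)}

# Ordered call subsequences worth a second look when they appear in one function.
PATTERNS = {
    "single-instance mutex gate (OpenMutex then ExitProcess)": ["OpenMutex", "ExitProcess"],
    "overwrite, flush, then delete (file wipe)": ["WriteFile", "FlushFileBuffers", "DeleteFile"],
    "drop to %TEMP% and execute": ["GetTempPath", "CreateProcess"],
}

def is_subsequence(pattern, seq):
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)

def behaviours(text):
    """Return the behaviour hints whose call pattern appears in the given trace text."""
    calls = [c for c in map(decode_line, text.splitlines()) if c]
    found = {desc for desc, pat in PATTERNS.items() if is_subsequence(pat, [c["base"] for c in calls])}
    if (any(c["detail"] == "class=TokenGroups" for c in calls)
            and any(c["detail"] == "sid=S-1-5-32-544" for c in calls)):
        found.add("BUILTIN\\Administrators membership check (TokenGroups + S-1-5-32-544)")
    return found

if __name__ == "__main__":
    print(*(f"{c['ref']} {c['api']:26} {c['detail']}" for c in map(decode_line, SAMPLE.splitlines()) if c), sep="\n")
    print(*sorted(behaviours(SAMPLE)), sep="\n")
```

Run as a script it prints the decoded sample and the four behaviour hints; pasting a whole "APIs" section from a report into behaviours() works the same way, including the indented "Part of subcall function" lines. The subsequence check is deliberately loose (it ignores arguments and intervening calls), so treat a hit as a prompt to open the function at the listed ref, not as a verdict. integrity_level() covers the other token path visible above, where GetTokenInformation(TokenIntegrityLevel) at 0040430E is followed by GetSidSubAuthority at 00404393: the RID it returns maps to Low (0x1000), Medium (0x2000), High (0x3000) or System (0x4000).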
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 4
  • API ID: GetComputerNameGetVolumeInformationRegOpenKeyEx
  • String ID: t!@
  • API String ID: 976818110-1459244525
  • Opcode ID: 0020e8489871acdda78cd5072940fb3bc6fad13dc2004c33f66e4daf0c5fcb76
  • Instruction ID: 8395e48386cde48b3361b65c01986312c368c958ac72b8d78f847c9b9ff6d5f0
  • Opcode Fuzzy Hash: EE21830B0B78E753B9226B416892B0711E5F763722D9973F15DF0279E29A05A280FA1F
  • Instruction Fuzzy Hash: 8395e48386cde48b3361b65c01986312c368c958ac72b8d78f847c9b9ff6d5f0
APIs
  • GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
  • RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
  • GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 248
  • API ID: GetTopWindow$GetWindowSendMessage
  • String ID:
  • API String ID: 806787523-0
  • Opcode ID: 8f9c371dbac9708627cc1f2154af520d1bfde1075e8fe3710eb5bdb2079ed30a
  • Instruction ID: 0a2d4dfdb96a51fa7a499036c587268d7ced3cac977377f8fd8831779064eaa6
  • Opcode Fuzzy Hash: B2D02335113D4007D1145549143031E71D05130FFB08C37B007E30C59F4EC151BC4E4C
  • Instruction Fuzzy Hash: 0a2d4dfdb96a51fa7a499036c587268d7ced3cac977377f8fd8831779064eaa6
APIs
  • GetTopWindow.USER32 ref: 0041FC14
  • SendMessageA.USER32(00000000,?,?,?), ref: 0041FC38
  • GetTopWindow.USER32(00000000), ref: 0041FC43
  • GetWindow.USER32(00000000,00000002), ref: 0041FC65
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name: csshead.exe
Process MD5: 2B6E31835DAF786F3E9DEEC103C208BB
Total matches: 54
Initial sample Analysis ID: 66847
Initial sample SHA 256: B16B34A6AF7AEFE6C0210917A2EC747838573CEA6658CDB6CB3D8F937E70F953
Initial sample name: file.exe

Similar Executed Functions

Similarity
  • Total matches: 92
  • API ID: GetProcAddressRtlEncodePointer$RtlDecodePointer$GetCurrentThreadIdGetModuleHandleTlsAllocTlsSetValue
  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
  • API String ID: 2497162807-3819984048
  • Opcode ID: 40a92d6be80270f0d887ea1b1180d001f2a8259290e1ea56a906897199c583e9
  • Instruction ID: b3df56086602818656d02239aef3d71136703ba182de22dd1fa9d84292d4f75f
  • Opcode Fuzzy Hash: 5A0124C700588643D9F86600700027392F31BD316B83DEB2016B9AA495DACAB6383EC8
  • Instruction Fuzzy Hash: b3df56086602818656d02239aef3d71136703ba182de22dd1fa9d84292d4f75f
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424C8B), ref: 004260AA
  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004260CC
  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004260D9
  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004260E6
  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004260F3
  • TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
  • TlsSetValue.KERNEL32(00000000,?,00424C8B), ref: 0042615E
  • RtlEncodePointer.NTDLL ref: 00426179
  • RtlEncodePointer.NTDLL ref: 00426186
  • RtlEncodePointer.NTDLL ref: 00426193
  • RtlEncodePointer.NTDLL ref: 004261A0
    • Part of subcall function 0042BF11: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042BF39
  • RtlDecodePointer.NTDLL(Function_00015F05), ref: 004261C1
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • RtlDecodePointer.NTDLL(00000000), ref: 004261F0
    • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
  • GetCurrentThreadId.KERNEL32 ref: 00426202
    • Part of subcall function 00425D81: RtlDecodePointer.NTDLL(0044204C), ref: 00425D92
    • Part of subcall function 00425D81: TlsFree.KERNEL32(00442050,00426218,?,00424C8B), ref: 00425DAC
    • Part of subcall function 00425D81: RtlDeleteCriticalSection.NTDLL(00000000), ref: 0042BF78
    • Part of subcall function 00425D81: RtlDeleteCriticalSection.NTDLL(00442050), ref: 0042BFA2
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 114
  • API ID: GetModuleHandleGetProcAddressGetSystemInfoVirtualAllocVirtualProtectVirtualQuery
  • String ID: SetThreadStackGuarantee$[FILE]
  • API String ID: 680167281-1579773211
  • Opcode ID: 168240ab15ce24652e769bfb5492d562a5f91951bd35543584bc6f19a768c252
  • Instruction ID: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
  • Opcode Fuzzy Hash: 30F0DC5592AF88CFCAB28083370134C9074FB14A8FC8D3F8136A1A5959DF0171B91F05
  • Instruction Fuzzy Hash: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
APIs
  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00423A06
  • GetSystemInfo.KERNEL32(?), ref: 00423A1E
  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00423A2E
  • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00423A3E
  • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00423A90
  • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 00423AA5
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2
  • API ID: GetSysColorBrush$FillRect$FrameRect$DrawEdgeGetMenuItemInfoGetSysColorInflateRectOffsetRectSetBkMode
  • String ID:
  • API String ID: 2229727391-0
  • Opcode ID: 90e8aff3d27a1c143cabdc3f28c954df0dd597e430b2a9240d7be7c2dc094682
  • Instruction ID: b52916a7167fd754fb7b17c02c09a1a004262e9bc0257bf3923ec1843ede5b9c
  • Opcode Fuzzy Hash: 6231CE59193B3052CA78294BA8823DE3166FF93EAFD0C7B4105D53862F1FB551B08EAC
  • Instruction Fuzzy Hash: b52916a7167fd754fb7b17c02c09a1a004262e9bc0257bf3923ec1843ede5b9c
APIs
  • GetSysColorBrush.USER32(00000004), ref: 00416150
  • FillRect.USER32(?,?,00000000), ref: 0041615D
  • DrawEdge.USER32(00000006,?,00000006,00000002), ref: 004161A4
  • GetSysColorBrush.USER32(0000001D), ref: 004161B6
  • FillRect.USER32(?,?,00000000), ref: 004161C3
  • GetSysColorBrush.USER32(0000000D), ref: 004161CB
  • FrameRect.USER32(00000000,?,00000000), ref: 004161D8
  • OffsetRect.USER32(?,00000000,?), ref: 00416228
  • InflateRect.USER32(?,000000FF,000000FF), ref: 0041625E
  • GetSysColorBrush.USER32(00000004), ref: 0041626A
  • FillRect.USER32(?,?,00000000), ref: 0041627B
  • GetSysColorBrush.USER32(0000000D), ref: 00416283
  • FrameRect.USER32(00000000,?,00000000), ref: 00416294
  • GetSysColorBrush.USER32(00000004), ref: 00416321
  • GetSysColorBrush.USER32(00000010), ref: 0041632B
    • Part of subcall function 00414710: SelectObject.GDI32(00000000,00000000), ref: 004147C8
    • Part of subcall function 00414710: PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
    • Part of subcall function 00414710: GetSysColor.USER32(00000012), ref: 004147F2
    • Part of subcall function 00414710: SelectObject.GDI32(00000000,?), ref: 0041485A
    • Part of subcall function 00414710: DeleteObject.GDI32(00000000), ref: 00414865
    • Part of subcall function 00414710: DeleteDC.GDI32(00000000), ref: 00414872
    • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
  • GetMenuItemInfoA.USER32 ref: 00416371
  • SetBkMode.GDI32(?,00000001), ref: 004163E0
  • GetSysColor.USER32(?), ref: 00416404
    • Part of subcall function 00412A20: lstrlen.KERNEL32(?,?,00000000,?,74FEE270), ref: 00412A33
    • Part of subcall function 00412A20: SetTextColor.GDI32(00000000,?), ref: 00412A5B
    • Part of subcall function 00412A20: DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
    • Part of subcall function 00412A20: DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: PostMessageSendMessage$GetFocusIsWindow$RaiseException
  • String ID:
  • API String ID: 391519874-0
  • Opcode ID: a1eea519b2c352ff7b7a205c4a063e2cc2c0f12c177e65121b2273f3d05a518e
  • Instruction ID: f27b3117c9092eb5d3e1ac38c25a2563f5c5a049188849e05d7cbb74b76b3fad
  • Opcode Fuzzy Hash: 8D218B48011D5285E062AF00798938F10227B93FBEE78837232E960A9FBF9491A57F58
  • Instruction Fuzzy Hash: f27b3117c9092eb5d3e1ac38c25a2563f5c5a049188849e05d7cbb74b76b3fad
APIs
  • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 00415708
  • SendMessageA.USER32(?,00000448,00000000,00000000), ref: 00415728
    • Part of subcall function 004117C0: GetFocus.USER32 ref: 004117D2
    • Part of subcall function 004117C0: SetFocus.USER32(?), ref: 004117E2
  • GetFocus.USER32 ref: 0041574E
  • IsWindow.USER32(?), ref: 00415761
  • SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041577C
  • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004158D1
    • Part of subcall function 00411530: GetClientRect.USER32(?,?), ref: 00411569
    • Part of subcall function 00411530: GetMenuItemCount.USER32(?), ref: 00411573
    • Part of subcall function 00411530: SendMessageA.USER32(?,00000417,?,?), ref: 004115BD
    • Part of subcall function 00411530: SendMessageA.USER32(?,0000041D,?,?), ref: 004115E0
    • Part of subcall function 00411440: GetClientRect.USER32(?,?), ref: 00411479
    • Part of subcall function 00411440: GetMenuItemCount.USER32(?), ref: 00411498
    • Part of subcall function 00411440: SendMessageA.USER32(?,00000417,?,?), ref: 004114C6
    • Part of subcall function 00411440: SendMessageA.USER32(?,0000041D,?,?), ref: 004114E9
  • PostMessageA.USER32(?,00000100,0000001B,00000000), ref: 0041586B
  • PostMessageA.USER32(00000000,00000100,0000001B,00000000), ref: 00415894
    • Part of subcall function 00411630: GetParent.USER32(?), ref: 00411640
    • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
    • Part of subcall function 00411630: GetVersionExA.KERNEL32(?), ref: 0041169F
    • Part of subcall function 00411630: LoadLibraryA.KERNEL32(comctl32.dll), ref: 004116D6
    • Part of subcall function 00411630: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004116EF
    • Part of subcall function 00411630: FreeLibrary.KERNEL32(00000000), ref: 0041170A
    • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
    • Part of subcall function 00411630: PostMessageA.USER32(00000000,0000042B,00000000,00000000), ref: 00411797
    • Part of subcall function 00411630: PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004117AA
  • GetFocus.USER32 ref: 004158E6
  • IsWindow.USER32(?), ref: 004158F5
  • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 0041590C
  • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 00415933
  • PostMessageA.USER32(?,00000448,000000FF,00000000), ref: 00415961
    • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414100
    • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414119
    • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
    • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2
  • API ID: SelectObjectSendMessage$DrawTextSetBkModeSetTextColor
  • String ID:
  • API String ID: 3624289050-3916222277
  • Opcode ID: eb6400b2b758a748fab4abd5a4d2cbfab26b1518db259ae23214a5df549b5111
  • Instruction ID: 87f92ce5fbec10df0c0a6cc80d100b4918e189a58f9df7836c3011d7b6f753ef
  • Opcode Fuzzy Hash: 2DF0B4664839B042E43C5A462962FBBB022E3437EFE49F75120906424D5FA593641FEC
  • Instruction Fuzzy Hash: 87f92ce5fbec10df0c0a6cc80d100b4918e189a58f9df7836c3011d7b6f753ef
APIs
  • SetTextColor.GDI32(?,?), ref: 00413E6B
  • SetBkMode.GDI32(?,?), ref: 00413E76
  • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00413E86
  • SelectObject.GDI32(?,00000000), ref: 00413E9C
  • SendMessageA.USER32 ref: 00413F0F
  • DrawTextA.USER32(?,000000C8,000000FF,?,?), ref: 00413F37
  • SelectObject.GDI32(?,?), ref: 00413F47
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 5
  • API ID: GetProcAddress$FreeLibraryLoadLibrary
  • String ID: IsAppThemed$IsThemeActive$[FILE]
  • API String ID: 606304839-3656490713
  • Opcode ID: 68e66909eb26d52cbb5d5ad2c4a9d0aab3d20dbf10772c7de8d805213d4cc552
  • Instruction ID: 3ce3cb6f0ac9f64df36a53ba8c23d607a112200dcab43fd8f4a98bba1f4a0356
  • Opcode Fuzzy Hash: 38D02B235CA6484726E561017AC0420B0B1922271C00C7313076C3A0D9C73150ADAF94
  • Instruction Fuzzy Hash: 3ce3cb6f0ac9f64df36a53ba8c23d607a112200dcab43fd8f4a98bba1f4a0356
APIs
  • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00410C2D
  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00410C46
  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00410C58
  • FreeLibrary.KERNEL32(00000000), ref: 00410C67
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: DeleteObject$FindResourceLoadBitmapLoadImageLoadResourceLockResource
  • String ID:
  • API String ID: 3906019232-0
  • Opcode ID: 3f2b867d31614ff35b828579f24f706b8663f8f55edeea223ae3d5da19f81fdb
  • Instruction ID: 795093392e6a88a06a2fb1f5153911d8c1b224da00f2b49ebb7f942791cb405d
  • Opcode Fuzzy Hash: CC11EAA6069AF1C5E53C6640B57C33B7162A363B97C0D7B1214D8354962FA07231AF2C
  • Instruction Fuzzy Hash: 795093392e6a88a06a2fb1f5153911d8c1b224da00f2b49ebb7f942791cb405d
APIs
  • FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041F4B8
  • LoadResource.KERNEL32(00442B94,00000000), ref: 0041F4CE
  • LockResource.KERNEL32(00000000), ref: 0041F4D9
  • LoadImageA.USER32(00442B94,?,00000000,00000000,00000000,00002040), ref: 0041F596
    • Part of subcall function 0041E6B0: DeleteObject.GDI32(00000000,00000000), ref: 0041E6C3
  • LoadBitmapA.USER32(00442B94,?), ref: 0041F5B3
  • DeleteObject.GDI32(00000000), ref: 0041F623
    • Part of subcall function 00410BB0: GetVersionExA.KERNEL32 ref: 00410BD6
  • DeleteObject.GDI32(00000000), ref: 0041F652
    • Part of subcall function 0041EE80: GetCurrentObject.GDI32(00000000,00000007), ref: 0041EEA3
    • Part of subcall function 0041EE80: SelectObject.GDI32(00000000,?), ref: 0041EEDA
    • Part of subcall function 0041EE80: DeleteDC.GDI32(00000000), ref: 0041EF7C
    • Part of subcall function 0041EE80: GetCurrentProcess.KERNEL32 ref: 0041F006
    • Part of subcall function 0041EE80: FlushInstructionCache.KERNEL32(00000000), ref: 0041F00D
    • Part of subcall function 0041EE80: SetWindowLongA.USER32(?,000000FC,?), ref: 0041F01A
    • Part of subcall function 00411B80: DeleteObject.GDI32 ref: 00411B8A
    • Part of subcall function 0041E1F0: FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041E200
    • Part of subcall function 0041E1F0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041E208
    • Part of subcall function 0041E1F0: LockResource.KERNEL32(00000000), ref: 0041E20F
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 9
  • API ID: GetWindowLongGetWindowRectSendMessage$InvalidateRect
  • String ID:
  • API String ID: 2431701617-0
  • Opcode ID: cbcb8fc9cdf9f7da19b72781468aede5d1add90d5d168460ac0ab8bb5b07aaa9
  • Instruction ID: 2d222aa38c8b9792f0f1c956e9e424c9997aed1382e7dfc7103e959200013b80
  • Opcode Fuzzy Hash: B1F0EC5C18A9B281E438290A345D3BD3566E7D3BBBE4D767004827B84B97C0E5E46E4E
  • Instruction Fuzzy Hash: 2d222aa38c8b9792f0f1c956e9e424c9997aed1382e7dfc7103e959200013b80
APIs
  • GetWindowLongA.USER32(?,000000F0), ref: 0041877C
  • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
  • InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
  • GetWindowRect.USER32(?,?), ref: 004187C9
  • GetWindowLongA.USER32(?,000000F0), ref: 004187E4
  • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
  • GetWindowRect.USER32(?,?), ref: 00418823
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 8
  • API ID: GetClassNamelstrcmp$CallNextHookEx
  • String ID: #32768
  • API String ID: 3555716370-207879865
  • Opcode ID: 7baa6d57bbf3fb84449ed192feaf17e1dfc4168332d9106dab649d43ace71bdc
  • Instruction ID: b63818fa4f79b9eb047a2c6d7c082f515b2f1f4e18d76a5586f531d1bfde4187
  • Opcode Fuzzy Hash: CFE022EB097D9482AD3004863408158B2A2BCF21A546C2B030742210672BF0E9E80E88
  • Instruction Fuzzy Hash: b63818fa4f79b9eb047a2c6d7c082f515b2f1f4e18d76a5586f531d1bfde4187
APIs
  • GetClassNameA.USER32(?,00000007,00000007), ref: 0041645A
  • lstrcmp.KERNEL32(#32768,00000000), ref: 0041646A
  • GetClassNameA.USER32(?,00000007,00000007), ref: 0041649A
  • lstrcmp.KERNEL32(#32768,00000000), ref: 004164AA
  • CallNextHookEx.USER32(00442A54,?,?,?), ref: 004164D8
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: RtlInterlockedPopEntrySList$GetProcessHeapRtlAllocateHeapRtlInterlockedPushEntrySListVirtualAllocVirtualFree
  • String ID:
  • API String ID: 4203545028-0
  • Opcode ID: 447f5a856220c7630b08529984e49e61e1135ffe24259eb714ea7793c883abc2
  • Instruction ID: fabd8742abe48ecbebd7ac0c1d8a4d26c5d48c349bcafea011c2690a182c4e8f
  • Opcode Fuzzy Hash: D1E020E7011D8380C65510643850333F020FFB657ED6C1F1001B0079969F81703CAF4D
  • Instruction Fuzzy Hash: fabd8742abe48ecbebd7ac0c1d8a4d26c5d48c349bcafea011c2690a182c4e8f
APIs
  • GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
  • RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
  • RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
  • RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
  • RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • Part of subcall function 00421E10: IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,004124FE), ref: 00421E12
    • Part of subcall function 00421E10: GetProcessHeap.KERNEL32(00000018,00000008,?,?,?,?,?,004124FE), ref: 00421E41
    • Part of subcall function 00421E10: RtlAllocateHeap.NTDLL(00000000), ref: 00421E44
    • Part of subcall function 00421E10: InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
    • Part of subcall function 00421E10: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,004124FE), ref: 00421E67
    • Part of subcall function 00421E10: HeapFree.KERNEL32(00000000,?,?,?,?,?,004124FE), ref: 00421E6A
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 8
  • API ID: SendMessage$GetActiveWindowGetCurrentProcessIdGetWindowThreadProcessIdIsWindowEnabled
  • String ID:
  • API String ID: 1851182715-0
  • Opcode ID: 87b94c7119a0bb5c0848de1cd8d9d5b44fef1a83e729f22c4acb0cf31386dbf4
  • Instruction ID: 13d285e24533d6425c796b3d72999faf7d9f033b70407827b4ceaf71b74c9e1a
  • Opcode Fuzzy Hash: 5EE0684C1040A6C3D012BA40282732E22926793E57D0CAB3233C27880D8B9092A59F0D
  • Instruction Fuzzy Hash: 13d285e24533d6425c796b3d72999faf7d9f033b70407827b4ceaf71b74c9e1a
APIs
  • GetActiveWindow.USER32 ref: 00410EDF
  • GetWindowThreadProcessId.USER32(00000000), ref: 00410EE6
  • GetCurrentProcessId.KERNEL32 ref: 00410EEC
  • IsWindowEnabled.USER32(?), ref: 00410EFD
  • SendMessageA.USER32(?,0000011F,00000000,?), ref: 00410F40
  • SendMessageA.USER32(?,0000011F,FFFF0000,00000000), ref: 00410F58
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: GetProcessHeap$HeapFreeInterlockedCompareExchangeIsProcessorFeaturePresentRtlAllocateHeap
  • String ID:
  • API String ID: 977837635-0
  • Opcode ID: a0989f7c9f1da2c53007407c24c9dfc39b63ace48fcc80e0021f172244815768
  • Instruction ID: 7b23064657a08705361ad21267eea3be9e6c86a84a923f279c7efef2ecfb0800
  • Opcode Fuzzy Hash: A8D023CD04AF5DD84D3810103480363F575F67980850CAF1412D333011AE1171771FC5
  • Instruction Fuzzy Hash: 7b23064657a08705361ad21267eea3be9e6c86a84a923f279c7efef2ecfb0800
APIs
  • IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,004124FE), ref: 00421E12
  • GetProcessHeap.KERNEL32(00000018,00000008,?,?,?,?,?,004124FE), ref: 00421E41
  • RtlAllocateHeap.NTDLL(00000000), ref: 00421E44
  • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
  • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,004124FE), ref: 00421E67
  • HeapFree.KERNEL32(00000000,?,?,?,?,?,004124FE), ref: 00421E6A
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: SendMessage$GetClientRectGetMenuItemCount
  • String ID:
  • API String ID: 299319555-0
  • Opcode ID: 8d4965aaaf66cfd70dcf56f5d10b9d3aaea30d56e85ed38450215aea890c940d
  • Instruction ID: 9f1530c90e7152968056007d7116793f18be9c93e76728c648c11472e5ccaf30
  • Opcode Fuzzy Hash: 76F0979B4879E603893828839D94BABB803F2D057F854B31246903839F0E95706019EC
  • Instruction Fuzzy Hash: 9f1530c90e7152968056007d7116793f18be9c93e76728c648c11472e5ccaf30
APIs
  • GetClientRect.USER32(?,?), ref: 00411479
  • GetMenuItemCount.USER32(?), ref: 00411498
  • SendMessageA.USER32(?,00000417,?,?), ref: 004114C6
  • SendMessageA.USER32(?,0000041D,?,?), ref: 004114E9
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1
  • API ID: DrawText$SetTextColorlstrlen
  • String ID:
  • API String ID: 760151791-0
  • Opcode ID: 89c9ef4c70ff8e8101d84f8e6a58ddf3b64c80e88c48cb0735b448eb4ca58d8a
  • Instruction ID: 1f86d8a346c53b593c166470e8d672b0a9068f2ffbe85b77b1f41d27951bf106
  • Opcode Fuzzy Hash: 8BE0266A3223F001D41B4601D57174D351127D3F45C4C625432C1D40DC27D9537E6F45
  • Instruction Fuzzy Hash: 1f86d8a346c53b593c166470e8d672b0a9068f2ffbe85b77b1f41d27951bf106
APIs
  • lstrlen.KERNEL32(?,?,00000000,?,74FEE270), ref: 00412A33
  • SetTextColor.GDI32(00000000,?), ref: 00412A5B
  • DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
  • DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 4
  • API ID: IsWindow$SendMessageSetFocus
  • String ID:
  • API String ID: 412162688-0
  • Opcode ID: bb5f03e5b2f4c56f1954e5d578fa40bd9826524bc87b23d2571d63e371344dc2
  • Instruction ID: d5ec0b19bb7f7dc08fdd89d509a2c304adf70756f5badf1842c0eeedfe4227f1
  • Opcode Fuzzy Hash: 07D05E975E4C5740F0A92E80B88D363066563A261EFE9073145E918E25BAEB643C5F78
  • Instruction Fuzzy Hash: d5ec0b19bb7f7dc08fdd89d509a2c304adf70756f5badf1842c0eeedfe4227f1
APIs
  • IsWindow.USER32(?), ref: 00414100
  • IsWindow.USER32(?), ref: 00414119
  • SetFocus.USER32(?), ref: 00414123
  • SendMessageA.USER32 ref: 00414141
    • Part of subcall function 004128F0: SendMessageA.USER32(?,00000446,00100000,?), ref: 0041292D
    • Part of subcall function 004128F0: InvalidateRect.USER32(?,00000000,00000001), ref: 0041293B
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 124
  • API ID: GetCurrentThreadIdGetLastErrorRtlDecodePointerSetLastError
  • String ID:
  • API String ID: 2725908529-0
  • Opcode ID: caf53e39780e2f2e328ebb93a6b98db73a773a9d2c4d6a5da3a091a064053409
  • Instruction ID: ea82ca62171b5387ce5f4ab6297fb1d3040a41ceccf9fa6c9216793dde81d322
  • Opcode Fuzzy Hash: 0BD05E86272540946CB89143B04013112A26AD2B7081CB39203B8125B3CB90713DBE84
  • Instruction Fuzzy Hash: ea82ca62171b5387ce5f4ab6297fb1d3040a41ceccf9fa6c9216793dde81d322
APIs
  • GetLastError.KERNEL32(?,00000000,004251BD,00422AA1,?,?,00417F96,00000009), ref: 00425E76
    • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
    • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
    • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
  • SetLastError.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425EE0
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • RtlDecodePointer.NTDLL(00000000), ref: 00425EB2
  • GetCurrentThreadId.KERNEL32 ref: 00425EC8
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name: csshead.exe
Process MD5: F80376F6E67D79147715E70823DE3A00
Total matches: 54
Initial Analysis Report: Open
Initial sample Analysis ID: 65110
Initial sample SHA 256: 04ABDA7F7BDCC69AF28546D1464D3450F8A8A5011A72742DB9F71303C46AEE08
Initial sample name: 5020189792_979255.jpg.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:F80376F6E67D79147715E70823DE3A00
Total matches:54
Initial Analysis Report:Open
Initial sample Analysis ID:65102
Initial sample SHA 256:C914400A2688AB1FFD6564FDAC354EA4FC85C2483EBAE3CD1023288CAF425BB5
Initial sample name:1220180178_017855.jpg.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:F80376F6E67D79147715E70823DE3A00
Total matches:49
Initial Analysis Report:Open
Initial sample Analysis ID:65090
Initial sample SHA 256:3E630A7FCFD98E360EF9C422A53C3F16204CBA6AF14A1BBCA2068B80B3874213
Initial sample name:420185187_518739.jpg.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name: csshead.exe
Process MD5: C09F5356DE9941991CD3B3D6D67D9106
Total matches: 48
Initial Analysis Report: Open
Initial sample Analysis ID: 41148
Initial sample SHA 256: 42C04255EAB287F7F4211CC94E90C56CB0A7C352941DEFAB5F009353BC958D19
Initial sample name: splugin.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 124
  • API ID: GetCurrentThreadIdGetLastErrorRtlDecodePointerSetLastError
  • String ID:
  • API String ID: 2725908529-0
  • Opcode ID: caf53e39780e2f2e328ebb93a6b98db73a773a9d2c4d6a5da3a091a064053409
  • Instruction ID: ea82ca62171b5387ce5f4ab6297fb1d3040a41ceccf9fa6c9216793dde81d322
  • Opcode Fuzzy Hash: 0BD05E86272540946CB89143B04013112A26AD2B7081CB39203B8125B3CB90713DBE84
  • Instruction Fuzzy Hash: ea82ca62171b5387ce5f4ab6297fb1d3040a41ceccf9fa6c9216793dde81d322
APIs
  • GetLastError.KERNEL32(?,00000000,004251BD,00422AA1,?,?,00417F96,00000009), ref: 00425E76
    • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
    • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
    • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
  • SetLastError.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425EE0
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • RtlDecodePointer.NTDLL(00000000), ref: 00425EB2
  • GetCurrentThreadId.KERNEL32 ref: 00425EC8
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:B63A39FAD3EDC42EF9968A870BB5ED84
Total matches:46
Initial Analysis Report:Open
Initial sample Analysis ID:31223
Initial sample SHA 256:BF26945A850E6DF808409F800AB1DBB42B2469440CAA394B4721CDF4A7D371AC
Initial sample name:tr.exe

Similar Executed Functions

Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 4
  • API ID: CharLowerBuffSetupDiDestroyDeviceInfoListSetupDiEnumDeviceInfoSetupDiGetClassDevsSetupDiGetDeviceRegistryProperty$LoadLibrary
  • String ID: n@
  • API String ID: 1856892526-3430618438
  • Opcode ID: f395957a129d18a7057bf5d2b46ad4e5b50706271406e1c0a15cd69007c876c7
  • Instruction ID: e1fe8120ec9eb699218d3ba7918ebdcf80a84b61bc84734396826ac2cb6ecfb7
  • Opcode Fuzzy Hash: 1A21680205998247D9A7260030B7F9741D0F352E31E4D33274EB2663DD1B1AA05DFE5F
  • Instruction Fuzzy Hash: e1fe8120ec9eb699218d3ba7918ebdcf80a84b61bc84734396826ac2cb6ecfb7
APIs
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • LoadLibraryA.KERNELBASE(?), ref: 00406F0B
  • SetupDiGetClassDevsA.SETUPAPI(0040A014,00000000,00000000,00000002), ref: 00406F79
  • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00406FA7
  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00406FCE
  • CharLowerBuffA.USER32(00000000,00000000), ref: 00406FE7
  • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00406FF1
  • SetupDiGetClassDevsA.SETUPAPI(0040A024,00000000,00000000,00000002), ref: 00407028
  • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00407056
  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0040707D
  • CharLowerBuffA.USER32(00000000,00000000), ref: 00407096
  • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004070A0
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 2
  • API ID: GetCurrentProcess$GetComputerNameRegOpenKeyEx
  • String ID: t!@
  • API String ID: 3309570369-1459244525
  • Opcode ID: 0f515d2ccba9fb09622a15f09a41a7b0691d431ab9b77dc0686a87efc184a67a
  • Instruction ID: f296bf137465afbf62ce5bf383cc4be3297ed09ac4068a95a9abc795b2b5319f
  • Opcode Fuzzy Hash: 67F044430BA8D603FA656A053823B2425E8FBA2639D8D67A11CF0332F28F4CA044F50B
  • Instruction Fuzzy Hash: f296bf137465afbf62ce5bf383cc4be3297ed09ac4068a95a9abc795b2b5319f
APIs
  • GetComputerNameA.KERNEL32(?,00000081), ref: 00404A8B
  • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00404AB9
    • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00404B17
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00404B41
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 4
  • API ID: GetComputerNameRegOpenKeyEx
  • String ID: t!@
  • API String ID: 3881136468-1459244525
  • Opcode ID: b85cb74487aa6f988b72e9fa7186664ecde379de55712d535bfb4c8f26644669
  • Instruction ID: f2c03765e5d1ca2d3c39d2a8341eae070377902dc4b9c690e8b2d5eca6183eee
  • Opcode Fuzzy Hash: 5CE0924117A96547EEA569413CE3B2201E9F373A22E9EA3A15AF4535E58D04A080FD0F
  • Instruction Fuzzy Hash: f2c03765e5d1ca2d3c39d2a8341eae070377902dc4b9c690e8b2d5eca6183eee
APIs
  • GetComputerNameA.KERNEL32(?,?), ref: 00406927
  • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
    • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 2
  • API ID: VirtualProtect
  • String ID: !@
  • API String ID: 268857135-3147449996
  • Opcode ID: a865e2df332133ea9193b9e3bdb4a5adb05490316c00832a622abb0dfb0e8a2a
  • Instruction ID: c5daa1bd82e8a6898d62e5f923d9e7b3f0e6c71b3c0cc13f266b0d98df876758
  • Opcode Fuzzy Hash: 62D0A7E409A8A1531539680434795092F007BE0B5D8FC22400DC7378926B4C3190B748
  • Instruction Fuzzy Hash: c5daa1bd82e8a6898d62e5f923d9e7b3f0e6c71b3c0cc13f266b0d98df876758
APIs
  • VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 4
  • API ID: GetComputerNameGetVolumeInformationRegOpenKeyEx
  • String ID: t!@
  • API String ID: 976818110-1459244525
  • Opcode ID: 0020e8489871acdda78cd5072940fb3bc6fad13dc2004c33f66e4daf0c5fcb76
  • Instruction ID: 8395e48386cde48b3361b65c01986312c368c958ac72b8d78f847c9b9ff6d5f0
  • Opcode Fuzzy Hash: EE21830B0B78E753B9226B416892B0711E5F763722D9973F15DF0279E29A05A280FA1F
  • Instruction Fuzzy Hash: 8395e48386cde48b3361b65c01986312c368c958ac72b8d78f847c9b9ff6d5f0
APIs
  • GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
  • RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
  • GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

General

Root Process Name:csshead.exe
Process MD5:941FA30BE8DCFEF277CE62DE74FFBF99
Total matches:45
Initial Analysis Report:Open
Initial sample Analysis ID:56382
Initial sample SHA 256:95B8F7277E3965872577AEBFC4D1A0A5738E6C814CBEB9AEF85B495B36DABAE8
Initial sample name:668396.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 114
  • API ID: GetModuleHandleGetProcAddressGetSystemInfoVirtualAllocVirtualProtectVirtualQuery
  • String ID: SetThreadStackGuarantee$[FILE]
  • API String ID: 680167281-1579773211
  • Opcode ID: 168240ab15ce24652e769bfb5492d562a5f91951bd35543584bc6f19a768c252
  • Instruction ID: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
  • Opcode Fuzzy Hash: 30F0DC5592AF88CFCAB28083370134C9074FB14A8FC8D3F8136A1A5959DF0171B91F05
  • Instruction Fuzzy Hash: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
APIs
  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00423A06
  • GetSystemInfo.KERNEL32(?), ref: 00423A1E
  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00423A2E
  • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00423A3E
  • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00423A90
  • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 00423AA5
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 77
  • API ID: CallWindowProcGetWindowLong$SetWindowLong
  • String ID: $
  • API String ID: 3866310918-3993045852
  • Opcode ID: ad095534242b8f661b43784e464837e169c304f971d99c585a85536d9eadf7f2
  • Instruction ID: 4a4eeb3e94a68d829235e649e3395343a9ee774aaf760f4ab5c1ca3d04699f5e
  • Opcode Fuzzy Hash: 88F028171AAEB267F17B2103A593BAA0342E3C36BFE097A1011C65072E5FA1E6350E5D
  • Instruction Fuzzy Hash: 4a4eeb3e94a68d829235e649e3395343a9ee774aaf760f4ab5c1ca3d04699f5e
APIs
  • CallWindowProcA.USER32(?,?,?,?,?), ref: 00411AD3
  • GetWindowLongA.USER32(?,000000FC), ref: 00411AE8
  • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00411AFD
  • GetWindowLongA.USER32(?,000000FC), ref: 00411B18
  • SetWindowLongA.USER32(?,000000FC,?), ref: 00411B2A
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 4
  • API ID: PeekMessage$DestroyMenuGetMenuItemCountMapWindowPointsPtInRectRemoveMenu
  • String ID:
  • API String ID: 2665095626-0
  • Opcode ID: efe597dbb320c90ba25db7325b5adf02f11ae29fbeb20ca0692be43f9b0331a8
  • Instruction ID: 340ed14801e0d5f5aeaae7cd6b81a8f32ab4df8fd8bd5db5e08c8001e76fa3d4
  • Opcode Fuzzy Hash: 0CF0596514BF3041E4F9298158C9B7F2183EB9162EC087B00A5D02462E0D1542361F8D
  • Instruction Fuzzy Hash: 340ed14801e0d5f5aeaae7cd6b81a8f32ab4df8fd8bd5db5e08c8001e76fa3d4
APIs
  • GetMenuItemCount.USER32 ref: 00418EEB
  • RemoveMenu.USER32(?,-00000001,00000400), ref: 00418F07
  • DestroyMenu.USER32 ref: 00418F15
  • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 00418F46
  • PeekMessageA.USER32 ref: 00418F88
  • PtInRect.USER32(00000000,00000000,?), ref: 00418F9D
  • PeekMessageA.USER32(?,?,00000201,00000201,00000001), ref: 00418FBC
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 9
  • API ID: GetWindowLongGetWindowRectSendMessage$InvalidateRect
  • String ID:
  • API String ID: 2431701617-0
  • Opcode ID: cbcb8fc9cdf9f7da19b72781468aede5d1add90d5d168460ac0ab8bb5b07aaa9
  • Instruction ID: 2d222aa38c8b9792f0f1c956e9e424c9997aed1382e7dfc7103e959200013b80
  • Opcode Fuzzy Hash: B1F0EC5C18A9B281E438290A345D3BD3566E7D3BBBE4D767004827B84B97C0E5E46E4E
  • Instruction Fuzzy Hash: 2d222aa38c8b9792f0f1c956e9e424c9997aed1382e7dfc7103e959200013b80
APIs
  • GetWindowLongA.USER32(?,000000F0), ref: 0041877C
  • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
  • InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
  • GetWindowRect.USER32(?,?), ref: 004187C9
  • GetWindowLongA.USER32(?,000000F0), ref: 004187E4
  • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
  • GetWindowRect.USER32(?,?), ref: 00418823
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: FreeLibrary$GetProcAddressLoadLibrary
  • String ID: DllGetVersion
  • API String ID: 2512122033-2861820592
  • Opcode ID: be49aa90af57e269024710232b8ec6c16d6d85efe12ba3e8e4d375a5604effca
  • Instruction ID: c9669b9c6fb3d348bb8482e27c1c13d29037c5d683bf86d8a3501337a0ca5500
  • Opcode Fuzzy Hash: B5C012C0471919149931824534565191235BA61B4316D3F745FB4085FB5E3615784F88
  • Instruction Fuzzy Hash: c9669b9c6fb3d348bb8482e27c1c13d29037c5d683bf86d8a3501337a0ca5500
APIs
  • LoadLibraryA.KERNEL32(?), ref: 00410AE6
  • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00410B11
  • FreeLibrary.KERNEL32(00000000), ref: 00410B21
  • FreeLibrary.KERNEL32(00000000), ref: 00410B32
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 13
  • API ID: MonitorFromPoint$GetMonitorInfo
  • String ID: (
  • API String ID: 321890912-3887548279
  • Opcode ID: 50a6a21e842f298da833938df26900c679260b0af102af06c5ecc669f6a088b0
  • Instruction ID: db54427a310a53abcab4a7bb41387822345ddb1a193adcbb6f2b382980b0f959
  • Opcode Fuzzy Hash: B7D05E8F4A9B75BF8439008A95427BCA090B2F18AFB12B7A41602A554D59F4E0702B6C
  • Instruction Fuzzy Hash: db54427a310a53abcab4a7bb41387822345ddb1a193adcbb6f2b382980b0f959
APIs
  • MonitorFromPoint.USER32(?,?,00000000), ref: 00411928
  • MonitorFromPoint.USER32(?,?,00000002), ref: 00411932
  • GetMonitorInfoA.USER32 ref: 0041196C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 23
  • API ID: CreateWindowExFlushInstructionCacheGetCurrentProcessSetLastError
  • String ID:
  • API String ID: 1787983824-0
  • Opcode ID: abdcd0cee5a5650f6a0d0b3ca1d171cfde8c2d256cd1b6985ff036785179edfb
  • Instruction ID: 346dc5fbfa1c3060e430b335733926fa09466434c4f7727a6664cef35d78d8e0
  • Opcode Fuzzy Hash: 02F05CA317E57003E66931406539B6E6113D7567A2D0D3B0007E7141374D349A354E5C
  • Instruction Fuzzy Hash: 346dc5fbfa1c3060e430b335733926fa09466434c4f7727a6664cef35d78d8e0
APIs
  • GetCurrentProcess.KERNEL32 ref: 00420A36
  • FlushInstructionCache.KERNEL32(00000000), ref: 00420A3D
  • CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 00420AD1
    • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
    • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
    • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
    • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
    • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
    • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
    • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
  • SetLastError.KERNEL32(0000000E), ref: 00420A57
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

General

Root Process Name:csshead.exe
Process MD5:6EED20CCE1D8877E9953E4375AC750CE
Total matches:45
Initial Analysis Report:Open
Initial sample Analysis ID:59838
Initial sample SHA 256:80DDBDBEDA351B942A6619381744A528974D9C549E6CD9B36993D5DD0313FC42
Initial sample name:mlsd.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:EFB98185CB4A95C8E3F209B05EB4AEBC
Total matches:45
Initial sample Analysis ID:50392
Initial sample SHA 256:192DB4F6BCAE16A78C0C7544A3653A597C4CE05F8B8773F2553414C42BDDAA51
Initial sample name:3666712.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:F80376F6E67D79147715E70823DE3A00
Total matches:44
Initial Analysis Report:Open
Initial sample Analysis ID:65112
Initial sample SHA 256:6865E3954816AFC08C28029D8D552026CC4F11E4EF6EEFB2BAE38123463C0A75
Initial sample name:6120184456_445675.jpg.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:00FE617BE3854F8B3EB373E8272148DD
Total matches:44
Initial Analysis Report:Open
Initial sample Analysis ID:49462
Initial sample SHA 256:6FD04B0C6EA295F5617F83896B8CE243909A77A9DA4E876C0F8E6E414BDEFFC3
Initial sample name:mxdn.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
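The entry above is the canonical suspended-process injection (process hollowing) sequence: CreateProcessA with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), GetThreadContext, VirtualProtectEx with flNewProtect 0x40 (PAGE_EXECUTE_READWRITE), WriteProcessMemory into the child, then ResumeThread, with NtQueryInformationProcess and ReadProcessMemory subcalls reading the child beforehand. Note that the report does not list calls in address order (CloseHandle at 004052C8 precedes VirtualProtectEx at 00405252), so any sequence check has to sort on the ref address first. The following Python is an added example, not part of the report or of Joe Sandbox: it parses lines in this report's "Func.Module(args), ref: addr" layout (the format is inferred from this page) and flags that sequence; the positive sample lines are copied from the entry above and the control is the plain file-read routine from a later entry.

```python
"""Flag the process-hollowing API sequence in Joe Sandbox 'APIs' lines.

Added example, not part of the report or of Joe Sandbox: the line format is
inferred from this report, the SAMPLE_HOLLOWING lines are copied from the
entry above, and SAMPLE_FILE_READ (a plain file read from a later entry) is
the negative control.
"""
import re

CREATE_SUSPENDED = 0x00000004      # CreateProcess dwCreationFlags bit (winbase.h)
PAGE_EXECUTE_READWRITE = 0x40      # VirtualProtectEx flNewProtect (winnt.h)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


def _split_args(text):
    """Split on top-level commas so '00000019(TokenIntegrityLevel)' stays whole."""
    out, cur, depth = [], [], 0
    for ch in text:
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    out.append("".join(cur))
    return out


def parse_arg(token):
    """'000000FF' -> 255; '?' (value the sandbox could not resolve) -> None;
    anything else (a string argument such as 'Psapi') -> the text itself."""
    token = token.strip()
    if token in ("", "?"):
        return None
    bare = token.split("(", 1)[0]          # drop a '(TokenIntegrityLevel)' note
    return int(bare, 16) if HEX32.match(bare) else token


def parse_api_line(line):
    """Parse '  • Func.Module(arg,...), ref: ADDR' or '  • Func.Module ref: ADDR'.

    Returns {'func', 'module', 'args', 'ref', 'subcall'}, or None for a line
    that is not an API entry (headings, 'Source File', ...).
    """
    text = line.strip().lstrip("•").strip()
    subcall = text.startswith("Part of subcall function")
    if subcall:                        # '... function 00404EF0: Func.Module(...)'
        text = text.split(":", 1)[1].strip()
    head, sep, ref = text.rpartition(" ref: ")
    ref = ref.strip()
    if not sep or not HEX32.match(ref):
        return None
    name, _, rest = head.rstrip(",").strip().partition("(")
    args = [parse_arg(a) for a in _split_args(rest[:-1])] if rest.endswith(")") else []
    func, _, module = name.partition(".")
    return {"func": func, "module": module, "args": args,
            "ref": int(ref, 16), "subcall": subcall}


def _arg(call, i):
    return call["args"][i] if i < len(call["args"]) else None


def find_process_hollowing(lines):
    """Look, in address order, for CreateProcess* with CREATE_SUSPENDED, then
    WriteProcessMemory, then ResumeThread among one function's direct calls.
    GetThreadContext and an RWX VirtualProtectEx in between are recorded as
    supporting evidence but are not required for a match."""
    calls = [c for c in map(parse_api_line, lines) if c and not c["subcall"]]
    calls.sort(key=lambda c: c["ref"])     # the report lists calls out of address order
    stage, evidence, support = 0, [], []
    for c in calls:
        f, flags = c["func"], _arg(c, 5)   # index 5 of CreateProcess* is dwCreationFlags
        if stage == 0 and f in ("CreateProcessA", "CreateProcessW") \
                and isinstance(flags, int) and flags & CREATE_SUSPENDED:
            evidence.append(f"{f} with CREATE_SUSPENDED at {c['ref']:08X}")
            stage = 1
        elif stage == 1 and f == "GetThreadContext":
            support.append(f"GetThreadContext at {c['ref']:08X}")
        elif stage == 1 and f == "VirtualProtectEx" and _arg(c, 3) == PAGE_EXECUTE_READWRITE:
            support.append(f"VirtualProtectEx PAGE_EXECUTE_READWRITE at {c['ref']:08X}")
        elif stage == 1 and f == "WriteProcessMemory":
            evidence.append(f"WriteProcessMemory at {c['ref']:08X}")
            stage = 2
        elif stage == 2 and f == "ResumeThread":
            evidence.append(f"ResumeThread at {c['ref']:08X}")
            stage = 3
            break
    return {"match": stage == 3, "evidence": evidence + support}


# Constructed input: copied from the entry above (one subcall line kept to
# show it is skipped); note the listing order is not the address order.
SAMPLE_HOLLOWING = """
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
""".strip("\n").splitlines()

# Constructed control: the file-read routine from a later entry of this report.
SAMPLE_FILE_READ = """
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
""".strip("\n").splitlines()

if __name__ == "__main__":
    for name, sample in (("hollowing", SAMPLE_HOLLOWING), ("file read", SAMPLE_FILE_READ)):
        result = find_process_hollowing(sample)
        print(name, "->", result["match"], *result["evidence"], sep="\n  ")
```

The parser keeps unresolved arguments (`?`) as `None` rather than dropping them, so positional checks such as "argument 5 of CreateProcessA" stay aligned even when the sandbox could not recover a value.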
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
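Together with the OpenProcessToken/GetTokenInformation entry earlier in this section, the entry above shows how the sample classifies its own token. GetTokenInformation with class 0x19 (TokenIntegrityLevel) followed by GetSidSubAuthorityCount and GetSidSubAuthority reads the last sub-authority of the mandatory-label SID, which is the integrity RID (0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system). AllocateAndInitializeSid with two sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS) builds S-1-5-32-544, BUILTIN\Administrators, assuming the authority structure at 0040A2A4 is SECURITY_NT_AUTHORITY (the report shows only the address); that SID is then compared with EqualSid against the entries returned by GetTokenInformation class 0x2 (TokenGroups). The following Python is an added example, not the sample's or the report's code: it builds and parses binary SIDs in the layout those APIs use and performs both checks on constructed tokens. The caveat it models is that a bare EqualSid match does not distinguish a UAC-filtered admin token, where Administrators is present but carries SE_GROUP_USE_FOR_DENY_ONLY, from an elevated one; the report shows the EqualSid calls but not whether the group attributes are inspected.

```python
"""Decode the two token checks seen in the report (integrity level and
BUILTIN Administrators membership) on binary SIDs.

Added example, not code from the sample or from Joe Sandbox: the SID blobs
are constructed with build_sid(), which lays them out the way
AllocateAndInitializeSid and GetTokenInformation return them.
"""
import struct

SECURITY_NT_AUTHORITY = 5                  # S-1-5-...
SECURITY_MANDATORY_LABEL_AUTHORITY = 16    # S-1-16-...
SECURITY_BUILTIN_DOMAIN_RID = 0x20         # the '00000020' argument in the report
DOMAIN_ALIAS_RID_ADMINS = 0x220            # the '00000220' argument in the report
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010    # Administrators in a UAC-filtered token
TOKEN_GROUPS, TOKEN_INTEGRITY_LEVEL = 0x2, 0x19   # TOKEN_INFORMATION_CLASS values seen

# SECURITY_MANDATORY_*_RID (winnt.h); the sample reads this RID with
# GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1).
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x2100: "Medium Plus", 0x3000: "High", 0x4000: "System",
                    0x5000: "Protected Process"}


def build_sid(authority, *sub_authorities):
    """Binary SID: revision 1, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian DWORD sub-authorities."""
    if not 0 <= len(sub_authorities) <= 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (bytes([1, len(sub_authorities)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def parse_sid(blob):
    """Inverse of build_sid; raises ValueError where IsValidSid would return FALSE."""
    if len(blob) < 8 or blob[0] != 1 or blob[1] > 15 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % blob[1], blob[8:]))
    return authority, subs


def is_valid_sid(blob):
    try:
        parse_sid(blob)
        return True
    except ValueError:
        return False


def sid_to_string(blob):
    authority, subs = parse_sid(blob)
    return "-".join(str(x) for x in ["S", 1, authority] + subs)


def integrity_level(label_sid):
    """(rid, name) from the TokenIntegrityLevel SID: its last sub-authority,
    which is what the GetSidSubAuthorityCount/GetSidSubAuthority pair reads."""
    authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or not subs:
        raise ValueError("not a mandatory-label SID")
    rid = subs[-1]
    return rid, INTEGRITY_LEVELS.get(rid, "unknown")


def is_admin_member(groups, honor_deny_only=True):
    """groups: [(sid_blob, attributes)] as TokenGroups returns them.

    honor_deny_only=False reproduces a bare EqualSid loop over the SIDs (the
    report shows EqualSid; it does not show whether attributes are checked).
    With True, a UAC-filtered token (Administrators present but deny-only)
    is not counted, which matches what CheckTokenMembership reports.
    """
    admins = build_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
    for sid, attributes in groups:
        if sid == admins:                     # EqualSid is a field-by-field compare
            return not (honor_deny_only and attributes & SE_GROUP_USE_FOR_DENY_ONLY)
    return False


def describe_token(label_sid, groups):
    rid, name = integrity_level(label_sid)
    return {"integrity": name, "integrity_rid": rid,
            "admins_in_groups": is_admin_member(groups, honor_deny_only=False),
            "admins_effective": is_admin_member(groups)}


if __name__ == "__main__":
    # Constructed tokens: a UAC-filtered admin (medium, Administrators deny-only)
    # and the same user's elevated token (high, Administrators enabled).
    admins = build_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
    everyone = build_sid(1, 0)                                   # S-1-1-0
    filtered = [(everyone, SE_GROUP_ENABLED), (admins, SE_GROUP_USE_FOR_DENY_ONLY)]
    elevated = [(everyone, SE_GROUP_ENABLED), (admins, SE_GROUP_ENABLED)]
    print(sid_to_string(admins))                                 # S-1-5-32-544
    print(describe_token(build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, 0x2000), filtered))
    print(describe_token(build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, 0x3000), elevated))
```

For triage, the integrity RID is the more reliable elevation signal of the two: on a filtered token `admins_in_groups` is true while `admins_effective` is false, and only the medium label tells you the process is not elevated.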
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name: csshead.exe
Process MD5: F80376F6E67D79147715E70823DE3A00
Total matches: 44
Initial Analysis Report: Open
Initial sample Analysis ID: 65115
Initial sample SHA256: 0E7A38751C3697AD9C504323CA3360C0100A55006E1A7F1FC6C42AA26475CE99
Initial sample name: 4520182243_224333.jpg.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:37C2017497122FE4AFCAD7FF30A24EF8
Total matches:43
Initial Analysis Report:Open
Initial sample Analysis ID:53041
Initial sample SHA 256:A041C5E65A76301656BE927D2BA92BC5A42567D7EE649E4A0C767D78254B29F7
Initial sample name:9669353.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
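The read sizes in the function at 00407C71 above are the ones a PE header probe uses: CreateFileA with GENERIC_READ (0x80000000) and OPEN_EXISTING (3), retried with share mode 0 when the FILE_SHARE_READ (1) attempt fails, then ReadFile of 0x40 bytes (sizeof IMAGE_DOS_HEADER), SetFilePointer, and ReadFile of 0x14 bytes (sizeof IMAGE_FILE_HEADER). The seek distance is not visible in the listing, so reading the file header at e_lfanew is an inference from the sizes. The following is an added example, not code from the sample or from Joe Sandbox: it performs the same three steps on a constructed header-only PE so the logic can be checked offline.

```python
"""PE header probe with the same read pattern as the listing at 00407C71.

Added example; the stub PE built here is constructed for testing and is not
taken from the analysed sample.
"""
import struct
from typing import Dict, Optional

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
SIZEOF_DOS_HEADER = 0x40          # first ReadFile above reads this many bytes
SIZEOF_FILE_HEADER = 0x14         # second ReadFile above reads this many bytes
IMAGE_FILE_MACHINE_I386 = 0x14C


def probe_pe(data: bytes) -> Optional[Dict[str, int]]:
    """Read the DOS header, seek to e_lfanew, read IMAGE_FILE_HEADER.

    Returns None for anything that is not a well-formed PE prefix, including
    an e_lfanew that points past the end of the data (a common crash vector
    in home-grown loaders).
    """
    dos = data[:SIZEOF_DOS_HEADER]
    if len(dos) < SIZEOF_DOS_HEADER or struct.unpack_from("<H", dos, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    if e_lfanew + 4 + SIZEOF_FILE_HEADER > len(data):
        return None  # truncated file or out-of-range e_lfanew
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "optional_header_size": opt_size, "characteristics": chars}


def build_stub_pe(machine: int = IMAGE_FILE_MACHINE_I386, nsections: int = 3,
                  e_lfanew: int = 0x80) -> bytes:
    """Constructed header-only PE for offline tests (not a runnable image)."""
    dos = bytearray(SIZEOF_DOS_HEADER)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Characteristics 0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", machine, nsections, 0x5B7E0000, 0, 0, 0xE0, 0x0102)
    return (bytes(dos) + b"\0" * (e_lfanew - SIZEOF_DOS_HEADER)
            + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header)


if __name__ == "__main__":
    print(probe_pe(build_stub_pe()))
```

The bounds check on e_lfanew is the part the listing cannot show and the one worth copying: a loader that trusts e_lfanew from an attacker-supplied file reads out of bounds.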
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
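Two of the executed functions above carry the behaviour an analyst should extract from this report. The function at 00405040 is a process-hollowing (RunPE) loader: CreateProcessA with dwCreationFlags 0x4 (CREATE_SUSPENDED), NtQueryInformationProcess with class 0 (ProcessBasicInformation, 0x18 bytes on x86) followed by ReadProcessMemory to reach the child's PEB, GetThreadContext with 0x10007 (CONTEXT_FULL on x86), VirtualProtectEx to 0x40 (PAGE_EXECUTE_READWRITE), WriteProcessMemory, ResumeThread, and a wait on the child. The function at 00409260 sleeps 0x3A98 = 15000 ms, opens a mutex with SYNCHRONIZE (0x100000) and exits if it exists, a single-instance gate placed behind a delay. By contrast, the GetSystemTimeAsFileTime/GetCurrentProcessId/GetCurrentThreadId/GetTickCount/QueryPerformanceCounter function at 0042D0F9 is the MSVC CRT's __security_init_cookie, the IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter/GetCurrentProcess/TerminateProcess group at 0042FAF6 is the CRT's fault-reporting path, and GetProcAddress("CorExitProcess") at 004243B1 is the CRT's exit routine; none of these is anti-debug or timing evasion on its own. The block below is an added example, not part of the report: it parses call lines in the report's own "API.MODULE(args), ref: addr" format (the sample lines are constructed from the listings above) and applies those three readings as rules. The 10 s sleep threshold is an assumption.

```python
"""Triage rules over Joe Sandbox-style "API.MODULE(args), ref: addr" lines.

Added example; SAMPLE_LINES is constructed from the listings in this report
(CreateProcessA 0040508F .. ResumeThread 0040527E, Sleep/OpenMutexA at
00409260/00409292, __security_init_cookie at 0042D0F9).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LINES = """
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
GetThreadContext.KERNEL32(?,00010007), ref: 00405209
VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
ResumeThread.KERNELBASE(?), ref: 0040527E
Sleep.KERNEL32(00003A98), ref: 00409260
OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
ExitProcess.KERNEL32 ref: 004092AD
GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
GetCurrentProcessId.KERNEL32 ref: 0042D105
GetCurrentThreadId.KERNEL32 ref: 0042D10D
GetTickCount.KERNEL32 ref: 0042D115
RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
"""

CALL_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]{8})")
Call = Tuple[str, str, List[Optional[int]], int]  # (api, module, args, ref)

CREATE_SUSPENDED = 0x4          # dwCreationFlags bit, 6th CreateProcess argument
PAGE_EXECUTE_READWRITE = 0x40   # 4th VirtualProtectEx argument


def parse_calls(text: str) -> List[Call]:
    """Parse call lines; '?' and non-hex args become None, hex args become ints."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        api, module, raw_args, ref = m.groups()
        args: List[Optional[int]] = []
        for a in (raw_args.split(",") if raw_args else []):
            a = a.strip().split("(")[0]  # drop annotations such as 00000019(TokenIntegrityLevel)
            args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None)
        calls.append((api, module, args, int(ref, 16)))
    return calls


def find_process_hollowing(calls: List[Call]) -> Optional[Dict[str, object]]:
    """CreateProcess* with CREATE_SUSPENDED, a later WriteProcessMemory, then ResumeThread."""
    for i, (api, _mod, args, ref) in enumerate(calls):
        if not api.startswith("CreateProcess") or len(args) < 6:
            continue
        flags = args[5]
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        later = [c[0] for c in calls[i + 1:]]
        if "WriteProcessMemory" not in later or "ResumeThread" not in later:
            continue
        if later.index("WriteProcessMemory") > later.index("ResumeThread"):
            continue
        rwx = any(c[0] == "VirtualProtectEx" and len(c[2]) > 3 and c[2][3] == PAGE_EXECUTE_READWRITE
                  for c in calls[i + 1:])
        # Class 0 (ProcessBasicInformation, 0x18 bytes on x86) is how the child's PEB is located.
        peb_lookup = any(c[0] == "NtQueryInformationProcess" and len(c[2]) > 3
                         and c[2][1] == 0 and c[2][3] == 0x18 for c in calls[i + 1:])
        return {"create_ref": ref, "rwx_protect": rwx, "peb_lookup": peb_lookup}
    return None


def find_delayed_mutex_gate(calls: List[Call], min_sleep_ms: int = 10_000) -> Optional[Dict[str, int]]:
    """Sleep(>= min_sleep_ms) followed by OpenMutex* and ExitProcess (threshold is an assumption)."""
    for i, (api, _mod, args, ref) in enumerate(calls):
        if api != "Sleep" or not args or args[0] is None or args[0] < min_sleep_ms:
            continue
        later = [c[0] for c in calls[i + 1:]]
        if any(n.startswith("OpenMutex") for n in later) and "ExitProcess" in later:
            return {"sleep_ms": args[0], "ref": ref}
    return None


CRT_SIGNATURES = {
    # Each entry lists required APIs; a set holds acceptable alternative names.
    "__security_init_cookie": [{"GetSystemTimeAsFileTime"}, {"GetCurrentProcessId"}, {"GetCurrentThreadId"},
                               {"GetTickCount"}, {"QueryPerformanceCounter", "RtlQueryPerformanceCounter"}],
    "CRT fault reporting": [{"IsDebuggerPresent"}, {"SetUnhandledExceptionFilter"},
                            {"UnhandledExceptionFilter"}, {"GetCurrentProcess"}, {"TerminateProcess"}],
}


def crt_boilerplate(calls: List[Call]) -> List[str]:
    """Labels of MSVC CRT routines whose complete API set appears in the listing."""
    names = {c[0] for c in calls}
    return [label for label, sig in CRT_SIGNATURES.items() if all(alts & names for alts in sig)]


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES)
    print(find_process_hollowing(calls))
    print(find_delayed_mutex_gate(calls))
    print(crt_boilerplate(calls))
```

The ordering check (write before resume) matters: a debugger or a legitimate installer also creates suspended children, and ResumeThread followed later by WriteProcessMemory is a different pattern. The CRT rule exists so that IsDebuggerPresent and the timing APIs are not counted as evasion when they only appear inside those fixed groups.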
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
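The two token functions above are the sample's privilege checks. The one at 004042EC opens the process token with TOKEN_QUERY (8) and calls GetTokenInformation with class 0x19 (TokenIntegrityLevel) twice, first with a zero-length buffer to learn the size, then after RtlAllocateHeap to fill it, and reads the last sub-authority of the label SID with GetSidSubAuthorityCount/GetSidSubAuthority; that RID is the integrity level. The one at 004041DE opens the thread token, falls back to the process token, fetches TokenGroups (class 2) into a 0x400-byte buffer, builds a SID from the identifier authority at 0040A2A4 with sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), which is S-1-5-32-544 (BUILTIN\Administrators) if that authority is SECURITY_NT_AUTHORITY, and compares it against each group with EqualSid. The listing does not show whether the group attributes are examined: on a UAC-filtered token BUILTIN\Administrators is present with SE_GROUP_USE_FOR_DENY_ONLY, so a bare EqualSid loop reports an administrator for a non-elevated session, and the integrity level (0x3000 = high) is what actually tells elevated from not. The following is an added example, not code from the sample: it re-implements both decodings in Python on constructed SID bytes so the logic runs offline, with the attribute check a correct implementation needs.

```python
"""Decode TokenIntegrityLevel and BUILTIN\\Administrators membership from binary SIDs.

Added example; all SIDs and group lists below are constructed, not captured
from the analysed sample. Windows performs the equivalent steps in
GetSidSubAuthority and EqualSid.
"""
import struct
from typing import List, Tuple

SECURITY_NT_AUTHORITY = 5
SECURITY_MANDATORY_LABEL_AUTHORITY = 16
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 2nd RID argument to AllocateAndInitializeSid above
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 3rd RID argument above
SE_GROUP_ENABLED = 0x4
SE_GROUP_USE_FOR_DENY_ONLY = 0x10    # set on the admin group of a UAC-filtered token

INTEGRITY_LABELS = {
    0x0000: "untrusted", 0x1000: "low", 0x2000: "medium", 0x2100: "medium plus",
    0x3000: "high", 0x4000: "system", 0x5000: "protected process",
}


def build_sid(authority: int, *sub_authorities: int) -> bytes:
    """Binary SID as AllocateAndInitializeSid produces it (revision 1)."""
    return (struct.pack("<BB", 1, len(sub_authorities))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def parse_sid(blob: bytes) -> Tuple[int, List[int]]:
    """Return (identifier authority, sub-authorities); reject malformed input."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != 1 or len(blob) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    return authority, subs


def sid_to_string(blob: bytes) -> str:
    authority, subs = parse_sid(blob)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def integrity_level(label_sid: bytes) -> str:
    """Label for the RID that GetSidSubAuthority(sid, count-1) yields on a TokenIntegrityLevel SID."""
    authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or not subs:
        raise ValueError("not a mandatory label SID")
    rid = subs[-1]
    base = max(k for k in INTEGRITY_LABELS if k <= rid)  # levels are ranges; round down
    return INTEGRITY_LABELS[base]


ADMINS_SID = build_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)


def is_admin_member(token_groups: List[Tuple[bytes, int]], honour_deny_only: bool = True) -> bool:
    """EqualSid loop over TOKEN_GROUPS entries given as (sid bytes, attributes).

    honour_deny_only=False mirrors a bare EqualSid check, which says 'admin' for a
    UAC-filtered token; True skips deny-only entries, as a correct check must.
    """
    for sid, attrs in token_groups:
        if sid == ADMINS_SID:
            if honour_deny_only and attrs & SE_GROUP_USE_FOR_DENY_ONLY:
                continue
            return True
    return False


# Constructed sample tokens.
MEDIUM_LABEL = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, 0x2000)
HIGH_LABEL = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, 0x3000)
FILTERED_ADMIN_GROUPS = [(build_sid(SECURITY_NT_AUTHORITY, 32, 545), SE_GROUP_ENABLED),  # BUILTIN\Users
                         (ADMINS_SID, SE_GROUP_USE_FOR_DENY_ONLY)]
ELEVATED_GROUPS = [(ADMINS_SID, SE_GROUP_ENABLED)]

if __name__ == "__main__":
    print(sid_to_string(ADMINS_SID), integrity_level(MEDIUM_LABEL), integrity_level(HIGH_LABEL))
    print(is_admin_member(FILTERED_ADMIN_GROUPS, honour_deny_only=False), is_admin_member(FILTERED_ADMIN_GROUPS))
```

Rounding the RID down to the nearest defined label matters because custom labels between the standard values are legal; a strict table lookup would raise on them.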
Similarity
  • Total matches: 114
  • API ID: GetModuleHandleGetProcAddressGetSystemInfoVirtualAllocVirtualProtectVirtualQuery
  • String ID: SetThreadStackGuarantee$[FILE]
  • API String ID: 680167281-1579773211
  • Opcode ID: 168240ab15ce24652e769bfb5492d562a5f91951bd35543584bc6f19a768c252
  • Instruction ID: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
  • Opcode Fuzzy Hash: 30F0DC5592AF88CFCAB28083370134C9074FB14A8FC8D3F8136A1A5959DF0171B91F05
  • Instruction Fuzzy Hash: c3eaa84aebdb894e036c547a6790cf16f1ca52550c26384ee843b7874e8e5b08
APIs
  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00423A06
  • GetSystemInfo.KERNEL32(?), ref: 00423A1E
  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00423A2E
  • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00423A3E
  • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00423A90
  • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 00423AA5
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name: csshead.exe
Process MD5: 91C6DFDA8F1B59308B7554A5E5666045
Total matches: 38
Initial Analysis Report: Open
Initial sample Analysis ID: 36661
Initial sample SHA 256: A275EA07EC1F7031ACC61249C63419C452A8D67B3DDA32CC711B5300B996594F
Initial sample name: IPCWebComponents.exe

Similar Executed Functions

Similarity
  • Total matches: 92
  • API ID: GetProcAddressRtlEncodePointer$RtlDecodePointer$GetCurrentThreadIdGetModuleHandleTlsAllocTlsSetValue
  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
  • API String ID: 2497162807-3819984048
  • Opcode ID: 40a92d6be80270f0d887ea1b1180d001f2a8259290e1ea56a906897199c583e9
  • Instruction ID: b3df56086602818656d02239aef3d71136703ba182de22dd1fa9d84292d4f75f
  • Opcode Fuzzy Hash: 5A0124C700588643D9F86600700027392F31BD316B83DEB2016B9AA495DACAB6383EC8
  • Instruction Fuzzy Hash: b3df56086602818656d02239aef3d71136703ba182de22dd1fa9d84292d4f75f
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424C8B), ref: 004260AA
  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004260CC
  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004260D9
  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004260E6
  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004260F3
  • TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
  • TlsSetValue.KERNEL32(00000000,?,00424C8B), ref: 0042615E
  • RtlEncodePointer.NTDLL ref: 00426179
  • RtlEncodePointer.NTDLL ref: 00426186
  • RtlEncodePointer.NTDLL ref: 00426193
  • RtlEncodePointer.NTDLL ref: 004261A0
    • Part of subcall function 0042BF11: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042BF39
  • RtlDecodePointer.NTDLL(Function_00015F05), ref: 004261C1
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • RtlDecodePointer.NTDLL(00000000), ref: 004261F0
    • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
  • GetCurrentThreadId.KERNEL32 ref: 00426202
    • Part of subcall function 00425D81: RtlDecodePointer.NTDLL(0044204C), ref: 00425D92
    • Part of subcall function 00425D81: TlsFree.KERNEL32(00442050,00426218,?,00424C8B), ref: 00425DAC
    • Part of subcall function 00425D81: RtlDeleteCriticalSection.NTDLL(00000000), ref: 0042BF78
    • Part of subcall function 00425D81: RtlDeleteCriticalSection.NTDLL(00442050), ref: 0042BFA2
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name: csshead.exe
Process MD5: F80376F6E67D79147715E70823DE3A00
Total matches: 37
Initial Analysis Report: Open
Initial sample Analysis ID: 65079
Initial sample SHA 256: AAB1A7E112C52907B8BBF3C132DD3198B7F8210BD329F4D70EA792AF9773CD83
Initial sample name: 1420185506_550645.jpg.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:C58F5A736C6E80CF3C4426DA67540F95
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:47139
Initial sample SHA 256:79051CFE2B37DDC439C18BC0C1856958DD026A7A6DD0A24DE4222D91DBFDA22C
Initial sample name:pres.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

General

Root Process Name:csshead.exe
Process MD5:EFDB6033DCCF27FE103B8FC13BC4F2D7
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:378142
Initial sample SHA 256:C6581B6925D047ECDB4409DD091053F1898863D9B10FD3EE645021B251C76CC8
Initial sample name:PIS7506211.vbs

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 119
  • API ID: GetLastErrorMultiByteToWideChar$SysAllocStringlstrlen
  • String ID:
  • API String ID: 4230599178-0
  • Opcode ID: 468728043dfb9852b8690612bcb51d55d10320337695dfbbc006e964a1b00cd2
  • Instruction ID: c153524e1755858dc61a6d9fc5ce6f87f1b19e9f6db067147f3d6b07e21d1df7
  • Opcode Fuzzy Hash: C1017B06AC9C44A6E96760803804B4A42D13B4336BD0DFFB253E9155EEAE24313D2FC8
  • Instruction Fuzzy Hash: c153524e1755858dc61a6d9fc5ce6f87f1b19e9f6db067147f3d6b07e21d1df7
APIs
  • lstrlen.KERNEL32(?,004420A4), ref: 00432A87
  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432A9D
  • GetLastError.KERNEL32 ref: 00432AAC
    • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432B3B
  • GetLastError.KERNEL32 ref: 00432B56
  • SysAllocString.OLEAUT32(00000000), ref: 00432B71
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:59360C0B24903D470D51A3544258A763
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:52753
Initial sample SHA 256:623D7AFC2C114AD2D3912ACCF6764958C911F5EA728399556D37A055084A5E13
Initial sample name:1DOC3614119459.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:1B8683494257868642655C7842B39CAA
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:47031
Initial sample SHA 256:5588E347602EE7266F5B058B46955239028A16DFC82A5780C7135DE7E32A6FBC
Initial sample name:vtype.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

General

Root Process Name:csshead.exe
Process MD5:59360C0B24903D470D51A3544258A763
Total matches:36
Initial Analysis Report:Open
Initial sample Analysis ID:52739
Initial sample SHA 256:2878D2445DE37E18CAEE5CBC9684D54442A3A21D00D09575F81BB63EE0C7AAA3
Initial sample name:5DOC2035940845.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:59360C0B24903D470D51A3544258A763
Total matches:35
Initial Analysis Report:Open
Initial sample Analysis ID:52699
Initial sample SHA 256:3BFFCC999C2CBC375D7259A65DB927957749FE6892398B0AF71208C3623906B5
Initial sample name:1DOC2039217697.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:B01470F68E56B010951D66644DEE76F4
Total matches:35
Initial Analysis Report:Open
Initial sample Analysis ID:40334
Initial sample SHA 256:014F177F6542735538783F639AFF9F46AB4879544D6DDFED327FFED7313E4A60
Initial sample name:pvideo.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: bcd57c65414e1ee713fa5faccd5506c5ffcefd8112e2e8b2d5ef24a8fe0cb4cb
  • Instruction ID: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
  • Opcode Fuzzy Hash: 0F12D99331C80107C915876A36669CF0449D2B76BC40933FA07BE73ADABF9BB56C4863
  • Instruction Fuzzy Hash: bcbae6d423310654ab41570ec168108def1dbbfdc60d60485d45659db1cbf408
APIs
  • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
  • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
  • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
  • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
  • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
  • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
  • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
  • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
  • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
  • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
  • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
  • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
  • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
Memory Dump Source
  • Source File: 00000000.00000002.22751707937.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751720901.00403000.00000020.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 09ed38bf5a7d582bf2bb6d950b6f9ff340aa4d9a41dc5b7e9f7f815ea18d9b79
  • Instruction ID: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
  • Opcode Fuzzy Hash: 722127460ACDE093B832254136A3EA512C6BF9372EC4D77A10D70557E3AE85A096BF0D
  • Instruction Fuzzy Hash: 31743b3b0089faef5b70ae1b3b318fd5955b68a6ab588081acb0edf3983e62cc
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
  • CloseHandle.KERNEL32(?), ref: 004052C8
    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ResumeThread.KERNELBASE(?), ref: 0040527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
  • CloseHandle.KERNEL32(?), ref: 004052BE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
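The call list above (CreateProcessA with dwCreationFlags 0x4 = CREATE_SUSPENDED, ReadProcessMemory and NtQueryInformationProcess against the child, GetThreadContext with CONTEXT flags 0x10007, VirtualProtectEx to 0x40 = PAGE_EXECUTE_READWRITE, WriteProcessMemory, then ResumeThread) is the process-hollowing pattern: a legitimate child is started suspended, its image is overwritten, and its primary thread is released. The script below is an added example, my own code and not part of the Joe Sandbox report or of the sample, that recognises that pattern from call lines in the report's own format. SAMPLE is copied from the function above; BENIGN is a constructed control; the stage names and the set of required stages are my choices.

```python
"""Flag the process-hollowing call pattern in a Joe Sandbox API listing.

Added example: my own code, not part of the report or of the sample. It reads
call lines in the report's format (nested "Part of subcall function" lines
included), resolves the constants the pattern hinges on, and records a stage
only after a CREATE_SUSPENDED CreateProcess has already been seen. SAMPLE is
copied from the function above; BENIGN is a constructed control.
"""
import re

CALL_RE = re.compile(r"(\w+)\.\w+(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}(?:\(.*\))?")

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40        # VirtualProtectEx flNewProtect
PAGE_EXECUTE_WRITECOPY = 0x80


def parse_calls(lines):
    """Yield (api, [args], ref) for every call line, in listing order."""
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            api, raw, ref = m.groups()
            yield api, (raw.split(",") if raw else []), ref


def hexarg(args, i):
    """Integer value of argument i, or None when the report prints '?' or a string."""
    if i < len(args) and HEX8_RE.fullmatch(args[i].strip()):
        return int(args[i].strip()[:8], 16)
    return None


# Each stage: (name, predicate over (api, args)), in the order the technique
# needs them. A stage is recorded once, at its first occurrence.
STAGES = [
    ("create_suspended", lambda api, a: api.startswith("CreateProcess")
        and bool((hexarg(a, 5) or 0) & CREATE_SUSPENDED)),
    ("read_target", lambda api, a: api in ("NtQueryInformationProcess", "ReadProcessMemory")),
    ("get_thread_context", lambda api, a: api in ("GetThreadContext", "Wow64GetThreadContext")),
    ("protect_rwx", lambda api, a: api == "VirtualProtectEx"
        and hexarg(a, 3) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)),
    ("write_image", lambda api, a: api == "WriteProcessMemory"),
    ("resume_thread", lambda api, a: api in ("ResumeThread", "NtResumeThread")),
]
REQUIRED = ("create_suspended", "write_image", "resume_thread")


def hollowing_stages(lines):
    """Return {stage: ref} in the order the stages were first seen."""
    seen = {}
    for api, args, ref in parse_calls(lines):
        for name, pred in STAGES:
            if name in seen or not pred(api, args):
                continue
            if name != "create_suspended" and "create_suspended" not in seen:
                continue                 # writes before a suspended CreateProcess are not this pattern
            seen[name] = ref
            break
    return seen


def is_process_hollowing(lines):
    """True when a suspended child is written to and then resumed."""
    seen = hollowing_stages(lines)
    order = list(seen)
    return all(s in seen for s in REQUIRED) and order.index("write_image") < order.index("resume_thread")


# Copied from the call list of the function above.
SAMPLE = [
    "  • GetModuleHandleA.KERNEL32(00000000), ref: 00405040",
    "  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F",
    "  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5",
    "  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D",
    "    • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A",
    "  • GetThreadContext.KERNEL32(?,00010007), ref: 00405209",
    "    • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09",
    "  • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252",
    "  • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C",
    "  • ResumeThread.KERNELBASE(?), ref: 0040527E",
    "  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292",
    "  • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4",
]
# Constructed control: a normal child process started without CREATE_SUSPENDED.
BENIGN = [
    "  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401000",
    "  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401020",
    "  • CloseHandle.KERNEL32(?), ref: 00401030",
]

if __name__ == "__main__":
    print("sample:", is_process_hollowing(SAMPLE), list(hollowing_stages(SAMPLE)))
    print("benign:", is_process_hollowing(BENIGN))
```

The gate on a preceding CREATE_SUSPENDED is what keeps this from firing on debuggers and crash handlers, which also call ReadProcessMemory and GetThreadContext; the RWX VirtualProtectEx and the ReadProcessMemory/NtQueryInformationProcess stages are scored but not required, because a loader that already knows the child's image base can skip them.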
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: 97365bb904d505a4470370e945e6c3fefb9173e091d59822198fdf57fa3be7d3
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: 1CF0F44149CD0627E53B38543073F6B212ABB93B44CCDBA795894A2D475B98B08BFF07
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • CloseHandle.KERNEL32(?), ref: 004043F3
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 847b072207e606b166c93749a5b3e05be669f96f6133ec2628f90dad46a7906c
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: EBE04F4A08CC5343A5717898317277A3182F79371AC9D77A1498022201D7C0B0B97F03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
  • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
  • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: a869a8cd62e7df914fc032d1c0fb277f7a96078ae968c232a9801744e52f8088
  • Instruction ID: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
  • Opcode Fuzzy Hash: B0E0264F02688252D4667A30B93C7331185BF6236ACCCA7301A92B82966B88107ABF17
  • Instruction Fuzzy Hash: 51d11595203758c8225c424249e5ef061724fd95df4cddf9e1ab844e275f3639
APIs
  • Sleep.KERNEL32(00003A98), ref: 00409260
    • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
    • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
  • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
  • CloseHandle.KERNEL32(00000000), ref: 004092A5
  • ExitProcess.KERNEL32 ref: 004092AD
    • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: 683e361bb6ce27753b9dd63efa85e508080038f376446c420f8369f710908f94
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: DBE04F4108CC4647E97268D53173B6A6042F78372AC8D37619DE053695C7C0E0EA7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • CloseHandle.KERNEL32(?), ref: 00404849
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: cbde70c4e3fd2bc78d7250d7d8514ccfb88a6b5f88c3c805dc0921d0ad335d14
  • Instruction ID: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
  • Opcode Fuzzy Hash: D5F0B49204CD0257D93A78A2347BB67605AF752649C4CF7230D8217D134B44B0676F07
  • Instruction Fuzzy Hash: 38342c5ec1bf85b65ed9fd53401fe81ed50601d83cae8a9d1619a423958c3600
APIs
  • GetCurrentThread.KERNEL32 ref: 004041DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
  • GetLastError.KERNEL32 ref: 004041F4
  • GetCurrentProcess.KERNEL32 ref: 00404207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
    • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
  • CloseHandle.KERNEL32(?), ref: 0040424E
  • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
  • EqualSid.ADVAPI32(?,?), ref: 004042A2
  • FreeSid.ADVAPI32(?), ref: 004042BE
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
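Two of the functions listed above inspect the caller's token: one opens the process token with access 0x8 and queries information class 0x19 (TokenIntegrityLevel), then reads the last sub-authority of the returned SID; the other queries class 0x2 (TokenGroups) and compares each group against a SID built by AllocateAndInitializeSid with two sub-authorities, 0x20 and 0x220. The script below is an added example, my own code rather than anything from the report or the sample, that decodes those argument columns as the report prints them. It assumes the SID_IDENTIFIER_AUTHORITY at 0040A2A4 is SECURITY_NT_AUTHORITY (S-1-5); the report shows only the pointer, and that value is inferred from the 32/544 sub-authorities that follow it.

```python
"""Decode the token checks Joe Sandbox lists for this sample.

Added example: my own code, not the report's and not the sample's. It turns the
hex argument columns printed in the call lines above into the Windows constants
they encode. Assumption (not visible in the report): the identifier authority
at 0040A2A4 is SECURITY_NT_AUTHORITY (S-1-5), inferred from the sub-authorities
0x20 and 0x220 that follow it.
"""
import re

# Values from winnt.h
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           18: "TokenElevationType", 20: "TokenElevation",
                           25: "TokenIntegrityLevel"}
TOKEN_ACCESS = {0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
                0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
                0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
                0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT"}
# SECURITY_MANDATORY_*_RID thresholds; a token's level is the highest base <= its RID
INTEGRITY_RIDS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
                  (0x2100, "Medium Plus"), (0x3000, "High"), (0x4000, "System"),
                  (0x5000, "Protected Process")]
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-18": "NT AUTHORITY\\SYSTEM"}
ASSUMED_AUTHORITY = {"0040A2A4": 5}   # pointer -> authority value (assumption, see docstring)

CALL_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")


def parse_call(line):
    """'Api.Module(a,b,...), ref: addr' -> (api, module, [args], addr); args may be '?'."""
    m = CALL_RE.search(line)
    if not m:
        raise ValueError("not a call line: %r" % line)
    api, module, raw, addr = m.groups()
    return api, module, (raw.split(",") if raw else []), addr


def arg_int(arg):
    """Leading 8-hex-digit value of a column ('00000019(TokenIntegrityLevel)' -> 25)."""
    m = HEX8_RE.match(arg.strip())
    return int(m.group(0), 16) if m else None


def decode_sid(line):
    """Rebuild the SID that an AllocateAndInitializeSid call constructs."""
    api, _, args, _ = parse_call(line)
    if api != "AllocateAndInitializeSid":
        raise ValueError(api)
    authority = ASSUMED_AUTHORITY.get(args[0].strip())
    if authority is None:
        raise ValueError("unknown identifier authority pointer %s" % args[0])
    count = arg_int(args[1])
    subs = [arg_int(a) for a in args[2:2 + count]]
    sid = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))
    return sid, WELL_KNOWN_SIDS.get(sid, "(not a well-known SID)")


def token_access_names(mask):
    return [name for bit, name in TOKEN_ACCESS.items() if mask & bit]


def integrity_level(rid):
    """Label for the RID in the last sub-authority of the integrity-label SID."""
    label = INTEGRITY_RIDS[0][1]
    for base, name in INTEGRITY_RIDS:
        if rid >= base:
            label = name
    return label


def describe(line):
    """One-line meaning of a token-related call from the report."""
    api, _, args, addr = parse_call(line)
    if api in ("OpenProcessToken", "OpenThreadToken"):
        mask = arg_int(args[1]) if len(args) > 1 else None
        what = ", ".join(token_access_names(mask)) if mask is not None else "(access not shown)"
        return "%s: open token with %s" % (addr, what)
    if api == "GetTokenInformation":
        cls = arg_int(args[1])
        return "%s: query %s" % (addr, TOKEN_INFORMATION_CLASS.get(cls, "class %d" % cls))
    if api == "AllocateAndInitializeSid":
        sid, name = decode_sid(line)
        return "%s: build %s (%s) for comparison" % (addr, sid, name)
    return "%s: %s" % (addr, api)


# Constructed input: the four decisive lines copied from the call lists above.
REPORT_LINES = [
    "OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC",
    "GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E",
    "GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241",
    "AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278",
]

if __name__ == "__main__":
    for line in REPORT_LINES:
        print(describe(line))
    print("RID 0x2000 ->", integrity_level(0x2000), "| RID 0x3000 ->", integrity_level(0x3000))
```

Read together, the two functions answer "am I medium or high integrity?" and "is BUILTIN\Administrators in my token groups?", which is the usual branch point before a sample decides whether to write under HKLM or fall back to HKCU; the report's Reg* calls against both 80000002 and 80000001 fit that reading, though the report does not show the branch itself.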
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: 379275ce35191a8b93daf1a589893d96f704557c5d108c831e7e034749432f40
  • Instruction ID: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
  • Opcode Fuzzy Hash: D0F0A046249D472B98352AD93863FA6046AF393B12CCDB331082473E834BD5F096EF03
  • Instruction Fuzzy Hash: 2a60a2d7d98bd98c9e695efd6abaaed765412a33ba7f1cee0b8c146d706f2f4d
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
  • LocalFree.KERNEL32(?), ref: 004044AC
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 9c7c323336e5c922e689fd86bf988dfdb7277317b04210a6c763aed42b1a41cd
  • Instruction ID: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
  • Opcode Fuzzy Hash: C31135420B9CA156C53367433493B9260E0FB82CADE5CF7629CF6272DA2B447009F32E
  • Instruction Fuzzy Hash: 85b07a187082eadf690041acefe8dea4a1908772a5bb407cd1c006b11e55dce8
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
  • FindClose.KERNEL32(000000FF), ref: 0040583D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetCurrentProcess$CreateMutexGetCursorPosLocalAllocLocalFreeRtlExitUserThreadRtlInitializeCriticalSectionSleep
  • String ID: .lnk
  • API String ID: 1091336183-24824748
  • Opcode ID: 58a1dca7547e5bbff80d2f1fd88a6bb040a231d2aeca5d6fb3729413f0c15a15
  • Instruction ID: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
  • Opcode Fuzzy Hash: 9C319C0A52FCC252B626395434716860589BB927259DCD7B086FA317F24F0CD08AF70D
  • Instruction Fuzzy Hash: b491e3b7e2987c1b0db0e8d89e2b56493d99c0ca1b8461c60b0fdfcf99178623
APIs
    • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
  • GetCurrentProcess.KERNEL32 ref: 00408D33
    • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
    • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
    • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
  • GetCurrentProcess.KERNEL32 ref: 00408D5D
  • GetCurrentProcess.KERNEL32 ref: 00408D77
    • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
    • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
    • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
  • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
    • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
  • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
  • LocalFree.KERNEL32(?), ref: 00408DC3
    • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
    • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
    • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
    • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
  • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
    • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
    • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
    • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
    • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
    • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
    • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
    • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • Sleep.KERNEL32(000003E8), ref: 00408FC8
  • GetCursorPos.USER32(?), ref: 00409000
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
    • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
    • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
    • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
    • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
    • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
    • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
    • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
    • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
    • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
  • RtlExitUserThread.NTDLL(00000000), ref: 00409069
    • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
    • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
    • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
    • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
    • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
    • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
    • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 28
  • API ID: CloseHandleSHDeleteKey$CreateEventExitProcessReleaseMutexRtlRemoveVectoredExceptionHandlerSendMessageWaitForSingleObject
  • String ID: .lnk
  • API String ID: 283429878-24824748
  • Opcode ID: 25d1d868055cde1760b4a23deaacadc3d5131ad5421679da8e75fd081b14f1b5
  • Instruction ID: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
  • Opcode Fuzzy Hash: EC01E14146A09281FAA236103071B1709A13BD237ADEDF7709AEF24EF64F4C80E5EF46
  • Instruction Fuzzy Hash: 7f0a54233486fec13901f3771ca7fe7183611a23cc9f5fd470ec56445d7a6ea7
APIs
  • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
  • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
  • CloseHandle.KERNEL32(00000000), ref: 00408112
    • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
    • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
    • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
  • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
  • ExitProcess.KERNEL32 ref: 00408244
    • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
    • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
  • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
    • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
  • ReleaseMutex.KERNEL32(00000000), ref: 00408221
  • CloseHandle.KERNEL32(00000000), ref: 0040822D
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6b7ec0e89191cecd76cc34b291f302fe40859303b6ac74b70c3f8e27cc3cfcf6
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: 0CF0621615CD8287F87168953263F9AA142FBD2929E8D776046B1233E38741E17BAB13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
  • Sleep.KERNEL32(00000064), ref: 004046E7
  • Sleep.KERNEL32(00000064), ref: 004046FA
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4d42990f90777fa0290ae341486a2e8b01dd3f6124da9be7c2b770c87815b850
  • Instruction ID: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
  • Opcode Fuzzy Hash: 29317B47027CD5A3D8337E4464D3F2651B0EF62DBEDC8B33216F4526EE4A817019E629
  • Instruction Fuzzy Hash: ab6a8f6daca4e7e7c5175a0fbb081edb4fb991c0923106e2a01bec3b8e675214
APIs
    • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • GetTickCount.KERNEL32 ref: 004067AF
  • Sleep.KERNEL32(00001388), ref: 004067CD
    • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: 1f294b141a4521f723747e34e4ef9ebb323ae824d97d59b48fac299cde25b9d3
  • Instruction ID: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
  • Opcode Fuzzy Hash: F1E06D4921881183F4F5685236A171A12A77F93B08C2CEB13088574182EB9421FCBF06
  • Instruction Fuzzy Hash: 6c8d59e2a15c20537a64c6ccb563bc7da389846ef084396726c7433614072a71
APIs
  • RegisterClassExA.USER32(00000030), ref: 00408AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
  • TranslateMessage.USER32(?), ref: 00408B37
  • DispatchMessageA.USER32(?), ref: 00408B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 40bdcfeb2672a24abe71a72cd580808b4682ce58fb116d59452dd7005b752bec
  • Instruction ID: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
  • Opcode Fuzzy Hash: E1F0A4C20768A7CBE07366413952F6112E1BF8197EF4DAB615EF0226DA5E04111DF708
  • Instruction Fuzzy Hash: baa5f69fd8627647c011614b4557028a7b6f3520d759699143f18aceb8a93e02
APIs
    • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
    • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
  • wsprintfA.USER32 ref: 00408476
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
  • Sleep.KERNEL32(000005DC), ref: 004083E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: 630a53f99ea4ed99d3bab80af2c6c3aedc3f7884d0aeb35f6cdc7caf9d0987b4
  • Instruction ID: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
  • Opcode Fuzzy Hash: 9C2148048A6C4457E8B328402CA3F9A2192B703A5FC4DB3A16AF4272D7CB81514DFF1D
  • Instruction Fuzzy Hash: e1bf553a991c49a09c5f348d86221115626feaae26641245801e8cd88bae2439
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
  • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 87839543d5719d9aa7a98c5202c9c2701879531adcded608b57a4c4e934fb3e6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 51D05E41095D8557E9B22C443B337A21242F35162AC5C33A28FF0A63924751A17A5F03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
  • CloseHandle.KERNEL32(000000FF), ref: 004048CE
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: MoveFileEx
  • String ID: .lnk$.txt
  • API String ID: 431664693-85911508
  • Opcode ID: 324f1d49b4a42d43565bee249b71bfab1a8517835f43b11cf998c56d4a031800
  • Instruction ID: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
  • Opcode Fuzzy Hash: D621F1C22345E201D533260532B2B4356A5FF9197CEFE9BE19EAD115E63F4C204DE30A
  • Instruction Fuzzy Hash: 1ffee76e9abbf1336cb679ea6286cdaf0b34bfed4ce10b9cba23d15dee56841c
APIs
    • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
    • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
    • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
    • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
    • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
    • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
    • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: ac4bdc91d77d5b8b97ee9fc1dac1ba37e62087b3971ed52c5adb8fd7d6a58a1f
  • Instruction ID: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
  • Opcode Fuzzy Hash: 9FF0EC430699D387513D23471581B1132E0FF52B78E8DBBB056B113AF4068470ACF60F
  • Instruction Fuzzy Hash: 9bc1df8f127720bf007e454c7710a65cf415d15b18c847dce23966ef1c06d6ac
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
    • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
    • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751720901.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.22751695591.00400000.00000002.sdmp
  • Associated: 00000000.00000002.22751707937.00401000.00000040.sdmp
  • Associated: 00000000.00000002.22751737834.0040A000.00000004.sdmp
  • Associated: 00000000.00000002.22751753168.0040E000.00000002.sdmp

General

Root Process Name:csshead.exe
Process MD5:57EE4F77C5D58591B70400C4B4860399
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:55567
Initial sample SHA 256:9D45C3CF3B7AC4E4AC1529859A3CE12DD92F958DC0039133E8D0D3ECE3076BAC
Initial sample name:19.04.18.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
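The function records above describe the sample's behaviour only as call sites and raw arguments. The Python below is an added triage helper, not part of this report or of Joe Sandbox, that parses lines in the "APIs" format used here and applies four checks drawn from those records: the Sleep/GetTickCount function at 004066F5-0040680F, where Sleep(000927C0) is 600000 ms (ten minutes) and the four call sites add up to about 25 minutes, well beyond a typical automated analysis window; the two GetTempPath functions that write a file with CreateFile(GENERIC_WRITE, CREATE_ALWAYS) and WriteFile and then launch it with CreateProcessA or ShellExecuteA; the MoveFileExA call with MOVEFILE_DELAY_UNTIL_REBOOT, whose non-NULL second argument (0040B518) makes it a rename queued for the next boot rather than a deletion; and the IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter/TerminateProcess group under Similar Non-Executed Functions, which is the MSVC CRT's fail-fast error reporting path and should not be scored as anti-debugging. The rule names, the ApiCall structure and the SAMPLE listing are the example's own constructions; SAMPLE is assembled from lines of two different records above.

```python
"""Triage rules over the per-function "APIs" lines of a Joe Sandbox report.
Added example; not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches lines such as:
#   • Sleep.KERNEL32(000927C0), ref: 004066F5
#     • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
#   • wsprintfA.USER32 ref: 00408476
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # argument tokens as printed: '000927C0', '?', '0040B518'
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when the call sits inside a subroutine


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
    return calls


def hex_arg(tok: str) -> Optional[int]:
    """'00000004(MOVEFILE_DELAY_UNTIL_REBOOT)' -> 4; '?' or a string token -> None."""
    m = re.match(r"[0-9A-Fa-f]{8}", tok)
    return int(m.group(), 16) if m else None


def sleep_budget_ms(calls) -> tuple:
    """(sum, longest) of Sleep() durations at the function's own call sites. The
    report lists call sites, not one path, so the sum is an upper bound per pass."""
    ms = [hex_arg(c.args[0]) for c in calls if c.api == "Sleep" and c.subcall is None and c.args]
    ms = [v for v in ms if v is not None]
    return sum(ms), max(ms, default=0)


def drop_and_execute(calls) -> bool:
    """GetTempPath, CreateFile(GENERIC_WRITE, CREATE_ALWAYS) plus WriteFile, then
    CreateProcess or ShellExecute: a payload written under %TEMP% and launched."""
    names = {c.api for c in calls}
    creates_new = any(c.api.startswith("CreateFile") and len(c.args) >= 5
                      and (hex_arg(c.args[1]) or 0) & 0x40000000   # GENERIC_WRITE
                      and hex_arg(c.args[4]) == 2                   # CREATE_ALWAYS
                      for c in calls)
    return (creates_new and "WriteFile" in names
            and any(n.startswith("GetTempPath") for n in names)
            and any(n.startswith(("CreateProcess", "ShellExecute")) for n in names))


def delayed_file_op(calls) -> Optional[str]:
    """MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) is queued in the
    PendingFileRenameOperations registry value and applied at the next boot; a
    NULL new name deletes the file. The flag requires administrator rights, so
    the call fails in a low-privilege run and nothing is queued."""
    for c in calls:
        if c.api.startswith("MoveFileEx") and len(c.args) >= 3 and (hex_arg(c.args[2]) or 0) & 0x4:
            return "delete" if hex_arg(c.args[1]) == 0 else "rename"
    return None


CRT_FAILFAST = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                "UnhandledExceptionFilter", "TerminateProcess"}


def is_crt_failfast(calls) -> bool:
    """IsDebuggerPresent next to SetUnhandledExceptionFilter, UnhandledExceptionFilter
    and TerminateProcess is the MSVC CRT's fail-fast reporting path (invalid parameter,
    GS cookie failure), not an anti-debugging check: do not score it as evasion."""
    return CRT_FAILFAST <= {c.api for c in calls}


def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    total, longest = sleep_budget_ms(calls)
    return {"sleep_ms_total": total, "sleep_ms_longest": longest,
            "drop_and_execute": drop_and_execute(calls),
            "delayed_file_op": delayed_file_op(calls),
            "crt_failfast": is_crt_failfast(calls)}


# Constructed input: lines copied from two records above (the Sleep/GetTickCount
# function and the MoveFileExA function) pasted into one listing.
SAMPLE = """
  • Sleep.KERNEL32(000927C0), ref: 004066F5
  • GetTickCount.KERNEL32 ref: 004066FD
  • Sleep.KERNEL32(00001388), ref: 004067CD
  • Sleep.KERNEL32(000493E0), ref: 004067F3
  • Sleep.KERNEL32(000927C0), ref: 0040680F
  • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
"""
# triage(SAMPLE) -> sleep_ms_total 1505000 (about 25 min), sleep_ms_longest 600000,
# delayed_file_op 'rename', drop_and_execute False, crt_failfast False
```

Run triage() over the "APIs" block of one record at a time; mixing records, as SAMPLE does for brevity, lets one function's GetTempPath satisfy another's CreateProcess. The sleep total is a static sum of call sites, so treat it as the worst case for one pass through the function, and remember that a subcall Sleep (the CRT's Sleep(0) yield in 0042A0DF, for instance) is deliberately ignored.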

Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:6F2AA155D82BF38A17AE83131F1A152D
Total matches:32
Initial Analysis Report:Open
Initial sample Analysis ID:296551
Initial sample SHA 256:1BBE76D89604C0A235538FCA4B420F49BE876E489A4C6FAE95C14CE1F925A994
Initial sample name:00081222019.docx

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 376
  • API ID: __getptd$_CallSETranslator_GetRangeOfTrysToCheck
  • String ID: MOC$RCC$csm$csm$csm
  • API String ID: 1801275210-561960519
  • Opcode ID: b98b11a8cea096363764eb909f107372b9deede938a3b41401b069bac1a439c5
  • Instruction ID: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
  • Opcode Fuzzy Hash: B6F05906265BD013E2215008BC933E9E085BB55167EED5B918088F8BF69ED8B16BF24E
  • Instruction Fuzzy Hash: 4cdfd82133cdf6b7016465ba2fd2c1a104452e963acab60a0722c5067c5a0f7c
APIs
  • __getptd.LIBCMT ref: 0042A95F
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A96D
    • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
  • _CallSETranslator.LIBCMT ref: 0042A9A4
    • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
  • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
    • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 379
  • API ID: _UnwindNestedFrames
  • String ID: csm$csm
  • API String ID: 4244963413-2583052117
  • Opcode ID: e062fa604a25e5b032547e91d3524e6ec8a8135ed97e0c96e09d63c06615b5fb
  • Instruction ID: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
  • Opcode Fuzzy Hash: 04D0A74242F1C7F5620130855206968D2805E001BB58E2378D4742DBFED5CDB0A9F548
  • Instruction Fuzzy Hash: 31e36592be1a1cf24ee752a57034b5a547018bfc5a97c0d784d2dab931c76c59
APIs
  • _UnwindNestedFrames.LIBCMT ref: 0042A902
    • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
    • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
    • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
    • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
    • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 945
  • API ID: __getptd
  • String ID: csm
  • API String ID: 3384420010-2193726395
  • Opcode ID: 58765ad11e01c7b9e9eabe86b7eddb5721959dd7641d0900819ab938725aa3c3
  • Instruction ID: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
  • Opcode Fuzzy Hash: 02D05E0182913997F2BE2A41B05110DA944A752C5BC9946A05154F70A659569171F410
  • Instruction Fuzzy Hash: ba3642e181306479aafdea4562163df7c265896bec8771907347905e297ddf95
APIs
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
    • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
  • __getptd.LIBCMT ref: 0042A660
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __getptd.LIBCMT ref: 0042A66E
    • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:6F4EB294ACF731771AFE3EF6F7EE812D
Total matches:30
Initial Analysis Report:Open
Initial sample Analysis ID:271850
Initial sample SHA 256:922515C3AFFEA4EA2FBAC8D709BEE6ED5F2E0ACC07F96E27C3B414B421775185
Initial sample name:17HY9087546.jar

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1574
  • API ID: IsDebuggerPresentSetUnhandledExceptionFilterUnhandledExceptionFilter
  • String ID:
  • API String ID: 685291694-0
  • Opcode ID: 6074802e37bf34acb0b1b2c965fc8a3b959f3e139ab562e318959c20232d33f9
  • Instruction ID: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
  • Opcode Fuzzy Hash: ABF049415369C792B12A1F202D96F40D3A9EE0AE3BF8C5BA183705ABF75F90101CE95E
  • Instruction Fuzzy Hash: ccff2b1c9ed8ebe2525a1c6a7af420e052ad5be20e7b4ab4427bf034f979377f
APIs
  • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
  • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1040
  • API ID: __alldvrm$__cftoe_strrchr
  • String ID: 0
  • API String ID: 2865227320-4108050209
  • Opcode ID: 82c72cc6e96567f92bd152846ef71a5a59784bf29d11410bfdc0c48b00d06513
  • Instruction ID: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
  • Opcode Fuzzy Hash: DE3153C005979084F17B70405561F8232827BA37A7F4C77196D66B47BB3701B28A7ACF
  • Instruction Fuzzy Hash: 4205b4ba17620b136ba4caf726ded33368dd565a9f08fc4a31436dddb434dae1
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 514
  • API ID: LCMapString$MultiByteToWideChar$WideCharToMultiByte
  • String ID:
  • API String ID: 2840897622-0
  • Opcode ID: 0ed25fa262cb37a761f358f3187d5e3d0f22bf8d294c882f795035dd8de99d2d
  • Instruction ID: 73f70aba97bf9c5afd15a300eb3171b6be404893a7819f53f252d33be5212da3
  • Opcode Fuzzy Hash: AB119E85090EC55ADB3148C019A3FCEF0967B4335BDCDFA52CA9CD02160E94321B5B55
  • Instruction Fuzzy Hash: 73f70aba97bf9c5afd15a300eb3171b6be404893a7819f53f252d33be5212da3
APIs
  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000200,?,?,?,?,?,?), ref: 0042C751
  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042C7BF
  • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042C7DB
  • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C814
    • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
  • LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C87A
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0042C899
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 891
  • API ID: InterlockedDecrementInterlockedIncrement__amsg_exit__getptd
  • String ID:
  • API String ID: 1416872836-0
  • Opcode ID: efda30fdceb4d42ef6435b88fd72f3ebe5a6b74139dcf8204bac7282244ae40b
  • Instruction ID: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
  • Opcode Fuzzy Hash: 5EE072D313ACE0B389B4B84C7C20A021050276644288F33E2826C309C08B20A4FEAE99
  • Instruction Fuzzy Hash: c32dbd091d5b81293a174be6dcb58d9abbad3ad088a1f204ac88816324418f8e
APIs
  • __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
  • __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
  • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 365
  • API ID: _strlen
  • String ID:
  • API String ID: 4218353326-3916222277
  • Opcode ID: 4d5b4835f14b12f354a70b80c4b1d85783e4952afe2b3403853ffda40e266f20
  • Instruction ID: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
  • Opcode Fuzzy Hash: EF019EC10B5640D2F8BE45447610B7751A4735253FC1E9BD02B5A34DAA0E94B33CD7C9
  • Instruction Fuzzy Hash: 53a5cf7d9700571e9d92d72f6fe93b0c0dc9116e9fde07388a8a448b5572b76c
APIs
  • _strlen.LIBCMT ref: 0042CADF
    • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
  • _strlen.LIBCMT ref: 0042CB10
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
    • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 485
  • API ID: __fltout2
  • String ID: -$e+000
  • API String ID: 3994888974-1412363215
  • Opcode ID: 87cf8493afa41acbf5a52b6570c861eae387707df00514e613e9858087923c06
  • Instruction ID: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
  • Opcode Fuzzy Hash: 05E02B089B8F0568A57A21042268D54B1407AD273FCDDE7514455B9A7E0BC272398B5C
  • Instruction Fuzzy Hash: 0ea8525553e01c09cb94f32bb490552acaab9873b3262d149a02f68e75d4e8c3
APIs
  • __fltout2.LIBCMT ref: 004281B4
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1199
  • API ID: __cftof2_l__fltout2
  • String ID: -
  • API String ID: 3351720910-2547889144
  • Opcode ID: 3ecf70b7584fd43c7468d4ae51303f77453193fd969f76a560213aa8d5f66d6a
  • Instruction ID: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
  • Opcode Fuzzy Hash: 98E0610D225E40496D7528056129C5061407B43B3FD4CF7974499F877857E3B519CF6A
  • Instruction Fuzzy Hash: a3c99c07699fd9c05b16eea1258a1f72c185a0efcbdd55be0e874d41699fa6d2
APIs
  • __fltout2.LIBCMT ref: 00428710
    • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
    • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
  • __cftof2_l.LIBCMT ref: 0042878F
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
    • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
    • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
    • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 793
  • API ID: GetModuleHandleInterlockedIncrement
  • String ID: KERNEL32.DLL
  • API String ID: 1059149659-2576044830
  • Opcode ID: 0a9ad8578875525d344662c04387834a3863c96689618f3ff1b79dfdb594b03a
  • Instruction ID: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
  • Opcode Fuzzy Hash: 25E02CE2029E00C2E97AA5047853F06903327E3A71C8C7729A23B389C2EB2611349C88
  • Instruction Fuzzy Hash: 37c73b593da77b8ab1e52ee6af61108917e3574ef521cc890e050ecba12683c7
APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:59360C0B24903D470D51A3544258A763
Total matches:30
Initial Analysis Report:Open
Initial sample Analysis ID:52761
Initial sample SHA 256:0794447DA6E410FE1C99E45F0EC81C80028D5EBC094594DFD3A0EAEE33C9DB1F
Initial sample name:5DOC3683925792.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:csshead.exe
Process MD5:59360C0B24903D470D51A3544258A763
Total matches:30
Initial Analysis Report:Open
Initial sample Analysis ID:52658
Initial sample SHA 256:3268D01C2F119F67D2AA26E672CE08CAF1843DF131975B2BFB8A1DB8F3252B30
Initial sample name:9DOC2818625513.js

Similar Executed Functions

Similarity
  • Total matches: 1214
  • API ID: FreeEnvironmentStringsWideCharToMultiByte$GetEnvironmentStrings
  • String ID:
  • API String ID: 1419575072-0
  • Opcode ID: 5238dcbc8fc2e0a5fd073f7f0fd60515b4b961088c0e1486cc16ac7d2d18394b
  • Instruction ID: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
  • Opcode Fuzzy Hash: 49E0CDD14D48C8427136484768653F9E459D0125934CD3FD28A5E4D7E3A624B8328F59
  • Instruction Fuzzy Hash: 719a60f42afd6d5f0ff2761a3d3087c1c848d0d2c24983d5fd5cb78af108445a
APIs
  • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1399
  • API ID: GetCurrentProcessIdGetCurrentThreadIdGetSystemTimeAsFileTimeGetTickCountRtlQueryPerformanceCounter
  • String ID:
  • API String ID: 588848570-0
  • Opcode ID: 318e800a48f883e279e59b84ae646057939b8945fe1ca4eec0ac9935bb56e0fb
  • Instruction ID: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
  • Opcode Fuzzy Hash: 5BE026808250460EA839104835E16AA017179F3A0DACCBBB000915F25322A0BC35180A
  • Instruction Fuzzy Hash: 89e5f0325433f2ab7c87a28edf444c9e41b37b4b74163b45efd9d9343e704e56
APIs
  • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
  • GetCurrentProcessId.KERNEL32 ref: 0042D105
  • GetCurrentThreadId.KERNEL32 ref: 0042D10D
  • GetTickCount.KERNEL32 ref: 0042D115
  • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

Similar Non-Executed Functions

Similarity
  • Total matches: 1129
  • API ID: InterlockedDecrementInterlockedIncrement$__getptd
  • String ID:
  • API String ID: 2916263689-0
  • Opcode ID: 44ddc92eb5b82b625f4d1b7cc35d520f6e723aec175505755f5685a225c4f056
  • Instruction ID: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
  • Opcode Fuzzy Hash: E801CE01014560F3E47AEC847003FD730713776EA3C9DEB6122DA24A8B6F243178ABD8
  • Instruction Fuzzy Hash: d0574bec78941db9228f2ec4eb5ed2cb997408e9e5645c1d6fab7e69050a1759
APIs
  • __getptd.LIBCMT ref: 0042581D
    • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
    • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
    • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
    • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
    • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • InterlockedDecrement.KERNEL32(?), ref: 00425883
  • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
    • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
    • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
  • InterlockedDecrement.KERNEL32 ref: 0042593A
  • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
    • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 1436
  • API ID: _parse_cmdline$GetModuleFileName
  • String ID: [FILE]
  • API String ID: 3720779703-124780900
  • Opcode ID: ae63c286bd75ec2a2d7c2f2ed399f8e2c5415b23780ae262b58e562ad0e61716
  • Instruction ID: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
  • Opcode Fuzzy Hash: CFE0C0030F4880C1567B9A00B051BB17591D5842BF96D9FB14366B30E7CF50F035638A
  • Instruction Fuzzy Hash: adf2206c123290f1b3e4f8523338676069d21a8610e7c8b4c7a56583a1bc5dde
APIs
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
  • _parse_cmdline.LIBCMT ref: 0042CD82
    • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
  • _parse_cmdline.LIBCMT ref: 0042CDC3
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
Similarity
  • Total matches: 2031
  • API ID: GetModuleHandleGetProcAddress
  • String ID: CorExitProcess$[FILE]
  • API String ID: 1063276154-452959123
  • Opcode ID: 36e6b4c97dea7cfcfb3513e97158113810a7701f5e68190893cae6ffb4e9d41b
  • Instruction ID: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
  • Opcode Fuzzy Hash: D6A012220506CACC5C6860C238100548074BDE0E1A40C6B1103490A642021421342DC4
  • Instruction Fuzzy Hash: 568bdceae73f98c83904a76c2430409339303195a8aa69af8212cc9b705bb810
APIs
  • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.22751766410.00410000.00000040.sdmp, Offset: 00410000, based on PE: false

General

Root Process Name:explorer.exe
Process MD5:C09F5356DE9941991CD3B3D6D67D9106
Total matches:29
Initial Analysis Report:Open
Initial sample Analysis ID:41148
Initial sample SHA 256:42C04255EAB287F7F4211CC94E90C56CB0A7C352941DEFAB5F009353BC958D19
Initial sample name:splugin.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
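The CreateProcess / GetThreadContext / VirtualProtectEx / WriteProcessMemory / ResumeThread entry above is the suspended-process write-and-resume pattern. The example below is added here and is not code from csshead.exe or from Joe Sandbox: it parses the call lines of that entry exactly as the report prints them, names the constants the report leaves numeric (00000004 = CREATE_SUSPENDED, 00010007 = CONTEXT_FULL on x86, 00000004 = PAGE_READWRITE for the section, 000F001F = FILE_MAP_ALL_ACCESS, 00000040 = PAGE_EXECUTE_READWRITE) and re-orders the calls by their `ref` call-site address, which the report itself does not do (CloseHandle at 006852C8 is listed before VirtualProtectEx at 00685252). The constant names are standard Win32 values; the scoring rule at the end is the example's own. The "Part of subcall function" lines (NtQueryInformationProcess with an 0x18-byte buffer followed by 4-byte ReadProcessMemory reads, consistent with a PEB lookup in the new process) are left out of the parsed input.

```python
"""Reconstruct the control flow of the CreateProcess/WriteProcessMemory/
ResumeThread function from the similarity-report entry above.

Added example, not code from the sample or from Joe Sandbox.  The input
lines are copied from the report; the constant names are the standard
Win32 values for the numbers the report prints."""
import re

# Copied from the report entry above.  "ref" is the call-site address inside
# the 0x680000 dump; "?" marks an argument the analyser could not resolve.
REPORT_LINES = """
GetModuleHandleA.KERNEL32(00000000), ref: 00685040
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
GetThreadContext.KERNEL32(?,00010007), ref: 00685209
CloseHandle.KERNEL32(?), ref: 006852C8
VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
ResumeThread.KERNEL32(?), ref: 0068527E
WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
CloseHandle.KERNEL32(?), ref: 006852BE
"""

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags
CONTEXT_FULL_I386 = 0x00010007       # CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS
PAGE_READWRITE = 0x04                # CreateFileMapping flProtect
FILE_MAP_ALL_ACCESS = 0x000F001F     # MapViewOfFile dwDesiredAccess
PAGE_EXECUTE_READWRITE = 0x40        # VirtualProtectEx flNewProtect

# "Api.Module(args), ref: addr" or, for argument-less calls, "Api.Module ref: addr".
CALL_RE = re.compile(r"^(\w+)\.(\w+)(?:\((.*?)\),)? ref: ([0-9A-Fa-f]+)$")

def _arg(token):
    """Hex argument -> int; '?' -> None; anything else (a string literal) kept."""
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token

def parse_calls(text):
    """Parse report lines and return them sorted by call-site address, which
    approximates the function's real order better than the report's listing."""
    calls = []
    for line in text.strip().splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        api, module, args, ref = m.groups()
        calls.append({"api": api, "module": module, "ref": int(ref, 16),
                      "args": [_arg(a) for a in args.split(",")] if args else []})
    return sorted(calls, key=lambda c: c["ref"])

def _first(calls, api):
    return next((c for c in calls if c["api"].startswith(api)), None)

def analyze_hollowing(calls):
    """Score the suspended-process write-and-resume pattern from the decoded
    arguments and from the order of the call sites."""
    indicators = []
    patch_size = None
    cp = _first(calls, "CreateProcess")
    if cp and len(cp["args"]) > 5 and cp["args"][5] is not None and cp["args"][5] & CREATE_SUSPENDED:
        indicators.append("CreateProcess with CREATE_SUSPENDED")
    fm = _first(calls, "CreateFileMapping")
    if fm and len(fm["args"]) > 2 and fm["args"][2] == PAGE_READWRITE:
        indicators.append("PAGE_READWRITE section created as a staging buffer")
    mv = _first(calls, "MapViewOfFile")
    if mv and len(mv["args"]) > 1 and mv["args"][1] == FILE_MAP_ALL_ACCESS:
        indicators.append("MapViewOfFile with FILE_MAP_ALL_ACCESS")
    tc = _first(calls, "GetThreadContext")
    if tc and len(tc["args"]) > 1 and tc["args"][1] == CONTEXT_FULL_I386:
        indicators.append("GetThreadContext(CONTEXT_FULL) on the suspended thread")
    vp = _first(calls, "VirtualProtectEx")
    if vp and len(vp["args"]) > 3 and vp["args"][3] == PAGE_EXECUTE_READWRITE:
        patch_size = vp["args"][2]
        indicators.append("VirtualProtectEx PAGE_EXECUTE_READWRITE over %#x bytes" % patch_size)
    wp = _first(calls, "WriteProcessMemory")
    if wp and patch_size is not None and len(wp["args"]) > 3 and wp["args"][3] == patch_size:
        # 0x29B bytes is far smaller than a PE image: the written range is exactly
        # the one made RWX, so this is a patch of a region, not a full image swap.
        indicators.append("WriteProcessMemory of exactly the re-protected range")
    # Order matters: protect/write must sit between CreateProcess and ResumeThread.
    chain = ["CreateProcess", "GetThreadContext", "VirtualProtectEx",
             "WriteProcessMemory", "ResumeThread"]
    refs = []
    for api in chain:
        c = _first(calls, api)
        refs.append(c["ref"] if c else None)
    ordered = None not in refs and refs == sorted(refs)
    return {"indicators": indicators, "ordered": ordered, "patch_size": patch_size,
            "suspicious": ordered and len(indicators) >= 4}

if __name__ == "__main__":
    result = analyze_hollowing(parse_calls(REPORT_LINES))
    for item in result["indicators"]:
        print("-", item)
    print("ordered:", result["ordered"], "suspicious:", result["suspicious"])
```

The sort by `ref` is the important step: the report lists the second CloseHandle (006852C8) before VirtualProtectEx (00685252), and only the address order shows that the protect and write happen between CreateProcess and ResumeThread. Call-site order is still only an approximation of control flow (a loop or a branch can reorder execution), so treat the verdict as a triage signal for this function, not as proof of what ran.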
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
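The Sleep / CreateFile / DeleteFile entry above opens a file for read and write with FILE_FLAG_NO_BUFFERING (20000080 = FILE_FLAG_NO_BUFFERING | FILE_ATTRIBUTE_NORMAL), reads its size, writes 0x200-byte blocks, flushes, closes and only then deletes it: an overwrite-before-delete routine. The 0x200 write length is what unbuffered I/O requires (sector-aligned lengths), which is why the loop works in sectors rather than bytes. The example below is added here and is not the sample's code; it reproduces the routine on a throwaway file with POSIX calls standing in for the Win32 ones so the on-disk result can be inspected. The fill pattern, the block count and the file content are assumptions (the report does not show them).

```python
"""Reproduce, on a throwaway file, the overwrite-flush-delete routine from
the entry above, so the on-disk result is visible.

Added example; not the sample's code.  The report shows CreateFileA with
access C0000000 (GENERIC_READ|GENERIC_WRITE), disposition 3 (OPEN_EXISTING)
and flags 20000080 (FILE_FLAG_NO_BUFFERING|FILE_ATTRIBUTE_NORMAL), then
GetFileSize, WriteFile in 0x200-byte blocks, FlushFileBuffers, CloseHandle,
DeleteFileA.  The fill pattern, the block count and the POSIX stand-ins for
the Win32 calls are assumptions; the file content is constructed."""
import os
import tempfile

SECTOR = 0x200   # WriteFile length in the report; unbuffered I/O needs sector-aligned lengths

def decode_create_file_args(access, disposition, flags):
    """Name the CreateFileA constants printed in the report."""
    names = []
    if access & 0x80000000:
        names.append("GENERIC_READ")
    if access & 0x40000000:
        names.append("GENERIC_WRITE")
    if flags & 0x20000000:
        names.append("FILE_FLAG_NO_BUFFERING")
    if flags & 0x80000000:
        names.append("FILE_FLAG_WRITE_THROUGH")
    if flags & 0x00000080:
        names.append("FILE_ATTRIBUTE_NORMAL")
    disp = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}[disposition]
    return disp, names

def overwrite_in_place(path, fill=b"\x00"):
    """GetFileSize, then WriteFile(0x200) until the size is covered, then
    FlushFileBuffers and CloseHandle.  Returns (bytes_written, blocks)."""
    size = os.path.getsize(path)
    blocks = (size + SECTOR - 1) // SECTOR        # round up: the last partial sector is covered too
    block = (fill * SECTOR)[:SECTOR]              # assumed fill pattern; the report does not show it
    fd = os.open(path, os.O_RDWR)                 # GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING
    written = 0
    try:
        for _ in range(blocks):
            written += os.write(fd, block)        # WriteFile(h, buf, 0x200, &n, NULL)
        os.fsync(fd)                              # FlushFileBuffers: push it past the cache
    finally:
        os.close(fd)                              # CloseHandle
    return written, blocks

def wipe_and_delete(path):
    """The whole routine: overwrite, flush, close, then DeleteFileA."""
    written, blocks = overwrite_in_place(path)
    os.unlink(path)
    return written, blocks

def demo(content=b"C2 config: constructed sample bytes\n" * 20):
    """Create a constructed file, overwrite it, look at what a carver would see
    just before the unlink, then delete it."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
        path = f.name
    written, blocks = overwrite_in_place(path)
    with open(path, "rb") as f:
        residue = f.read()
    os.unlink(path)                               # DeleteFileA
    return {
        "original_size": len(content),
        "blocks": blocks,
        "written": written,
        "residue_size": len(residue),             # grows to the next 0x200 boundary
        "plaintext_survives": content[:16] in residue,
        "file_exists": os.path.exists(path),
    }

if __name__ == "__main__":
    print(decode_create_file_args(0xC0000000, 3, 0x20000080))
    print(demo())
```

For a forensic examiner the useful detail is what this does and does not remove: the file's clusters are rewritten before the delete, so carving the data area recovers the fill pattern rather than the content, and the size is rounded up to a 0x200 multiple just before the unlink. The file name, the delete itself and the timestamps still leave their usual traces in NTFS metadata and in the USN change journal, which is where to look when the content is gone.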
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
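Three entries above are token and security-descriptor checks that belong together: the GetTokenInformation(00000019 = TokenIntegrityLevel) routine that then calls GetSidSubAuthorityCount and GetSidSubAuthority (reading the last sub-authority of the label SID, i.e. the integrity RID); the OpenThreadToken / OpenProcessToken routine that fetches TokenGroups (class 00000002) into a 0x400-byte buffer and compares each SID against AllocateAndInitializeSid(…, 2, 00000020, 00000220) with EqualSid; and the InitializeSecurityDescriptor / SetSecurityDescriptorDacl(present, NULL) / ConvertStringSecurityDescriptorToSecurityDescriptorA / GetSecurityDescriptorSacl / SetSecurityDescriptorSacl routine that builds a NULL-DACL descriptor and copies a SACL out of an SDDL string into it. The example below is added here and is not the sample's code or Joe Sandbox output; it decodes those constants and shows what each routine computes. Two assumptions are made because the report only shows pointers: the identifier authority at 0068A2A4 is taken to be SECURITY_NT_AUTHORITY (5), which makes the SID S-1-5-32-544 (BUILTIN\Administrators), and the SDDL text at 00681CB4 is replaced by a constructed "S:(ML;;NW;;;LW)" to illustrate the SACL copy.

```python
"""Decode the token / security-descriptor routines in the entries above:
  * GetTokenInformation(TokenIntegrityLevel = 0x19) followed by
    GetSidSubAuthorityCount / GetSidSubAuthority(count - 1): read the
    process's own integrity RID;
  * GetTokenInformation(TokenGroups = 2) + AllocateAndInitializeSid(auth, 2,
    0x20, 0x220) + EqualSid: BUILTIN\\Administrators membership test;
  * SetSecurityDescriptorDacl(TRUE, NULL, FALSE) + Convert...SDDL +
    Get/SetSecurityDescriptorSacl: NULL DACL with a mandatory label copied in.
Added example, not code from the sample or from Joe Sandbox.  Assumed: the
authority struct at 0068A2A4 is SECURITY_NT_AUTHORITY (5); the SDDL text at
00681CB4 is not in the report, so a constructed "S:(ML;;NW;;;LW)" is used."""
import re

SECURITY_NT_AUTHORITY = 5                 # assumption for the authority struct at 0068A2A4
SECURITY_MANDATORY_LABEL_AUTHORITY = 16
TOKEN_QUERY = 0x0008                      # OpenProcessToken access in the report
TOKEN_INFORMATION_CLASS = {0x02: "TokenGroups", 0x19: "TokenIntegrityLevel"}
ERROR_INSUFFICIENT_BUFFER = 122           # what the first, zero-length GetTokenInformation call yields

def sid_string(authority, *subauthorities):
    """AllocateAndInitializeSid(pAuthority, n, s0..s7) -> 'S-1-<auth>-s0-...'."""
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subauthorities))

ADMINISTRATORS_SID = sid_string(SECURITY_NT_AUTHORITY, 0x20, 0x220)   # S-1-5-32-544

WELL_KNOWN = {
    ADMINISTRATORS_SID: "BUILTIN\\Administrators",
    "S-1-16-4096": "Low Mandatory Level",
    "S-1-16-8192": "Medium Mandatory Level",
    "S-1-16-12288": "High Mandatory Level",
    "S-1-16-16384": "System Mandatory Level",
}

def integrity_level_name(rid):
    """Compare the label RID against the SECURITY_MANDATORY_*_RID thresholds,
    as code that reads GetSidSubAuthority(count - 1) typically does."""
    if rid >= 0x4000:
        return "system"
    if rid >= 0x3000:
        return "high"
    if rid >= 0x2000:
        return "medium"
    if rid >= 0x1000:
        return "low"
    return "untrusted"

def integrity_from_label_sid(sid):
    """The last sub-authority of the TokenIntegrityLevel SID is the level."""
    parts = sid.split("-")                # ['S', '1', authority, sub, ...]
    if int(parts[2]) != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID: " + sid)
    return integrity_level_name(int(parts[-1]))

def is_admin_token(group_sids):
    """EqualSid over every SID in the TokenGroups buffer (the report allocates
    0x400 bytes for it) against the BUILTIN\\Administrators SID."""
    return any(sid == ADMINISTRATORS_SID for sid in group_sids)

SDDL_SID_ALIASES = {"LW": "S-1-16-4096", "ME": "S-1-16-8192", "HI": "S-1-16-12288",
                    "SI": "S-1-16-16384", "BA": "S-1-5-32-544"}
ML_POLICY = {"NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}

def parse_sacl_label(sddl):
    """Extract the mandatory-label ACE, '(ML;flags;policy;;;sid)', from the S:
    part of an SDDL string: the piece GetSecurityDescriptorSacl hands to
    SetSecurityDescriptorSacl in the routine above."""
    if "S:" not in sddl:
        return None
    sacl = sddl.split("S:", 1)[1]
    for ace in re.findall(r"\(([^)]*)\)", sacl):
        fields = ace.split(";")           # type;flags;rights;object_guid;inherit_guid;sid
        if fields[0] != "ML":
            continue
        policy = [ML_POLICY[fields[2][i:i + 2]] for i in range(0, len(fields[2]), 2)]
        sid = SDDL_SID_ALIASES.get(fields[5], fields[5])
        return {"label_sid": sid, "level": integrity_from_label_sid(sid), "policy": policy}
    return None

def build_descriptor(sddl):
    """Net effect of the routine: DACL present but NULL (every caller passes the
    access check) plus whatever label the SDDL carried.  With a Low label and
    NO_WRITE_UP, a low-integrity process can still write to the object."""
    return {"dacl_present": True, "dacl": None, "label": parse_sacl_label(sddl)}

if __name__ == "__main__":
    print(WELL_KNOWN[ADMINISTRATORS_SID], is_admin_token(["S-1-5-32-545", ADMINISTRATORS_SID]))
    print(integrity_from_label_sid("S-1-16-8192"))
    print(build_descriptor("S:(ML;;NW;;;LW)"))
```

The two GetTokenInformation calls in the integrity-level entry are the usual size-probe pair: the first, with a zero-length buffer, fails with ERROR_INSUFFICIENT_BUFFER and returns the needed size (hence the GetLastError and RtlAllocateHeap subcall between them), and the second fills the buffer. The admin check prefers OpenThreadToken and only falls back to OpenProcessToken after GetLastError, so an impersonating thread is tested on its impersonation token rather than the primary one. For the descriptor routine the only thing the report proves is the shape (NULL DACL plus a SACL copied from SDDL); the label actually applied depends on the string at 00681CB4, which is not shown.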
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:B01470F68E56B010951D66644DEE76F4
Total matches:29
Initial Analysis Report:Open
Initial sample Analysis ID:40334
Initial sample SHA 256:014F177F6542735538783F639AFF9F46AB4879544D6DDFED327FFED7313E4A60
Initial sample name:pvideo.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:C58F5A736C6E80CF3C4426DA67540F95
Total matches:28
Initial Analysis Report:Open
Initial sample Analysis ID:47139
Initial sample SHA 256:79051CFE2B37DDC439C18BC0C1856958DD026A7A6DD0A24DE4222D91DBFDA22C
Initial sample name:pres.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name: explorer.exe
Process MD5: 9A1C6993B7571ED6460D06833B78966C
Total matches: 28
Initial Analysis Report: Open
Initial sample Analysis ID: 71976
Initial sample SHA 256: 81D016E80FDDB754B20702BE0218C8351CB040E0D3A108A1D972A68C86DE4CE9
Initial sample name: paint.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name: explorer.exe
Process MD5: 1B8683494257868642655C7842B39CAA
Total matches: 28
Initial Analysis Report: Open
Initial sample Analysis ID: 47031
Initial sample SHA 256: 5588E347602EE7266F5B058B46955239028A16DFC82A5780C7135DE7E32A6FBC
Initial sample name: vtype.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:EFB98185CB4A95C8E3F209B05EB4AEBC
Total matches:28
Initial Analysis Report:Open
Initial sample Analysis ID:50392
Initial sample SHA 256:192DB4F6BCAE16A78C0C7544A3653A597C4CE05F8B8773F2553414C42BDDAA51
Initial sample name:3666712.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:941FA30BE8DCFEF277CE62DE74FFBF99
Total matches:28
Initial Analysis Report:Open
Initial sample Analysis ID:56382
Initial sample SHA 256:95B8F7277E3965872577AEBFC4D1A0A5738E6C814CBEB9AEF85B495B36DABAE8
Initial sample name:668396.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:00FE617BE3854F8B3EB373E8272148DD
Total matches:28
Initial Analysis Report:Open
Initial sample Analysis ID:49462
Initial sample SHA 256:6FD04B0C6EA295F5617F83896B8CE243909A77A9DA4E876C0F8E6E414BDEFFC3
Initial sample name:mxdn.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:6EED20CCE1D8877E9953E4375AC750CE
Total matches:28
Initial Analysis Report:Open
Initial sample Analysis ID:59838
Initial sample SHA 256:80DDBDBEDA351B942A6619381744A528974D9C549E6CD9B36993D5DD0313FC42
Initial sample name:mlsd.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:B63A39FAD3EDC42EF9968A870BB5ED84
Total matches:27
Initial Analysis Report:Open
Initial sample Analysis ID:31223
Initial sample SHA 256:BF26945A850E6DF808409F800AB1DBB42B2469440CAA394B4721CDF4A7D371AC
Initial sample name:tr.exe

Similar Executed Functions

Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
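The listing above (API ID Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile) shows the overwrite-before-delete pattern: CreateFileA with GENERIC_READ|GENERIC_WRITE (C0000000) and FILE_FLAG_WRITE_THROUGH|FILE_ATTRIBUTE_NORMAL (20000080), GetFileSize, WriteFile in 00000200-byte pieces, FlushFileBuffers, CloseHandle, then DeleteFileA. The following is an added example written for this page, not code from the sample or from Joe Sandbox; portable Python stands in for the Win32 calls. What the sample writes into its 512-byte buffer is not visible in the report, so the zero fill is an assumption, and the demo input is constructed.

```python
# Added example (editor's code): overwrite a file in 0x200-byte writes, flush,
# then unlink, the sequence in the report listing. Zero fill is an assumption;
# the report does not show the buffer contents.
import os
import tempfile

CHUNK = 0x200   # the WriteFile length in the listing


def overwrite_and_delete(path: str, fill: bytes = b"\0", chunk: int = CHUNK) -> int:
    """Overwrite `path` in place in `chunk`-sized writes, flush, then unlink.

    Returns the number of bytes overwritten. Limits of the technique: only the
    current allocation is touched (no slack space, no journal, no earlier
    copies on copy-on-write or SSD storage).
    """
    if len(fill) != 1:
        raise ValueError("fill must be a single byte")
    size = os.path.getsize(path)                     # GetFileSize
    written = 0
    with open(path, "r+b", buffering=0) as fh:       # open existing, do not truncate
        fh.seek(0)
        while written < size:
            n = min(chunk, size - written)
            fh.write(fill * n)                       # WriteFile(h, buf, n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())                        # FlushFileBuffers
    os.remove(path)                                  # DeleteFileA
    return written


def demo(content: bytes = b"A" * 1300) -> tuple:
    """Constructed input: a temp file of 1300 bytes (two full 0x200 writes, one short)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    n = overwrite_and_delete(path)
    return n, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The two Sleep(00000064) calls that follow DeleteFileA in the listing are not modelled; 100 ms pauses after a delete are commonly retry or handle-settling delays, but the report does not show the loop structure.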
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
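The two token checks on this page work on raw SIDs: the listing above (and its copy under the earlier sample) opens the thread or process token, asks GetTokenInformation for class 00000002 (TokenGroups), builds a SID with AllocateAndInitializeSid(authority, 2, 00000020, 00000220, ...) and compares it against the groups with EqualSid; the GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken function under Similar Executed Functions queries class 00000019 (TokenIntegrityLevel) and reads the last sub-authority of the label SID with GetSidSubAuthorityCount and GetSidSubAuthority. The following is an added example for this page, not the sample's or Joe Sandbox's code: it builds and parses SIDs in their documented binary layout and applies the same two comparisons. The report only shows the identifier-authority pointer (0068A2A4); that it points at SECURITY_NT_AUTHORITY, making the compared SID S-1-5-32-544 (BUILTIN\Administrators), is an assumption based on the 00000020 and 00000220 sub-authorities.

```python
# Added example (editor's code): Windows SID layout and the two checks from
# the report. The NT authority for the 0068A2A4 pointer is an assumption.
import struct

SECURITY_NT_AUTHORITY = 5                 # assumed for the SID built at 00684278
SECURITY_MANDATORY_LABEL_AUTHORITY = 16   # S-1-16-x integrity labels
SECURITY_BUILTIN_DOMAIN_RID = 0x20        # 3rd argument in the listing
DOMAIN_ALIAS_RID_ADMINS = 0x220           # 4th argument: BUILTIN\Administrators

# SECURITY_MANDATORY_*_RID values; Windows compares them numerically
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System"}


def make_sid(authority: int, *subauthorities: int) -> bytes:
    """Serialise a SID the way AllocateAndInitializeSid lays it out in memory."""
    if not 0 < len(subauthorities) <= 15:
        raise ValueError("a SID has 1..15 sub-authorities")
    header = struct.pack("<BB", 1, len(subauthorities))        # Revision, SubAuthorityCount
    ident = authority.to_bytes(6, "big")                       # IdentifierAuthority (big-endian)
    subs = struct.pack("<%dI" % len(subauthorities), *subauthorities)
    return header + ident + subs


def parse_sid(blob: bytes) -> tuple:
    """Return (authority, [sub-authorities]); what GetSidSubAuthorityCount/GetSidSubAuthority read."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    return authority, subs


def sid_to_string(blob: bytes) -> str:
    authority, subs = parse_sid(blob)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def is_builtin_admins(blob: bytes) -> bool:
    """The EqualSid test from the listing: is this group SID BUILTIN\\Administrators?"""
    admins = make_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
    return parse_sid(blob) == parse_sid(admins)          # EqualSid compares the whole SID


def integrity_level(label_sid: bytes) -> str:
    """The TokenIntegrityLevel check: the RID is the *last* sub-authority of the label SID."""
    authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID")
    rid = subs[-1]                                       # GetSidSubAuthority(sid, count - 1)
    floor = max(k for k in INTEGRITY_LEVELS if k <= rid) # e.g. 0x2100 (Medium Plus) -> Medium
    return INTEGRITY_LEVELS[floor]


if __name__ == "__main__":
    # constructed inputs
    print(sid_to_string(make_sid(5, 32, 544)), is_builtin_admins(make_sid(5, 32, 544)))
    print(sid_to_string(make_sid(16, 0x2000)), integrity_level(make_sid(16, 0x2000)))
```

In the first listing TokenGroups is queried with a fixed 00000400-byte buffer, so on a token with many groups the call can fail with ERROR_INSUFFICIENT_BUFFER; the second listing follows the correct two-call pattern (query size, GetLastError, allocate, query again).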
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
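The CreateFileReadFile$CloseHandleSetFilePointer listing above reads 00000040 bytes from the start of a file, seeks, and reads 00000014 more. Those sizes match sizeof(IMAGE_DOS_HEADER) and sizeof(IMAGE_FILE_HEADER), the usual way to get Machine, NumberOfSections and Characteristics of a PE without mapping it. The following is an added example for this page, not the sample's code: it performs that two-read parse over a constructed minimal PE. That the SetFilePointer target is e_lfanew plus the 4-byte signature is an assumption; the report shows the offset argument as '?'.

```python
# Added example (editor's code): the DOS-header / file-header read sequence
# from the listing, over a constructed minimal PE. The seek target is assumed.
import io
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_DOS_HEADER_SIZE = 0x40      # first ReadFile length in the listing
IMAGE_FILE_HEADER_SIZE = 0x14     # second ReadFile length in the listing
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000


def read_file_header(fp) -> dict:
    """Return IMAGE_FILE_HEADER fields from a readable, seekable binary stream."""
    dos = fp.read(IMAGE_DOS_HEADER_SIZE)
    if len(dos) != IMAGE_DOS_HEADER_SIZE or dos[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)       # last field of IMAGE_DOS_HEADER
    fp.seek(e_lfanew)                                        # SetFilePointer(h, e_lfanew, 0, FILE_BEGIN)
    if fp.read(4) != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    raw = fp.read(IMAGE_FILE_HEADER_SIZE)                    # the 0x14-byte read
    if len(raw) != IMAGE_FILE_HEADER_SIZE:
        raise ValueError("truncated IMAGE_FILE_HEADER")
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack("<HHIIIHH", raw)
    return {
        "Machine": machine,
        "NumberOfSections": nsect,
        "TimeDateStamp": stamp,
        "SizeOfOptionalHeader": opt_size,
        "Characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def parse_pe_bytes(data: bytes) -> dict:
    return read_file_header(io.BytesIO(data))


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_I386, sections=3,
                     characteristics=0x0102, stamp=0x5B86A1C0) -> bytes:
    """Constructed test input: DOS header, zero stub, PE signature, file header only."""
    e_lfanew = 0x80
    dos = bytearray(IMAGE_DOS_HEADER_SIZE)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\0" * (e_lfanew - IMAGE_DOS_HEADER_SIZE)
    file_header = struct.pack("<HHIIIHH", machine, sections, stamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + stub + IMAGE_NT_SIGNATURE + file_header


if __name__ == "__main__":
    print(parse_pe_bytes(build_minimal_pe()))
```

The checks on the MZ and PE signatures and on short reads are what a robust reader needs; the listing gives no indication whether the sample validates them, and a parser that trusts e_lfanew blindly will seek outside the file on crafted input.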
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
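Three of the listings on this page can be recognised mechanically from the report text: the CloseHandle$CreateFileMappingCreateProcess... function, where CreateProcessA is called with dwCreationFlags 00000004 (CREATE_SUSPENDED) and followed by GetThreadContext, VirtualProtectEx, WriteProcessMemory and ResumeThread (the process hollowing sequence); the Sleep$GetTickCount function with Sleep(000927C0), that is 600000 ms, bracketed by GetTickCount; and the listing directly above, OpenMutexA followed by ExitProcess. The following is an added example written for this page, not Joe Sandbox's classifier and not code from the sample: it parses the bullet lines of an APIs listing and applies those three rules. The embedded listings are copied from this report (abridged); the CREATE_SUSPENDED bit is a documented Win32 constant, while the 60 s sleep threshold and the rule ordering are the editor's choices.

```python
# Added example (editor's code): parse Joe Sandbox "APIs" bullet lines and
# apply sequence rules. Thresholds and rules are the editor's, not Joe Sandbox's.
import re
from dataclasses import dataclass
from typing import Optional

# "  • API.MODULE(args), ref: ADDR" or "  • API.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXX:"
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
CREATE_SUSPENDED = 0x4      # dwCreationFlags bit in the CreateProcessA call
LONG_SLEEP_MS = 60_000      # editor's threshold for sandbox-timeout style sleeps


@dataclass
class Call:
    api: str
    module: str
    args: list        # int for hex immediates, None for '?', str otherwise
    ref: int          # call-site address
    subcall: bool     # True for "Part of subcall function" lines


def parse_arg(token: str):
    token = token.strip().split("(", 1)[0]   # "00000019(TokenIntegrityLevel)" -> "00000019"
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token                         # e.g. Function_00007278


def parse_calls(text: str) -> list:
    """Parse the bullet lines of one APIs listing; non-matching lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), bool(m["sub"])))
    return calls


def timeline(calls: list) -> list:
    """Top-level calls in call-site order (the report does not list strictly by address)."""
    return sorted((c for c in calls if not c.subcall), key=lambda c: c.ref)


def first_after(tl: list, prefix: str, ref: int) -> Optional[Call]:
    return next((c for c in tl if c.ref > ref and c.api.startswith(prefix)), None)


def detect_process_hollowing(calls: list) -> Optional[dict]:
    """CreateProcess*(..CREATE_SUSPENDED..), then GetThreadContext, WriteProcessMemory, ResumeThread."""
    tl = timeline(calls)
    for cp in tl:
        if not cp.api.startswith("CreateProcess") or len(cp.args) < 6:
            continue
        flags = cp.args[5]                   # dwCreationFlags is the 6th parameter
        if not isinstance(flags, int) or not flags & CREATE_SUSPENDED:
            continue
        chain, last = {"CreateProcess": cp}, cp.ref
        for step in ("GetThreadContext", "WriteProcessMemory", "ResumeThread"):
            nxt = first_after(tl, step, last)
            if nxt is None:
                break
            chain[step], last = nxt, nxt.ref
        else:
            return {k: f"{v.ref:08X}" for k, v in chain.items()}
    return None


def detect_mutex_guard(calls: list) -> Optional[tuple]:
    """OpenMutex* followed by ExitProcess: the single-instance check."""
    tl = timeline(calls)
    for om in tl:
        if om.api.startswith("OpenMutex"):
            ex = first_after(tl, "ExitProcess", om.ref)
            if ex is not None:
                return f"{om.ref:08X}", f"{ex.ref:08X}"
    return None


def longest_sleep_ms(calls: list) -> int:
    return max((c.args[0] for c in timeline(calls)
                if c.api == "Sleep" and c.args and isinstance(c.args[0], int)), default=0)


def sleep_timing_check(calls: list) -> bool:
    """Long Sleep plus GetTickCount in one function: consistent with a sleep-acceleration check."""
    return longest_sleep_ms(calls) >= LONG_SLEEP_MS and any(c.api == "GetTickCount" for c in timeline(calls))


# Listings copied from this report (abridged).
HOLLOWING_LISTING = """
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
"""
MUTEX_LISTING = """
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
"""
SLEEP_LISTING = """
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
"""

if __name__ == "__main__":
    print(detect_process_hollowing(parse_calls(HOLLOWING_LISTING)))
    print(detect_mutex_guard(parse_calls(MUTEX_LISTING)))
    print(longest_sleep_ms(parse_calls(SLEEP_LISTING)), sleep_timing_check(parse_calls(SLEEP_LISTING)))
```

The rules deliberately work on call-site order rather than the report's listing order, because the report interleaves subcall lines and, as in the hollowing listing, can place a later CloseHandle before VirtualProtectEx. Matching only top-level lines keeps a rule from being satisfied by APIs that belong to a helper function.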
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name: explorer.exe
Process MD5: 37C2017497122FE4AFCAD7FF30A24EF8
Total matches: 26
Initial Analysis Report: Open
Initial sample Analysis ID: 53041
Initial sample SHA 256: A041C5E65A76301656BE927D2BA92BC5A42567D7EE649E4A0C767D78254B29F7
Initial sample name: 9669353.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 22
  • API ID: ConvertStringSecurityDescriptorToSecurityDescriptorGetSecurityDescriptorSaclInitializeSecurityDescriptorLocalFreeSetSecurityDescriptorDaclSetSecurityDescriptorSacl
  • String ID:
  • API String ID: 830655387-0
  • Opcode ID: ae34fe9e104b8e30252ed44bb7a481101a281386164d3304e160551154fb8f93
  • Instruction ID: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
  • Opcode Fuzzy Hash: 74F08C06645D877B993529992803B95006AF793A22CCDBB32083467AC3DAD1E45AEF17
  • Instruction Fuzzy Hash: a0bb7ab5e7160805ead914702a171646160b4b35533d4b043bc1ee10d4060692
APIs
  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0068441F
  • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00684437
  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00681CB4,00000001,?,00000000), ref: 00684453
  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684478
  • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00684498
  • LocalFree.KERNEL32(?), ref: 006844AC
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name: explorer.exe
Process MD5: 201218D74CB36FA3B507B52B3F542E31
Total matches: 23
Initial Analysis Report: Open
Initial sample Analysis ID: 63349
Initial sample SHA 256: 78FBD18CC7DF53021F74B6879E254A605D866806BF22166F37628469347A6CF8
Initial sample name: jAqtHkfbz.exe

Similar Executed Functions

Similarity
  • Total matches: 11
  • API ID: LoadLibrary
  • String ID: '\/$'`+9$+WJ$:H$A;=S$B=K$D$C2$Psapi$WO$W[Q$_p5:$`M<$ad$j$xtz:$z{y<
  • API String ID: 2077302977-1452207234
  • Opcode ID: 04210300ac0cb0b9e112ba8a4447320cee297c6bcf124c580a88833ea259f153
  • Instruction ID: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
  • Opcode Fuzzy Hash: 5C12D617C1C94257EA1143A944620CE0261D1BB63E10A7FFB46BD775CAFFA3B90E9162
  • Instruction Fuzzy Hash: 01a3077eabea42ebac4575fa14e0a8bd4f53bd7571d341a4c52f0415b530052a
APIs
  • LoadLibraryA.KERNEL32(00681BF0), ref: 00682D59
  • LoadLibraryA.KERNEL32(00681BE8), ref: 00682D9E
  • LoadLibraryA.KERNELBASE(Psapi), ref: 00682FDA
  • LoadLibraryA.KERNELBASE(00681C40), ref: 00682FFB
  • LoadLibraryA.KERNEL32(00681CAC), ref: 0068301C
  • LoadLibraryA.KERNEL32(00681D08), ref: 006830A9
  • LoadLibraryA.KERNEL32(00681C20), ref: 00683388
  • LoadLibraryA.KERNEL32(00681BF8), ref: 006833CD
  • LoadLibraryA.KERNELBASE(00681C28), ref: 00683412
  • LoadLibraryA.KERNEL32(00681EEC), ref: 00683457
  • LoadLibraryA.KERNELBASE(00681C38), ref: 0068348A
  • LoadLibraryA.KERNEL32(00681CA4), ref: 006834CF
  • LoadLibraryA.KERNELBASE(00681EDC), ref: 0068350C
  • LoadLibraryA.KERNELBASE(00681EE4), ref: 00683683
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 12
  • API ID: FindCloseFindFirstFileFindNextFileSHGetSpecialFolderPath
  • String ID: .
  • API String ID: 1491940985-248832578
  • Opcode ID: 847e9c226dee3d16e8473c6c873470d058e23295cd5af0c04ffd27a8a43bb5ac
  • Instruction ID: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
  • Opcode Fuzzy Hash: 7111E7060F9CA557C63316431883B8510E4FB81D6DE5DFF6298B6A72D9DE40700AF31E
  • Instruction Fuzzy Hash: 783845e7cf92690c688a67d897fdab86861dc96d24472d7e8cd81596a462f69d
APIs
  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00685664
  • FindFirstFileA.KERNEL32(?,00000080), ref: 00685697
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
    • Part of subcall function 006847AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
    • Part of subcall function 006847AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
    • Part of subcall function 006847AC: GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006847AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
    • Part of subcall function 006847AC: CloseHandle.KERNEL32(?), ref: 00684849
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00685825
  • FindClose.KERNEL32(000000FF), ref: 0068583D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: CreateProcessGetTempPathSleepwsprintf
  • String ID: >UD $D
  • API String ID: 4270156151-3542313568
  • Opcode ID: 4a34f360d4b2cf79f88a7c1956ac2f756e94eb2ecaab9077ef3448d89b361611
  • Instruction ID: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
  • Opcode Fuzzy Hash: FCF0A4C20B64ABCBE06367413D42B6113F1FF41A7DF4E9F615EB0616D99E00110DF608
  • Instruction Fuzzy Hash: 07f63464bd60ab6f08235ff8381d259fc3e6b79a81ea0a244bc187a1012b2113
APIs
    • Part of subcall function 00687290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 006872AC
    • Part of subcall function 00687290: CloseHandle.KERNEL32(?), ref: 006872B9
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • GetTempPathA.KERNEL32(00000201,?), ref: 00688364
  • wsprintfA.USER32 ref: 00688476
    • Part of subcall function 0068485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
    • Part of subcall function 0068485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
    • Part of subcall function 0068485C: FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
    • Part of subcall function 0068485C: CloseHandle.KERNEL32(000000FF), ref: 006848CE
  • Sleep.KERNEL32(000005DC), ref: 006883E3
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068840C
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleExitProcessOpenMutexSleep
  • String ID: -
  • API String ID: 4224407553-2547889144
  • Opcode ID: 766225e4078f1282aea54923433f0feb12143653464d0b6b403014dd341516dc
  • Instruction ID: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
  • Opcode Fuzzy Hash: 1EE0261F86688692F49272704D283260395FB51329CCDAF316661E80D9FBC4102EBB1A
  • Instruction Fuzzy Hash: d59dd2d731f72d9575193445abf64ae7baeb1b941b9cadfe63f4249f0cabc39e
APIs
  • Sleep.KERNEL32(00003A98), ref: 00689260
    • Part of subcall function 00686E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00686E26
    • Part of subcall function 00686E04: CharUpperBuffA.USER32(?,000001F5), ref: 00686E37
  • OpenMutexA.KERNEL32(00100000,00000000,00681CC8), ref: 00689292
  • CloseHandle.KERNEL32(00000000), ref: 006892A5
  • ExitProcess.KERNEL32 ref: 006892AD
    • Part of subcall function 006869BC: GetTempPathA.KERNEL32(00000101,?), ref: 006869E1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: CloseHandleCreateFileWriteFile
  • String ID: P
  • API String ID: 300539103-3110715001
  • Opcode ID: a0d8325fe3833133ed6e9288858e344122b4c8528edc263b86630298fbb1195d
  • Instruction ID: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
  • Opcode Fuzzy Hash: E2216A048E6C4957F8B329401C93F5A1292B703A6FC4EB7A166F4271D6CB81504DFA1D
  • Instruction Fuzzy Hash: a786816ef3cbb6697c7ca4becfc7149c7ca836c73f8b7b38a1ff01a04e48fcfe
APIs
    • Part of subcall function 00683864: InternetOpenA.WININET(?,?,?,?,?), ref: 0068387C
    • Part of subcall function 0068161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0068164D
    • Part of subcall function 00681660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0068168F
    • Part of subcall function 006815E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00681607
    • Part of subcall function 006839CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 006839EF
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 006816A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 006816C3
    • Part of subcall function 006815B0: InternetReadFile.WININET(?,?,?,?), ref: 006815CF
  • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
  • CloseHandle.KERNEL32(000000FF), ref: 00683E6B
    • Part of subcall function 0068151C: InternetCloseHandle.WININET(?), ref: 00681529
    • Part of subcall function 006816D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 006816F7
    • Part of subcall function 0068170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0068172B
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 12
  • API ID: GetTempPathShellExecute
  • String ID:
  • API String ID: 512541067-3916222277
  • Opcode ID: 5909ed8b5129cf964bd0aaabdaffa3fefb75e79e4c7e56ae16b1468b3605ceab
  • Instruction ID: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
  • Opcode Fuzzy Hash: CAF0A0430AA9E28751292346098171032A0FF52A78ACD7FB1A67053AF48180706DF60F
  • Instruction Fuzzy Hash: 6839a79500730b6422b45d1c67b64e308517d7fc7e2a16f35d88dab47aa26ada
APIs
  • GetTempPathA.KERNEL32(00000101,00000000), ref: 00687D5B
    • Part of subcall function 00683C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00683E08
    • Part of subcall function 00683C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00683E55
    • Part of subcall function 00683C28: CloseHandle.KERNEL32(000000FF), ref: 00683E6B
  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00687DCA
    • Part of subcall function 00681864: wsprintfA.USER32 ref: 00681874
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:26BFC108EC961EA10CA20AFCE4594D95
Total matches:14
Initial Analysis Report:Open
Initial sample Analysis ID:25668
Initial sample SHA 256:FB0F5FF4760F6869A63FC6ED01D19241D83919B88F70343473CB6AF014FA8954
Initial sample name:2016080813380002,jpg.jpg.exe

Similar Executed Functions

Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:69BE1E62B00BA27CC4AE0E3B41720D41
Total matches:14
Initial Analysis Report:Open
Initial sample Analysis ID:28881
Initial sample SHA 256:164EAB81C9EF0B14B4F93F7F5B60B0111D9EB3DE3131C35F2F388837E0309B9E
Initial sample name:id654093871066.pdf.exe

Similar Executed Functions

Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name: explorer.exe
Process MD5: 8B88EBBB05A0E56B7DCC708498C02B3E
Total matches: 13
Initial Analysis Report: Open
Initial sample Analysis ID: 28881
Initial sample SHA 256: 164EAB81C9EF0B14B4F93F7F5B60B0111D9EB3DE3131C35F2F388837E0309B9E
Initial sample name: id654093871066.pdf.exe

Similar Executed Functions

Similarity
  • Total matches: 15
  • API ID: CreateWindowExDispatchMessageGetMessageRegisterClassExRtlExitUserThreadTranslateMessage
  • String ID: 0
  • API String ID: 3618916020-4108050209
  • Opcode ID: fe864b82b5b8b45b9a3ee4d7c27e3b11bbcfdeaa94bd3f324ca5144b1a26a4f8
  • Instruction ID: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
  • Opcode Fuzzy Hash: 06E06D0585E44592F0F16A42294231A02327F87B1DE2CDF1359A5351C0EE9060ECBF05
  • Instruction Fuzzy Hash: ae2a4e76ae066c596e0185d33b8e9e36146cd11b64090c208411195ce36408ce
APIs
  • RegisterClassExA.USER32(00000030), ref: 00688AF1
  • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00688B1D
  • TranslateMessage.USER32(?), ref: 00688B37
  • DispatchMessageA.USER32(?), ref: 00688B41
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00688B51
  • RtlExitUserThread.NTDLL(00000000), ref: 00688B5D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: CreateFile$CloseHandleGetFileSizeReadFile
  • String ID:
  • API String ID: 135965633-0
  • Opcode ID: aadf8f0ceb474147f1ec75c465e9ba5d0c844eef1c53975f94c0eaa6aab4b1ca
  • Instruction ID: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
  • Opcode Fuzzy Hash: C8E04F414CCC4743F97268D50963B5A1342F78372AC8E3B6299A493655C7C1E08A7F03
  • Instruction Fuzzy Hash: 43c10b0a34aeac921376bbbfc739e1babd427cd318e1ef89b4c8f7ad13d1749a
APIs
  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006847D9
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 006847FB
  • GetFileSize.KERNEL32(?,00000000), ref: 00684810
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0068483F
  • CloseHandle.KERNEL32(?), ref: 00684849
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

Similarity
  • Total matches: 30
  • API ID: CloseHandle$CreateFileMappingCreateProcessGetExitCodeProcessGetModuleHandleGetThreadContextMapViewOfFileResumeThreadVirtualProtectExWaitForSingleObjectWriteProcessMemory
  • String ID: D$_section
  • API String ID: 3418459151-2547996920
  • Opcode ID: 1cce57ba56a9e1cc06ffcca1dc5e5bfd456f5389336d5d58524c615b4583b64a
  • Instruction ID: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
  • Opcode Fuzzy Hash: 52215B464ACDD057B97222811B83AA10292BF9373EC4E7BB24D30956D3FE85E042FB0D
  • Instruction Fuzzy Hash: c7d623e40ddf95ba6a1b2ce2c83f3b580320bb094b1d79b9940a848a40daea40
APIs
  • GetModuleHandleA.KERNEL32(00000000), ref: 00685040
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0068508F
  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 006850F5
  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0068510D
    • Part of subcall function 006813B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006813CD
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F3A
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00684F69
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00684FBC
    • Part of subcall function 00684EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00684FED
  • GetThreadContext.KERNEL32(?,00010007), ref: 00685209
  • CloseHandle.KERNEL32(?), ref: 006852C8
    • Part of subcall function 00684DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00684E09
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E39
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E5A
    • Part of subcall function 00684DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00684E7E
  • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00685252
  • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0068526C
    • Part of subcall function 00681828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00686A2F), ref: 0068183A
  • ResumeThread.KERNEL32(?), ref: 0068527E
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00685292
  • GetExitCodeProcess.KERNEL32(?,?), ref: 006852A4
  • CloseHandle.KERNEL32(?), ref: 006852BE
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 14
  • API ID: Sleep$CloseHandleCreateFileDeleteFileFlushFileBuffersGetFileSizeWriteFile
  • String ID: d
  • API String ID: 1835484852-2564639436
  • Opcode ID: 6a8a9f74bc30734ac2920ed785c79d133df25b40311145d26cc946c7cd1cd359
  • Instruction ID: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
  • Opcode Fuzzy Hash: C0F0F61659CD8387F87128C10A03F8A5342FBD293DE8F7B524170232D2C745E15B9B13
  • Instruction Fuzzy Hash: 7f88fe073ac31423f0a067142e79009f2469da1e93ebd2323a874ec8eca8eafd
APIs
    • Part of subcall function 00683988: FindFirstFileA.KERNEL32(?,?), ref: 006839A4
    • Part of subcall function 00683988: FindClose.KERNEL32(000000FF), ref: 006839BF
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0068465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00684670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 006846A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006846B6
  • CloseHandle.KERNEL32(000000FF), ref: 006846C0
  • DeleteFileA.KERNEL32(?), ref: 006846CA
  • Sleep.KERNEL32(00000064), ref: 006846E7
  • Sleep.KERNEL32(00000064), ref: 006846FA
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 15
  • API ID: Sleep$GetTickCount
  • String ID: d
  • API String ID: 1959847744-2564639436
  • Opcode ID: 4df15c86f026b782c0e2ec83881cd7cdc6f58794d43ec49e2f3b8a59bbf8de04
  • Instruction ID: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
  • Opcode Fuzzy Hash: 32315B47427C96A7D8337E4484C3F2502B1EF62CBDDC8773256F4A66EE8A857009F229
  • Instruction Fuzzy Hash: 07bf5d97f8c7b4ece2ce0ddd977b2a05fa4c46139dabc8bf09cfa788a68413c3
APIs
    • Part of subcall function 006864BC: GetVersionExA.KERNEL32(0000009C), ref: 00686530
  • Sleep.KERNEL32(000927C0), ref: 006866F5
  • GetTickCount.KERNEL32 ref: 006866FD
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • GetTickCount.KERNEL32 ref: 006867AF
  • Sleep.KERNEL32(00001388), ref: 006867CD
    • Part of subcall function 00685468: GetSystemTime.KERNEL32(?), ref: 00685472
  • Sleep.KERNEL32(000493E0), ref: 006867F3
  • Sleep.KERNEL32(000927C0), ref: 0068680F
Strings
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 27
  • API ID: CreateFileReadFile$CloseHandleSetFilePointer
  • String ID:
  • API String ID: 3069708523-0
  • Opcode ID: 17b59022d72fb36466e20cc7afc5e6a0e784fd5bd9c984186f8d79e430900cc6
  • Instruction ID: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
  • Opcode Fuzzy Hash: 6DE0464A4CCC5383F5B1B8881552B6A23A2F7A3B1AC9EBBA2858042101D7C0B0C97E03
  • Instruction Fuzzy Hash: d591f7ef06654b9f9a62e3edaed55e68cb58eef320aa9985f0408eb2efe8683d
APIs
  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00687C71
  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00687C93
  • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00687CB2
  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00687CC7
  • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00687CDD
  • CloseHandle.KERNEL32(000000FF), ref: 00687CE7
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true
Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name: explorer.exe
Process MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D
Total matches: 7
Initial Analysis Report: Open
Initial sample Analysis ID: 56574
Initial sample SHA 256: 0F7AD889A17D10622948687E253430D9C037B709AD527C2CB67A6BF30BBDBB00
Initial sample name: 6PethE7GDd.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name: explorer.exe
Process MD5: 72E953215CADE1A726C04AAFDF6B463D
Total matches: 5
Initial Analysis Report: Open
Initial sample Analysis ID: 355921
Initial sample SHA 256: 02E6227CA8FC5EC083EEEEA193527D9BB81D93A924210338EB292A47E87067A8
Initial sample name: 149invoice.pdf.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name: explorer.exe
Process MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D
Total matches: 4
Initial Analysis Report: Open
Initial sample Analysis ID: 28958
Initial sample SHA 256: 50D01AAB200BA6D3E63439F80A3FB9916F607AFCCEA1C24C0A887E80E2DF4950
Initial sample name: LawTugx.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name: explorer.exe
Process MD5: 505F022493D471025ADD399A4162208B
Total matches: 4
Initial Analysis Report: Open
Initial sample Analysis ID: 24588
Initial sample SHA 256: 223D29E850E9501CDB6C734EFD60C691EEA2664060D1D4A4665671DFCF384165
Initial sample name: inst3.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name: explorer.exe
Process MD5: 72E953215CADE1A726C04AAFDF6B463D
Total matches: 3
Initial Analysis Report: Open
Initial sample Analysis ID: 249130
Initial sample SHA 256: 3AA5C8461DDB801D61F00C123A71B66610DB31D35E683DE27875AFD19AC9A59E
Initial sample name: 73Products description.scr

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name: explorer.exe
Process MD5: 8B88EBBB05A0E56B7DCC708498C02B3E
Total matches: 3
Initial Analysis Report: Open
Initial sample Analysis ID: 28958
Initial sample SHA 256: 50D01AAB200BA6D3E63439F80A3FB9916F607AFCCEA1C24C0A887E80E2DF4950
Initial sample name: LawTugx.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name: explorer.exe
Process MD5: 72E953215CADE1A726C04AAFDF6B463D
Total matches: 3
Initial Analysis Report: Open
Initial sample Analysis ID: 356353
Initial sample SHA 256: 47D03315F6237116F636211774E8B74D2D521E08C065FDC16E5AF19B20DBA454
Initial sample name: 104PO#293701.scr

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name:explorer.exe
Process MD5:505BF4D1CADEB8D4F8BCD08D944DE25D
Total matches:3
Initial Analysis Report:Open
Initial sample Analysis ID:355921
Initial sample SHA 256:02E6227CA8FC5EC083EEEEA193527D9BB81D93A924210338EB292A47E87067A8
Initial sample name:149invoice.pdf.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name:explorer.exe
Process MD5:72E953215CADE1A726C04AAFDF6B463D
Total matches:3
Initial Analysis Report:Open
Initial sample Analysis ID:247333
Initial sample SHA 256:562F9EE944C15DC1B2A5CA865A087146FB71943132227A39FE60FF27EAEF32D9
Initial sample name:36Revised Invoice.pdf.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name:explorer.exe
Process MD5:505BF4D1CADEB8D4F8BCD08D944DE25D
Total matches:3
Initial Analysis Report:Open
Initial sample Analysis ID:24588
Initial sample SHA 256:223D29E850E9501CDB6C734EFD60C691EEA2664060D1D4A4665671DFCF384165
Initial sample name:inst3.exe

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name:explorer.exe
Process MD5:92018B6185D8822BF7194CAE21E5C7EB
Total matches:3
Initial Analysis Report:Open
Initial sample Analysis ID:41260
Initial sample SHA 256:3A9168EE2E871E12423E75A69AF2680B60364857F762ABFB9338D31D85D1312D
Initial sample name:hitmanpro.3.7.x-patch.exe

Similar Executed Functions

Similar Non-Executed Functions

Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:72E953215CADE1A726C04AAFDF6B463D
Total matches:3
Initial Analysis Report:Open
Initial sample Analysis ID:258313
Initial sample SHA 256:1BAD455DC0D7FB78134196A495FEDED0DF601485DBBF09336F74B8B1820AC9D6
Initial sample name:72image.scr

Similar Executed Functions

Similarity
  • Total matches: 383
  • API ID: GetTokenInformation$CloseHandleGetLastErrorGetSidSubAuthorityGetSidSubAuthorityCountOpenProcessToken
  • String ID:
  • API String ID: 4227741133-0
  • Opcode ID: abed1b1ed564e286e9d7c446ea2cf84ec24caccf823dafe7c0b074d34c552990
  • Instruction ID: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
  • Opcode Fuzzy Hash: E9F0D1019DCD462BE52738441453F4A2226BB93B45CCDAE7A9844A658B9B98B047FF0B
  • Instruction Fuzzy Hash: 8014b49a40dd83055347c84ea13b6214b64a77a63a9ba12a1b24b4d8104c97e6
APIs
  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 006842EC
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0068430E
  • GetLastError.KERNEL32 ref: 00684322
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00684358
  • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0068436E
  • GetSidSubAuthority.ADVAPI32(?,?), ref: 00684393
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
  • CloseHandle.KERNEL32(?), ref: 006843F3
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

Similar Non-Executed Functions

General

Root Process Name:explorer.exe
Process MD5:57F4BC6B07929B5C183D69EBAE904FDB
Total matches:3
Initial Analysis Report:Open
Initial sample Analysis ID:30238
Initial sample SHA 256:05418C503589319A46D7BA2CB95AC0905DD3223752EF31C5257339F4EF037850
Initial sample name:poweriso.6.x.patch.exe

Similar Executed Functions

Similar Non-Executed Functions

Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:8AD504D873DBA440325BDCE426FD2CE7
Total matches:2
Initial Analysis Report:Open
Initial sample Analysis ID:49904
Initial sample SHA 256:4268384C52CEDD3DBA8E8EF42F4868B38EDA13B58050C69F9B6BCAFA2BB53507
Initial sample name:etup.exe

Similar Executed Functions

Similar Non-Executed Functions

Similarity
  • Total matches: 51
  • API ID: AllocateAndInitializeSidCloseHandleEqualSidFreeSidGetCurrentProcessGetCurrentThreadGetLastErrorGetTokenInformationOpenProcessTokenOpenThreadToken
  • String ID:
  • API String ID: 2325005333-0
  • Opcode ID: 490fc326f30fc23960ef243291f910355b3c5ab6d69cca566227f882c093ad22
  • Instruction ID: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
  • Opcode Fuzzy Hash: 53F02E128CDC07A7EA3238A01893B132266F3A360AC0DAF6349002B803CB44B047AB0B
  • Instruction Fuzzy Hash: bdd662580af02895a0d7a2fc612871f8838306a3a8e8a4f5dbc8904d44089b2c
APIs
  • GetCurrentThread.KERNEL32 ref: 006841DE
  • OpenThreadToken.ADVAPI32(00000000), ref: 006841E5
  • GetLastError.KERNEL32 ref: 006841F4
  • GetCurrentProcess.KERNEL32 ref: 00684207
  • OpenProcessToken.ADVAPI32(00000000), ref: 0068420E
    • Part of subcall function 006813DC: GetProcessHeap.KERNEL32(00000000,?), ref: 006813EB
    • Part of subcall function 006813DC: RtlAllocateHeap.NTDLL(00000000), ref: 006813F2
  • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00684241
  • CloseHandle.KERNEL32(?), ref: 0068424E
  • AllocateAndInitializeSid.ADVAPI32(0068A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00684278
  • EqualSid.ADVAPI32(?,?), ref: 006842A2
  • FreeSid.ADVAPI32(?), ref: 006842BE
    • Part of subcall function 00681440: GetProcessHeap.KERNEL32(00000000,?), ref: 0068144D
    • Part of subcall function 00681440: HeapFree.KERNEL32(00000000), ref: 00681454
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true

General

Root Process Name:explorer.exe
Process MD5:C8398C45B86F64452448F1360580C710
Total matches:2
Initial Analysis Report:Open
Initial sample Analysis ID:30860
Initial sample SHA 256:A35C743513E0E61F29502FD8601B9E234AB0E825BB5E3B32F848DF8D48B6ED97
Initial sample name:glasswire-patch[Settings-fixed].exe

Similar Executed Functions

Similar Non-Executed Functions

Similarity
  • Total matches: 39
  • API ID: CloseHandleCreateFileFlushFileBuffersWriteFile
  • String ID:
  • API String ID: 4026719408-0
  • Opcode ID: 1494f3174906e8e6b9cd57a5728ec38f5447db6ed73d7a2385041bc4b25985f6
  • Instruction ID: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
  • Opcode Fuzzy Hash: 58D05E514D4D8A57E9B22C840F137520342F35262AC5E3BA38AB0A6182C751A14A5E03
  • Instruction Fuzzy Hash: cb7fa1244f17197322e1caa744313acb22db9116bd311342486e70eea163e68f
APIs
  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00684886
  • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 006848A7
  • FlushFileBuffers.KERNEL32(000000FF), ref: 006848C4
  • CloseHandle.KERNEL32(000000FF), ref: 006848CE
Memory Dump Source
  • Source File: 00000001.00000002.22923987385.00680000.00000040.sdmp, Offset: 00680000, based on PE: true